Refactor automatic HTTPS configuration; ability to skip certain names

2 files changed, 62 insertions, 26 deletions

diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index 036a3ab..850501f 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -48,16 +48,23 @@ func (app *App) Provision(ctx caddy.Context) error {
 	repl := caddy.NewReplacer()
 
 	for _, srv := range app.Servers {
+		if srv.AutoHTTPS == nil {
+			// avoid nil pointer dereferences
+			srv.AutoHTTPS = new(AutoHTTPSConfig)
+		}
+
 		// TODO: Test this function to ensure these replacements are performed
 		for i := range srv.Listen {
 			srv.Listen[i] = repl.ReplaceAll(srv.Listen[i], "")
 		}
+
 		if srv.Routes != nil {
 			err := srv.Routes.Provision(ctx)
 			if err != nil {
 				return fmt.Errorf("setting up server routes: %v", err)
 			}
 		}
+
 		if srv.Errors != nil {
 			err := srv.Errors.Routes.Provision(ctx)
 			if err != nil {
@@ -187,7 +194,7 @@ func (app *App) automaticHTTPS() error {
 	for srvName, srv := range app.Servers {
 		srv.tlsApp = tlsApp
 
-		if srv.DisableAutoHTTPS {
+		if srv.AutoHTTPS.Disabled {
 			continue
 		}
 
@@ -203,7 +210,7 @@ func (app *App) automaticHTTPS() error {
 				for _, m := range matcherSet {
 					if hm, ok := m.(*MatchHost); ok {
 						for _, d := range *hm {
-							if certmagic.HostQualifies(d) {
+							if certmagic.HostQualifies(d) && !srv.AutoHTTPS.HostSkipped(d) {
 								domainSet[d] = struct{}{}
 							}
 						}
@@ -256,7 +263,7 @@ func (app *App) automaticHTTPS() error {
 				{ALPN: defaultALPN},
 			}
 
-			if srv.DisableAutoHTTPSRedir {
+			if srv.AutoHTTPS.DisableRedir {
 				continue
 			}
 
@@ -324,10 +331,10 @@ func (app *App) automaticHTTPS() error {
 			lnAddrs = append(lnAddrs, addr)
 		}
 		app.Servers["auto_https_redirects"] = &Server{
-			Listen:           lnAddrs,
-			Routes:           redirRoutes,
-			DisableAutoHTTPS: true,
-			tlsApp:           tlsApp, // required to solve HTTP challenge
+			Listen:    lnAddrs,
+			Routes:    redirRoutes,
+			AutoHTTPS: &AutoHTTPSConfig{Disabled: true},
+			tlsApp:    tlsApp, // required to solve HTTP challenge
 		}
 	}
 
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index 94fd4d4..be46d6d 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -14,19 +14,17 @@ import (
 
 // Server is an HTTP server.
 type Server struct {
-	Listen            []string         `json:"listen,omitempty"`
-	ReadTimeout       caddy.Duration   `json:"read_timeout,omitempty"`
-	ReadHeaderTimeout caddy.Duration   `json:"read_header_timeout,omitempty"`
-	WriteTimeout      caddy.Duration   `json:"write_timeout,omitempty"`
-	IdleTimeout       caddy.Duration   `json:"idle_timeout,omitempty"`
-	MaxHeaderBytes    int              `json:"max_header_bytes,omitempty"`
-	Routes            RouteList        `json:"routes,omitempty"`
-	Errors            *httpErrorConfig `json:"errors,omitempty"`
-	// TODO: Having a separate connection policy to act as a default or template would be handy... then override using first matching conn policy...
-	TLSConnPolicies       caddytls.ConnectionPolicies `json:"tls_connection_policies,omitempty"`
-	DisableAutoHTTPS      bool                        `json:"disable_auto_https,omitempty"`
-	DisableAutoHTTPSRedir bool                        `json:"disable_auto_https_redir,omitempty"`
-	MaxRehandles          int                         `json:"max_rehandles,omitempty"`
+	Listen            []string                    `json:"listen,omitempty"`
+	ReadTimeout       caddy.Duration              `json:"read_timeout,omitempty"`
+	ReadHeaderTimeout caddy.Duration              `json:"read_header_timeout,omitempty"`
+	WriteTimeout      caddy.Duration              `json:"write_timeout,omitempty"`
+	IdleTimeout       caddy.Duration              `json:"idle_timeout,omitempty"`
+	MaxHeaderBytes    int                         `json:"max_header_bytes,omitempty"`
+	Routes            RouteList                   `json:"routes,omitempty"`
+	Errors            *HTTPErrorConfig            `json:"errors,omitempty"`
+	TLSConnPolicies   caddytls.ConnectionPolicies `json:"tls_connection_policies,omitempty"`
+	AutoHTTPS         *AutoHTTPSConfig            `json:"automatic_https,omitempty"`
+	MaxRehandles      int                         `json:"max_rehandles,omitempty"`
 
 	tlsApp *caddytls.TLS
 }
@@ -121,13 +119,44 @@ func (s *Server) listenersUseAnyPortOtherThan(otherPort int) bool {
 	return false
 }
 
-type httpErrorConfig struct {
+// AutoHTTPSConfig is used to disable automatic HTTPS
+// or certain aspects of it for a specific server.
+type AutoHTTPSConfig struct {
+	// If true, automatic HTTPS will be entirely disabled.
+	Disabled bool `json:"disable,omitempty"`
+
+	// If true, only automatic HTTP->HTTPS redirects will
+	// be disabled.
+	DisableRedir bool `json:"disable_redirects,omitempty"`
+
+	// Hosts/domain names listed here will not be included
+	// in automatic HTTPS (they will not have certificates
+	// loaded nor redirects applied).
+	Skip []string `json:"skip,omitempty"`
+}
+
+// HostSkipped returns true if name is supposed to be skipped
+// when setting up automatic HTTPS.
+func (ahc AutoHTTPSConfig) HostSkipped(name string) bool {
+	for _, n := range ahc.Skip {
+		if name == n {
+			return true
+		}
+	}
+	return false
+}
+
+// HTTPErrorConfig determines how to handle errors
+// from the HTTP handlers.
+type HTTPErrorConfig struct {
 	Routes RouteList `json:"routes,omitempty"`
-	// TODO: some way to configure the logging of errors, probably? standardize
-	// the logging configuration first.
 }
 
-const ServerCtxKey caddy.CtxKey = "server"
+// Context keys for HTTP request context values.
+const (
+	// For referencing the server instance
+	ServerCtxKey caddy.CtxKey = "server"
 
-// TableCtxKey is the context key for the request's variable table. TODO: implement this
-const TableCtxKey caddy.CtxKey = "table"
+	// For the request's variable table (TODO: implement this)
+	TableCtxKey caddy.CtxKey = "table"
+)