| author | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-26 10:57:18 -0600 | 
|---|---|---|
| committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-26 10:57:18 -0600 | 
| commit | a524bcfe78e8067b8224b1794c6842d9c2c7e8cf (patch) | |
| tree | 42e7ce1c00505eeb98c6a1c88ee24cdf4bd3c5d2 /modules | |
| parent | 91b03dccb0094d96652def8a9c70016fd53d1006 (diff) | |
Enable skipping just certificate management for some auto HTTPS names
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/caddyhttp/caddyhttp.go | 16 | ||||
| -rw-r--r-- | modules/caddyhttp/server.go | 14 | 
2 files changed, 21 insertions, 9 deletions
diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index 850501f..9c80992 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -210,7 +210,8 @@ func (app *App) automaticHTTPS() error {
 				for _, m := range matcherSet {
 					if hm, ok := m.(*MatchHost); ok {
 						for _, d := range *hm {
-							if certmagic.HostQualifies(d) && !srv.AutoHTTPS.HostSkipped(d) {
+							if certmagic.HostQualifies(d) &&
+								!srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
 								domainSet[d] = struct{}{}
 							}
 						}
@@ -221,9 +222,12 @@ func (app *App) automaticHTTPS() error {
 		if len(domainSet) > 0 {
 			// marshal the domains into a slice
-			var domains []string
+			var domains, domainsForCerts []string
 			for d := range domainSet {
 				domains = append(domains, d)
+				if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
+					domainsForCerts = append(domainsForCerts, d)
+				}
 			}
 			// ensure that these certificates are managed properly;
@@ -245,13 +249,13 @@ func (app *App) automaticHTTPS() error {
 			acmeManager.SetDefaults()
 			tlsApp.Automation.Policies = append(tlsApp.Automation.Policies,
 				caddytls.AutomationPolicy{
-					Hosts:      domains,
+					Hosts:      domainsForCerts,
 					Management: acmeManager,
 				})
 			// manage their certificates
-			log.Printf("[INFO] Enabling automatic HTTPS for %v", domains)
-			err := tlsApp.Manage(domains)
+			log.Printf("[INFO] Enabling automatic HTTPS certificates for %v", domainsForCerts)
+			err := tlsApp.Manage(domainsForCerts)
 			if err != nil {
 				return fmt.Errorf("%s: managing certificate for %s: %s", srvName, domains, err)
 			}
@@ -267,6 +271,8 @@ func (app *App) automaticHTTPS() error {
 				continue
 			}
+			log.Printf("[INFO] Enabling automatic HTTP->HTTPS redirects for %v", domains)
+
 			// create HTTP->HTTPS redirects
 			for _, addr := range srv.Listen {
 				netw, host, port, err := splitListenAddr(addr)
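Review bot: The call `srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip)` in the first hunk hands the receiver's own field back to its method, so the choice of list is left to every call site and a wrong slice would compile without complaint. Since that choice decides whether a name gets redirects or a certificate, two named methods over an unexported helper would read more safely, for example keeping `HostSkipped(d)` and adding a sibling for the `SkipCerts` list. The same call shape appears in the second hunk as `Skipped(d, srv.AutoHTTPS.SkipCerts)`. automaticHTTPS begins and ends outside these hunks.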
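Review bot: Nothing in the third hunk guards the case where every qualifying name is listed in `SkipCerts`: `domainsForCerts` (built in the second hunk) is then nil, yet the code still appends an `AutomationPolicy` with `Hosts: domainsForCerts` and calls `tlsApp.Manage(domainsForCerts)`. If the TLS app treats a policy with no hosts as applying to every name (not visible here, worth confirming), the skip list would widen certificate management instead of narrowing it. Wrapping the policy append and the Manage call in `if len(domainsForCerts) > 0 {` avoids registering an empty policy. The context line that builds the error still prints `domains`, while `domainsForCerts` is what Manage was given. The enclosing function continues outside the hunk.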
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index be46d6d..05763ba 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -133,12 +133,18 @@ type AutoHTTPSConfig struct {
 	// in automatic HTTPS (they will not have certificates
 	// loaded nor redirects applied).
 	Skip []string `json:"skip,omitempty"`
+
+	// Hosts/domain names listed here will still be enabled
+	// for automatic HTTPS (unless in the Skip list), except
+	// that certificates will not be provisioned and managed
+	// for these names.
+	SkipCerts []string `json:"skip_certificates,omitempty"`
 }
-// HostSkipped returns true if name is supposed to be skipped
-// when setting up automatic HTTPS.
-func (ahc AutoHTTPSConfig) HostSkipped(name string) bool {
-	for _, n := range ahc.Skip {
+// Skipped returns true if name is in skipSlice, which
+// should be one of the Skip* fields on ahc.
+func (ahc AutoHTTPSConfig) Skipped(name string, skipSlice []string) bool {
+	for _, n := range skipSlice {
 		if name == n {
 			return true
 		}
|
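Review bot: `Skipped` matches with `name == n`, so a `skip` or `skip_certificates` entry that differs from the matcher host only in letter case is not treated as skipped. For `SkipCerts` that means a certificate is still requested for a name the operator meant to exclude. Host names are case-insensitive, and `if strings.EqualFold(name, n) {` would compare them that way; it needs `strings` imported in server.go, which the hunk does not show. The doc comment could also say that the match is on the whole name, with no wildcard or suffix handling, and that the receiver's fields are not read. The end of the function body is outside the hunk.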
