| author | Matthew Holt <mholt@users.noreply.github.com> | 2023-03-14 10:29:27 -0600 | 
|---|---|---|
| committer | Matthew Holt <mholt@users.noreply.github.com> | 2023-03-14 10:29:27 -0600 | 
| commit | a7af7c486e5240da974e02b7dfee9d265aaa654a (patch) | |
| tree | 3b0fbc6eb62595fb64086d942ca53a9fb58bb0d4 /modules | |
| parent | b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5 (diff) | |
caddytls: Allow on-demand w/o ask for internal-only
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/caddytls/automation.go | 76 | 
1 files changed, 42 insertions, 34 deletions
| diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 526aef5..fffc0a3 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -165,40 +165,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		ap.storage = cmStorage
 	}
-	// on-demand TLS
-	var ond *certmagic.OnDemandConfig
-	if ap.OnDemand {
-		// ask endpoint is now required after a number of negligence cases causing abuse
-		if tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "" {
-			return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
-		}
-		ond = &certmagic.OnDemandConfig{
-			DecisionFunc: func(name string) error {
-				if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
-					// distinguish true errors from denials, because it's important to elevate actual errors
-					if errors.Is(err, errAskDenied) {
-						tlsApp.logger.Debug("certificate issuance denied",
-							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
-							zap.String("domain", name),
-							zap.Error(err))
-					} else {
-						tlsApp.logger.Error("request to 'ask' endpoint failed",
-							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
-							zap.String("domain", name),
-							zap.Error(err))
-					}
-					return err
-				}
-				// check the rate limiter last because
-				// doing so makes a reservation
-				if !onDemandRateLimiter.Allow() {
-					return fmt.Errorf("on-demand rate limit exceeded")
-				}
-				return nil
-			},
-		}
-	}
-
 	// we don't store loaded modules directly in the certmagic config since
 	// policy provisioning may happen more than once (during auto-HTTPS) and
 	// loading a module clears its config bytes; thus, load the module and 
@@ -255,6 +221,40 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		storage = tlsApp.ctx.Storage()
 	}
+	// on-demand TLS
+	var ond *certmagic.OnDemandConfig
+	if ap.OnDemand {
+		// ask endpoint is now required after a number of negligence cases causing abuse
+		if !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
+			return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
+		}
+		ond = &certmagic.OnDemandConfig{
+			DecisionFunc: func(name string) error {
+				if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
+					// distinguish true errors from denials, because it's important to elevate actual errors
+					if errors.Is(err, errAskDenied) {
+						tlsApp.logger.Debug("certificate issuance denied",
+							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
+							zap.String("domain", name),
+							zap.Error(err))
+					} else {
+						tlsApp.logger.Error("request to 'ask' endpoint failed",
+							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
+							zap.String("domain", name),
+							zap.Error(err))
+					}
+					return err
+				}
+				// check the rate limiter last because
+				// doing so makes a reservation
+				if !onDemandRateLimiter.Allow() {
+					return fmt.Errorf("on-demand rate limit exceeded")
+				}
+				return nil
+			},
+		}
+	}
+
 	template := certmagic.Config{
 		MustStaple:         ap.MustStaple,
 		RenewalWindowRatio: ap.RenewalWindowRatio, 
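Review bot: The DecisionFunc still dereferences `tlsApp.Automation.OnDemand.Ask` unconditionally, but the new `!ap.onlyInternalIssuer() &&` clause now lets an internal-only policy be provisioned while `tlsApp.Automation` or `tlsApp.Automation.OnDemand` is nil, so the first on-demand handshake for such a policy would panic inside the closure (and with `Ask == ""` it calls `onDemandAskRequest` with an empty endpoint, whose behaviour is not visible here). The ask call inside DecisionFunc should be guarded the same way the provisioning check is, e.g. wrap the existing `if err := onDemandAskRequest(...)` block in `if tlsApp.Automation != nil && tlsApp.Automation.OnDemand != nil && tlsApp.Automation.OnDemand.Ask != "" {` and keep the `onDemandRateLimiter.Allow()` check unconditional so internal-only issuance remains bounded. The comment `// ask endpoint is now required after a number of negligence cases causing abuse` should also state that the requirement is waived when the only issuer is internal, since that is the condition the code now encodes. Whether `ap.Issuers` is already populated at this point depends on code earlier in Provision that is outside the hunk; Provision begins and ends outside this hunk.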
@@ -286,6 +286,14 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 	return nil
 }
+func (ap *AutomationPolicy) onlyInternalIssuer() bool {
+	if len(ap.Issuers) != 1 {
+		return false
+	}
+	_, ok := ap.Issuers[0].(*InternalIssuer)
+	return ok
+}
+
 // DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
 // This function is experimental and has no compatibility promises.
 func DefaultIssuers() []certmagic.Issuer { | 
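Review bot: `onlyInternalIssuer` has no doc comment even though it now gates the 'ask' abuse check in Provision; add `// onlyInternalIssuer reports whether this policy has exactly one issuer and it is an *InternalIssuer. An empty or multi-issuer list returns false, which keeps the 'ask' requirement in force.` Returning false for zero issuers is the right fail-closed default, since an unset list presumably has DefaultIssuers applied elsewhere in Provision (not visible in this hunk). The type assertion matches only the concrete `*InternalIssuer`, so an internal issuer reached through any wrapper type would not be recognised and would still require an ask endpoint, which is the conservative direction but worth saying in the comment.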
