-rw-r--r--modules/caddytls/tls.go13
1 files changed, 12 insertions, 1 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 8051653..92004b8 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
"log"
"net/http"
"runtime/debug"
+ "strings"
"sync"
"time"
@@ -259,7 +260,17 @@ func (t *TLS) Start() error {
if t.Automation.OnDemand == nil ||
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
for _, ap := range t.Automation.Policies {
- if ap.OnDemand {
+ isWildcardOrDefault := false
+ if len(ap.Subjects) == 0 {
+ isWildcardOrDefault = true
+ }
+ for _, sub := range ap.Subjects {
+ if strings.HasPrefix(sub, "*") {
+ isWildcardOrDefault = true
+ break
+ }
+ }
+ if ap.OnDemand && isWildcardOrDefault {
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
break
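Review bot: The rule that decides whether the abuse warning fires (no subjects, or any subject starting with "*") is not explained anywhere in the new code, and since a wrong guess here silently suppresses a security warning it deserves a why-comment above the `isWildcardOrDefault` flag, e.g. `// An on-demand policy restricted to explicit, non-wildcard subjects can only issue for those names; only unrestricted policies are worth warning about.` The flag's initialization can also be collapsed from four lines to `isWildcardOrDefault := len(ap.Subjects) == 0`, and the whole subject scan could be skipped with `if !ap.OnDemand { continue }` before it, since the result is only consulted together with `ap.OnDemand`. Note that `strings.HasPrefix(sub, "*")` only recognises a leading wildcard; if subjects can carry a wildcard elsewhere or are normalised (case, whitespace) before matching, that normalisation should happen before this check — I cannot tell from the hunk. The enclosing `Start` method begins and ends outside the hunk.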