-rw-r--r--modules/caddyhttp/app.go5
-rw-r--r--modules/caddytls/tls.go12
2 files changed, 14 insertions, 3 deletions
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 42e7725..4f5bc84 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -176,8 +176,8 @@ func (app *App) Provision(ctx caddy.Context) error {
// domain fronting is desired and access is not restricted
// based on hostname
if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
- app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
- zap.String("server_name", srvName),
+ app.logger.Warn("enabling strict SNI-Host enforcement because TLS client auth is configured",
+ zap.String("server_id", srvName),
)
trueBool := true
srv.StrictSNIHost = &trueBool
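Review bot: The new Warn line says strict SNI-Host enforcement was switched on, but not how an operator acknowledges or overrides it. Since the branch only runs when `srv.StrictSNIHost == nil`, the message or the comment above it could state that setting `strict_sni_host` explicitly avoids the automatic default and this warning. The field key also changes from `server_name` to `server_id`, so log queries or alerts keyed on the old name will stop matching; that deserves a changelog line. Provision's body starts and ends outside this hunk.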
@@ -283,7 +283,6 @@ func (app *App) Validate() error {
}
}
}
-
return nil
}
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 489d87f..fdff447 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -236,6 +236,18 @@ func (t *TLS) Validate() error {
// Start activates the TLS module.
func (t *TLS) Start() error {
+ // warn if on-demand TLS is enabled but no restrictions are in place
+ if t.Automation.OnDemand == nil ||
+ (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+ for _, ap := range t.Automation.Policies {
+ if ap.OnDemand {
+ t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
+ zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
+ break
+ }
+ }
+ }
+
// now that we are running, and all manual certificates have
// been loaded, time to load the automated/managed certificates
err := t.Manage(t.automateNames)
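Review bot: The guard `t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil` treats a rate limit alone as sufficient protection, although a rate limit only caps how fast certificates are issued and does not restrict which hostnames are accepted. Consider warning separately when `Ask` is empty, or record the reasoning in the comment, e.g. `// a rate limit bounds issuance volume only; an ask endpoint is what restricts hostnames`. The warning also does not say which automation policy triggered it, so ranging with an index and adding `zap.Int("policy_index", i)` would make it actionable. `t.Automation` is dereferenced without a nil check; presumably it is populated during provisioning, which is not visible in this hunk. Start's body continues past the hunk.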