diff options
Diffstat (limited to 'caddyconfig')
-rw-r--r-- | caddyconfig/httpcaddyfile/directives.go | 46 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/directives_test.go | 94 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/httptype.go | 12 | ||||
-rw-r--r-- | caddyconfig/httpcaddyfile/tlsapp.go | 45 |
4 files changed, 164 insertions, 33 deletions
diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go index 8fa48cd..ff248bf 100644 --- a/caddyconfig/httpcaddyfile/directives.go +++ b/caddyconfig/httpcaddyfile/directives.go @@ -393,23 +393,30 @@ type serverBlock struct { } // hostsFromKeys returns a list of all the non-empty hostnames found in -// the keys of the server block sb, unless allowEmpty is true, in which -// case a key with no host (e.g. ":443") will be added to the list as an -// empty string. Otherwise, if allowEmpty is false, and if sb has a key -// that omits the hostname (i.e. is a catch-all/empty host), then the returned -// list is empty, because the server block effectively matches ALL hosts. -// The list may not be in a consistent order. If includePorts is true, then -// any non-empty, non-standard ports will be included. -func (sb serverBlock) hostsFromKeys(allowEmpty, includePorts bool) []string { - // first get each unique hostname +// the keys of the server block sb. If logger mode is false, a key with +// an empty hostname portion will return an empty slice, since that +// server block is interpreted to effectively match all hosts. An empty +// string is never added to the slice. +// +// If loggerMode is true, then the non-standard ports of keys will be +// joined to the hostnames. This is to effectively match the Host +// header of requests that come in for that key. +// +// The resulting slice is not sorted but will never have duplicates. +func (sb serverBlock) hostsFromKeys(loggerMode bool) []string { + // ensure each entry in our list is unique hostMap := make(map[string]struct{}) for _, addr := range sb.keys { - if addr.Host == "" && !allowEmpty { - // server block contains a key like ":443", i.e. the host portion - // is empty / catch-all, which means to match all hosts - return []string{} + if addr.Host == "" { + if !loggerMode { + // server block contains a key like ":443", i.e. the host portion + // is empty / catch-all, which means to match all hosts + return []string{} + } + // never append an empty string + continue } - if includePorts && + if loggerMode && addr.Port != "" && addr.Port != strconv.Itoa(caddyhttp.DefaultHTTPPort) && addr.Port != strconv.Itoa(caddyhttp.DefaultHTTPSPort) { @@ -428,6 +435,17 @@ func (sb serverBlock) hostsFromKeys(allowEmpty, includePorts bool) []string { return sblockHosts } +// hasHostCatchAllKey returns true if sb has a key that +// omits a host portion, i.e. it "catches all" hosts. +func (sb serverBlock) hasHostCatchAllKey() bool { + for _, addr := range sb.keys { + if addr.Host == "" { + return true + } + } + return false +} + type ( // UnmarshalFunc is a function which can unmarshal Caddyfile // tokens into zero or more config values using a Helper type. diff --git a/caddyconfig/httpcaddyfile/directives_test.go b/caddyconfig/httpcaddyfile/directives_test.go new file mode 100644 index 0000000..03768ac --- /dev/null +++ b/caddyconfig/httpcaddyfile/directives_test.go @@ -0,0 +1,94 @@ +package httpcaddyfile + +import ( + "reflect" + "sort" + "testing" +) + +func TestHostsFromKeys(t *testing.T) { + for i, tc := range []struct { + keys []Address + expectNormalMode []string + expectLoggerMode []string + }{ + { + []Address{ + Address{Original: "foo", Host: "foo"}, + }, + []string{"foo"}, + []string{"foo"}, + }, + { + []Address{ + Address{Original: "foo", Host: "foo"}, + Address{Original: "bar", Host: "bar"}, + }, + []string{"bar", "foo"}, + []string{"bar", "foo"}, + }, + { + []Address{ + Address{Original: ":2015", Port: "2015"}, + }, + []string{}, []string{}, + }, + { + []Address{ + Address{Original: ":443", Port: "443"}, + }, + []string{}, []string{}, + }, + { + []Address{ + Address{Original: "foo", Host: "foo"}, + Address{Original: ":2015", Port: "2015"}, + }, + []string{}, []string{"foo"}, + }, + { + []Address{ + Address{Original: "example.com:2015", Host: "example.com", Port: "2015"}, + }, + []string{"example.com"}, + []string{"example.com:2015"}, + }, + { + []Address{ + Address{Original: "example.com:80", Host: "example.com", Port: "80"}, + }, + []string{"example.com"}, + []string{"example.com"}, + }, + { + []Address{ + Address{Original: "https://:2015/foo", Scheme: "https", Port: "2015", Path: "/foo"}, + }, + []string{}, + []string{}, + }, + { + []Address{ + Address{Original: "https://example.com:2015/foo", Scheme: "https", Host: "example.com", Port: "2015", Path: "/foo"}, + }, + []string{"example.com"}, + []string{"example.com:2015"}, + }, + } { + sb := serverBlock{keys: tc.keys} + + // test in normal mode + actual := sb.hostsFromKeys(false) + sort.Strings(actual) + if !reflect.DeepEqual(tc.expectNormalMode, actual) { + t.Errorf("Test %d (loggerMode=false): Expected: %v Actual: %v", i, tc.expectNormalMode, actual) + } + + // test in logger mode + actual = sb.hostsFromKeys(true) + sort.Strings(actual) + if !reflect.DeepEqual(tc.expectLoggerMode, actual) { + t.Errorf("Test %d (loggerMode=true): Expected: %v Actual: %v", i, tc.expectLoggerMode, actual) + } + } +} diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go index a738166..4c5f445 100644 --- a/caddyconfig/httpcaddyfile/httptype.go +++ b/caddyconfig/httpcaddyfile/httptype.go @@ -378,7 +378,7 @@ func (st *ServerType) serversFromPairings( return nil, fmt.Errorf("server block %v: compiling matcher sets: %v", sblock.block.Keys, err) } - hosts := sblock.hostsFromKeys(false, false) + hosts := sblock.hostsFromKeys(false) // tls: connection policies if cpVals, ok := sblock.pile["tls.connection_policy"]; ok { @@ -450,9 +450,13 @@ func (st *ServerType) serversFromPairings( LoggerNames: make(map[string]string), } } - for _, h := range sblock.hostsFromKeys(true, true) { - if ncl.name != "" { - srv.Logs.LoggerNames[h] = ncl.name + if sblock.hasHostCatchAllKey() { + srv.Logs.LoggerName = ncl.name + } else { + for _, h := range sblock.hostsFromKeys(true) { + if ncl.name != "" { + srv.Logs.LoggerNames[h] = ncl.name + } } } } diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 2ce7ea3..b31bdc5 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -16,6 +16,7 @@ package httpcaddyfile import ( "bytes" + "encoding/json" "fmt" "reflect" "sort" @@ -53,7 +54,7 @@ func (st ServerType) buildTLSApp( continue } if otherAddr.Host != "" { - hostsSharedWithHostlessKey[addr.Host] = struct{}{} + hostsSharedWithHostlessKey[otherAddr.Host] = struct{}{} } } break @@ -72,7 +73,7 @@ func (st ServerType) buildTLSApp( // get values that populate an automation policy for this block var ap *caddytls.AutomationPolicy - sblockHosts := sblock.hostsFromKeys(false, false) + sblockHosts := sblock.hostsFromKeys(false) if len(sblockHosts) == 0 { ap = catchAllAP } @@ -263,6 +264,33 @@ func (st ServerType) buildTLSApp( tlsApp.Automation.OnDemand = onDemand } + // if any hostnames appear on the same server block as a key with + // no host, they will not be used with route matchers because the + // hostless key matches all hosts, therefore, it wouldn't be + // considered for auto-HTTPS, so we need to make sure those hosts + // are manually considered for managed certificates; we also need + // to make sure that any of these names which are internal-only + // get internal certificates by default rather than ACME + var al caddytls.AutomateLoader + internalAP := &caddytls.AutomationPolicy{ + IssuerRaw: json.RawMessage(`{"module":"internal"}`), + } + for h := range hostsSharedWithHostlessKey { + al = append(al, h) + if !certmagic.SubjectQualifiesForPublicCert(h) { + internalAP.Subjects = append(internalAP.Subjects, h) + } + } + if len(al) > 0 { + tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings) + } + if len(internalAP.Subjects) > 0 { + if tlsApp.Automation == nil { + tlsApp.Automation = new(caddytls.AutomationConfig) + } + tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, internalAP) + } + // if there is a global/catch-all automation policy, ensure it goes last if catchAllAP != nil { // first, encode its issuer @@ -276,19 +304,6 @@ func (st ServerType) buildTLSApp( tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP) } - // if any hostnames appear on the same server block as a key with - // no host, they will not be used with route matchers because the - // hostless key matches all hosts, therefore, it wouldn't be - // considered for auto-HTTPS, so we need to make sure those hosts - // are manually considered for managed certificates - var al caddytls.AutomateLoader - for h := range hostsSharedWithHostlessKey { - al = append(al, h) - } - if len(al) > 0 { - tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings) - } - // do a little verification & cleanup if tlsApp.Automation != nil { // ensure automation policies don't overlap subjects (this should be |