diff options
Diffstat (limited to 'caddyconfig')
-rw-r--r-- | caddyconfig/httpcaddyfile/httptype.go | 51 |
1 files changed, 48 insertions, 3 deletions
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go index 5620c2e..0cd2fca 100644 --- a/caddyconfig/httpcaddyfile/httptype.go +++ b/caddyconfig/httpcaddyfile/httptype.go @@ -372,6 +372,7 @@ func (st *ServerType) serversFromPairings( srv.AutoHTTPS.Skip = append(srv.AutoHTTPS.Skip, autoHTTPSQualifiedHosts...) } else if cpVals, ok := sblock.pile["tls.connection_policy"]; ok { // tls connection policies + var hasCatchAll bool for _, cpVal := range cpVals { cp := cpVal.Value.(*caddytls.ConnectionPolicy) @@ -381,14 +382,31 @@ func (st *ServerType) serversFromPairings( return nil, err } - // TODO: are matchers needed if every hostname of the config is matched? + // TODO: are matchers needed if every hostname of the resulting config is matched? if len(hosts) > 0 { cp.MatchersRaw = caddy.ModuleMap{ "sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones } + } else { + hasCatchAll = true } + srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp) } + + // a catch-all is necessary to ensure TLS can be offered to + // all hostnames of the server; even though only one policy + // is needed to enable TLS for the server, that policy might + // apply to only certain TLS handshakes; but when using the + // Caddyfile, user would expect all handshakes to at least + // have a matching connection policy, so here we append a + // catch-all/default policy if there isn't one already (it's + // important that it goes at the end) - see issue #3004: + // https://github.com/caddyserver/caddy/issues/3004 + if !hasCatchAll { + srv.TLSConnPolicies = append(srv.TLSConnPolicies, new(caddytls.ConnectionPolicy)) + } + // TODO: consolidate equal conn policies } @@ -569,14 +587,41 @@ func consolidateAutomationPolicies(aps []caddytls.AutomationPolicy) []caddytls.A if j == i { continue } - if reflect.DeepEqual(aps[i].ManagementRaw, aps[j].ManagementRaw) { - aps[i].Hosts = append(aps[i].Hosts, aps[j].Hosts...) + + // if they're exactly equal in every way, just keep one of them + if reflect.DeepEqual(aps[i], aps[j]) { aps = append(aps[:j], aps[j+1:]...) i-- break } + + // if the policy is the same, we can keep just one, but we have + // to be careful which one we keep; if only one has any hostnames + // defined, then we need to keep the one without any hostnames, + // otherwise the one without any hosts (a catch-all) would be + // eaten up by the one with hosts; and if both have hosts, we + // need to combine their lists + if reflect.DeepEqual(aps[i].ManagementRaw, aps[j].ManagementRaw) && + aps[i].ManageSync == aps[j].ManageSync { + if len(aps[i].Hosts) == 0 && len(aps[j].Hosts) > 0 { + aps = append(aps[:j], aps[j+1:]...) + } else if len(aps[i].Hosts) > 0 && len(aps[j].Hosts) == 0 { + aps = append(aps[:i], aps[i+1:]...) + } else { + aps[i].Hosts = append(aps[i].Hosts, aps[j].Hosts...) + aps = append(aps[:j], aps[j+1:]...) + } + i-- + break + } } } + + // ensure any catch-all policies go last + sort.SliceStable(aps, func(i, j int) bool { + return len(aps[i].Hosts) > len(aps[j].Hosts) + }) + return aps } |