Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/acmeissuer.go6
-rw-r--r--modules/caddytls/connpolicy.go7
-rw-r--r--modules/caddytls/tls.go19
3 files changed, 21 insertions, 11 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index f108d72..53638fe 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -144,6 +144,10 @@ func (m *ACMEIssuer) SetConfig(cfg *certmagic.Config) {
m.magic = cfg
}
+// TODO: I kind of hate how each call to these methods needs to
+// make a new ACME manager to fill in defaults before using; can
+// we find the right place to do that just once and then re-use?
+
// PreCheck implements the certmagic.PreChecker interface.
func (m *ACMEIssuer) PreCheck(names []string, interactive bool) error {
return certmagic.NewACMEManager(m.magic, m.template).PreCheck(names, interactive)
@@ -156,7 +160,7 @@ func (m *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*
// IssuerKey returns the unique issuer key for the configured CA endpoint.
func (m *ACMEIssuer) IssuerKey() string {
- return m.template.IssuerKey() // does not need storage and cache
+ return certmagic.NewACMEManager(m.magic, m.template).IssuerKey()
}
// Revoke revokes the given certificate.
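Review bot: The removed comment on the old `return m.template.IssuerKey()` line explained why no manager was needed there, and the replacement on L30 gets no comment explaining why one now is, so a later reader will see the per-call `NewACMEManager` and be tempted to revert it. Presumably the point is that the key must come from the defaults-filled manager (the TODO added above PreCheck says the constructor fills in defaults) so it matches the key used when the certificate was issued and stored; if so, say it: `// build a defaults-filled manager so the key matches the one used at issuance/storage`. It is also worth confirming what `NewACMEManager` does when `m.magic` is still nil because `SetConfig` has not been called yet; that cannot be seen from this hunk.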
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 5b830f9..7618db4 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -55,6 +55,11 @@ func (cp ConnectionPolicies) Provision(ctx caddy.Context) error {
cp[i].certSelector = val.(certmagic.CertificateSelector)
}
+ // enable HTTP/2 by default
+ if len(pol.ALPN) == 0 {
+ pol.ALPN = append(pol.ALPN, defaultALPN...)
+ }
+
// pre-build standard TLS config so we don't have to at handshake-time
err = pol.buildStandardTLSConfig(ctx)
if err != nil {
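Review bot: The new default is written through the range variable `pol` on L42 while the line just above (L38) writes through `cp[i]`; whether both name the same struct depends on whether `ConnectionPolicies` holds pointers or values, which the hunk does not show. If it holds values, `pol.ALPN` is a loop-local copy: `buildStandardTLSConfig` on the next line sees the default, but the stored policy and anything that later reads or re-marshals `cp[i].ALPN` do not. Writing through the index is correct in either case and consistent with L38: `if len(cp[i].ALPN) == 0 {` / `cp[i].ALPN = append(cp[i].ALPN, defaultALPN...)`. The comment could also state the effect rather than the intent, e.g. `// no ALPN configured: advertise h2 and http/1.1 so the pre-built tls.Config offers HTTP/2`. Provision begins before and ends after this hunk.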
@@ -452,3 +457,5 @@ func (a *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error {
type ConnectionMatcher interface {
Match(*tls.ClientHelloInfo) bool
}
+
+var defaultALPN = []string{"h2", "http/1.1"}
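Review bot: `defaultALPN` is a mutable package-level slice with no comment saying what it is for or that it must not be modified; `append` in Provision copies its elements, so its backing array is never aliased by a policy, but nothing documents that the list's order is meaningful. Suggest: `// defaultALPN is advertised by policies that configure no ALPN (see Provision); order is preference, h2 first. Treat as read-only.` The preference semantics are presumably those of tls.Config.NextProtos; worth confirming against how buildStandardTLSConfig consumes the list.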
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index f91229f..0b39c71 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -181,7 +181,6 @@ func (t *TLS) Validate() error {
// ensure that host aren't repeated; since only the first
// automation policy is used, repeating a host in the lists
// isn't useful and is probably a mistake
- // TODO: test this
hostSet := make(map[string]int)
for i, ap := range t.Automation.Policies {
for _, h := range ap.Hosts {
@@ -279,8 +278,8 @@ func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool {
if ap.magic.Issuer == nil {
return false
}
- if am, ok := ap.magic.Issuer.(*certmagic.ACMEManager); ok {
- return am.HandleHTTPChallenge(w, r)
+ if am, ok := ap.magic.Issuer.(*ACMEIssuer); ok {
+ return certmagic.NewACMEManager(am.magic, am.template).HandleHTTPChallenge(w, r)
}
return false
}
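Review bot: `certmagic.NewACMEManager(am.magic, am.template)` on L73 now runs on every HTTP request that reaches this point of the challenge handler, an unauthenticated path, rebuilding a manager (and, per the TODO added in acmeissuer.go, re-deriving defaults) per request rather than once. Consider constructing the manager once when `SetConfig` runs and exposing it from ACMEIssuer, so this line becomes `return am.manager().HandleHTTPChallenge(w, r)` and the request path does no construction; the same helper would serve PreCheck, Issue and IssuerKey. It is also worth checking what `NewACMEManager` does if `am.magic` is nil because `SetConfig` was never invoked on this issuer; the hunk cannot tell. HandleHTTPChallenge starts before this hunk.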
@@ -709,7 +708,7 @@ const automateKey = "automate"
// (beta 16 changed the storage path for certificates),
// after which this function can be deleted
func (t *TLS) moveCertificates() error {
- log := t.logger.Named("automigrate")
+ logger := t.logger.Named("automigrate")
baseDir := caddy.AppDataDir()
@@ -760,7 +759,7 @@ func (t *TLS) moveCertificates() error {
}
if len(oldAcmeSites) > 0 {
- log.Warn("certificate storage path has changed; attempting one-time auto-migration",
+ logger.Warn("certificate storage path has changed; attempting one-time auto-migration",
zap.String("old_folder", oldAcmeSitesDir),
zap.String("new_folder", newBaseDir),
zap.String("details", "https://github.com/caddyserver/caddy/issues/2955"))
@@ -775,13 +774,13 @@ func (t *TLS) moveCertificates() error {
// move the folder
oldPath := filepath.Join(oldAcmeSitesDir, siteInfo.Name())
newPath := filepath.Join(newBaseDir, siteInfo.Name())
- log.Info("moving certificate assets",
+ logger.Info("moving certificate assets",
zap.String("ca", oldCA),
zap.String("site", siteInfo.Name()),
zap.String("destination", newPath))
err = os.Rename(oldPath, newPath)
if err != nil {
- log.Error("failed moving site to new path; skipping",
+ logger.Error("failed moving site to new path; skipping",
zap.String("old_path", oldPath),
zap.String("new_path", newPath),
zap.Error(err))
@@ -792,7 +791,7 @@ func (t *TLS) moveCertificates() error {
metaFilePath := filepath.Join(newPath, siteInfo.Name()+".json")
metaContents, err := ioutil.ReadFile(metaFilePath)
if err != nil {
- log.Error("could not read metadata file",
+ logger.Error("could not read metadata file",
zap.String("filename", metaFilePath),
zap.Error(err))
continue
@@ -806,12 +805,12 @@ func (t *TLS) moveCertificates() error {
}
newMeta, err := json.MarshalIndent(cr, "", "\t")
if err != nil {
- log.Error("encoding new metadata file", zap.Error(err))
+ logger.Error("encoding new metadata file", zap.Error(err))
continue
}
err = ioutil.WriteFile(metaFilePath, newMeta, 0600)
if err != nil {
- log.Error("writing new metadata file", zap.Error(err))
+ logger.Error("writing new metadata file", zap.Error(err))
continue
}
}