summaryrefslogtreecommitdiff
path: root/modules/caddytls
diff options
context:
space:
mode:
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/tls.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 489d87f..fdff447 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -236,6 +236,18 @@ func (t *TLS) Validate() error {
// Start activates the TLS module.
func (t *TLS) Start() error {
+ // warn if on-demand TLS is enabled but no restrictions are in place
+ if t.Automation.OnDemand == nil ||
+ (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+ for _, ap := range t.Automation.Policies {
+ if ap.OnDemand {
+ t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
+ zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
+ break
+ }
+ }
+ }
+
// now that we are running, and all manual certificates have
// been loaded, time to load the automated/managed certificates
err := t.Manage(t.automateNames)
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-03 18:06:00 +0000