diff options
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddyhttp/autohttps.go | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/modules/caddyhttp/autohttps.go b/modules/caddyhttp/autohttps.go index ad0a716..f62543b 100644 --- a/modules/caddyhttp/autohttps.go +++ b/modules/caddyhttp/autohttps.go @@ -152,12 +152,12 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er } // nothing more to do here if there are no domains that qualify for - // automatic HTTPS or there are no explicit TLS connection policies; - // if there is at least one domain but no TLS conn policy, we'll add - // one below; if there is a TLS conn policy (meaning TLS is enabled) - // and no domains, it could be a catch-all with on-demand TLS, and - // in that case we would still need HTTP->HTTPS redirects, which we - // do below + // automatic HTTPS and there are no explicit TLS connection policies: + // if there is at least one domain but no TLS conn policy (F&&T), we'll + // add one below; if there are no domains but at least one TLS conn + // policy (meaning TLS is enabled) (T&&F), it could be a catch-all with + // on-demand TLS -- and in that case we would still need HTTP->HTTPS + // redirects, which we set up below; hence these two conditions if len(serverDomainSet) == 0 && len(srv.TLSConnPolicies) == 0 { continue } @@ -345,6 +345,13 @@ uniqueDomainsLoop: // not entirely clear what the redirect destination should be, // so I'm going to just hard-code the app's HTTPS port and call // it good for now... + // TODO: This implies that all plaintext requests will be blindly + // redirected to their HTTPS equivalent, even if this server + // doesn't handle that hostname at all; I don't think this is a + // bad thing, and it also obscures the actual hostnames that this + // server is configured to match on, which may be desirable, but + // it's not something that should be relied on. We can change this + // if we want to. appendCatchAll := func(routes []Route) []Route { redirTo := "https://{http.request.host}" if app.httpsPort() != DefaultHTTPSPort { |