Age  Commit message  [Author]
2020-11-12  caddytls: Support ACME alt cert chain preferences  [Matthew Holt]
2020-11-12  Update contact info  [Matthew Holt]
2020-11-04  httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)  [Gaurav Dhameeja]
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-11-04  ci: remove the continuous fuzzing job (#3845)  [Mohammed Al Sahaf]
Between Github Actions deprecating a command we use[0] and Fuzzit planning to deprecate their standalone service after being acquired by Gitlab[1][2], there are no reasons to keep this job.
[0] https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
[1] https://about.gitlab.com/press/releases/2020-06-11-gitlab-acquires-peach-tech-and-fuzzit-to-expand-devsecops-offering.html
[2] https://fuzzit.dev/2020/06/11/news-fuzzit-is-acquired-by-gitlab/
2020-11-02  caddyhttp: Merge query matchers in Caddyfile (#3839)  [Francis Lavoie]
Also, turns out that `Add` on headers will work even if there's nothing there yet, so we can remove the condition I introduced in #3832
2020-11-02  logging: Fix for IP filtering  [Christoph Kluge]
2020-11-02  fastcgi: Add timeouts support to Caddyfile adapter (#3842)  [Francis Lavoie]
* fastcgi: Add timeouts support to Caddyfile adapter
* fastcgi: Use tabs instead of spaces
2020-11-02  reverseproxy: Wire up some http transport options in Caddyfile (#3843)  [Francis Lavoie]
2020-11-02  fileserver: Improve and clarify file hiding logic (#3844)  [Matt Holt]
* fileserver: Improve and clarify file hiding logic
* Oops, forgot to run integration tests
* Make this one integration test OS-agnostic
* See if this appeases the Windows gods
* D'oh
2020-10-31  caddyauth: Prevent user enumeration by timing  [Matthew Holt]
Always follow the code path of hashing and comparing a plaintext password even if the account is not found by the given username; this ensures that similar CPU cycles are spent for both valid and invalid usernames. Thanks to @tylerlm for helping and looking into this!
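The technique described in that commit message, shown as an added example written for this page rather than Caddy's caddyauth code: the vulnerable variant returns as soon as the username lookup fails, so an unknown user answers measurably faster than a wrong password; the hardened variant substitutes a dummy account and still runs the full hash-and-compare. The account layout, the user database, the dummy password and `slowHash` (iterated SHA-256, used only because it is in the standard library and costs enough CPU to make the timing gap visible; it is not a recommended password hash, Caddy uses bcrypt/scrypt) are all assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Account is a constructed user record: a per-user salt and the salted hash
// of the password. Field names are assumptions for this example.
type Account struct {
	Salt []byte
	Hash []byte
}

// slowHash stands in for a real password KDF. Iterated SHA-256 is NOT a
// recommended password hash; it is used here only because it is in the
// standard library and is slow enough to make the timing difference visible.
func slowHash(salt, password []byte) []byte {
	buf := append(append([]byte{}, salt...), password...)
	sum := sha256.Sum256(buf)
	for i := 0; i < 50000; i++ {
		sum = sha256.Sum256(sum[:])
	}
	return sum[:]
}

// NewAccount builds an Account from a salt and a plaintext password.
func NewAccount(salt, password string) Account {
	return Account{Salt: []byte(salt), Hash: slowHash([]byte(salt), []byte(password))}
}

// SampleAccounts is the constructed user database used below.
func SampleAccounts() map[string]Account {
	return map[string]Account{
		"alice": NewAccount("salt-alice", "correct horse battery staple"),
	}
}

// dummyAccount is hashed once at start-up and is used to burn the same CPU
// when the username does not exist. Its result is masked by ok below, so a
// guess can never authenticate against it.
var dummyAccount = NewAccount("dummy-salt", "unguessable-dummy-password")

// AuthenticateVulnerable returns early on an unknown user: an attacker who
// times responses can tell valid usernames (slow) from invalid ones (fast).
func AuthenticateVulnerable(db map[string]Account, user, password string) bool {
	acct, ok := db[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(slowHash(acct.Salt, []byte(password)), acct.Hash) == 1
}

// AuthenticateHardened always hashes and compares, substituting the dummy
// account when the user is unknown, so both paths spend similar CPU.
func AuthenticateHardened(db map[string]Account, user, password string) bool {
	acct, ok := db[user]
	if !ok {
		acct = dummyAccount
	}
	match := subtle.ConstantTimeCompare(slowHash(acct.Salt, []byte(password)), acct.Hash) == 1
	return ok && match
}

// timeIt returns fn's result and how long it took; used only by main.
func timeIt(fn func() bool) (bool, time.Duration) {
	start := time.Now()
	res := fn()
	return res, time.Since(start)
}

func main() {
	db := SampleAccounts()
	variants := []struct {
		name string
		fn   func(map[string]Account, string, string) bool
	}{{"vulnerable", AuthenticateVulnerable}, {"hardened", AuthenticateHardened}}
	for _, v := range variants {
		_, known := timeIt(func() bool { return v.fn(db, "alice", "wrong password") })
		_, unknown := timeIt(func() bool { return v.fn(db, "mallory", "wrong password") })
		fmt.Printf("%-10s known user: %v  unknown user: %v\n", v.name, known, unknown)
	}
}
```

Running `main` prints the two timings per variant; the vulnerable one answers the unknown user in microseconds while the hardened one takes roughly as long as a real password check. Masking with `ok` rather than returning early inside the `!ok` branch is what keeps the expensive work on both paths.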
2020-10-31  caddyhttp: Merge header matchers in Caddyfile (#3832)  [Francis Lavoie]
2020-10-30  reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829)  [Francis Lavoie]
2020-10-29  reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819)  [Jason McCallister]
* check if the host is a placeholder
* Update modules/caddyhttp/reverseproxy/caddyfile.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-10-28  httpcaddyfile: Revise automation policy generation (#3824)  [Matt Holt]
* httpcaddyfile: Revise automation policy generation
  This should fix a frustrating edge case where wildcard subjects are used, which potentially get shadowed by more specific versions of themselves; see the new tests for an example. This change is motivated by an actual customer requirement. Although all the tests pass, this logic is incredibly complex and nuanced, and I'm worried it is not correct. But it took me about 4 days to get this far on a solution. I did my best.
* Fix typo
2020-10-22  go.mod: Update CertMagic  [Matthew Holt]
2020-10-22  httpcaddyfile: Improve AP logic with OnDemand  [Matthew Holt]
We have users that have site blocks like *.*.tld with on-demand TLS enabled. While *.*.tld does not qualify for a publicly-trusted cert due to its wildcards, On-Demand TLS does not actually obtain a cert with those wildcards, since it uses the actual hostname on the handshake. This improves on that logic, but I am still not 100% satisfied with the result since I think we need to also check if another site block is more specific, like foo.example.tld, which might not have on-demand TLS enabled, and make sure an automation policy gets created before the more general policy with on-demand...
2020-10-19  readme: Add zerossl  [Matthew Holt]
2020-10-13  caddyhttp: Restore original request params before error handlers (#3781)  [Matt Holt]
* caddyhttp: Restore original request params before error handlers
  Fixes #3717
* Add comment
2020-10-13  reverseproxy: Fix dial placeholders, SRV, active health checks (#3780)  [Matt Holt]
* reverseproxy: Fix dial placeholders, SRV, active health checks
  Supersedes #3776
  Partially reverts or updates #3756, #3693, and #3695
* reverseproxy: add integration tests
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2020-10-09  readme: Add link to website for download instructions (#3785)  [AJ ONeal]
* add Webi as install method
* link to install page
2020-10-02  map: Bug fixes; null literal with hyphen in Caddyfile  [Matthew Holt]
2020-10-02  map: Apply default if mapped output is nil  [Matthew Holt]
2020-10-02  map: Reimplement; multiple outputs; optimize  [Matthew Holt]
2020-10-01  Update SECURITY.md  [Matt Holt]
2020-10-01  reverseproxy: allow no port for SRV; fix regression in d55d50b (#3756)  [Mohammed Al Sahaf]
* reverseproxy: fix breakage in handling SRV lookup introduced by 3695
* reverseproxy: validate against incompatible config options with lookup_srv
* reverseproxy: add integration test cases for validations involving lookup_srv
* reverseproxy: clarify the reason for skipping an iteration
* grammar.. Oxford comma
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Fixes #3753
2020-10-01  reverseproxy: Change 500 error to 502 for lookup_srv config (#3771)  [Aleksei]
Fixes #3763
2020-10-01  reverseproxy: default to port 80 for upstreams in Caddyfile (#3772)  [Mohammed Al Sahaf]
* reverseproxy: default to port 80 for port-less upstream dial addresses
* reverseproxy: replace integration test with an adapter test
Fixes #3761
2020-10-01  reverseproxy: Ignore RFC 1521 params in Content-Type header (#3758)  [Christian Flach]
Without this change, a Content-Type header like "text/event-stream;charset=utf-8" would not trigger the immediate flushing. Fixes #3765
2020-10-01  metrics: fix handler to not run the next route (#3769)  [Dave Henderson]
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-25  admin: lower log level to Debug for /metrics requests (#3749)  [Dave Henderson]
* admin: lower log level to Debug for /metrics requests
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-09-25  caddyfile: Add support for `vars` and `vars_regexp` matchers (#3730)  [Mohammed Al Sahaf]
* caddyfile: support vars and vars_regexp matchers in the caddyfile
* caddyfile: matchers: Brian Kernighan said printf is good debugging tool but didn't say keep them around
2020-09-22  metrics: Always track method label in uppercase (#3742)  [Dave Henderson]
* metrics: Always track method label in uppercase
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Just use strings.ToUpper for clarity
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-22  httpcaddyfile: Fix panic when parsing route with matchers (#3746)  [Francis Lavoie]
Fixes #3745
2020-09-21  httpcaddyfile: Disallow args on route/handle directive family (#3740)  [Francis Lavoie]
2020-09-21  metrics: Fix panic when headers aren't written (#3737)  [Dave Henderson]
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-17  metrics: Fix hidden panic while observing with bad exemplars (#3733)  [Dave Henderson]
* metrics: Fixing panic while observing with bad exemplars
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Minor cleanup
  The server is already added to the context. So, we can simply use that to get the server name, which is a field on the server.
* Add integration test for auto HTTP->HTTPS redirects
  A test like this would have caught the problem in the first place
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-09-17  caddyhttp: Remove server name from metrics  [Matthew Holt]
For some reason this breaks automatic HTTP->HTTPS redirects. I am not sure why yet, but as a hotfix remove this until we understand it better.
2020-09-17  go.mod: Upgrade dependencies  [Matthew Holt]
2020-09-17  metrics: Initial integration of Prometheus metrics (#3709)  [Dave Henderson]
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-17  reverseproxy: Correct alternate port for active health checks (#3693)  [Mohammed Al Sahaf]
* reverseproxy: construct active health-check transport from scratch (Fixes #3691)
* reverseproxy: do upstream health-check on the correct alternative port
* reverseproxy: add integration test for health-check on alternative port
* reverseproxy: put back the custom transport for health-check http client
* reverseproxy: cleanup health-check integration test
* reverseproxy: fix health-check of unix socket upstreams
* reverseproxy: skip unix socket tests on Windows
* tabs > spaces
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* make the linter (and @francislavoie) happy
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* One more lint fix
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-09-16  httpcaddyfile: Ensure handle_path is sorted equally to handle (#3676)  [Francis Lavoie]
* httpcaddyfile: Ensure handle_path is sorted as equal to handle
* httpcaddyfile: Make mutual exclusivity grouping deterministic (I hope)
* httpcaddyfile: Add comment linking to the issue being fixed
* httpcaddyfile: Typo fix, comment clarity
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Update caddyconfig/httpcaddyfile/httptype.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-09-16  reverseproxy: Enforce port range size of 1 at provision (#3695)  [Mohammed Al Sahaf]
* reverse_proxy: ensure upstream address has port range of only 1
* reverse_proxy: don't log the error if upstream range size is more than 1
2020-09-16  fileserver: Fix try_files for directories; windows fix (#3684)  [Francis Lavoie]
* fileserver: Fix try_files for directories, windows fix
* fileserver: Add new file type placeholder, refactoring, tests
* fileserver: Review cleanup
* fileserver: Flip the return args order
2020-09-16  caddyhttp: New placeholder for PEM of client certificate (#3662)  [Gaurav Dhameeja]
* Fix-3585: added placeholder for a PEM encoded value of the certificate
* Update modules/caddyhttp/replacer.go
  Change type of block and empty headers removed
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* fixed tests
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-09-15  logging: Implement Caddyfile support for filter encoder (#3578)  [Francis Lavoie]
* logging: Implement Caddyfile support for filter encoder
* logging: Add support for parsing IP masks from strings wip
* logging: Implement Caddyfile support for ip_mask
* logging: Get rid of unnecessary logic to allow strings, not that useful
* logging: Add adapt test
2020-09-14  cmd: Allow `caddy fmt` to read from stdin (#3680)  [Matthew Penner]
* Allow 'caddy fmt' to read from stdin
* fmt: use '-' as the file name for reading from stdin
* Minor adjustments
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-09-11  httpcaddyfile: Properly record whether we added catch-all conn policy  [Matthew Holt]
We recently introduced `if !cp.SettingsEmpty()` which conditionally adds the connection policy to the list. If the condition evaluates to false, the policy wouldn't actually be added, even if hasCatchAllTLSConnPolicy was set to true on the previous line. Now we set that variable in accordance with whether we actually add the policy. While debugging this I noticed that catch-all policies added early in that loop (i.e. not at the end if we later determine we need one) are not always at the end of the list. They should be, though, since they are selected by which one matches first, and having a catch-all first would nullify any more specific ones later in the list. So I added a sort in consolidateConnPolicies to take care of that. Should fix #3670 and https://caddy.community/t/combining-on-demand-tls-with-custom-ssl-certs-doesnt-seem-to-work-in-2-1-1/9719 but I won't know for sure until somebody verifies it, since at least in the GitHub issue there is not yet enough information (the configs are redacted).
2020-09-11  fileserver: Fix new file hide tests on Windows (#3719)  [Matt Holt]
2020-09-11  fileserver: Improve file hiding logic for directories and prefixes  [Matthew Holt]
Now, a filename to hide that is specified without a path separator will count as hidden if it appears in any component of the file path (not only the last component); semantically, this means hiding a file by only its name (without any part of a path) will hide both files and folders, e.g. hiding ".git" will hide "/.git" and also "/.git/foo". We also do prefix matching so that hiding "/.git" will hide "/.git" and "/.git/foo" but not "/.gitignore". The remaining logic is a globular match like before.
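The three matching rules described in that commit message, carried through as an added example written for this page (it is not Caddy's file_server code and may differ from it in detail): a bare name matches any path component, an entry containing a separator is a prefix match on whole components, and anything else falls through to a glob match. The function assumes forward-slash request paths rooted at the site root and normalises them first, so a traversal such as `/public/../.git/HEAD` is judged as `/.git/HEAD`; the hide list and paths in `main` are constructed inputs.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// IsHidden reports whether filePath should be treated as hidden under the
// rules in the commit message above. This is an illustration written for this
// page, not Caddy's implementation. It assumes slash-separated paths rooted at
// the site root and applies the rules in this order:
//
//  1. an entry with no path separator matches any single path component
//     (".git" hides "/.git", "/.git/foo" and "/src/.git/config");
//  2. an entry containing a separator is a prefix match on whole components
//     ("/.git" hides "/.git" and "/.git/foo" but not "/.gitignore");
//  3. otherwise the entry is matched as a glob against the whole path.
func IsHidden(hideList []string, filePath string) bool {
	// Clean resolves "..", duplicate slashes and a missing leading slash, so
	// a path that traverses back into a hidden directory is still caught.
	filePath = path.Clean("/" + filePath)
	components := strings.Split(strings.TrimPrefix(filePath, "/"), "/")

	for _, entry := range hideList {
		if !strings.Contains(entry, "/") {
			// Rule 1: bare name, compare against every component.
			for _, c := range components {
				if c == entry {
					return true
				}
			}
			continue
		}
		// Entries with a separator are treated as rooted at the site root
		// (an assumption of this example).
		prefix := path.Clean("/" + strings.TrimPrefix(entry, "/"))
		// Rule 2: exact match, or prefix ending on a component boundary.
		if filePath == prefix || strings.HasPrefix(filePath, prefix+"/") {
			return true
		}
		// Rule 3: glob match on the full path; a malformed pattern just
		// fails to match rather than hiding everything.
		if ok, _ := path.Match(entry, filePath); ok {
			return true
		}
	}
	return false
}

func main() {
	hide := []string{".git", "/.htpasswd", "/*.bak"}
	for _, p := range []string{
		"/.git/HEAD", "/src/.git/config", "/.gitignore",
		"/.htpasswd", "/.htpasswd.old",
		"/notes.bak", "/sub/notes.bak",
		"/public/../.git/HEAD", "/index.html",
	} {
		fmt.Printf("%-24s hidden=%v\n", p, IsHidden(hide, p))
	}
}
```

The prefix check uses `prefix+"/"` rather than a raw string prefix so that `/.git` does not accidentally cover `/.gitignore`, which is exactly the distinction the commit message draws; the bare-name rule is an exact component comparison, so hiding `.git` does not hide a `.git-backup` directory either.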
2020-09-09  caddytls: Fix resolvers option of acme issuer (Caddyfile)  [Matthew Holt]
Reported in: https://caddy.community/t/dns-challenge-with-namecheap-and-split-horizon-dns/9611/17?u=matt