| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Potential fix for #4017 although the consensus is unclear.
Made change to return status code 421 instead of 403 when StrictSNIHost matching is on.
|
|
|
|
When this listener code was first written, UsagePool didn't exist. We
can simplify much of the wrapped listener logic by utilizing UsagePool.
This also fixes a bug where new servers were able to clear deadlines
set by old servers, even if the old server didn't get booted out of its
Accept() call yet. And with the deadline cleared, they never would.
(Sometimes. Based on reports and difficulty of reproducing the bug,
this behavior was extremely rare.) I don't know why that happened
exactly, maybe some polling mechanism in the kernel and if the timings
worked out just wrong it would expose the bug.
Anyway, now we ensure that only the closer that set the deadline is the
same one that clears it, ensuring that old servers always return out of
Accept(), because the deadline doesn't get cleared until they do.
Of course, all this hinges on the hope that my suspicions in the middle
of the night are correct and that kernels work the way I think they do
in my head.
Also minor enhancement to UsagePool where if a value errors upon
construction (a very real possibility with listeners), it is removed from
the pool. Not 100% sure the sync logic is correct there, or maybe we
don't have to even put it in the pool until after construction, but it's
subtle either way and I think this is safe... right?
|
|
Best guess for https://caddy.community/t/on-fly-certificate-generation-based-on-sni/14639/4
|
|
|
|
* caddyhttp: Redirect HTTP requests on the HTTPS port to https://
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
|
|
Close caddyserver/website#91
|
|
|
|
|
|
|
|
This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542
Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
|
|
Fixes #4481
|
|
|
|
|
|
* caddyhttp: Enhance vars matcher
Enable "or" logic for multiple values.
Fall back to checking placeholders if not a var name.
* Fix tests (thanks @mohammed90 !)
|
|
* pki: Avoid provisioning the `local` CA when not necessary
* pki: Refactor CA loading to keep the logic in the PKI app
|
|
|
|
|
|
|
|
|
|
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
|
|
|
|
* logging: add support for hashing data
* Update modules/logging/filters.go
Co-authored-by: wiese <wiese@users.noreply.github.com>
* Update modules/logging/filters.go
Co-authored-by: wiese <wiese@users.noreply.github.com>
Co-authored-by: wiese <wiese@users.noreply.github.com>
|
|
|
|
* fastcgi: Fix a TODO, prevent zap using reflection for logging env
* Update modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
* reverseproxy: Adjust defaults, document defaults
Related to some of the issues in https://github.com/caddyserver/caddy/issues/4245, a complaint about the proxy transport defaults not being properly documented in https://caddy.community/t/default-values-for-directives/14254/6.
- Dug into the stdlib to find the actual defaults for some of the timeouts and buffer limits, documenting them in godoc so the JSON docs get them next release.
- Moved the keep-alive and dial-timeout defaults from `reverseproxy.go` to `httptransport.go`. It doesn't make sense to set defaults in the proxy, because then any time the transport is configured with non-defaults, the keep-alive and dial-timeout defaults are lost!
- Sped up the dial timeout from 10s to 3s, in practice it rarely makes sense to wait a whole 10s for dialing. A shorter timeout helps a lot with the load balancer retries, so using something lower helps with user experience.
* reverseproxy: Make keepalive interval configurable via Caddyfile
* fastcgi: DialTimeout default for fastcgi transport too
|
|
|
|
* feat(logging): add a filter for cookies
* Improve godoc and add validation
|
|
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
|
|
(#4410)
|
|
|
|
Fixes #4428
It's best to still log handler errors at debug level so that they're hidden by default, but still accessible if additional details are necessary.
|
|
Work around for common misconfiguration
|
|
|
|
|
|
This makes it easier for users to find the default browse template if they
want to create a custom template based on that. It also makes it easier to
view the template with proper syntax highlighting.
|
|
|
|
|
|
* caddycmd: Add `--skip-cleanup` to upgrade commands
This is a partial fix for https://github.com/caddyserver/caddy/issues/4057, making it possible to retain the old build of Caddy, in case something went wrong.
* caddycmd: Fix duplicate error message
The error message "download succeeded, but unable to execute" was repeated, because it was both in the `listModules`/`showVersion` functions and in the calling `upgradeBuild` function. Oversight when this was refactored.
* caddycmd: Implement fix for performing cleanup on Windows
Without this, the cleanup operation would fail with an error message like this:
upgrade: download succeeded, but unable to clean up backup binary: remove C:\caddy\caddy.exe.tmp: Access is denied.
* caddycmd: Rename to `--keep-backup`, simplify build constraints
|
|
See discussion on 42b7134ffa3bf3e9e86514c82407979c2627a5ab
|
|
|
|
* caddyhttp: Sanitize scheme and host on incoming requests
* reverseproxy: Sanitize the URL scheme and host before proxying
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
* test: replicated empty tls automation policy issue
* fix: empty tls policy for an http:// endpoint running on a non-standard http port
|
