summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-02-19httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)Francis Lavoie
2022-02-17caddyconfig: Support placeholders in HTTP loaderMatthew Holt
2022-02-17caddytls: Support external certificate Managers (like Tailscale) (#4541)Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-02-15admin: Write proper status on invalid requests (#4569) (fix #4561)Alok Naushad
2022-02-15admin: Enforce and refactor origin checkingMatthew Holt
Using URLs seems a little cleaner and more correct cf: https://caddy.community/t/protect-admin-endpoint/15114 (This used to work. Something must have changed recently.)
2022-02-06templates: Elaborate on what's supported by the markdown function (#4564)Francis Lavoie
2022-02-01reverseproxy: Avoid returning a `nil` error during GetClientCertificate (#4550)Francis Lavoie
2022-02-01go.mod: Upgrade dependenciesMatthew Holt
Including crucial CertMagic upgrade
2022-01-30Interrim upgrade CertMagicMatthew Holt
For auto-replace certificate on revocation for on-demand mode, until a proper release is made.
2022-01-25Merge pull request #4545 from hairyhenderson/metrics-restrict-http-methodsDave Henderson
metrics: Enforce smaller set of method labels
2022-01-25move common metrics-related funcs to internal packageDave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-01-25Update modules/caddyhttp/metrics_test.goFrancis Lavoie
2022-01-25other is not uppercaseDave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-01-25metrics: Enforce smaller set of method labelsDave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-01-24caddyhttp: Fix test when /tmp/etc already exists (#4544)Kevin Daudt
The TestFileListing test in tplcontext_test has one test that verifies if directory traversal is not happening. The context root is set to '/tmp' and then it tries to open '../../../../../etc', which gets normalized to '/tmp/etc'. The test then expects an error to be returned, assuming that '/tmp/etc' does not exist on the system. When it does exist, it results in a test failure: ``` --- FAIL: TestFileListing (0.00s) tplcontext_test.go:422: Test 4: Expected error but had none FAIL FAIL github.com/caddyserver/caddy/v2/modules/caddyhttp/templates 0.042s ``` Instead of using '/tmp' as root, use a dedicated directory created with `os.MkdirTemp()` instead. That way, we know that the directory is empty.
2022-01-19caddyhttp: Reject absurd methods (#4538)Matt Holt
* caddyhttp: Reject absurdly long methods * Limit method to 32 chars and truncate * Just reject the request and debug-log it * Log remote address
2022-01-19Improve the reverse-proxy CLI --to flag help message (#4535)Vojtech Vitek
2022-01-19More explanatory error message from Listen (#4534)Forest Johnson
* explain cryptic unix socket listener error related to process kill https://github.com/caddyserver/caddy/pull/4533 * less ambiguous wording: clean up -> delete * shorten error message explanation * link back to pull request in comment for later archeaology
2022-01-18caddytls: Add internal Caddyfile `lifetime`, `sign_with_root` opts (#4513)Francis Lavoie
2022-01-18httpcaddyfile: Add pki app `root` and `intermediate` cert/key config (#4514)Francis Lavoie
2022-01-18rewrite: Add `method` Caddyfile directive (#4528)Francis Lavoie
2022-01-18caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)Francis Lavoie
2022-01-18httpcaddyfile: Add `default_bind` global option (#4531)Francis Lavoie
2022-01-18httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)Francis Lavoie
The `net.JoinHostPort()` function has some naiive logic for handling IPv6, it just checks if the host part has a `:` and if so it wraps the host part with `[ ]` but this causes our network type prefix to get wrapped as well, which is invalid for `caddy.NetworkAddress`. Instead, we can just concatenate the host and port manually here to avoid this side-effect.
2022-01-16cmd: Print error if fmt overwrite fails (fix #4524)Matthew Holt
2022-01-13rewrite: Fix a double-encode issue when using the `{uri}` placeholder (#4516)Francis Lavoie
2022-01-13caddytls: Fix `MatchRemoteIP` provisoning with multiple CIDR ranges (#4522)GallopingKylin
2022-01-12caddyhttp: Return HTTP 421 for mismatched Host header (#4023)rayjlinden
Potential fix for #4017 although the consensus is unclear. Made change to return status code 421 instead of 403 when StrictSNIHost matching is on.
2022-01-10Fix lint warningsMatthew Holt
2022-01-10core: Simplify shared listeners, fix deadline bugMatthew Holt
When this listener code was first written, UsagePool didn't exist. We can simplify much of the wrapped listener logic by utilizing UsagePool. This also fixes a bug where new servers were able to clear deadlines set by old servers, even if the old server didn't get booted out of its Accept() call yet. And with the deadline cleared, they never would. (Sometimes. Based on reports and difficulty of reproducing the bug, this behavior was extremely rare.) I don't know why that happened exactly, maybe some polling mechanism in the kernel and if the timings worked out just wrong it would expose the bug. Anyway, now we ensure that only the closer that set the deadline is the same one that clears it, ensuring that old servers always return out of Accept(), because the deadline doesn't get cleared until they do. Of course, all this hinges on the hope that my suspicions in the middle of the night are correct and that kernels work the way I think they do in my head. Also minor enhancement to UsagePool where if a value errors upon construction (a very real possibility with listeners), it is removed from the pool. Not 100% sure the sync logic is correct there, or maybe we don't have to even put it in the pool until after construction, but it's subtle either way and I think this is safe... right?
2022-01-07caddypki: Return error if no PEM data foundMatthew Holt
Best guess for https://caddy.community/t/on-fly-certificate-generation-based-on-sni/14639/4
2022-01-05httpcaddyfile: Support configuring `pki` app names via global options (#4450)Francis Lavoie
2022-01-05caddyhttp: Redirect HTTP requests on the HTTPS port to https:// (#4313)Francis Lavoie
* caddyhttp: Redirect HTTP requests on the HTTPS port to https:// * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-01-05admin: Require identity for remote (fix #4478)Matthew Holt
2022-01-05templates: Document .OriginalReqMatthew Holt
Close caddyserver/website#91
2022-01-04admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#4482)Денис Телюх
2022-01-04logging: Support turning off roll compression via Caddyfile (#4505)Francis Lavoie
2022-01-04headers: Fix `+` in Caddyfile to properly append rather than set (#4506)Francis Lavoie
2021-12-30caddyhttp: Fix `MatchPath` sanitizing (#4499)Francis Lavoie
This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542 Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
2021-12-17reverseproxy: Fix incorrect `health_headers` Caddyfile parsing (#4485)Francis Lavoie
Fixes #4481
2021-12-15caddyhttp: Implement http.request.uuid placeholder (#4285)Rainer Borene
2021-12-13caddypki: Minor tweak, don't use context pointerMatthew Holt
2021-12-13caddyhttp: Enhance vars matcher (#4433)Matt Holt
* caddyhttp: Enhance vars matcher Enable "or" logic for multiple values. Fall back to checking placeholders if not a var name. * Fix tests (thanks @mohammed90 !)
2021-12-13pki: Avoid provisioning the `local` CA when not necessary (#4463)Francis Lavoie
* pki: Avoid provisioning the `local` CA when not necessary * pki: Refactor CA loading to keep the logic in the PKI app
2021-12-13httpcaddyfile: Fix sorting edgecase for nested `handle_path` (#4477)Francis Lavoie
2021-12-11fileserver: do not double-escape paths (#4447)Mohammed Al Sahaf
2021-12-10go.mod: Update smallstep/certificates, no longer need replace (#4475)Francis Lavoie
2021-12-09go.mod: Update smallstep/truststore, fix build on FreeBSD (#4473)Francis Lavoie
2021-12-07caddyfile: impove fmt warning message (#4444)Runzhi He
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2021-12-05docs: use backticks to not italicise glob path (#4460)Adam Burgess