summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2021-03-19fileserver: Browse listing supports dark mode (#4066)rai
* Add dark color scheme media query * Theme search box, make everything less contrasting * Further contrast tweaks
2021-03-19CONTRIBUTING: fix spelling (#4070)Simão Gomes Viana
Minor spelling fixes to make this document even better
2021-03-12httpcaddyfile: Add `error` directive for the existing handler (#4034)Francis Lavoie
* httpcaddyfile: Add `error` directive for the existing handler * httpcaddyfile: Move `error` to the end of the order
2021-03-12logging: add replace filter for static value replacement (#4029)Aaron Taylor
This filter is intended to be useful in scenarios where you may want to redact a value with a static string, giving you information that the field did previously exist and was present, but not revealing the value itself in the logs. This was inspired by work on adding more complete support for removing sensitive values from logs [1]. An example use case would be the Authorization header in request log output, for which the value should usually not be logged, but it may be quite useful for debugging to confirm that the header was present in the request. [1] https://github.com/caddyserver/caddy/issues/3958
2021-03-12caddyconfig: add global option for configuring loggers (#4028)Aaron Taylor
This change is aimed at enhancing the logging module within the Caddyfile directive to allow users to configure logs other than the HTTP access log stream, which is the current capability of the Caddyfile [1]. The intent here is to leverage the same syntax as the server log directive at a global level, so that similar customizations can be added without needing to resort to a JSON-based configuration. Discussion for this approach happened in the referenced issue. Closes https://github.com/caddyserver/caddy/issues/3958 [1] https://caddyserver.com/docs/caddyfile/directives/log
2021-03-10map: Accept regex substitution in outputs (#3991)Rajat Jain
* Replace placeholders with regex groups * using Matcher methods * test added * linting fix * Revert "linting fix" This reverts commit cafd7296f43639bbcd2601bea79a47f60763a200. * Revert "test added" This reverts commit 3a76cc7b0bc5dcef15ca5c8ec22efcd4067d484c. * Revert "using Matcher methods" This reverts commit cc34337b8ebb61d40ec343cee0fc225a694d3db6. * tests added
2021-03-03reverseproxy: Fix upstreams with placeholders with no port (#4046)Francis Lavoie
2021-03-01rewrite: Implement regex path replacementsMatthew Holt
https://caddy.community/t/collapsing-multiple-forward-slashes-in-path-only/11626
2021-03-01fileserver: Don't replace in request paths (fix #4027)Matthew Holt
2021-02-26caddypki: Add SignWithRoot option for ACME serverMatthew Holt
See https://caddy.community/t/setting-up-a-caddy-pki-based-on-a-windows- root-ca-was-getting-pki-config/11616/7 Also improved a godoc comment in the caddytls package.
2021-02-25reverseproxy: Fix round robin data race (#4038)Matthew Holt
2021-02-24Update docs; commit setcap.shMatthew Holt
2021-02-24go.mod: Latest CertMagic (updated libdns conventions)Matthew Holt
2021-02-23core: Initialize logging before adminMatthew Holt
We'll see how this goes. https://caddy.community/t/calling-the-admin-api-from-within-a-route-route-causes-a-deadlock/11319
2021-02-22caddytls: Remove old asset migration code (close #3894)Matthew Holt
2021-02-22reverseproxy: Add duration/latency placeholders (close #4012) (#4013)Matt Holt
* reverseproxy: Add duration/latency placeholders (close #4012) (and #2268) Adds 4 placeholders, one is actually outside reverse proxy though: {http.request.duration} is how long since the server decoded the HTTP request (headers). {http.reverse_proxy.upstream.latency} is how long it took a proxy upstream to write the response header. {http.reverse_proxy.upstream.duration} is total time proxying to the upstream, including writing response body to client. {http.reverse_proxy.duration} is total time spent proxying, including selecting an upstream and retries. Obviously, most of these are only useful at the end of a request, like when writing response headers or logs. See also: https://caddy.community/t/any-equivalent-of-request-time-and-upstream-header-time-from-nginx/11418 * Add new placeholders to documentation
2021-02-22httpcaddyfile: Fix catch-all site block sortingMatthew Holt
A site block that has a catch-all and the shortest address is now sorted better. https://caddy.community/t/caddy-suddenly-directs-my-site-to-the-wrong-directive/11597/2
2021-02-18ci: Build and test on Go 1.16, bump minimum to 1.15 (#4024)Francis Lavoie
* ci: Build and test on Go 1.16 * ci: Drop Go 1.14 support
2021-02-16caddy: Support SetReadBuffer and SyscallConn for QUIC (fix #3998)Matthew Holt
Supersedes #3999
2021-02-16Improve security warningsMatthew Holt
2021-02-15httpcaddyfile: Configure other apps from global options (#3990)Francis Lavoie
2021-02-15cmd: Clean up `build-info` and `upgrade` outputMatthew Holt
2021-02-11caddyhttp: Support placeholders in header matcher values (close #3916)Matthew Holt
2021-02-10caddytls: Save email with account if not already specifiedMatthew Holt
I'm pretty sure this fixes a bug when the default email is used...
2021-02-09reverseproxy: Response buffering & configurable buffer sizeMatthew Holt
Proxy response bodies can now be buffered, and the size of the request body and response body buffer can be limited. Any remaining content that doesn't fit in the buffer will remain on the wire until it can be read; i.e. bodies are not truncated, even if the buffer is not big enough. This fulfills a customer requirement. This was made possible by their sponsorship!
2021-02-08httpcaddyfile: Fix automation policiesMatthew Holt
Fixes a bug introduced in #3862
2021-02-05ci: deflake integration tests (#3966)Mohammed Al Sahaf
* ci: deflake integration tests by pulling Caddy for the running config until new config is loaded
2021-02-02httpcaddyfile: Add resolvers subdir of tls (close #4008)Matthew Holt
Allows conveniently setting the resolvers for the DNS challenge using a TLS subdirective, which applies to default issuers, rather than having to explicitly define the issuers and overwrite the defaults.
2021-02-02acmeserver: Support custom CAs from CaddyfileMatthew Holt
The HTTP Caddyfile adapter can now configure the PKI app, and the acme_server directive can now be used to specify a custom CA used for issuing certificates. More customization options can follow later as needed.
2021-02-02caddyhttp: Check for invalid subdirectives of static_responseMatthew Holt
Ref: https://caddy.community/t/acme-server-implementation/11256/
2021-02-02httpcaddyfile: Fix default issuers when email providedMatthew Holt
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
2021-02-01cmd: Add --force flag to reload command (close #4005)Matthew Holt
Can be useful if user wants to reload manual certificates, for example.
2021-02-01httpcaddyfile: Warn if site address uses unspecified IP (close #4004)Matthew Holt
2021-02-01httpcaddyfile: Sort catch-all site blocks properly (fix #4003)Matthew Holt
2021-01-28ci: update the command to run tests on the s390x machine (#3995)Mohammed Al Sahaf
2021-01-28caddyhttp: Fix redir html status code, improve flow (#3987)Tyler Kropp
* Fix html redir code, improve flow * Fix integer check error and add tests
2021-01-28caddyhttp: Implement handler abort; new 'abort' directive (close #3871) (#3983)Matt Holt
* caddyhttp: Implement handler abort; new 'abort' directive (close #3871) * Move abort directive ordering; clean up redirects Seems logical for the end-all of handlers to go at the... end. The Connection header no longer needs to be set there, since Close is true, and the static_response handler now does that.
2021-01-27admin: Identity management, remote admin, config loaders (#3994)Matt Holt
This commits dds 3 separate, but very related features: 1. Automated server identity management How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it). Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs. This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below). 2. Remote administration over secure connection This feature adds generic remote admin functionality that is safe to expose on a public interface. - The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint. - It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS. - TLS cannot be disabled on this endpoint. - TLS mutual auth is required, and cannot be disabled. - The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded. - The TLS server takes care of verifying the client. - The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\ - Sensible defaults are still WIP. - Config fields subject to change/renaming. 3. Dyanmic config loading at startup Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR. Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense). This PR comes with a standard config loader module called `caddy.config_loaders.http`. Caddyfile config for all of this can probably be added later. COMMITS: * admin: Secure socket for remote management Functional, but still WIP. Optional secure socket for the admin endpoint is designed for remote management, i.e. to be exposed on a public port. It enforces TLS mutual authentication which cannot be disabled. The default port for this is :2021. The server certificate cannot be specified manually, it MUST be obtained from a certificate issuer (i.e. ACME). More polish and sensible defaults are still in development. Also cleaned up and consolidated the code related to quitting the process. * Happy lint * Implement dynamic config loading; HTTP config loader module This allows Caddy to load a dynamic config when it starts. Dynamically-loaded configs are intentionally not persisted to storage. Includes an implementation of the standard config loader, HTTPLoader. Can be used to download configs over HTTP(S). * Refactor and cleanup; prevent recursive config pulls Identity management is now separated from remote administration. There is no need to enable remote administration if all you want is identity management, but you will need to configure identity management if you want remote administration. * Fix lint warnings * Rename identities->identifiers for consistency
2021-01-19caddycmd: Add upgrade command (#3972)Matt Holt
Replaces the current Caddy executable with a new one from the build server. Honors custom builds, as long as plugins are registered on the Caddy website. Requires permissions to replace current executable, of course. This is an experimental command that may get changed or removed later.
2021-01-19Revert "requestbody: Allow overwriting remote address"Matthew Holt
This reverts commit 0bf2046da7f2f5bf1b7d9fa055ae28de9a06ddaf. No actual use case.
2021-01-19caddytest: Update Caddyfile tests for formatting, HTTP-only blocksMatthew Holt
Previous commit improved the Caddyfile adapter so it doesn't unnecessarily add names to "skip" in "auto_https" when the server is already HTTP-only. This commit updates the tests to reflect that change, while also fixing the Caddyfile formatting in many of the tests. We also print the line number of the divergence between input and formatted version in Caddyfile adapt warnings - very useful for finding initial formatting problems.
2021-01-19httpcaddyfile: Skip TLS APs for HTTP-only hosts (fix #3977)Matthew Holt
This is probably an invasive change, but existing tests continue to pass. It seems to make sense this way. There is likely an edge case I haven't considered.
2021-01-16cmd: Print more detailed version with --environMatthew Holt
2021-01-16map: Add missing json struct tagMatthew Holt
2021-01-13tests: use actual admin port value in error message (#3973)Sven Dowideit
Signed-off-by: Sven Dowideit <sven.dowideit@csiro.au>
2021-01-12cmd: Implement sd_notify() to notify systemd about readiness (#3963)Stefan Tatschner
Issue: #3786 Based on Gaurav Dhameeja's work in #3908.
2021-01-11templates: Add fileExists and httpError template actionsMatthew Holt
The httpError function isn't particularly useful until https://github.com/golang/go/issues/34201 is fixed in the Go standard lib.
2021-01-11requestbody: Allow overwriting remote addressMatthew Holt
An experimental feature, let's see if it's useful.
2021-01-11rewrite: Use RawPath instead of Path (fix #3596) (#3918)go-d
Prevent information loss, i.e. the encoded form that was sent by the client, when using URL strip/replace.
2021-01-08Update docsMatthew Holt