summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2020-02-20httpcaddyfile: tls: Load repeated cert files only once, with one tagMatthew Holt
See end of issue #3004. Loading the same certificate file multiple times with different tags will result in it being de-duplicated in the in- memory cache, because of course they all have the same bytes. This meant that any certs of the same filename loaded with different tags would be overwritten by the next certificate of the same filename, and any conn policies looking for the tags of the previous ones would never find them, causing connections to fail. So, now we remember cert filenames and their tags, instead of loading them multiple times and overwriting previous ones. A user crafting their own JSON might make this error too... maybe we won't see it happen. But if it does, one possibility is, when loading a duplicate cert, instead of discarding it completely, merge the tag list into the one that's already stored in the cache, then discard.
2020-02-20httpcaddyfile: Combine repeated cert loaders (fix #3004)Matthew Holt
Also only append 1 catch-all TLS connection policy to a server, even if multiple site blocks contribute to that server.
2020-02-18httpcaddyfile: Properly add all cert loaders across sites (fixes #3056)Matthew Holt
2020-02-18http: Close HTTP/3 servers and listeners; upstream bug irreproducibleMatthew Holt
See https://github.com/lucas-clemente/quic-go/issues/2103 and https://github.com/caddyserver/caddy/pull/2727
2020-02-18tls: Fix panic loading automation management modules (fix #3004)Matthew Holt
When AutomationPolicy was turned into a pointer, we continued passing a double pointer to LoadModule, oops.
2020-02-17basicauth: default hash to bcrypt (#3050)Robin Lambertz
The documentation specifies that the hash algorithm defaults to bcrypt. However, the implementation returns an error in provision if no hash is provided. Fix this inconsistency by *actually* defaulting to bcrypt.
2020-02-17go.mod: update quic-go to v0.14.4 (#3048)Marten Seemann
2020-02-16httpcaddyfile: 'handle_errors' directiveMatthew Holt
Not sure I love the name of the directive; might change it later.
2020-02-16httpcaddyfile: Refactor global options parsing; prevent duplicate keysMatthew Holt
2020-02-16http: Remove redundant test fileMatthew Holt
Forgot to delete this when I moved its test into a different file
2020-02-14tls: Avoid duplication AutomationPolicies for large quantities of namesMatthew Holt
This should greatly reduce memory usage at scale. Part of an overall effort between Caddy 2 and CertMagic to optimize for large numbers of names.
2020-02-14Minor tweaks to docs/commentsMatthew Holt
2020-02-14caddyfile: Refactor; NewFromNextSegment(); fix repeated matchersMatthew Holt
Now multiple instances of the same matcher can be used within a named matcher without overwriting previous ones.
2020-02-12tls: Add acme_ca_root and tls/ca_root to caddyfile (#3040)Mark Sargent
2020-02-08httpcaddyfile: Add support for DNS challenge solversMatthew Holt
Configuration via the Caddyfile requires use of env variables, but an upstream issue is currently blocking that: https://github.com/go-acme/lego/issues/1054 Providers will need to be retrofitted upstream in order to support env var configuration.
2020-02-08browse: allow filter init via `filter` query param (#3027)Jeremy Lin
This allows creating links that display only a subset of files in a directory.
2020-02-08v2: Implement RegExp Vars Matcher (#2997)Mohammed Al Sahaf
* implement regexp var matcher * use subtests pattern for tests * be more consistent with naming: MatchVarRE -> MatchVarsRE, var_regexp -> vars_regexp
2020-02-07tls: Slight adjustment to how DNS provider modules are loadedMatthew Holt
We don't load the provider directly, because the lego provider types aren't designed for JSON configuration and they are not implemented as Caddy modules (there are some setup steps which a Provision call would need to do, but they do not have Provision methods, they have their own constructor functions that we have to wrap). Instead of loading the challenge providers directly, the modules are simple wrappers over the challenge providers, to facilitate the JSON config structure and to provide a consistent experience. This also lets us swap out the underlying challenge providers transparently if needed; it acts as a layer of abstraction.
2020-02-07Fix typo in readmeMatthew Holt
2020-02-07Update readmeMatthew Holt
The list of improvements and FAQ were moved to the wiki for now. They still need to be updated.
2020-02-06Remove Starlark, for nowMatthew Holt
This is temporary as we prepare for a stable v2 release. We don't want to make promises we don't know we can keep, and the Starlark integration deserves much more focused attention which resources and funding do not currently permit. When the project is financially stable, I will be able to revisit this properly and add flexible, robust Starlark scripting support to Caddy 2.
2020-02-06caddyfile: tls: Ensure there is always a catch-all conn policy (#3005)Matthew Holt
If user provides their own certs or makes any hostname-specific TLS connection policy, it means that no TLS connection would be served for any other hostnames, even though you'd expect that TLS is enabled for them, too. So now we append a catch-all conn policy if none exist, which allows all ClientHellos to be matched and served. We also fix the consolidation of automation policies, which previously gobbled up automation policies without hosts in favor of automation policies with hosts. Instead of a host-specific policy eating up an identical catch-all policy, the catch-all policy eats up the identical host-specific policy, ensuring that the policy is applied to all hosts which need it. See also: https://caddy.community/t/v2-automatic-https-certificate-errors/6847/9?u=matt
2020-02-06caddyfile: tls: Tag manual certificates (#2588)Matthew Holt
This ensure that if there are multiple certs that match a particular ServerName or other parameter, then specifically the one the user provided in the Caddyfile will be used.
2020-02-05http: Split 2-phase auto-HTTPS into 3 phasesMatthew Holt
This is necessary to avoid a race for sockets. Both the HTTP servers and CertMagic solvers will try to bind the HTTP/HTTPS ports, but we need to make sure that our HTTP servers bind first. This is kind of a new thing now that management is async in Caddy 2. Also update to CertMagic 0.9.2, which fixes some async use cases at scale.
2020-02-04caddyhttp: Fix orig_uri placeholder docs (#3002)Francis Lavoie
Fixes #3001
2020-02-04httpcaddyfile: Add {remote} shorthand placeholdersMatthew Holt
Also sort the list
2020-02-04httpcaddyfile: Make root directive mutually exclusiveMatthew Holt
See https://caddy.community/t/caddyfile-and-v2/6766/22?u=matt
2020-02-04header: caddyfile: Defer header operations for deletions or manuallyMatthew Holt
See https://caddy.community/t/caddy-server-that-returns-only-ip-address-as-text/6928/6?u=matt In most cases, we will want to apply header operations immediately, rather than waiting until the response is written. The exceptions are generally going to be if we are deleting a header field or if a field is to be overwritten. We now automatically defer header ops if deleting a header field, and allow the user to manually enable deferred mode with the defer subdirective.
2020-02-04cmd: adapt: Make --config flag optional when Caddyfile existsMatthew Holt
2020-02-03v2: only compare TLS protocol versions if both are set (#3005)Mohammed Al Sahaf
2020-01-23httpcaddyfile: Skip hosts from auto-https when http:// scheme (fix #2998)Matthew Holt
2020-01-22cmd: Emit error if reload cannot find a config to loadMatthew Holt
2020-01-22http: Fix vars matcherMatthew Holt
2020-01-22rewrite: Prepend "/" if missing from strip path prefixMatthew Holt
Paths always begin with a slash, and omitting the leading slash could be convenient to avoid confusion with a path matcher in the Caddyfile. I do not think there would be any harm to implicitly add the leading slash.
2020-01-22reverseproxy: Fix casing of RootCAPEMFilesMatthew Holt
2020-01-22reverseproxy: Accept integer values for flush_interval (fix #2996)Matthew Holt
2020-01-22httpcaddyfile: Rename 'headers' directive to 'header'Matthew Holt
2020-01-22cmd: Make --config flag optional for reload commandMatthew Holt
In case it is using the default Caddyfile
2020-01-22httpcaddyfile: Update directive docs; put root after rewriteMatthew Holt
2020-01-22httpcaddyfile: Get rid of 'tls off' parameter; probably not usefulMatthew Holt
2020-01-19httpcaddyfile: Fix address parsing; don't infer port at parse-timeMatthew Holt
Before, listener ports could be wrong because ParseAddress doesn't know about the user-configured HTTP/HTTPS ports, instead hard-coding port 80 or 443, which could be wrong if the user changed them to something else. Now we defer port and scheme validation/inference to a later part of building the output JSON.
2020-01-18Merge pull request #2980 from moorereason/bugfix-ciphersuite-loggingZaq? Wiedmann
v2: http: Fix ciphersuite logging
2020-01-18reverse_proxy: CB docs; rename type -> factor (#2986)Mohammed Al Sahaf
* v2: add documentation for circuit breaker config and "random selection" load balancing policy * v2: rename circuit breaker config inline key from `type` to `breaker` to avoid json key clash between the `circuit_breaker` type and the `type` field of the generic circuit breaker Config struct used by circuit breaking implementations * v2: restore the circuit breaker inline key to `type` and rename the name circuit breaker config field from `Type` to `Factor`
2020-01-17httpcaddyfile: Move redir before rewriteMatthew Holt
Using rewrite is like saying, "I accept this request, but I just need to act on it as if it came in differently." Whereas redir implies more of, "I reject this request, send it to me differently, then I will process it." Makes sense for it to come before rewrites. This can always be changed using the 'order' global option if needed.
2020-01-17caddyhttp: Improve docs, and Caddyfile for respond directiveMatthew Holt
2020-01-17cmd: version: Add module replace to outputMatthew Holt
2020-01-16httpcaddyfile: Fix nested blocks; add handle directive; refactorMatthew Holt
The fix that was initially put forth in #2971 was good, but only for up to one layer of nesting. The real problem was that we forgot to increment nesting when already inside a block if we saw another open curly brace that opens another block (dispenser.go L157-158). The new 'handle' directive allows HTTP Caddyfiles to be designed more like nginx location blocks if the user prefers. Inside a handle block, directives are still ordered just like they are outside of them, but handler blocks at a given level of nesting are mutually exclusive. This work benefitted from some refactoring and cleanup.
2020-01-16http: Fix ciphersuite loggingCameron Moore
2020-01-16httpcaddyfile: Replace 'handler_order' option with 'order'Matthew Holt
This allows individual directives to be ordered relative to others, where order matters (for example HTTP handlers). Will primarily be useful when developing new directives, so you don't have to modify the Caddy source code. Can also be useful if you prefer that redir comes before rewrite, for example. Note that these are global options. The route directive can be used to give a specific order to a specific group of HTTP handler directives.
2020-01-16httpcaddyfile: Group try_files routes together (#2891)Matthew Holt
This ensures that only the first matching route is used.