summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2022-03-03templates: Fix docs for .ArgsMatthew Holt
2022-03-03core: Retry dynamic config load if error or no-op (#4603)Matthew Holt
Also fix ineffectual assignment (unrelated)
2022-03-03reverseproxy: Make shallow-ish clone of the request (#4551)Francis Lavoie
* reverseproxy: Make shallow-ish clone of the request * Refactor request cloning into separate function Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-02caddyhttp: Don't attempt to manage Tailscale certsMatthew Holt
If .ts.net domains are explicitly added to config, don't try to manage a cert for them (it will fail, and our implicit Tailscale module will get those certs at run-time).
2022-03-02caddypki: Try to fix lint warningsMatthew Holt
2022-03-02caddypki: Refactor /pki/ admin endpointsMatthew Holt
Remove /pki/certificates/<ca> endpoint and split into two endpoints: - GET /pki/ca/<id> to get CA info and certs in JSON format - GET /pki/ca/<id>/certificates to get cert in PEM chain
2022-03-02fastcgi: Set SERVER_PORT to 80 or 443 depending on scheme (#4572)ttys3
2022-03-02pki: Implement API endpoints for certs and `caddy trust` (#4443)Francis Lavoie
* admin: Implement /pki/certificates/<id> API * pki: Lower "skip_install_trust" log level to INFO See https://github.com/caddyserver/caddy/issues/4058#issuecomment-976132935 It's not necessary to warn about this, because this was an option explicitly configured by the user. Still useful to log, but we don't need to be so loud about it. * cmd: Export functions needed for PKI app, return API response to caller * pki: Rewrite `caddy trust` command to use new admin endpoint instead * pki: Rewrite `caddy untrust` command to support using admin endpoint * Refactor cmd and pki packages for determining admin API endpoint
2022-03-01httpcaddyfile: Support explicitly turning off `strict_sni_host` (#4592)Francis Lavoie
2022-03-01caddyhttp: Support zone identifiers in remote_ip matcher (#4597)BitWuehler
* Update matchers.go * Update matchers.go * implementation of zone_id handling * last changes in zone handling * give return true values instead of bool * Apply suggestions from code review Co-authored-by: Francis Lavoie <lavofr@gmail.com> * changes as suggested * Apply suggestions from code review Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update matchers.go * shortened the Match function * changed mazcher handling * Update matchers.go * delete space Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-03-01fileserver: Canonical redir when whole path is stripped (#4549)Francis Lavoie
2022-03-01core: Config LoadInterval -> LoadDelay for clarityMatthew Holt
And improve/clarify docs about this feature See #4577
2022-03-01reverseproxy: Move status replacement intercept to `replace_status` (#4300)Francis Lavoie
2022-03-01core: Revert 7f364c7; simplify dynamic config loadMatthew Holt
Fixes #4577
2022-03-01core: Config load interval only reloads if changed (#4603)Noorain Panjwani
2022-02-19caddyhttp: Move HTTP redirect listener to an optional module (#4585)Francis Lavoie
2022-02-19ci: update goreleaser (#4582)Mohammed Al Sahaf
2022-02-19logging: Add `roll_local_time` Caddyfile option (#4583)Francis Lavoie
2022-02-19caddyhttp: Always log handled errors at debug level (#4584)Francis Lavoie
2022-02-19go.mod: Revert version bump of CEL (#4587)Francis Lavoie
2022-02-19httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)Francis Lavoie
2022-02-17caddyconfig: Support placeholders in HTTP loaderMatthew Holt
2022-02-17caddytls: Support external certificate Managers (like Tailscale) (#4541)Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-02-15admin: Write proper status on invalid requests (#4569) (fix #4561)Alok Naushad
2022-02-15admin: Enforce and refactor origin checkingMatthew Holt
Using URLs seems a little cleaner and more correct cf: https://caddy.community/t/protect-admin-endpoint/15114 (This used to work. Something must have changed recently.)
2022-02-06templates: Elaborate on what's supported by the markdown function (#4564)Francis Lavoie
2022-02-01reverseproxy: Avoid returning a `nil` error during GetClientCertificate (#4550)Francis Lavoie
2022-02-01go.mod: Upgrade dependenciesMatthew Holt
Including crucial CertMagic upgrade
2022-01-30Interrim upgrade CertMagicMatthew Holt
For auto-replace certificate on revocation for on-demand mode, until a proper release is made.
2022-01-25Merge pull request #4545 from hairyhenderson/metrics-restrict-http-methodsDave Henderson
metrics: Enforce smaller set of method labels
2022-01-25move common metrics-related funcs to internal packageDave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-01-25Update modules/caddyhttp/metrics_test.goFrancis Lavoie
2022-01-25other is not uppercaseDave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-01-25metrics: Enforce smaller set of method labelsDave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2022-01-24caddyhttp: Fix test when /tmp/etc already exists (#4544)Kevin Daudt
The TestFileListing test in tplcontext_test has one test that verifies if directory traversal is not happening. The context root is set to '/tmp' and then it tries to open '../../../../../etc', which gets normalized to '/tmp/etc'. The test then expects an error to be returned, assuming that '/tmp/etc' does not exist on the system. When it does exist, it results in a test failure: ``` --- FAIL: TestFileListing (0.00s) tplcontext_test.go:422: Test 4: Expected error but had none FAIL FAIL github.com/caddyserver/caddy/v2/modules/caddyhttp/templates 0.042s ``` Instead of using '/tmp' as root, use a dedicated directory created with `os.MkdirTemp()` instead. That way, we know that the directory is empty.
2022-01-19caddyhttp: Reject absurd methods (#4538)Matt Holt
* caddyhttp: Reject absurdly long methods * Limit method to 32 chars and truncate * Just reject the request and debug-log it * Log remote address
2022-01-19Improve the reverse-proxy CLI --to flag help message (#4535)Vojtech Vitek
2022-01-19More explanatory error message from Listen (#4534)Forest Johnson
* explain cryptic unix socket listener error related to process kill https://github.com/caddyserver/caddy/pull/4533 * less ambiguous wording: clean up -> delete * shorten error message explanation * link back to pull request in comment for later archeaology
2022-01-18caddytls: Add internal Caddyfile `lifetime`, `sign_with_root` opts (#4513)Francis Lavoie
2022-01-18httpcaddyfile: Add pki app `root` and `intermediate` cert/key config (#4514)Francis Lavoie
2022-01-18rewrite: Add `method` Caddyfile directive (#4528)Francis Lavoie
2022-01-18caddyhttp: Fix HTTP->HTTPS redir not preferring HTTPS port if ambiguous (#4530)Francis Lavoie
2022-01-18httpcaddyfile: Add `default_bind` global option (#4531)Francis Lavoie
2022-01-18httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)Francis Lavoie
The `net.JoinHostPort()` function has some naiive logic for handling IPv6, it just checks if the host part has a `:` and if so it wraps the host part with `[ ]` but this causes our network type prefix to get wrapped as well, which is invalid for `caddy.NetworkAddress`. Instead, we can just concatenate the host and port manually here to avoid this side-effect.
2022-01-16cmd: Print error if fmt overwrite fails (fix #4524)Matthew Holt
2022-01-13rewrite: Fix a double-encode issue when using the `{uri}` placeholder (#4516)Francis Lavoie
2022-01-13caddytls: Fix `MatchRemoteIP` provisoning with multiple CIDR ranges (#4522)GallopingKylin
2022-01-12caddyhttp: Return HTTP 421 for mismatched Host header (#4023)rayjlinden
Potential fix for #4017 although the consensus is unclear. Made change to return status code 421 instead of 403 when StrictSNIHost matching is on.
2022-01-10Fix lint warningsMatthew Holt
2022-01-10core: Simplify shared listeners, fix deadline bugMatthew Holt
When this listener code was first written, UsagePool didn't exist. We can simplify much of the wrapped listener logic by utilizing UsagePool. This also fixes a bug where new servers were able to clear deadlines set by old servers, even if the old server didn't get booted out of its Accept() call yet. And with the deadline cleared, they never would. (Sometimes. Based on reports and difficulty of reproducing the bug, this behavior was extremely rare.) I don't know why that happened exactly, maybe some polling mechanism in the kernel and if the timings worked out just wrong it would expose the bug. Anyway, now we ensure that only the closer that set the deadline is the same one that clears it, ensuring that old servers always return out of Accept(), because the deadline doesn't get cleared until they do. Of course, all this hinges on the hope that my suspicions in the middle of the night are correct and that kernels work the way I think they do in my head. Also minor enhancement to UsagePool where if a value errors upon construction (a very real possibility with listeners), it is removed from the pool. Not 100% sure the sync logic is correct there, or maybe we don't have to even put it in the pool until after construction, but it's subtle either way and I think this is safe... right?