summaryrefslogtreecommitdiff
path: root/caddyconfig/httpcaddyfile/builtins.go
AgeCommit message (Collapse)Author
2020-11-16caddytls: Support multiple issuers (#3862)Matt Holt
* caddytls: Support multiple issuers Defaults are Let's Encrypt and ZeroSSL. There are probably bugs. * Commit updated integration tests, d'oh * Update go.mod
2020-10-02map: Reimplement; multiple outputs; optimizeMatthew Holt
2020-08-11Update comment and Caddy 1 EOLMatthew Holt
2020-08-11caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633)Matt Holt
* caddytls: Add support for ZeroSSL; add Caddyfile support for issuers Configuring issuers explicitly in a Caddyfile is not easily compatible with existing ACME-specific parameters such as email or acme_ca which infer the kind of issuer it creates (this is complicated now because the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit that later if we need to. New Caddyfile global option: { cert_issuer <name> ... } Or, alternatively, as a tls subdirective: tls { issuer <name> ... } For example, to use ZeroSSL with an API key: { cert_issuser zerossl API_KEY } For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB credentials for you. You can also provide the EAB credentials directly just like any other ACME endpoint: { cert_issuer acme { eab KEY_ID MAC_KEY } } All these examples use the new global option (or tls subdirective). You can still use traditional/existing options with ZeroSSL, since it's just another ACME endpoint: { acme_ca https://acme.zerossl.com/v2/DV90 acme_eab KEY_ID MAC_KEY } That's all there is to it. You just can't mix-and-match acme_* options with cert_issuer, because it becomes confusing/ambiguous/complicated to merge the settings. * Fix broken test This test was asserting buggy behavior, oops - glad this branch both discovers and fixes the bug at the same time! * Fix broken test (post-merge) * Update modules/caddytls/acmeissuer.go Fix godoc comment Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Add support for ZeroSSL's EAB-by-email endpoint Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to generate EAB if not already provided); this is now possible with either an API key or an email address. * go.mod: Use latest certmagic, acmez, and x/net * Wrap underlying logic rather than repeating it Oops, duh * Form-encode email info into request body for EAB endpoint Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-08-05httpcaddyfile: Allow named matchers in `route` blocks (#3632)Francis Lavoie
2020-07-30caddytls: Replace lego with acmez (#3621)Matt Holt
* Replace lego with acmez; upgrade CertMagic * Update integration test
2020-06-05httpcaddyfile: Add client_auth options to tls directive (#3335)NWHirschfeld
* reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-05-29caddyconfig: Minor internal and godoc tweaksMatthew Holt
2020-05-26httpcaddyfile: New `handle_path` directive (#3281)Francis Lavoie
* caddyconfig: WIP implementation of handle_path * caddyconfig: Complete the implementation - h.NewRoute was key * caddyconfig: Add handle_path integration test * caddyhttp: Use the path matcher as-is, strip the trailing *, update test
2020-05-15httpcaddyfile: Be stricter about `log` syntax (#3419)Francis Lavoie
2020-05-02caddytls: Finish upgrading to libdns DNS providers for ACME challengesMatthew Holt
Until we finish the migration to the new acme library, we have to bring the solver type in-house. It's small and temporary.
2020-05-01httpcaddyfile: Update tls parsing for DNS providersMatthew Holt
2020-04-30caddytls: Adjust DNS challenge structure; clarify some docsMatthew Holt
2020-04-01caddytls: Refactor certificate selection policies (close #1575)Matthew Holt
Certificate selection used to be a module, but this seems unnecessary, especially since the built-in CustomSelectionPolicy allows quite complex selection logic on a number of fields in certs. If we need to extend that logic, we can, but I don't think there are SO many possibilities that we need modules. This update also allows certificate selection to choose between multiple matching certs based on client compatibility and makes a number of other improvements in the default cert selection logic, both here and in the latest CertMagic. The hardest part of this was the conn policy consolidation logic (Caddyfile only, of course). We have to merge connection policies that we can easily combine, because if two certs are manually loaded in a Caddyfile site block, that produces two connection policies, and each cert is tagged with a different tag, meaning only the first would ever be selected. So given the same matchers, we can merge the two, but this required improving the Tag selection logic to support multiple tags to choose from, hence "tags" changed to "any_tag" or "all_tags" (but we use any_tag in our Caddyfile logic). Combining conn policies with conflicting settings is impossible, so that should return an error if two policies with the exact same matchers have non-empty settings that are not the same (the one exception being any_tag which we can merge because the logic for them is to OR them). It was a bit complicated. It seems to work in numerous tests I've conducted, but we'll see how it pans out in the release candidates.
2020-04-01caddytls: Update cipher suite names and curve namesMatthew Holt
Now using IANA-compliant names and Go 1.14's CipherSuites() function so we don't have to maintain our own mapping of currently-secure cipher suites.
2020-03-23httpcaddyfile: Allow php_fastcgi to be used in route directiveMatthew Holt
Fixes https://caddy.community/t/v2-help-to-set-up-a-yourls-instance/7260/22
2020-03-22httpcaddyfile: Fix little typo (Next -> NextArg)Matthew Holt
2020-03-20httpcaddyfile: Simplify 'root' directive parsingMatthew Holt
I must have written that one before the helper function `RegisterHandlerDirective`.
2020-03-20httpcaddyfile: Append access logger name to log's includes (fix #3110)Matthew Holt
2020-03-18Little tweaky tweaksMatthew Holt
2020-03-17httpcaddyfile: Many tls-related improvements including on-demand supportMatthew Holt
Holy heck this was complicated
2020-03-13v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)Matt Holt
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021) * pki: Ability to use root/intermediates, and sign with root * pki: Fix benign misnamings left over from copy+paste * pki: Only install root if not already trusted * Make HTTPS port the default; all names use auto-HTTPS; bug fixes * Fix build - what happened to our CI tests?? * Fix go.mod
2020-03-06Merge branch 'certmagic-refactor' into v2Matthew Holt
2020-03-06Refactor for CertMagic v0.10; prepare for PKI appMatthew Holt
This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries.
2020-03-04httpcaddyfile: remove certificate tags from global state (#3111)Mark Sargent
* remove the certificate tag tracking from global state * refactored helper state, added log counter * moved state initialisation close to where it is used. * added helper state comment
2020-02-28httpcaddyfile: Treat no matchers as 0-len path matchers (fix #3100)Matthew Holt
+ a couple other minor changes from linter
2020-02-25v2: 'log' directive for Caddyfile, and debug mode (#3052)Matt Holt
* httpcaddyfile: Begin implementing log directive, and debug mode For now, debug mode just sets the log level for all logs to DEBUG (unless a level is specified explicitly). * httpcaddyfile: Finish 'log' directive Also rename StringEncoder -> SingleFieldEncoder * Fix minor bug in replacer (when vals are empty)
2020-02-20httpcaddyfile: tls: Load repeated cert files only once, with one tagMatthew Holt
See end of issue #3004. Loading the same certificate file multiple times with different tags will result in it being de-duplicated in the in- memory cache, because of course they all have the same bytes. This meant that any certs of the same filename loaded with different tags would be overwritten by the next certificate of the same filename, and any conn policies looking for the tags of the previous ones would never find them, causing connections to fail. So, now we remember cert filenames and their tags, instead of loading them multiple times and overwriting previous ones. A user crafting their own JSON might make this error too... maybe we won't see it happen. But if it does, one possibility is, when loading a duplicate cert, instead of discarding it completely, merge the tag list into the one that's already stored in the cache, then discard.
2020-02-16httpcaddyfile: 'handle_errors' directiveMatthew Holt
Not sure I love the name of the directive; might change it later.
2020-02-14caddyfile: Refactor; NewFromNextSegment(); fix repeated matchersMatthew Holt
Now multiple instances of the same matcher can be used within a named matcher without overwriting previous ones.
2020-02-12tls: Add acme_ca_root and tls/ca_root to caddyfile (#3040)Mark Sargent
2020-02-08httpcaddyfile: Add support for DNS challenge solversMatthew Holt
Configuration via the Caddyfile requires use of env variables, but an upstream issue is currently blocking that: https://github.com/go-acme/lego/issues/1054 Providers will need to be retrofitted upstream in order to support env var configuration.
2020-02-06caddyfile: tls: Tag manual certificates (#2588)Matthew Holt
This ensure that if there are multiple certs that match a particular ServerName or other parameter, then specifically the one the user provided in the Caddyfile will be used.
2020-01-22httpcaddyfile: Update directive docs; put root after rewriteMatthew Holt
2020-01-22httpcaddyfile: Get rid of 'tls off' parameter; probably not usefulMatthew Holt
2020-01-16httpcaddyfile: Fix nested blocks; add handle directive; refactorMatthew Holt
The fix that was initially put forth in #2971 was good, but only for up to one layer of nesting. The real problem was that we forgot to increment nesting when already inside a block if we saw another open curly brace that opens another block (dispenser.go L157-158). The new 'handle' directive allows HTTP Caddyfiles to be designed more like nginx location blocks if the user prefers. Inside a handle block, directives are still ordered just like they are outside of them, but handler blocks at a given level of nesting are mutually exclusive. This work benefitted from some refactoring and cleanup.
2020-01-09v2: Implement Caddyfile enhancements (breaking changes) (#2960)Matt Holt
* http: path matcher: exact match by default; substring matches (#2959) This is a breaking change. * caddyfile: Change "matcher" directive to "@matcher" syntax (#2959) * cmd: Assume caddyfile adapter for config files named Caddyfile * Sub-sort handlers by path matcher length (#2959) Caddyfile-generated subroutes have handlers, which are sorted first by directive order (this is unchanged), but within directives we now sort by specificity of path matcher in descending order (longest path first, assuming that longest path is most specific). This only applies if there is only one matcher set, and the path matcher in that set has only one path in it. Path matchers with two or more paths are not sorted like this; and routes with more than one matcher set are not sorted like this either, since specificity is difficult or impossible to infer correctly. This is a special case, but definitely a very common one, as a lot of routing decisions are based on paths. * caddyfile: New 'route' directive for appearance-order handling (#2959) * caddyfile: Make rewrite directives mutually exclusive (#2959) This applies only to rewrites in the top-level subroute created by the HTTP caddyfile.
2019-12-13tls: Ensure conn policy is created when providing certs in CaddyfileMatthew Holt
Fixes #2929
2019-12-10v2: Module documentation; refactor LoadModule(); new caddy struct tags (#2924)Matt Holt
This commit goes a long way toward making automated documentation of Caddy config and Caddy modules possible. It's a broad, sweeping change, but mostly internal. It allows us to automatically generate docs for all Caddy modules (including future third-party ones) and make them viewable on a web page; it also doubles as godoc comments. As such, this commit makes significant progress in migrating the docs from our temporary wiki page toward our new website which is still under construction. With this change, all host modules will use ctx.LoadModule() and pass in both the struct pointer and the field name as a string. This allows the reflect package to read the struct tag from that field so that it can get the necessary information like the module namespace and the inline key. This has the nice side-effect of unifying the code and documentation. It also simplifies module loading, and handles several variations on field types for raw module fields (i.e. variations on json.RawMessage, such as arrays and maps). I also renamed ModuleInfo.Name -> ModuleInfo.ID, to make it clear that the ID is the "full name" which includes both the module namespace and the name. This clarity is helpful when describing module hierarchy. As of this change, Caddy modules are no longer an experimental design. I think the architecture is good enough to go forward.
2019-09-30httpcaddyfile: Add acme_ca and email global optionsMatthew Holt
Also add ability to access options from individual unmarshalers through the Helper values
2019-09-16httpcaddyfile: static_response -> respond; minor cleanupsMatthew Holt
2019-09-10caddyfile: Improve Dispenser.NextBlock() to support nestingMatthew Holt
2019-08-22Fix SIV where /v2 was missing from caddyfile adapter work (#2721)Mohammed Al Sahaf
2019-08-21Refactor Caddyfile adapter and module registrationMatthew Holt
Use piles from which to draw config values. Module values can return their name, so now we can do two-way mapping from value to name and name to value; whereas before we could only map name to value. This was problematic with the Caddyfile adapter since it receives values and needs to know the name to put in the config.
2019-08-09Implement config adapters and beginning of Caddyfile adapterMatthew Holt
Along with several other changes, such as renaming caddyhttp.ServerRoute to caddyhttp.Route, exporting some types that were not exported before, and tweaking the caddytls TLS values to be more consistent. Notably, we also now disable automatic cert management for names which already have a cert (manually) loaded into the cache. These names no longer need to be specified in the "skip_certificates" field of the automatic HTTPS config, because they will be skipped automatically.