summaryrefslogtreecommitdiff
path: root/caddyconfig
AgeCommit message (Collapse)Author
2022-03-24httpcaddyfile: Fix #4640 (auto-HTTPS edgecase) (#4661)Francis Lavoie
Guh, this is complicated. Fixes #4640 This also follows up on #4398 (reverting it) which made a change that technically worked, but was incorrect. It changed the condition in `hostsFromKeysNotHTTP` from `&&` to `||`, but then the function no longer did what its name said it would do, and it would return hosts even if they were marked with `http://`, if they used a non-HTTP port. That wasn't the intent of it. The test added in there was kept though, because it is a valid usecase. The actual fix is to check _earlier_ whether all the addresses explicitly have `http://`, and if so we can short circuit and skip considering the rest.
2022-03-23caddyfile: Prevent bad block opening tokens (#4655)Francis Lavoie
* caddyfile: Prevent bad block opening tokens * Clarifying comments
2022-03-22httpcaddyfile: Add 'vars' directiveMatthew Holt
See discussion in #4650
2022-03-18caddyfile: Support for raw token values; improve `map`, `expression` (#4643)Francis Lavoie
* caddyfile: Support for raw token values, improve `map`, `expression` * Applied code review comments * Rename RawVal to ValRaw Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-15ci: Build on Go 1.18, bump actions versions (#4637)Francis Lavoie
* ci: Build on Go 1.18, bump actions versions * Revert linter version bump for now * Try linter again
2022-03-13chore: Comment fixes (#4634)Francis Lavoie
2022-03-09reverseproxy: copy_response and copy_response_headers for handle_response ↵Francis Lavoie
routes (#4391) * reverseproxy: New `copy_response` handler for `handle_response` routes Followup to #4298 and #4388. This adds a new `copy_response` handler which may only be used in `reverse_proxy`'s `handle_response` routes, which can be used to actually copy the proxy response downstream. Previously, if `handle_response` was used (with routes, not the status code mode), it was impossible to use the upstream's response body at all, because we would always close the body, expecting the routes to write a new body from scratch. To implement this, I had to refactor `h.reverseProxy()` to move all the code that came after the `HandleResponse` loop into a new function. This new function `h.finalizeResponse()` takes care of preparing the response by removing extra headers, dealing with trailers, then copying the headers and body downstream. Since basically what we want `copy_response` to do is invoke `h.finalizeResponse()` at a configurable point in time, we need to pass down the proxy handler, the response, and some other state via a new `req.WithContext(ctx)`. Wrapping a new context is pretty much the only way we have to jump a few layers in the HTTP middleware chain and let a handler pick up this information. Feels a bit dirty, but it works. Also fixed a bug with the `http.reverse_proxy.upstream.duration` placeholder, it always had the same duration as `http.reverse_proxy.upstream.latency`, but the former was meant to be the time taken for the roundtrip _plus_ copying/writing the response. * Delete the "Content-Length" header if we aren't copying Fixes a bug where the Content-Length will mismatch the actual bytes written if we skipped copying the response, so we get a message like this when using curl: ``` curl: (18) transfer closed with 18 bytes remaining to read ``` To replicate: ``` { admin off debug } :8881 { reverse_proxy 127.0.0.1:8882 { @200 status 200 handle_response @200 { header Foo bar } } } :8882 { header Content-Type application/json respond `{"hello": "world"}` 200 } ``` * Implement `copy_response_headers`, with include/exclude list support * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-03-08tracing: New OpenTelemetry module (#4361)Andrii Kushch
* opentelemetry: create a new module * fix imports * fix test * Update modules/caddyhttp/opentelemetry/README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update modules/caddyhttp/opentelemetry/README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update modules/caddyhttp/opentelemetry/README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update modules/caddyhttp/opentelemetry/tracer.go Co-authored-by: Dave Henderson <dhenderson@gmail.com> * rename error ErrUnsupportedTracesProtocol * replace spaces with tabs in the test data * Update modules/caddyhttp/opentelemetry/README.md Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update modules/caddyhttp/opentelemetry/README.md Co-authored-by: Francis Lavoie <lavofr@gmail.com> * replace spaces with tabs in the README.md * use default values for a propagation and exporter protocol * set http attributes with helper * simplify code * Cleanup modules/caddyhttp/opentelemetry/README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update link in README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update documentation in README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update link to naming spec in README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Rename module from opentelemetry to tracing Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Rename span_name to span Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Rename span_name to span Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Simplify otel resource creation Co-authored-by: Dave Henderson <dhenderson@gmail.com> * handle extra attributes Co-authored-by: Dave Henderson <dhenderson@gmail.com> * update go.opentelemetry.io/otel/semconv to 1.7.0 Co-authored-by: Dave Henderson <dhenderson@gmail.com> * update go.opentelemetry.io/otel version * remove environment variable handling * always use tracecontext,baggage as propagators * extract tracer name into variable * rename OpenTelemetry to Tracing * simplify resource creation * update go.mod * rename package from opentelemetry to tracing * cleanup tests * update Caddyfile example in README.md * update README.md * fix test * fix module name in README.md * fix module name in README.md * change names in README.md and tests * order imports * remove redundant tests * Update documentation README.md Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Fix grammar Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update comments Co-authored-by: Dave Henderson <dhenderson@gmail.com> * Update comments Co-authored-by: Dave Henderson <dhenderson@gmail.com> * update go.sum * update go.sum * Add otelhttp instrumentation, update OpenTelemetry libraries. * Use otelhttp instrumentation for instrumenting HTTP requests. This change uses context.WithValue to inject the next handler into the request context via a "nextCall" carrier struct, and pass it on to a standard Go HTTP handler returned by otelhttp.NewHandler. The underlying handler will extract the next handler from the context, call it and pass the returned error to the carrier struct. * use zap.Error() for the error log * remove README.md * update dependencies * clean up the code * change comment * move serveHTTP method from separate file * add syntax to the UnmarshalCaddyfile comment * go import the file * admin: Write proper status on invalid requests (#4569) (fix #4561) * update dependencies Co-authored-by: Dave Henderson <dhenderson@gmail.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Vibhav Pant <vibhavp@gmail.com> Co-authored-by: Alok Naushad <alokme123@gmail.com> Co-authored-by: Cedric Ziel <cedric@cedric-ziel.com>
2022-03-08caddytls: dns_challenge_override_domain for challenge delegation (#4596)Ran Chen
* Add a override_domain option to allow DNS chanllenge delegation CNAME can be used to delegate answering the chanllenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1]. Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user explicitly specify the domain to delegate, instead of following the CNAME chain. This needs caddy/certmagic#160. * rename override_domain to dns_challenge_override_domain * Update CertMagic; fix spelling Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-05reverseproxy: Refactor dial address parsing, augment command parsing (#4616)Francis Lavoie
2022-03-01httpcaddyfile: Support explicitly turning off `strict_sni_host` (#4592)Francis Lavoie
2022-02-19httpcaddyfile: Disabling OCSP stapling for both managed and unmanaged (#4589)Francis Lavoie
2022-02-17caddyconfig: Support placeholders in HTTP loaderMatthew Holt
2022-02-17caddytls: Support external certificate Managers (like Tailscale) (#4541)Matt Holt
Huge thank-you to Tailscale (https://tailscale.com) for making this change possible! This is a great feature for Caddy and Tailscale is a great fit for a standard implementation. * caddytls: GetCertificate modules; Tailscale * Caddyfile support for get_certificate Also fix AP provisioning in case of empty subject list (persist loaded module on struct, much like Issuers, to surive reprovisioning). And implement start of HTTP cert getter, still WIP. * Update modules/caddytls/automation.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use tsclient package, check status for name * Implement HTTP cert getter And use reuse CertMagic's PEM functions for private keys. * Remove cache option from Tailscale getter Tailscale does its own caching and we don't need the added complexity... for now, at least. * Several updates - Option to disable cert automation in auto HTTPS - Support multiple cert managers - Remove cache feature from cert manager modules - Minor improvements to auto HTTPS logging * Run go mod tidy * Try to get certificates from Tailscale implicitly Only for domains ending in .ts.net. I think this is really cool! Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-01-18httpcaddyfile: Add pki app `root` and `intermediate` cert/key config (#4514)Francis Lavoie
2022-01-18rewrite: Add `method` Caddyfile directive (#4528)Francis Lavoie
2022-01-18httpcaddyfile: Add `default_bind` global option (#4531)Francis Lavoie
2022-01-18httpcaddyfile: Fix incorrect handling of IPv6 bind addresses (#4532)Francis Lavoie
The `net.JoinHostPort()` function has some naiive logic for handling IPv6, it just checks if the host part has a `:` and if so it wraps the host part with `[ ]` but this causes our network type prefix to get wrapped as well, which is invalid for `caddy.NetworkAddress`. Instead, we can just concatenate the host and port manually here to avoid this side-effect.
2022-01-05httpcaddyfile: Support configuring `pki` app names via global options (#4450)Francis Lavoie
2021-12-13httpcaddyfile: Fix sorting edgecase for nested `handle_path` (#4477)Francis Lavoie
2021-12-07caddyfile: impove fmt warning message (#4444)Runzhi He
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2021-12-02caddyhttp: Make logging of credential headers opt-in (#4438)Francis Lavoie
2021-11-29caddyhttp: Split up logged remote address into IP and port (#4403)Francis Lavoie
2021-11-29logging: Remove common_log field and single_field encoder (#4149) (#4282)Matt Holt
2021-11-28caddyfile: make renew_interval option configurable (#4451)Rainer Borene
2021-11-15caddyfile: Copy input before parsing (fix #4422)Matthew Holt
2021-10-26httpcaddyfile: Empty tls policy for internal http localhost (#4398)Marc Easen
* test: replicated empty tls automation policy issue * fix: empty tls policy for an http:// endpoint running on a non-standard http port
2021-10-20httpcaddyfile: Preserve IPv6 addresses through normalization (fix #4381)Matthew Holt
Remove unnecessary Key() method and improve related tests
2021-10-01caddyhttp: Placeholder for client cert in DER + base64 format (#4241)Oleg
* client.certificate_pem_encoded in base64 format * base64-encoding without pem encoding;naming change * fix cert.Raw instead of block.bytes
2021-09-29Move from deprecated ioutil to os and io packages (#4364)KallyDev
2021-09-16Make copyright notice more consistentMatthew Holt
Some files had the old copyright or were missing the license comment entirely. Also change Light Code Labs to Dyanim in security contact and releases.
2021-08-26httpcaddyfile: Reorder some directives (#4311)Francis Lavoie
We realized we made some mistakes with the directive ordering, so we're making some minor adjustments. `abort` and `error` don't really make sense to be after other handler directives, because you would expect to be able to "fail-fast" and throw an error before falling through to some `file_server` or `respond` typically. So we're moving them up to just before `respond`, i.e. before the common handler directives. This is also more consistent with our existing examples in the docs, which actually didn't work due to the directive ordering. See https://caddyserver.com/docs/caddyfile/directives/error#examples Also, `push` doesn't quite make sense to be after `handle`/`route`, since its job is to read from response headers to push additional resources if necessary, and `handle`/`route` may be terminal so push would not be reached if it was declared outside those. And also, it would make sense to be _before_ `templates` because a template _could_ add a `Link` header to the response dynamically.
2021-08-25httpcaddyfile: Improve unrecognized directive errorsMatthew Holt
2021-08-23caddyfile: Better error message for missing site block braces (#4301)Francis Lavoie
Some new users mistakenly try to define two sites without braces around each. Doing this can yield a confusing error message saying that their site address is an "unknown directive". We can do better by keeping track of whether the current site block was parsed with or without a brace, then changing the error message later based on that. For example, now this invalid config: ``` foo.example.com respond "foo" bar.example.com respond "bar" ``` Will yield this error message: ``` $ caddy adapt 2021/08/22 19:21:31.028 INFO using adjacent Caddyfile adapt: Caddyfile:4: unrecognized directive: bar.example.com Did you mean to define a second site? If so, you must use curly braces around each site to separate their configurations. ```
2021-08-23caddyfile: Error on invalid site addresses containing comma (#4302)Francis Lavoie
Some users forget to use a comma between their site addresses. This is invalid (commas aren't a valid character in domains) and later parts of the code like certificate automation will try to use this otherwise, which doesn't make sense. Best to error as early as possible. Example thread on the forums where this happened: https://caddy.community/t/simplify-caddyfile/13281/9
2021-08-12httpcaddyfile: Add shortcut for proxy hostport placeholder (#4263)Francis Lavoie
* httpcaddyfile: Add shortcut for proxy hostport placeholder I've noticed that it's a pretty common pattern to write a proxy like this, when needing to proxy over HTTPS: ``` reverse_proxy https://example.com { header_up Host {http.reverse_proxy.upstream.hostport} } ``` I find it pretty hard to remember the exact placeholder to use for this, and I continually need to refer to the docs when I need it. I think a simple fix for this is to add another Caddyfile placeholder for this one to shorten it: ``` reverse_proxy https://example.com { header_up Host {proxy_hostport} } ``` * Switch the shortcut name
2021-08-02httpcaddyfile: Ensure hosts to skip for logs can always be collected (#4258)Frederik Ring
* httpcaddyfile: ensure hosts to skip can always be collected Previously, some hosts that should be skipped in logging would be missed as the current logic would only collect them after encountering the first server that would log. This change makes sure the ServerLogConfig is initialized before iterating over the server blocks. * httpcaddyfile: add test case for skip hosts behavior
2021-07-19caddyfile: keep error chain info in Dispenser.Errf (#4233)Ggicci
* caddyfile: Errf enable error chain unwrapping * refactor: remove parseError
2021-06-25httpcaddyfile: Don't put localhost in public APs (fix #4220)Matthew Holt
If an email is specified in global options, a site called 'localhost' shouldn't be bunched together with public DNS names in the automation policies, which get the default, public-CA issuers. Fix old test that did this. I also noticed that these two: localhost { } example.com { } and localhost, example.com { } produce slightly different TLS automation policies. The former is what the new test case covers, and we have logic that removes the empty automation policy for localhost so that auto-HTTPS can implicitly create one. (We prefer that whenever possible.) But the latter case produces two automation policies, with the second one being for localhost, with an explicit internal issuer. It's not wrong, just more explicit than it needs to be. I'd really like to completely rewrite the code from scratch that generates automation policies, hopefully there is a simpler, more correct algorithm.
2021-06-09httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)Matthew Holt
In the Caddyfile, hosts specified for HTTP sockets (either scheme is "http" or it is on the HTTP port) should not be used as subjects in TLS automation policies (APs).
2021-06-08httpcaddyfile: Add `preferred_chains` global option and issuer subdirective ↵Klooven
(#4192) * Added preferred_chains option to Caddyfile * Caddyfile adapt tests for preferred_chains
2021-06-07httpcaddyfile: Add `skip_install_trust` global option (#4153)Francis Lavoie
Fixes https://github.com/caddyserver/caddy/issues/4002
2021-05-12caddyfile: Add parse error on site address with trailing `{` (#4163)Francis Lavoie
* caddyfile: Add parse error on site address in `{` This is an incredibly common mistake made by users, so we should catch it earlier in the parser and give a more friendly message. Often it ends up adapting but with mistakes, or erroring out later due to other site addresses being read as directives. There's not really ever a situation where a lone '{' is valid at the end of a site address (but I suppose there are edgecases where the user wants to use a path matcher where it ends specifically in `{`, but... why?), so this should be fine. * Update caddyconfig/caddyfile/parse.go
2021-05-11httpcaddyfile: Fix automation policy consolidation again (fix #4161)Matthew Holt
Also fix a previous test that asserted incorrect behavior.
2021-05-10caddyfile: Fix `caddy fmt` nesting not decrementing (#4157)Matthew Penner
* caddyfile(formatter): fix nesting not decrementing This is an extremely weird edge-case where if you had a environment variable {} on one line, a comment on the next line, and the closing of the block on the following line; the rest of the Caddyfile would be indented further than it should've been. ref; https://github.com/matthewpi/vscode-caddyfile-support/issues/13 * run gofmt * fmt: better way of handling edge case
2021-05-07httpcaddyfile: Add `grace_period` global option (#4152)Francis Lavoie
See https://caddyserver.com/docs/json/apps/http/#grace_period
2021-05-02reverseproxy: Add `handle_response` blocks to `reverse_proxy` (#3710) (#4021)Francis Lavoie
* reverseproxy: Add `handle_response` blocks to `reverse_proxy` (#3710) * reverseproxy: complete handle_response test * reverseproxy: Change handle_response matchers to use named matchers reverseproxy: Add support for changing status code * fastcgi: Remove obsolete TODO We already have d.Err("transport already specified") in the reverse_proxy parsing code which covers this case * reverseproxy: Fix support for "4xx" type status codes * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * caddyhttp: Reorganize response matchers * reverseproxy: Reintroduce caddyfile.Unmarshaler * reverseproxy: Add comment mentioning Finalize should be called Co-authored-by: Maxime Soulé <btik-git@scoubidou.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2021-05-02httpcaddyfile: Add `auto_https ignore_loaded_certs` (#4077)Francis Lavoie
2021-05-02httpcaddyfile: Add global option for `storage_clean_interval` (#4134)Francis Lavoie
Followup to https://github.com/caddyserver/caddy/commit/42b7134ffa3bf3e9e86514c82407979c2627a5ab
2021-04-29httpcaddyfile: Fix unexpectedly removed policy (#4128)Alban Lecocq
* httpcaddyfile: Fix unexpectedly removed policy When user set on_demand tls option in a catch-all (:443) policy, we expect other policies to not have the on_demand enabled See ex in tls_automation_policies_5.txt Btw, we can remove policies if they are **all** empty. * Update caddyconfig/httpcaddyfile/tlsapp.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>