summaryrefslogtreecommitdiff
path: root/caddyconfig
AgeCommit message (Collapse)Author
2021-06-25httpcaddyfile: Don't put localhost in public APs (fix #4220)Matthew Holt
If an email is specified in global options, a site called 'localhost' shouldn't be bunched together with public DNS names in the automation policies, which get the default, public-CA issuers. Fix old test that did this. I also noticed that these two: localhost { } example.com { } and localhost, example.com { } produce slightly different TLS automation policies. The former is what the new test case covers, and we have logic that removes the empty automation policy for localhost so that auto-HTTPS can implicitly create one. (We prefer that whenever possible.) But the latter case produces two automation policies, with the second one being for localhost, with an explicit internal issuer. It's not wrong, just more explicit than it needs to be. I'd really like to completely rewrite the code from scratch that generates automation policies, hopefully there is a simpler, more correct algorithm.
2021-06-09httpcaddyfile: Don't add HTTP hosts to TLS APs (fix #4176 and fix #4198)Matthew Holt
In the Caddyfile, hosts specified for HTTP sockets (either scheme is "http" or it is on the HTTP port) should not be used as subjects in TLS automation policies (APs).
2021-06-08httpcaddyfile: Add `preferred_chains` global option and issuer subdirective ↵Klooven
(#4192) * Added preferred_chains option to Caddyfile * Caddyfile adapt tests for preferred_chains
2021-06-07httpcaddyfile: Add `skip_install_trust` global option (#4153)Francis Lavoie
Fixes https://github.com/caddyserver/caddy/issues/4002
2021-05-12caddyfile: Add parse error on site address with trailing `{` (#4163)Francis Lavoie
* caddyfile: Add parse error on site address in `{` This is an incredibly common mistake made by users, so we should catch it earlier in the parser and give a more friendly message. Often it ends up adapting but with mistakes, or erroring out later due to other site addresses being read as directives. There's not really ever a situation where a lone '{' is valid at the end of a site address (but I suppose there are edgecases where the user wants to use a path matcher where it ends specifically in `{`, but... why?), so this should be fine. * Update caddyconfig/caddyfile/parse.go
2021-05-11httpcaddyfile: Fix automation policy consolidation again (fix #4161)Matthew Holt
Also fix a previous test that asserted incorrect behavior.
2021-05-10caddyfile: Fix `caddy fmt` nesting not decrementing (#4157)Matthew Penner
* caddyfile(formatter): fix nesting not decrementing This is an extremely weird edge-case where if you had a environment variable {} on one line, a comment on the next line, and the closing of the block on the following line; the rest of the Caddyfile would be indented further than it should've been. ref; https://github.com/matthewpi/vscode-caddyfile-support/issues/13 * run gofmt * fmt: better way of handling edge case
2021-05-07httpcaddyfile: Add `grace_period` global option (#4152)Francis Lavoie
See https://caddyserver.com/docs/json/apps/http/#grace_period
2021-05-02reverseproxy: Add `handle_response` blocks to `reverse_proxy` (#3710) (#4021)Francis Lavoie
* reverseproxy: Add `handle_response` blocks to `reverse_proxy` (#3710) * reverseproxy: complete handle_response test * reverseproxy: Change handle_response matchers to use named matchers reverseproxy: Add support for changing status code * fastcgi: Remove obsolete TODO We already have d.Err("transport already specified") in the reverse_proxy parsing code which covers this case * reverseproxy: Fix support for "4xx" type status codes * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * caddyhttp: Reorganize response matchers * reverseproxy: Reintroduce caddyfile.Unmarshaler * reverseproxy: Add comment mentioning Finalize should be called Co-authored-by: Maxime Soulé <btik-git@scoubidou.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2021-05-02httpcaddyfile: Add `auto_https ignore_loaded_certs` (#4077)Francis Lavoie
2021-05-02httpcaddyfile: Add global option for `storage_clean_interval` (#4134)Francis Lavoie
Followup to https://github.com/caddyserver/caddy/commit/42b7134ffa3bf3e9e86514c82407979c2627a5ab
2021-04-29httpcaddyfile: Fix unexpectedly removed policy (#4128)Alban Lecocq
* httpcaddyfile: Fix unexpectedly removed policy When user set on_demand tls option in a catch-all (:443) policy, we expect other policies to not have the on_demand enabled See ex in tls_automation_policies_5.txt Btw, we can remove policies if they are **all** empty. * Update caddyconfig/httpcaddyfile/tlsapp.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2021-04-22caddyfile: Fix `import` replacing unrelated placeholders (#4129)Francis Lavoie
* caddyfile: Fix `import` replacing unrelated placeholders See https://caddy.community/t/snippet-issue-works-outside-snippet/12231 So it turns out that `NewReplacer()` gives a replacer with some global defaults (like `{env.*}` and some system and time placeholders), which is not ideal when running `import` because we just want to replace `{args.*}` only, and nothing else. * caddyfile: Add test
2021-04-16httpcaddyfile: Take into account host scheme/port (fix #4113)Matthew Holt
2021-04-15fuzz: fix the FuzzFormat comparison (#4117)Mohammed Al Sahaf
2021-04-09caddyfile: reject cyclic imports (#4022)Mohammed Al Sahaf
* caddyfile: reject recursive self-imports * caddyfile: detect and reject cyclic imports of snippets and files * caddyfile: do not be stickler about connected nodes not being connected already * caddyfile: include missing test artifacts of cyclic imports * address review comments
2021-04-08ci: fuzz: add 4 more fuzzing targets (#4105)Mohammed Al Sahaf
2021-04-02httpcaddyfile: Fix panic in automation policy consolidation (#4104)Francis Lavoie
* httpcaddyfile: Add reproduce test * httpcaddyfile: Don't allow `i` to go below zero
2021-04-02caddyfile: Normalize line endings before comparing fmt result (#4103)Francis Lavoie
2021-03-12httpcaddyfile: Add `error` directive for the existing handler (#4034)Francis Lavoie
* httpcaddyfile: Add `error` directive for the existing handler * httpcaddyfile: Move `error` to the end of the order
2021-03-12caddyconfig: add global option for configuring loggers (#4028)Aaron Taylor
This change is aimed at enhancing the logging module within the Caddyfile directive to allow users to configure logs other than the HTTP access log stream, which is the current capability of the Caddyfile [1]. The intent here is to leverage the same syntax as the server log directive at a global level, so that similar customizations can be added without needing to resort to a JSON-based configuration. Discussion for this approach happened in the referenced issue. Closes https://github.com/caddyserver/caddy/issues/3958 [1] https://caddyserver.com/docs/caddyfile/directives/log
2021-02-22httpcaddyfile: Fix catch-all site block sortingMatthew Holt
A site block that has a catch-all and the shortest address is now sorted better. https://caddy.community/t/caddy-suddenly-directs-my-site-to-the-wrong-directive/11597/2
2021-02-15httpcaddyfile: Configure other apps from global options (#3990)Francis Lavoie
2021-02-08httpcaddyfile: Fix automation policiesMatthew Holt
Fixes a bug introduced in #3862
2021-02-02httpcaddyfile: Add resolvers subdir of tls (close #4008)Matthew Holt
Allows conveniently setting the resolvers for the DNS challenge using a TLS subdirective, which applies to default issuers, rather than having to explicitly define the issuers and overwrite the defaults.
2021-02-02acmeserver: Support custom CAs from CaddyfileMatthew Holt
The HTTP Caddyfile adapter can now configure the PKI app, and the acme_server directive can now be used to specify a custom CA used for issuing certificates. More customization options can follow later as needed.
2021-02-02httpcaddyfile: Fix default issuers when email providedMatthew Holt
If `tls <email>` is used, we should apply that to all applicable default issuers, not drop them. This refactoring applies implicit ACME issuer settings from the tls directive to all default ACME issuers, like ZeroSSL. We also consolidate some annoying logic and improve config validity checks. Ref: https://caddy.community/t/error-obtaining-certificate-after-caddy-restart/11335/8
2021-02-01httpcaddyfile: Warn if site address uses unspecified IP (close #4004)Matthew Holt
2021-02-01httpcaddyfile: Sort catch-all site blocks properly (fix #4003)Matthew Holt
2021-01-28caddyhttp: Fix redir html status code, improve flow (#3987)Tyler Kropp
* Fix html redir code, improve flow * Fix integer check error and add tests
2021-01-28caddyhttp: Implement handler abort; new 'abort' directive (close #3871) (#3983)Matt Holt
* caddyhttp: Implement handler abort; new 'abort' directive (close #3871) * Move abort directive ordering; clean up redirects Seems logical for the end-all of handlers to go at the... end. The Connection header no longer needs to be set there, since Close is true, and the static_response handler now does that.
2021-01-27admin: Identity management, remote admin, config loaders (#3994)Matt Holt
This commits dds 3 separate, but very related features: 1. Automated server identity management How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it). Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs. This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below). 2. Remote administration over secure connection This feature adds generic remote admin functionality that is safe to expose on a public interface. - The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint. - It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS. - TLS cannot be disabled on this endpoint. - TLS mutual auth is required, and cannot be disabled. - The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded. - The TLS server takes care of verifying the client. - The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\ - Sensible defaults are still WIP. - Config fields subject to change/renaming. 3. Dyanmic config loading at startup Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR. Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense). This PR comes with a standard config loader module called `caddy.config_loaders.http`. Caddyfile config for all of this can probably be added later. COMMITS: * admin: Secure socket for remote management Functional, but still WIP. Optional secure socket for the admin endpoint is designed for remote management, i.e. to be exposed on a public port. It enforces TLS mutual authentication which cannot be disabled. The default port for this is :2021. The server certificate cannot be specified manually, it MUST be obtained from a certificate issuer (i.e. ACME). More polish and sensible defaults are still in development. Also cleaned up and consolidated the code related to quitting the process. * Happy lint * Implement dynamic config loading; HTTP config loader module This allows Caddy to load a dynamic config when it starts. Dynamically-loaded configs are intentionally not persisted to storage. Includes an implementation of the standard config loader, HTTPLoader. Can be used to download configs over HTTP(S). * Refactor and cleanup; prevent recursive config pulls Identity management is now separated from remote administration. There is no need to enable remote administration if all you want is identity management, but you will need to configure identity management if you want remote administration. * Fix lint warnings * Rename identities->identifiers for consistency
2021-01-19caddytest: Update Caddyfile tests for formatting, HTTP-only blocksMatthew Holt
Previous commit improved the Caddyfile adapter so it doesn't unnecessarily add names to "skip" in "auto_https" when the server is already HTTP-only. This commit updates the tests to reflect that change, while also fixing the Caddyfile formatting in many of the tests. We also print the line number of the divergence between input and formatted version in Caddyfile adapt warnings - very useful for finding initial formatting problems.
2021-01-19httpcaddyfile: Skip TLS APs for HTTP-only hosts (fix #3977)Matthew Holt
This is probably an invasive change, but existing tests continue to pass. It seems to make sense this way. There is likely an edge case I haven't considered.
2021-01-07caddytls: Configurable OCSP stapling; global option (closes #3714)Matthew Holt
Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
2021-01-07httpcaddyfile: Support repeated use of cert_issuer global optionMatthew Holt
This changes the signature of UnmarshalGlobalFunc but this is probably OK since it's only used by this repo as far as we know. We need this change in order to "remember" the previous value in case a global option appears more than once, which is now a possibility with the cert_issuer option since Caddy now supports multiple issuers in the order defined by the user. Bonus: the issuer subdirective of tls now supports one-liner for "acme" when all you need to set is the directory: issuer acme <dir>
2021-01-06caddytls: add 'key_type' subdirective (#3956)Jordi Masip
* caddytls: add 'key_type' subdirective * Suggested change * *string -> string * test
2021-01-05caddyfile: Refactor unmarshaling of module tokensMatthew Holt
Eliminates a fair amount of repeated code
2021-01-04httpcaddyfile: Adjust iterator when removing AP (fix #3953)Matthew Holt
2021-01-04caddyfile: Introduce basic linting and fmt check (#3923)Matt Holt
* caddyfile: Introduce basic linting and fmt check This will help encourage people to keep their Caddyfiles tidy. * Remove unrelated tests I am not sure that testing the output of warnings here is quite the right idea; these tests are just for syntax and parsing success.
2020-12-16caddyfile: Fix minor bug in formatterMatthew Holt
2020-12-07httpcaddyfile: Decrement counter when removing conn policy (fix #3906)Matthew Holt
2020-11-24httpcaddyfile: Proper log config with catch-all blocks (fix #3878)Matthew Holt
2020-11-23caddyfile: Add support for env var defaults; add tests (#3682)Francis Lavoie
* caddyfile: Add support for env var defaults, tests * caddyfile: Use ?? instead, fix redundant cast, remove env chaining * caddyfile: Use : instead
2020-11-23httpcaddyfile: Configure servers via global options (#3836)Francis Lavoie
* httpcaddyfile: First pass at implementing server options * httpcaddyfile: Add listener wrapper support * httpcaddyfile: Sort sbaddrs to make adapt output more deterministic * httpcaddyfile: Add server options adapt tests * httpcaddyfile: Windows line endings lol * caddytest: More windows line endings lol (sorry Matt) * Update caddyconfig/httpcaddyfile/serveroptions.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * httpcaddyfile: Reword listener address "matcher" * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * httpcaddyfile: Deprecate experimental_http3 option (moved to servers) * httpcaddyfile: Remove validation step, no longer needed Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-11-22ci: Use golangci's github action for linting (#3794)Dave Henderson
* ci: Use golangci's github action for linting Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix most of the staticcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the prealloc lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the misspell lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the varcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the errcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the bodyclose lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the deadcode lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the unused lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the gosec lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the gosimple lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the ineffassign lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the staticcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Revert the misspell change, use a neutral English Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Remove broken golangci-lint CI job Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Re-add errantly-removed weakrand initialization Signed-off-by: Dave Henderson <dhenderson@gmail.com> * don't break the loop and return * Removing extra handling for null rootKey * unignore RegisterModule/RegisterAdapter Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> * single-line log message Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Revert ticker change, ignore it instead Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Ignore some of the write errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Remove blank line Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Use lifetime Signed-off-by: Dave Henderson <dhenderson@gmail.com> * close immediately Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Preallocate configVals Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Update modules/caddytls/distributedstek/distributedstek.go Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-11-20headers: Support default header values in Caddyfile with '?' (#3807)Gilbert Gilb's
* implement default values for header directive closes #3804 * remove `set_default` header op and rely on "require" handler instead This has the following advantages over the previous attempt: - It does not introduce a new operation for headers, but rather nicely extends over an existing feature in the header handler. - It removes the need to specify the header as "deferred" because it is already implicitely deferred by the use of the require handler. This should be less confusing to the user. * add integration test for header directive in caddyfile * bubble up errors when parsing caddyfile header directive * don't export unnecessarily and don't canonicalize headers unnecessarily * fix response headers not passed in blocks * caddyfile: fix clash when using default header in block Each header is now set in a separate handler so that it doesn't clash with other headers set/added/deleted in the same block. * caddyhttp: New idle_timeout default of 5m * reverseproxy: fix random hangs on http/2 requests with server push (#3875) see https://github.com/golang/go/issues/42534 * Refactor and cleanup with improvements * More specific link Co-authored-by: Matthew Holt <mholt@users.noreply.github.com> Co-authored-by: Денис Телюх <telyukh.denis@gmail.com>
2020-11-16requestbody: Add Caddyfile support (#3859)Nicola Piccinini
* Add Caddyfile support for request_body: ``` request_body { max_size 10000000 } ``` * Improve Caddyfile parser for request_body module * Remove unnecessary `continue` * Add sample for caddyfile_adapt_test
2020-11-16caddytls: Support multiple issuers (#3862)Matt Holt
* caddytls: Support multiple issuers Defaults are Let's Encrypt and ZeroSSL. There are probably bugs. * Commit updated integration tests, d'oh * Update go.mod
2020-11-04httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)Gaurav Dhameeja
Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com>