summaryrefslogtreecommitdiff
path: root/caddyconfig
AgeCommit message (Collapse)Author
2020-10-28httpcaddyfile: Revise automation policy generation (#3824)Matt Holt
* httpcaddyfile: Revise automation policy generation This should fix a frustrating edge case where wildcard subjects are used, which potentially get shadowed by more specific versions of themselves; see the new tests for an example. This change is motivated by an actual customer requirement. Although all the tests pass, this logic is incredibly complex and nuanced, and I'm worried it is not correct. But it took me about 4 days to get this far on a solution. I did my best. * Fix typo
2020-10-22httpcaddyfile: Improve AP logic with OnDemandMatthew Holt
We have users that have site blocks like *.*.tld with on-demand TLS enabled. While *.*.tld does not qualify for a publicly-trusted cert due to its wildcards, On-Demand TLS does not actually obtain a cert with those wildcards, since it uses the actual hostname on the handshake. This improves on that logic, but I am still not 100% satisfied with the result since I think we need to also check if another site block is more specific, like foo.example.tld, which might not have on-demand TLS enabled, and make sure an automation policy gets created before the more general policy with on-demand...
2020-10-02map: Reimplement; multiple outputs; optimizeMatthew Holt
2020-09-22httpcaddyfile: Fix panic when parsing route with matchers (#3746)Francis Lavoie
Fixes #3745
2020-09-21httpcaddyfile: Disallow args on route/handle directive family (#3740)Francis Lavoie
2020-09-17metrics: Initial integration of Prometheus metrics (#3709)Dave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-16httpcaddyfile: Ensure handle_path is sorted equally to handle (#3676)Francis Lavoie
* httpcaddyfile: Ensure handle_path is sorted as equal to handle * httpcaddyfile: Make mutual exclusivity grouping deterministic (I hope) * httpcaddyfile: Add comment linking to the issue being fixed * httpcaddyfile: Typo fix, comment clarity Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update caddyconfig/httpcaddyfile/httptype.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-09-11httpcaddyfile: Properly record whether we added catch-all conn policyMatthew Holt
We recently introduced `if !cp.SettingsEmpty()` which conditionally adds the connection policy to the list. If the condition evaluates to false, the policy wouldn't actually be added, even if hasCatchAllTLSConnPolicy was set to true on the previous line. Now we set that variable in accordance with whether we actually add the policy. While debugging this I noticed that catch-all policies added early in that loop (i.e. not at the end if we later determine we need one) are not always at the end of the list. They should be, though, since they are selected by which one matches first, and having a catch-all first would nullify any more specific ones later in the list. So I added a sort in consolidateConnPolicies to take care of that. Should fix #3670 and https://caddy.community/t/combining-on-demand-tls-with-custom-ssl-certs-doesnt-seem-to-work-in-2-1-1/9719 but I won't know for sure until somebody verifies it, since at least in the GitHub issue there is not yet enough information (the configs are redacted).
2020-08-17httpcaddyfile: Improve directive sorting logic (#3658)Francis Lavoie
* httpcaddyfile: Flip `root` directive sort order * httpcaddyfile: Sort directives with any matcher before those with none * httpcaddyfile: Generalize reverse sort directives, improve logic * httpcaddyfile: Fix "spelling" issue * httpcaddyfile: Turns out the second change precludes the first httpcaddyfile: Delete test that no longer makes sense * httpcaddyfile: Shorten logic Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-08-11Update comment and Caddy 1 EOLMatthew Holt
2020-08-11caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633)Matt Holt
* caddytls: Add support for ZeroSSL; add Caddyfile support for issuers Configuring issuers explicitly in a Caddyfile is not easily compatible with existing ACME-specific parameters such as email or acme_ca which infer the kind of issuer it creates (this is complicated now because the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit that later if we need to. New Caddyfile global option: { cert_issuer <name> ... } Or, alternatively, as a tls subdirective: tls { issuer <name> ... } For example, to use ZeroSSL with an API key: { cert_issuser zerossl API_KEY } For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB credentials for you. You can also provide the EAB credentials directly just like any other ACME endpoint: { cert_issuer acme { eab KEY_ID MAC_KEY } } All these examples use the new global option (or tls subdirective). You can still use traditional/existing options with ZeroSSL, since it's just another ACME endpoint: { acme_ca https://acme.zerossl.com/v2/DV90 acme_eab KEY_ID MAC_KEY } That's all there is to it. You just can't mix-and-match acme_* options with cert_issuer, because it becomes confusing/ambiguous/complicated to merge the settings. * Fix broken test This test was asserting buggy behavior, oops - glad this branch both discovers and fixes the bug at the same time! * Fix broken test (post-merge) * Update modules/caddytls/acmeissuer.go Fix godoc comment Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Add support for ZeroSSL's EAB-by-email endpoint Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to generate EAB if not already provided); this is now possible with either an API key or an email address. * go.mod: Use latest certmagic, acmez, and x/net * Wrap underlying logic rather than repeating it Oops, duh * Form-encode email info into request body for EAB endpoint Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-08-06httpcaddyfile: Avoid repeated subjects in APs (fix #3618)Matthew Holt
When consolidating automation policies, ensure same subject names do not get appended to list.
2020-08-05httpcaddyfile: Allow named matchers in `route` blocks (#3632)Francis Lavoie
2020-08-03httpcaddyfile: Bring `enforce_origin` and `origins` to admin config (#3595)Ye Zhihao
* Bring `ensure_origin` and `origins` to caddyfile admin config * Add unit test for caddyfile admin config update * Add caddyfile adapt test for typical admin setup * httpcaddyfile: Replace admin config error message when there's more arguments than needed Replace d.Err() to d.ArgErr() since the latter provides similarly informative error message Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-07-30caddytls: Replace lego with acmez (#3621)Matt Holt
* Replace lego with acmez; upgrade CertMagic * Update integration test
2020-07-20caddyfile: Export Tokenize function for lexing (#3549)Francis Lavoie
2020-07-20push: Implement HTTP/2 server push (#3573)Matt Holt
* push: Implement HTTP/2 server push (close #3551) * push: Abstract header ops by embedding into new struct type This will allow us to add more fields to customize headers in push-specific ways in the future. * push: Ensure Link resources are pushed before response is written * Change header name from X-Caddy-Push to Caddy-Push
2020-07-07httpcaddyfile: Reorder automation policy logic (close #3550)Matthew Holt
2020-06-26caddyhttp: Add 'map' handler (#3199)Mark Sargent
* inital map implementation * resolve the value during middleware execution * use regex instead * pr feedback * renamed mmap to maphandler * refactored GetString implementation * fixed mispelling * additional feedback
2020-06-16httpcaddyfile: Fix ordering of catch-all site blocksMatthew Holt
Catch-alls should always go last. Normally this is the case, but we have a special case for comparing one wildcard-host site block to another non-wildcard host site block; and a catch-all site block is also a non-wildcard host site block, so now we have to special-case the catch-all site block. Sigh. This could be reproduced with a Caddyfile that has two site blocks: ":80" and "*.example.com", in that order.
2020-06-12httpcaddyfile: New `acme_eab` option (#3492)Chris Ortman
* Adds global options for external account bindings * Maybe other people use ctags too? * Use nested block to configure external account * go format files * Restore acme_ca directive in test file * Change Caddyfile config syntax for acme_eab * Update test Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-06-05httpcaddyfile: Add client_auth options to tls directive (#3335)NWHirschfeld
* reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-06-03caddypki: Add 'acme_server' Caddyfile directiveMatthew Holt
2020-06-03httpcaddyfile: Sort site blocks with wildcards last (fix #3410)Matthew Holt
2020-06-01caddyfile: Add args on imports (#3423)Francis Lavoie
* caddyfile: Add support for args on imports * caddyfile: Add more import args tests
2020-06-01httpcaddyfile: Let modules add listener wrappers (#3397)Georges Haidar
* httpcaddyfile: allow modules to customize listener wrappers * Update caddyconfig/httpcaddyfile/httptype.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update caddyconfig/httpcaddyfile/httptype.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update caddyconfig/httpcaddyfile/httptype.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update caddyconfig/httpcaddyfile/httptype.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-05-29caddyconfig: Minor internal and godoc tweaksMatthew Holt
2020-05-27chore: Fix typo in dispenser.go (#3456)Francis Lavoie
2020-05-26httpcaddyfile: New `handle_path` directive (#3281)Francis Lavoie
* caddyconfig: WIP implementation of handle_path * caddyconfig: Complete the implementation - h.NewRoute was key * caddyconfig: Add handle_path integration test * caddyhttp: Use the path matcher as-is, strip the trailing *, update test
2020-05-26caddyfile: Move NewTestDispenser into non-test file (#3439)Francis Lavoie
2020-05-20httpcaddyfile: Improve error on matcher declared outside site block (#3431)Francis Lavoie
2020-05-19httpcaddyfile: Add `auto_https` global option (#3284)Francis Lavoie
2020-05-15httpcaddyfile: Be stricter about `log` syntax (#3419)Francis Lavoie
2020-05-11httpcaddyfile: Shorthands for parameterized placeholders (#3305)Francis Lavoie
* httpcaddyfile: Add shorthands for parameterized placeholders httpcaddyfile: Now with regexp instead httpcaddyfile: Allow dashes, gofmt httpcaddyfile: Compile regexp only once httpcaddyfile: Cleanup struct httpcaddyfile: Optimize the replacers, pull out of the loop httpcaddyfile: Add `{port}` shorthand * httpcaddyfile: Switch `r.` to `re.`
2020-05-11core: Add support for `d` duration unit (#3323)Francis Lavoie
* caddy: Add support for `d` duration unit * Improvements to ParseDuration; add unit tests Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-05-11httpcaddyfile: Make global options pluggable (#3265)Francis Lavoie
* httpcaddyfile: Make global options pluggable * httpcaddyfile: Add a global options adapt test * httpcaddyfile: Wrap err Co-Authored-By: Dave Henderson <dhenderson@gmail.com> * httpcaddyfile: Revert wrap err Co-authored-by: Dave Henderson <dhenderson@gmail.com>
2020-05-06httpcaddyfile: Fix route ordering bugMatthew Holt
https://caddy.community/t/cant-get-simple-alias-to-work/7911/8?u=matt This removes an optimization where we amortized path matcher decoding. The decoded matchers were index by... position... which obviously changes during sorting. Duh. Anyway, sorting is sliiightly slower now but the Caddyfile is not really CPU-sensitive, so this is fine.
2020-05-05httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319)Matt Holt
This can lead to nicer, smaller JSON output for Caddyfiles like this: a { tls internal } b { tls foo@bar.com } i.e. where the tls directive only configures automation policies, and is merely meant to enable TLS on a server block (if it wasn't implied). This helps keeps implicit config implicit. Needs a little more testing to ensure it doesn't break anything important.
2020-05-05caddyconfig: Don't start comments in middle of tokens (#3267)Francis Lavoie
* caddyconfig: Only parse # as start of comment if preceded by space * caddyconfig: Simplify # logic using len(val), add a test
2020-05-05httpcaddyfile: Support single-line matchers (#3263)Francis Lavoie
* httpcaddyfile: Support single-line matchers * httpcaddyfile: Add single-line matcher test * httpcaddyfile: Add a matcher syntax adapt test
2020-05-05caddyfile: Support backticks as quotes (closes #2591) (#3242)Matt Holt
2020-05-02caddytls: Finish upgrading to libdns DNS providers for ACME challengesMatthew Holt
Until we finish the migration to the new acme library, we have to bring the solver type in-house. It's small and temporary.
2020-05-02caddytls: Fix namespace tls.dns -> dns.providersMatthew Holt
Coulda sworn I did this already but I think I messed up my git commands
2020-05-01httpcaddyfile: Update tls parsing for DNS providersMatthew Holt
2020-05-01httpcaddyfile: Minor fixes to parsing storage optionsMatthew Holt
2020-04-30caddytls: Adjust DNS challenge structure; clarify some docsMatthew Holt
2020-04-28caddyhttp: General improvements to access logging (#3301)Matt Holt
* httpcaddyfile: Exclude access logs written to files from default log Even though any logs can just be ignored, most users don't seem to like configuring an access log to go to a file only to have it doubly appear in the default log. Related to: - #3294 - https://caddy.community/t/v2-logging-format/7642/4?u=matt - https://caddy.community/t/caddyfile-questions/7651/3?u=matt * caddyhttp: General improvements to access log controls (fixes #3310) * caddyhttp: Move log config nil check higher * Rename LoggerName -> DefaultLoggerName
2020-04-24httpcaddyfile: Add nil check to prevent panic, fix validation logicMatthew Holt
Panic would happen if an automation policy was specified in a singular server block that had no hostnames in its address. Definitely an edge case. Fixed a bug related to checking for server blocks with a host-less key that tried to make an automation policy. Previously if you had only two server blocks like ":443" and another one at ":80", the one at ":443" could not create a TLS automation policy because it thought it would interfere with TLS automation for the block at ":80", but obviously that key doesn't enable TLS because it is on the HTTP port. So now we are a little smarter and count only non-HTTP-empty-hostname keys. Also fixed a bug so that a key like "https://:1234" is sure to have TLS enabled by giving it a TLS connection policy. (Relaxed conditions slightly; the previous conditions were too strict, requiring there to be a TLS conn policy already or a default SNI to be non-empty.) Also clarified a comment thanks to feedback from @Mohammed90
2020-04-22httpcaddyfile: Why was this code repeated??Matthew Holt
2020-04-20ci: fuzz: remove the fuzzer of the Caddyfile parser (#3288)Mohammed Al Sahaf