Age | Commit message (Collapse) | Author |
|
The remote_ip matcher was reading the X-Forwarded-For header by default, but this behavior was not documented in anything that was released. This is also a less secure default, as it is trivially easy to spoof request headers. Reading IPs from that header should be optional, and it should not be the default.
This is technically a breaking change, but anyone relying on the undocumented behavior was just doing so by coincidence/luck up to this point since it was never in any released documentation. We'll still add a mention in the release notes about this.
|
|
Refactor redirect route creation into own function.
Improve condition for appending port.
Fixes a bug manifested through new test case:
TestAutoHTTPRedirectsWithHTTPListenerFirstInAddresses
|
|
https://caddy.community/t/remote-ip-behaviour/10762?u=matt
|
|
* add integration test for null header matcher
* implement null header matcher syntax
* avoid repeating magic !
* check for field following ! character
|
|
* fastcgi: Set PATH_INFO to file matcher remainder as fallback
* fastcgi: Avoid changing scriptName when not necessary
* Stylistic tweaks
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
|
|
|
|
|
|
|
|
The docs at os/signal.Notify warn about this signal delivery loss bug at
https://golang.org/pkg/os/signal/#Notify, which says:
Package signal will not block sending to c: the caller must ensure
that c has sufficient buffer space to keep up with the expected signal
rate. For a channel used for notification of just one signal value,
a buffer of size 1 is sufficient.
Caught by a static analysis tool from Orijtech, Inc. called "sigchanyzer"
|
|
|
|
|
|
|
|
* fix(caddy): Avoid "operation was canceled" errors
- Also add error handling for StatusGatewayTimeout
* revert(caddy): Revert 504 handling
- This will potentially break load balancing and health checks
* Handle client cancellation as different error
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
|
|
|
|
* httpcaddyfile: First pass at implementing server options
* httpcaddyfile: Add listener wrapper support
* httpcaddyfile: Sort sbaddrs to make adapt output more deterministic
* httpcaddyfile: Add server options adapt tests
* httpcaddyfile: Windows line endings lol
* caddytest: More windows line endings lol (sorry Matt)
* Update caddyconfig/httpcaddyfile/serveroptions.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* httpcaddyfile: Reword listener address "matcher"
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* httpcaddyfile: Deprecate experimental_http3 option (moved to servers)
* httpcaddyfile: Remove validation step, no longer needed
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
* reverseproxy: Add Caddyfile scheme shorthand for h2c
* reverseproxy: Use parentheses for condition
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
* ci: Use golangci's github action for linting
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix most of the staticcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the prealloc lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the misspell lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the varcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the errcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the bodyclose lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the deadcode lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the unused lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the gosec lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the gosimple lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the ineffassign lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Fix the staticcheck lint errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Revert the misspell change, use a neutral English
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Remove broken golangci-lint CI job
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Re-add errantly-removed weakrand initialization
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* don't break the loop and return
* Removing extra handling for null rootKey
* unignore RegisterModule/RegisterAdapter
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* single-line log message
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Revert ticker change, ignore it instead
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Ignore some of the write errors
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Remove blank line
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Use lifetime
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* close immediately
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Preallocate configVals
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Update modules/caddytls/distributedstek/distributedstek.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
* reverseproxy: Enable error logging for connection upgrades
* reverseproxy: Change some of the error levels, unsugar
* Use unsugared log in one spot
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
|
|
* add CookieHashSelection for session affinity
* add CookieHashSelection for session affinity
* register module
* reverse_proxy: Add and fix cookie lb_policy
* reverse_proxy: Manage hmac.write error on cookie hash selection
* reverse_proxy: fix some comments
* reverse_proxy: variable `cookieValue` is inside the else block
* reverse_proxy: Abstract duplicate nuanced logic of reservoir sampling into a function
* reverse_proxy: Set a default secret is indeed useless
* reverse_proxy: add configuration syntax for cookie lb_policy
* reverse_proxy: doc typo and improvement
Co-authored-by: utick <123liuqingdong@163.com>
|
|
* implement default values for header directive
closes #3804
* remove `set_default` header op and rely on "require" handler instead
This has the following advantages over the previous attempt:
- It does not introduce a new operation for headers, but rather nicely
extends over an existing feature in the header handler.
- It removes the need to specify the header as "deferred" because it is
already implicitely deferred by the use of the require handler. This
should be less confusing to the user.
* add integration test for header directive in caddyfile
* bubble up errors when parsing caddyfile header directive
* don't export unnecessarily and don't canonicalize headers unnecessarily
* fix response headers not passed in blocks
* caddyfile: fix clash when using default header in block
Each header is now set in a separate handler so that it doesn't clash
with other headers set/added/deleted in the same block.
* caddyhttp: New idle_timeout default of 5m
* reverseproxy: fix random hangs on http/2 requests with server push (#3875)
see https://github.com/golang/go/issues/42534
* Refactor and cleanup with improvements
* More specific link
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
Co-authored-by: Денис Телюх <telyukh.denis@gmail.com>
|
|
Before, if there was an error in the error handler, we would not write a
status code, which resulted in Go writing a 200 for us by default, which
does not make sense when there's an error. Now we write the second
error's status if available, otherwise 500.
|
|
|
|
Uncovered in #3807
|
|
|
|
* Add Caddyfile support for request_body:
```
request_body {
max_size 10000000
}
```
* Improve Caddyfile parser for request_body module
* Remove unnecessary `continue`
* Add sample for caddyfile_adapt_test
|
|
* caddytls: Support multiple issuers
Defaults are Let's Encrypt and ZeroSSL.
There are probably bugs.
* Commit updated integration tests, d'oh
* Update go.mod
|
|
* nitpicks and small improvements in basicauth module
1:
roll two if statements into one, since err will be nil in the second case anyhow
2:
unlock cache mutex after reading the key, as this happens by-value and reduces code complexity
3:
switch cache sync.Mutex to sync.RWMutex for better concurrency on cache fast track
* allocate the right kind of mutex
|
|
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
|
|
Also, turns out that `Add` on headers will work even if there's nothing there yet, so we can remove the condition I introduced in #3832
|
|
* fastcgi: Add timeouts support to Caddyfile adapter
* fastcgi: Use tabs instead of spaces
|
|
|
|
* fileserver: Improve and clarify file hiding logic
* Oops, forgot to run integration tests
* Make this one integration test OS-agnostic
* See if this appeases the Windows gods
* D'oh
|
|
Always follow the code path of hashing and comparing a plaintext
password even if the account is not found by the given username; this
ensures that similar CPU cycles are spent for both valid and invalid
usernames.
Thanks to @tylerlm for helping and looking into this!
|
|
|
|
|
|
* check if the host is a placeholder
* Update modules/caddyhttp/reverseproxy/caddyfile.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
* caddyhttp: Restore original request params before error handlers
Fixes #3717
* Add comment
|
|
* reverseproxy: Fix dial placeholders, SRV, active health checks
Supercedes #3776
Partially reverts or updates #3756, #3693, and #3695
* reverseproxy: add integration tests
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
|
|
|
|
|
|
|
|
* reverseproxy: fix breakage in handling SRV lookup introduced by 3695
* reverseproxy: validate against incompatible config options with lookup_srv
* reverseproxy: add integration test cases for validations involving lookup_srv
* reverseproxy: clarify the reason for skipping an iteration
* grammar.. Oxford comma
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Fixes #3753
|
|
Fixes #3763
|
|
* reverseproxy: default to port 80 for port-less upstream dial addresses
* reverseproxy: replace integration test with an adapter test
Fixes #3761
|
|
Without this change, a Content-Type header like "text/event-stream;charset=utf-8"
would not trigger the immediate flushing.
Fixes #3765
|
|
* caddyfile: support vars and vars_regexp matchers in the caddyfile
* caddyfile: matchers: Brian Kernighan said printf is good debugging tool but didn't say keep them around
|
|
* metrics: Always track method label in uppercase
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Just use strings.ToUpper for clarity
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
|
|
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
|
|
* metrics: Fixing panic while observing with bad exemplars
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Minor cleanup
The server is already added to the context. So, we can simply use that
to get the server name, which is a field on the server.
* Add integration test for auto HTTP->HTTPS redirects
A test like this would have caught the problem in the first place
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
|
|
For some reason this breaks automatic HTTP->HTTPS redirects. I am not
sure why yet, but as a hotfix remove this until we understand it better.
|