summaryrefslogtreecommitdiff
path: root/modules/caddyhttp
AgeCommit message (Collapse)Author
2020-11-22ci: Use golangci's github action for linting (#3794)Dave Henderson
* ci: Use golangci's github action for linting Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix most of the staticcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the prealloc lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the misspell lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the varcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the errcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the bodyclose lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the deadcode lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the unused lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the gosec lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the gosimple lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the ineffassign lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the staticcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Revert the misspell change, use a neutral English Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Remove broken golangci-lint CI job Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Re-add errantly-removed weakrand initialization Signed-off-by: Dave Henderson <dhenderson@gmail.com> * don't break the loop and return * Removing extra handling for null rootKey * unignore RegisterModule/RegisterAdapter Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> * single-line log message Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Revert ticker change, ignore it instead Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Ignore some of the write errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Remove blank line Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Use lifetime Signed-off-by: Dave Henderson <dhenderson@gmail.com> * close immediately Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Preallocate configVals Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Update modules/caddytls/distributedstek/distributedstek.go Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-11-20reverseproxy: Logging for streaming and upgrades (#3689)Francis Lavoie
* reverseproxy: Enable error logging for connection upgrades * reverseproxy: Change some of the error levels, unsugar * Use unsugared log in one spot Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-11-20reverseproxy: Implement cookie hash selection policy (#3809)Dimitri Masson
* add CookieHashSelection for session affinity * add CookieHashSelection for session affinity * register module * reverse_proxy: Add and fix cookie lb_policy * reverse_proxy: Manage hmac.write error on cookie hash selection * reverse_proxy: fix some comments * reverse_proxy: variable `cookieValue` is inside the else block * reverse_proxy: Abstract duplicate nuanced logic of reservoir sampling into a function * reverse_proxy: Set a default secret is indeed useless * reverse_proxy: add configuration syntax for cookie lb_policy * reverse_proxy: doc typo and improvement Co-authored-by: utick <123liuqingdong@163.com>
2020-11-20headers: Support default header values in Caddyfile with '?' (#3807)Gilbert Gilb's
* implement default values for header directive closes #3804 * remove `set_default` header op and rely on "require" handler instead This has the following advantages over the previous attempt: - It does not introduce a new operation for headers, but rather nicely extends over an existing feature in the header handler. - It removes the need to specify the header as "deferred" because it is already implicitely deferred by the use of the require handler. This should be less confusing to the user. * add integration test for header directive in caddyfile * bubble up errors when parsing caddyfile header directive * don't export unnecessarily and don't canonicalize headers unnecessarily * fix response headers not passed in blocks * caddyfile: fix clash when using default header in block Each header is now set in a separate handler so that it doesn't clash with other headers set/added/deleted in the same block. * caddyhttp: New idle_timeout default of 5m * reverseproxy: fix random hangs on http/2 requests with server push (#3875) see https://github.com/golang/go/issues/42534 * Refactor and cleanup with improvements * More specific link Co-authored-by: Matthew Holt <mholt@users.noreply.github.com> Co-authored-by: Денис Телюх <telyukh.denis@gmail.com>
2020-11-18caddyhttp: Return error if error handling errorMatthew Holt
Before, if there was an error in the error handler, we would not write a status code, which resulted in Go writing a 200 for us by default, which does not make sense when there's an error. Now we write the second error's status if available, otherwise 500.
2020-11-18caddyhttp: New idle_timeout default of 5mMatthew Holt
2020-11-17caddyhttp: Fix header matcher when using nilMatthew Holt
Uncovered in #3807
2020-11-16reverse_proxy: Fix random_choose selection policy (#3811)Dimitri Masson
2020-11-16requestbody: Add Caddyfile support (#3859)Nicola Piccinini
* Add Caddyfile support for request_body: ``` request_body { max_size 10000000 } ``` * Improve Caddyfile parser for request_body module * Remove unnecessary `continue` * Add sample for caddyfile_adapt_test
2020-11-16caddytls: Support multiple issuers (#3862)Matt Holt
* caddytls: Support multiple issuers Defaults are Let's Encrypt and ZeroSSL. There are probably bugs. * Commit updated integration tests, d'oh * Update go.mod
2020-11-13basicauth: Minor internal improvements (#3861)Aurelia
* nitpicks and small improvements in basicauth module 1: roll two if statements into one, since err will be nil in the second case anyhow 2: unlock cache mutex after reading the key, as this happens by-value and reduces code complexity 3: switch cache sync.Mutex to sync.RWMutex for better concurrency on cache fast track * allocate the right kind of mutex
2020-11-04httpcaddyfile: Add certificate_pem placeholder short, add to godoc (#3846)Gaurav Dhameeja
Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-11-02caddyhttp: Merge query matchers in Caddyfile (#3839)Francis Lavoie
Also, turns out that `Add` on headers will work even if there's nothing there yet, so we can remove the condition I introduced in #3832
2020-11-02fastcgi: Add timeouts support to Caddyfile adapter (#3842)Francis Lavoie
* fastcgi: Add timeouts support to Caddyfile adapter * fastcgi: Use tabs instead of spaces
2020-11-02reverseproxy: Wire up some http transport options in Caddyfile (#3843)Francis Lavoie
2020-11-02fileserver: Improve and clarify file hiding logic (#3844)Matt Holt
* fileserver: Improve and clarify file hiding logic * Oops, forgot to run integration tests * Make this one integration test OS-agnostic * See if this appeases the Windows gods * D'oh
2020-10-31caddyauth: Prevent user enumeration by timingMatthew Holt
Always follow the code path of hashing and comparing a plaintext password even if the account is not found by the given username; this ensures that similar CPU cycles are spent for both valid and invalid usernames. Thanks to @tylerlm for helping and looking into this!
2020-10-31caddyhttp: Merge header matchers in Caddyfile (#3832)Francis Lavoie
2020-10-30reverseproxy: Add max_idle_conns_per_host; fix godocs (#3829)Francis Lavoie
2020-10-29reverseproxy: caddyfile: Don't add port if upstream has placeholder (#3819)Jason McCallister
* check if the host is a placeholder * Update modules/caddyhttp/reverseproxy/caddyfile.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-10-13caddyhttp: Restore original request params before error handlers (#3781)Matt Holt
* caddyhttp: Restore original request params before error handlers Fixes #3717 * Add comment
2020-10-13reverseproxy: Fix dial placeholders, SRV, active health checks (#3780)Matt Holt
* reverseproxy: Fix dial placeholders, SRV, active health checks Supercedes #3776 Partially reverts or updates #3756, #3693, and #3695 * reverseproxy: add integration tests Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2020-10-02map: Bug fixes; null literal with hyphen in CaddyfileMatthew Holt
2020-10-02map: Apply default if mapped output is nilMatthew Holt
2020-10-02map: Reimplement; multiple outputs; optimizeMatthew Holt
2020-10-01reverseproxy: allow no port for SRV; fix regression in d55d50b (#3756)Mohammed Al Sahaf
* reverseproxy: fix breakage in handling SRV lookup introduced by 3695 * reverseproxy: validate against incompatible config options with lookup_srv * reverseproxy: add integration test cases for validations involving lookup_srv * reverseproxy: clarify the reason for skipping an iteration * grammar.. Oxford comma Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com> Fixes #3753
2020-10-01reverseproxy: Change 500 error to 502 for lookup_srv config (#3771)Aleksei
Fixes #3763
2020-10-01reverseproxy: default to port 80 for upstreams in Caddyfile (#3772)Mohammed Al Sahaf
* reverseproxy: default to port 80 for port-less upstream dial addresses * reverseproxy: replace integration test with an adapter test Fixes #3761
2020-10-01reverseproxy: Ignore RFC 1521 params in Content-Type header (#3758)Christian Flach
Without this change, a Content-Type header like "text/event-stream;charset=utf-8" would not trigger the immediate flushing. Fixes #3765
2020-09-25caddyfile: Add support for `vars` and `vars_regexp` matchers (#3730)Mohammed Al Sahaf
* caddyfile: support vars and vars_regexp matchers in the caddyfile * caddyfile: matchers: Brian Kernighan said printf is good debugging tool but didn't say keep them around
2020-09-22metrics: Always track method label in uppercase (#3742)Dave Henderson
* metrics: Always track method label in uppercase Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Just use strings.ToUpper for clarity Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-21metrics: Fix panic when headers aren't written (#3737)Dave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-17metrics: Fix hidden panic while observing with bad exemplars (#3733)Dave Henderson
* metrics: Fixing panic while observing with bad exemplars Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Minor cleanup The server is already added to the context. So, we can simply use that to get the server name, which is a field on the server. * Add integration test for auto HTTP->HTTPS redirects A test like this would have caught the problem in the first place Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-09-17caddyhttp: Remove server name from metricsMatthew Holt
For some reason this breaks automatic HTTP->HTTPS redirects. I am not sure why yet, but as a hotfix remove this until we understand it better.
2020-09-17metrics: Initial integration of Prometheus metrics (#3709)Dave Henderson
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2020-09-17reverseproxy: Correct alternate port for active health checks (#3693)Mohammed Al Sahaf
* reverseproxy: construct active health-check transport from scratch (Fixes #3691) * reverseproxy: do upstream health-check on the correct alternative port * reverseproxy: add integration test for health-check on alternative port * reverseproxy: put back the custom transport for health-check http client * reverseproxy: cleanup health-check integration test * reverseproxy: fix health-check of unix socket upstreams * reverseproxy: skip unix socket tests on Windows * tabs > spaces Co-authored-by: Francis Lavoie <lavofr@gmail.com> * make the linter (and @francislavoie) happy Co-authored-by: Francis Lavoie <lavofr@gmail.com> * One more lint fix Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2020-09-16reverseproxy: Enforce port range size of 1 at provision (#3695)Mohammed Al Sahaf
* reverse_proxy: ensure upstream address has port range of only 1 * reverse_proxy: don't log the error if upstream range size is more than 1
2020-09-16fileserver: Fix try_files for directories; windows fix (#3684)Francis Lavoie
* fileserver: Fix try_files for directories, windows fix * fileserver: Add new file type placeholder, refactoring, tests * fileserver: Review cleanup * fileserver: Flip the return args order
2020-09-16caddyhttp: New placeholder for PEM of client certificate (#3662)Gaurav Dhameeja
* Fix-3585: added placeholder for a PEM encoded value of the certificate * Update modules/caddyhttp/replacer.go Change type of block and empty headers removed Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * fixed tests Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-09-11fileserver: Fix new file hide tests on Windows (#3719)Matt Holt
2020-09-11fileserver: Improve file hiding logic for directories and prefixesMatthew Holt
Now, a filename to hide that is specified without a path separator will count as hidden if it appears in any component of the file path (not only the last component); semantically, this means hiding a file by only its name (without any part of a path) will hide both files and folders, e.g. hiding ".git" will hide "/.git" and also "/.git/foo". We also do prefix matching so that hiding "/.git" will hide "/.git" and "/.git/foo" but not "/.gitignore". The remaining logic is a globular match like before.
2020-09-08browse: align template to struct field renames from 4940325 (#3706)Mohammed Al Sahaf
2020-09-08caddyhttp: Wrap http.Server logging with zap (#3668)Francis Lavoie
2020-09-08reverseproxy: Add `buffer_requests` option to `reverse_proxy` directive (#3710)Francis Lavoie
2020-08-31reverseproxy: Abort active health checks on context cancellationMatthew Holt
2020-08-31fileserver: Fix inconsistencies in browse JSONMatthew Holt
2020-08-20ci: Upgrade to Go 1.15 (#3642)Francis Lavoie
* ci: Try Go 1.15 RC1 out of curiosity * Go 1.15 was released; let's try it * Update to latest quic-go * Attempt at fixing broken test Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-08-17reverseproxy: Make default buffer size constMatthew Holt
2020-08-17reverseproxy: Support header selection policy on `Host` field (#3653)Francis Lavoie
2020-08-11caddytls: Add support for ZeroSSL; add Caddyfile support for issuers (#3633)Matt Holt
* caddytls: Add support for ZeroSSL; add Caddyfile support for issuers Configuring issuers explicitly in a Caddyfile is not easily compatible with existing ACME-specific parameters such as email or acme_ca which infer the kind of issuer it creates (this is complicated now because the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit that later if we need to. New Caddyfile global option: { cert_issuer <name> ... } Or, alternatively, as a tls subdirective: tls { issuer <name> ... } For example, to use ZeroSSL with an API key: { cert_issuser zerossl API_KEY } For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB credentials for you. You can also provide the EAB credentials directly just like any other ACME endpoint: { cert_issuer acme { eab KEY_ID MAC_KEY } } All these examples use the new global option (or tls subdirective). You can still use traditional/existing options with ZeroSSL, since it's just another ACME endpoint: { acme_ca https://acme.zerossl.com/v2/DV90 acme_eab KEY_ID MAC_KEY } That's all there is to it. You just can't mix-and-match acme_* options with cert_issuer, because it becomes confusing/ambiguous/complicated to merge the settings. * Fix broken test This test was asserting buggy behavior, oops - glad this branch both discovers and fixes the bug at the same time! * Fix broken test (post-merge) * Update modules/caddytls/acmeissuer.go Fix godoc comment Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Add support for ZeroSSL's EAB-by-email endpoint Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to generate EAB if not already provided); this is now possible with either an API key or an email address. * go.mod: Use latest certmagic, acmez, and x/net * Wrap underlying logic rather than repeating it Oops, duh * Form-encode email info into request body for EAB endpoint Co-authored-by: Francis Lavoie <lavofr@gmail.com>