Age | Commit message (Collapse) | Author |
|
See https://caddy.community/t/v2-matcher-or-in-not/7355/
|
|
If a placeholder in the path component injects a query string such as
the {http.request.uri} placeholder is wont to do, we need to separate it
out from the path.
|
|
This is more congruent with its module name. A change that affects only
code, not configurations.
|
|
|
|
|
|
See https://caddy.community/t/v2-match-any-path-but-files/7326/8?u=matt
If rewrites (or redirects, for that matter) match on file existence,
the file matcher would need to know the root of the site.
Making this change implies that root directives that depend on rewritten
URIs will not work as expected. However, I think this is very uncommon,
and am not sure I have ever seen that. Usually, dynamic roots are based
on host, not paths or query strings.
I suspect that rewrites based on file existence will be more common than
roots based on rewritten URIs, so I am moving root to be the first in
the list.
Users can always override this ordering with the 'order' global option.
|
|
Either Dial or LookupSRV will be set, but if we rely on Dial always
being set, we could run into bugs.
Note: Health checks don't support SRV upstreams.
|
|
* caddyauth: Add Metadata field to caddyauth.User
* Apply gofmt
* Tidy it up a bit
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
|
|
|
|
|
|
* reverse_proxy: Begin SRV lookup support (WIP)
* reverse_proxy: Finish adding support for SRV-based backends (#3179)
|
|
Brotli encoder, jsonc and json5 config adapters, and the unfinished
HTTP cache handler are removed.
They will be available in separate repos.
|
|
|
|
|
|
|
|
|
|
|
|
The comments in the code should explain the new logic thoroughly.
The basic problem for the issue was that we were overriding a catch-all
automation policy's explicitly-configured issuer with our own, for names
that we thought looked like public names. In other words, one could
configure an internal issuer for all names, but then our auto HTTPS
would create a new policy for public-looking names that uses the
default ACME issuer, because we assume public<==>ACME and
nonpublic<==>Internal, but that is not always the case. The new logic
still assumes nonpublic<==>Internal (on catch-all policies only), but
no longer assumes that public-looking names always use an ACME issuer.
Also fix a bug where HTTPPort and HTTPSPort from the HTTP app weren't
being carried through to ACME issuers properly. It required a bit of
refactoring.
|
|
|
|
Adds `Alt-Svc` to the list of headers that get removed when proxying
to a backend.
This fixes the issue of having the contents of the Alt-Svc header
duplicated when proxying to another Caddy server.
|
|
* caddyhttp: Implement CEL matcher (see #3051)
CEL (Common Expression Language) is a very fast, flexible way to express
complex logic, useful for matching requests when the conditions are not
easy to express with JSON.
This matcher may be considered experimental even after the 2.0 release.
* Improve CEL module docs
|
|
* rewrite: strip_prefix, strip_suffix, uri_replace -> uri (closes #3140)
* Add period, to satisfy @whitestrake :) and my own OCD
* Restore implied / prefix
|
|
Also remove Table extension, since GFM (already enabled) apparently
enables strikethrough, table, linkify, and tasklist extensions.
https://github.com/yuin/goldmark#built-in-extensions
|
|
Simply allows the matcher to be specified multiple times in a set
which may be more convenient than one long line.
|
|
Holy heck this was complicated
|
|
|
|
|
|
Wrapping listeners is useful for composing custom behavior related
to accepting, closing, reading/writing connections (etc) below the
application layer; for example, the PROXY protocol.
|
|
|
|
|
|
|
|
|
|
|
|
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021)
* pki: Ability to use root/intermediates, and sign with root
* pki: Fix benign misnamings left over from copy+paste
* pki: Only install root if not already trusted
* Make HTTPS port the default; all names use auto-HTTPS; bug fixes
* Fix build - what happened to our CI tests??
* Fix go.mod
|
|
It's still not perfect but I think it should be more correct for
slightly more complex configs. Might still fall apart for complex
configs that use on-demand TLS or at a large scale (workarounds are
to just implement your own redirects, very easy to do anyway).
|
|
|
|
|
|
|
|
This is a breaking change primarily in two areas:
- Storage paths for certificates have changed
- Slight changes to JSON config parameters
Huge improvements in this commit, to be detailed more in
the release notes.
The upcoming PKI app will be powered by Smallstep libraries.
|
|
|
|
|
|
|
|
This makes it more convenient to configure quick proxies that use HTTPS
but also introduces a lot of logical complexity. We have to do a lot of
verification for consistency and errors.
Path and query string is not supported (i.e. no rewriting).
Scheme and port can be inferred from each other if HTTP(S)/80/443.
If omitted, defaults to HTTP.
Any explicit transport config must be consistent with the upstream
schemes, and the upstream schemes must all match too.
But, this change allows a config that used to require this:
reverse_proxy example.com:443 {
transport http {
tls
}
}
to be reduced to this:
reverse_proxy https://example.com
which is really nice syntactic sugar (and is reminiscent of Caddy 1).
|
|
"Transparent mode" is the default, just like the actual handler.
|
|
* Fix typo
* Fix typo, thanks for Spell Checker under VS Code
|
|
This reverts commit 86b785e51cccd5df18611c380962cbd4faf38af5.
|
|
|
|
|
|
* add global default sni
* fixed grammar
* httpcaddyfile: Reduce some duplicated code
* Um, re-commit already-committed commit, I guess? (sigh)
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
* caddytls: Add CipherSuiteName and ProtocolName functions
The cipher_suites.go file is derived from a commit to the Go master
branch that's slated for Go 1.14. Once Go 1.14 is released, this file
can be removed.
* caddyhttp: Use commonLogEmptyValue in common_log replacer
* caddyhttp: Add TLS placeholders
* caddytls: update unsupportedProtocols
Don't export unsupportedProtocols and update its godoc to mention that
it's used for logging only.
* caddyhttp: simplify getRegTLSReplacement signature
getRegTLSReplacement should receive a string instead of a pointer.
* caddyhttp: Remove http.request.tls.client.cert replacer
The previous behavior of printing the raw certificate bytes was ported
from Caddy 1, but the usefulness of that approach is suspect. Remove
the client cert replacer from v2 until a use case is presented.
* caddyhttp: Use tls.CipherSuiteName from Go 1.14
Remove ported version of CipherSuiteName in the process.
|