summaryrefslogtreecommitdiff
path: root/modules/caddytls
AgeCommit message (Collapse)Author
2020-02-25Expose TLS placeholders (#2982)Cameron Moore
* caddytls: Add CipherSuiteName and ProtocolName functions The cipher_suites.go file is derived from a commit to the Go master branch that's slated for Go 1.14. Once Go 1.14 is released, this file can be removed. * caddyhttp: Use commonLogEmptyValue in common_log replacer * caddyhttp: Add TLS placeholders * caddytls: update unsupportedProtocols Don't export unsupportedProtocols and update its godoc to mention that it's used for logging only. * caddyhttp: simplify getRegTLSReplacement signature getRegTLSReplacement should receive a string instead of a pointer. * caddyhttp: Remove http.request.tls.client.cert replacer The previous behavior of printing the raw certificate bytes was ported from Caddy 1, but the usefulness of that approach is suspect. Remove the client cert replacer from v2 until a use case is presented. * caddyhttp: Use tls.CipherSuiteName from Go 1.14 Remove ported version of CipherSuiteName in the process.
2020-02-18tls: Fix panic loading automation management modules (fix #3004)Matthew Holt
When AutomationPolicy was turned into a pointer, we continued passing a double pointer to LoadModule, oops.
2020-02-14tls: Avoid duplication AutomationPolicies for large quantities of namesMatthew Holt
This should greatly reduce memory usage at scale. Part of an overall effort between Caddy 2 and CertMagic to optimize for large numbers of names.
2020-02-14Minor tweaks to docs/commentsMatthew Holt
2020-02-07tls: Slight adjustment to how DNS provider modules are loadedMatthew Holt
We don't load the provider directly, because the lego provider types aren't designed for JSON configuration and they are not implemented as Caddy modules (there are some setup steps which a Provision call would need to do, but they do not have Provision methods, they have their own constructor functions that we have to wrap). Instead of loading the challenge providers directly, the modules are simple wrappers over the challenge providers, to facilitate the JSON config structure and to provide a consistent experience. This also lets us swap out the underlying challenge providers transparently if needed; it acts as a layer of abstraction.
2020-02-06caddyfile: tls: Tag manual certificates (#2588)Matthew Holt
This ensure that if there are multiple certs that match a particular ServerName or other parameter, then specifically the one the user provided in the Caddyfile will be used.
2020-02-03v2: only compare TLS protocol versions if both are set (#3005)Mohammed Al Sahaf
2020-01-06A few miscellaneous, minor fixesMatthew Holt
2020-01-03v2: housekeeping: address minor lint complaints (#2957)Mohammed Al Sahaf
* v2: housekeeping: update tools * v2: housekeeping: adhere to US locale in spelling * v2: housekeeping: simplify code
2019-12-28http: Enable TLS for servers listening only on HTTPS portMatthew Holt
It seems silly to have to add a single, empty TLS connection policy to a server to enable TLS when it's only listening on the HTTPS port. We now do this for the user as part of automatic HTTPS (thus, it can be disabled / overridden). See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
2019-12-10v2: Module documentation; refactor LoadModule(); new caddy struct tags (#2924)Matt Holt
This commit goes a long way toward making automated documentation of Caddy config and Caddy modules possible. It's a broad, sweeping change, but mostly internal. It allows us to automatically generate docs for all Caddy modules (including future third-party ones) and make them viewable on a web page; it also doubles as godoc comments. As such, this commit makes significant progress in migrating the docs from our temporary wiki page toward our new website which is still under construction. With this change, all host modules will use ctx.LoadModule() and pass in both the struct pointer and the field name as a string. This allows the reflect package to read the struct tag from that field so that it can get the necessary information like the module namespace and the inline key. This has the nice side-effect of unifying the code and documentation. It also simplifies module loading, and handles several variations on field types for raw module fields (i.e. variations on json.RawMessage, such as arrays and maps). I also renamed ModuleInfo.Name -> ModuleInfo.ID, to make it clear that the ID is the "full name" which includes both the module namespace and the name. This clarity is helpful when describing module hierarchy. As of this change, Caddy modules are no longer an experimental design. I think the architecture is good enough to go forward.
2019-10-28v2: Logging! (#2831)Matt Holt
* logging: Initial implementation * logging: More encoder formats, better defaults * logging: Fix repetition bug with FilterEncoder; add more presets * logging: DiscardWriter; delete or no-op logs that discard their output * logging: Add http.handlers.log module; enhance Replacer methods The Replacer interface has new methods to customize how to handle empty or unrecognized placeholders. Closes #2815. * logging: Overhaul HTTP logging, fix bugs, improve filtering, etc. * logging: General cleanup, begin transitioning to using new loggers * Fixes after merge conflict
2019-10-21tls: Make the on-demand rate limiter actually workMatthew Holt
This required a custom rate limiter implementation in CertMagic
2019-10-16tls: Asynchronous cert management at startup (uses CertMagic v0.8.0)Matthew Holt
2019-10-09tls: Add custom certificate selection policyMatthew Holt
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. Custom certificate selection policies allow advanced control over which cert is selected when multiple qualify to satisfy a TLS handshake.
2019-10-09tls: Add distributed_stek moduleMatthew Holt
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. TLS session ticket keys are sensitive, so they should be rotated on a regular basis. Only Caddy does this by default. However, a cluster of servers that rotate keys without synchronization will lose the benefits of having sessions in the first place if the client is routed to a different backend. This module coordinates STEK rotation in a fleet so the same keys are used, and rotated, across the whole cluster. No other server does this, but Twitter wrote about how they hacked together a solution a few years ago: https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html
2019-10-09tls: Add pem_loader moduleMatthew Holt
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. The PEM loader allows you to embed PEM files (certificates and keys) directly into your config, rather than requiring them to be stored on potentially insecure storage, which adds attack vectors. This is useful in automated settings where sensitive key material is stored only in memory. Note that if the config is persisted to disk, that added benefit may go away, but there will still be the benefit of having lesser dependence on external files.
2019-10-02caddytls: nil check on storageClean fields on StopMatthew Holt
2019-09-30tls: Change struct fields to pointers, add nil checks; rate.Burst updateMatthew Holt
Making them pointers makes for cleaner JSON when adapting configs, if the struct is empty now it will be omitted entirely. The x/time/rate package was updated to support changing the burst, so we've incorporated that here and removed a TODO.
2019-09-24tls: Make cert and OCSP check intervals configurableMatthew Holt
This enables use of ACME CAs that issue shorter-lived certs
2019-09-24tls/acme: Ability to customize trusted roots for ACME servers (#2756)Matt Holt
Closes #2702
2019-09-17tls: Clean up expired OCSP staples and certificatesMatthew Holt
2019-09-14Eliminate some TODOsMatthew Holt
2019-09-13http: Consider wildcards when evaluating automatic HTTPSMatthew Holt
2019-09-12tls: Do away with SetDefaults which did nothing usefulMatthew Holt
CertMagic uses the same defaults for us
2019-09-12go.mod: Use lego v3 and CertMagic 0.7.0Matthew Holt
2019-09-11tls: Remove support for TLS 1.0 and TLS 1.1Matthew Holt
2019-09-11tls: Use Let's Encrypt production endpointMatthew Holt
We're done testing this in staging
2019-09-10Require Go 1.13; use Go 1.13's default support for TLS 1.3Matthew Holt
2019-09-03Initial implementation of TLS client authentication (#2731)Alexandre Stein
* Add support for client TLS authentication Signed-off-by: Alexandre Stein <alexandre_stein@interlab-net.com> * make and use client authentication struct * force StrictSNIHost if TLSConnPolicies is not empty * Implement leafs verification * Fixes issue when using multiple verification * applies the comments from maintainers * Apply comment * Refactor/cleanup initial TLS client auth implementation
2019-08-21Refactor Caddyfile adapter and module registrationMatthew Holt
Use piles from which to draw config values. Module values can return their name, so now we can do two-way mapping from value to name and name to value; whereas before we could only map name to value. This was problematic with the Caddyfile adapter since it receives values and needs to know the name to put in the config.
2019-08-09Implement config adapters and beginning of Caddyfile adapterMatthew Holt
Along with several other changes, such as renaming caddyhttp.ServerRoute to caddyhttp.Route, exporting some types that were not exported before, and tweaking the caddytls TLS values to be more consistent. Notably, we also now disable automatic cert management for names which already have a cert (manually) loaded into the cache. These names no longer need to be specified in the "skip_certificates" field of the automatic HTTPS config, because they will be skipped automatically.
2019-07-18tls: Use IANA-standard cipher suite namesMatthew Holt
2019-07-18Fix DNS provider module unmarshaling (closes #2676)Matthew Holt
2019-07-05acmemanager: Use storage module key "module" instead of "system"Matthew Holt
2019-07-02go.mod: Append /v2 to module name; update all import pathsMatthew Holt
See https://github.com/golang/go/wiki/Modules#semantic-import-versioning
2019-07-01tls: Enable TLS 1.3 by default; set sane defaults on tls.Config structsMatthew Holt
2019-06-30Add licenseMatthew Holt
2019-06-26Optionally enforce strict TLS SNI + HTTP Host matching, & misc. cleanupMatthew Holt
We should look into a way to enable this by default when TLS client auth is configured for a server
2019-06-24caddytls: Support tags for manually-loaded certificatesMatthew Holt
2019-06-21OopsMatthew Holt
2019-06-20tls: Improve (and fix) on-demand configurationMatthew Holt
2019-06-18Implement templates handler; various minor cleanups and bug fixesMatthew Holt
2019-06-14Rename caddy2 -> caddyMatthew Holt
Removes the version from the package name
2019-06-04Fix bugs related to auto HTTPS and alternate port configurationsMatthew Holt
2019-06-04Change import paths to GitHub package namesMatthew Holt
2019-06-03Customize admin endpoint address with -listen flagMatthew Holt
This is a temporary holdover for development purposes
2019-05-29Implement session ticket keys; default STEK module with rotationMatthew Holt
2019-05-28Minor cleanupsMatthew Holt
2019-05-27Separate out certificate selectionMatthew Holt