summaryrefslogtreecommitdiff
path: root/modules/caddytls
AgeCommit message (Collapse)Author
2020-05-05pki: Embedded ACME server (#3198)Matt Holt
* pki: Initial commit of embedded ACME server (#3021) * reverseproxy: Support auto-managed TLS client certificates (#3021) * A little cleanup after today's review session
2020-05-02caddytls: Finish upgrading to libdns DNS providers for ACME challengesMatthew Holt
Until we finish the migration to the new acme library, we have to bring the solver type in-house. It's small and temporary.
2020-05-02caddytls: Fix namespace tls.dns -> dns.providersMatthew Holt
Coulda sworn I did this already but I think I messed up my git commands
2020-04-30go.mod: Remove DNSProviderMaker interface; update to lego 3.6Matthew Holt
2020-04-30caddytls: Adjust DNS challenge structure; clarify some docsMatthew Holt
2020-04-25Fix misspelling in onDemandAskRequest error (#3308)Christoffer Andersson
2020-04-09caddytls: Don't initialize default internal issuer unless necessaryMatthew Holt
Otherwise, a password prompt can occur unnecessarily.
2020-04-08chore: make the linter happier (#3245)Mohammed Al Sahaf
* chore: make the linter happier * chore: remove reference to maligned linter in .golangci.yml
2020-04-08httpcaddyfile, caddytls: Multiple edge case fixes; add testsMatthew Holt
- Create two default automation policies; if the TLS app is used in isolation with the 'automate' certificate loader, it will now use an internal issuer for internal-only names, and an ACME issuer for all other names by default. - If the HTTP Caddyfile adds an 'automate' loader, it now also adds an automation policy for any names in that loader that do not qualify for public certificates so that they will be issued internally. (It might be nice if this wasn't necessary, but the alternative is to either make auto-HTTPS logic way more complex by scanning the names in the 'automate' loader, or to have an automation policy without an issuer switch between default issuer based on the name being issued a certificate - I think I like the latter option better, right now we do something kind of like that but at a level above each individual automation policies, we do that switch only when no automation policies match, rather than when a policy without an issuer does match.) - Set the default LoggerName rather than a LoggerNames with an empty host value, which is now taken literally rather than as a catch-all. - hostsFromKeys, the function that gets a list of hosts from server block keys, no longer returns an empty string in its resulting slice, ever.
2020-04-06caddytls: Support custom bind host for challenges (#3232)Matthew Holt
2020-04-02caddytls: Encode big.Int as string with JSONMatthew Holt
2020-04-01Fix for last commitMatthew Holt
2020-04-01caddytls: Refactor certificate selection policies (close #1575)Matthew Holt
Certificate selection used to be a module, but this seems unnecessary, especially since the built-in CustomSelectionPolicy allows quite complex selection logic on a number of fields in certs. If we need to extend that logic, we can, but I don't think there are SO many possibilities that we need modules. This update also allows certificate selection to choose between multiple matching certs based on client compatibility and makes a number of other improvements in the default cert selection logic, both here and in the latest CertMagic. The hardest part of this was the conn policy consolidation logic (Caddyfile only, of course). We have to merge connection policies that we can easily combine, because if two certs are manually loaded in a Caddyfile site block, that produces two connection policies, and each cert is tagged with a different tag, meaning only the first would ever be selected. So given the same matchers, we can merge the two, but this required improving the Tag selection logic to support multiple tags to choose from, hence "tags" changed to "any_tag" or "all_tags" (but we use any_tag in our Caddyfile logic). Combining conn policies with conflicting settings is impossible, so that should return an error if two policies with the exact same matchers have non-empty settings that are not the same (the one exception being any_tag which we can merge because the logic for them is to OR them). It was a bit complicated. It seems to work in numerous tests I've conducted, but we'll see how it pans out in the release candidates.
2020-04-01caddytls: Update cipher suite names and curve namesMatthew Holt
Now using IANA-compliant names and Go 1.14's CipherSuites() function so we don't have to maintain our own mapping of currently-secure cipher suites.
2020-03-31caddytls: Add support for externalAccountBinding ACME extensionMatthew Holt
2020-03-26caddytls: Remove ManageSyncMatthew Holt
This seems unnecessary for now and we can always add it in later if people have a good reason to need it.
2020-03-26caddytls: Match automation policies by wildcard subjects tooMatthew Holt
https://caddy.community/t/wildcard-snis-not-being-matched/7271/24?u=matt Also use new CertMagic function for matching wildcard names
2020-03-25caddytls: Support placeholders in key_type (#3176)Pascal
* tls: Support placeholders in key_type * caddytls: Simplify placeholder support for ap.KeyType Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-03-23tls: Few minor improvements/simplificationsMatthew Holt
2020-03-20tls/http: Fix auto-HTTPS logic w/rt default issuers (fixes #3164)Matthew Holt
The comments in the code should explain the new logic thoroughly. The basic problem for the issue was that we were overriding a catch-all automation policy's explicitly-configured issuer with our own, for names that we thought looked like public names. In other words, one could configure an internal issuer for all names, but then our auto HTTPS would create a new policy for public-looking names that uses the default ACME issuer, because we assume public<==>ACME and nonpublic<==>Internal, but that is not always the case. The new logic still assumes nonpublic<==>Internal (on catch-all policies only), but no longer assumes that public-looking names always use an ACME issuer. Also fix a bug where HTTPPort and HTTPSPort from the HTTP app weren't being carried through to ACME issuers properly. It required a bit of refactoring.
2020-03-20caddytls: Support wildcard matching in ServerName conn policy matcherMatthew Holt
2020-03-17httpcaddyfile: Many tls-related improvements including on-demand supportMatthew Holt
Holy heck this was complicated
2020-03-15caddytls: Clean up some code related to automationMatthew Holt
2020-03-15Add missing license textsMatthew Holt
2020-03-15caddytls: Set Issuer properly on automation policies (fix #3150)Matthew Holt
When using the default automation policy specifically, ap.Issuer would be nil, so we'd end up overwriting the ap.magic.Issuer's default value (after New()) with nil; this instead sets Issuer on the template before New() is called, and no overwriting is done.
2020-03-13Some hotfixes for beta 16Matthew Holt
2020-03-13v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)Matt Holt
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021) * pki: Ability to use root/intermediates, and sign with root * pki: Fix benign misnamings left over from copy+paste * pki: Only install root if not already trusted * Make HTTPS port the default; all names use auto-HTTPS; bug fixes * Fix build - what happened to our CI tests?? * Fix go.mod
2020-03-08caddytls: customizable client auth modes (#2913)evtr
* ability to specify that client cert must be present in SSL * changed the clientauthtype to string and make room for the values supported by go as in caddy1 * renamed the config parameter according to review comments and added documentation on allowed values * missed a reference * Minor cleanup; docs enhancements Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-03-07tls: Couple of quick fixes for 4d18587192e4fffe5b34b714eaabcfc212914c1eMatthew Holt
2020-03-07tls: Auto-migrate cert assets to new path (details in #3124)Matthew Holt
2020-03-06Refactor for CertMagic v0.10; prepare for PKI appMatthew Holt
This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries.
2020-02-18tls: Fix panic loading automation management modules (fix #3004)Matthew Holt
When AutomationPolicy was turned into a pointer, we continued passing a double pointer to LoadModule, oops.
2020-02-14tls: Avoid duplication AutomationPolicies for large quantities of namesMatthew Holt
This should greatly reduce memory usage at scale. Part of an overall effort between Caddy 2 and CertMagic to optimize for large numbers of names.
2020-02-14Minor tweaks to docs/commentsMatthew Holt
2020-02-07tls: Slight adjustment to how DNS provider modules are loadedMatthew Holt
We don't load the provider directly, because the lego provider types aren't designed for JSON configuration and they are not implemented as Caddy modules (there are some setup steps which a Provision call would need to do, but they do not have Provision methods, they have their own constructor functions that we have to wrap). Instead of loading the challenge providers directly, the modules are simple wrappers over the challenge providers, to facilitate the JSON config structure and to provide a consistent experience. This also lets us swap out the underlying challenge providers transparently if needed; it acts as a layer of abstraction.
2020-02-06caddyfile: tls: Tag manual certificates (#2588)Matthew Holt
This ensure that if there are multiple certs that match a particular ServerName or other parameter, then specifically the one the user provided in the Caddyfile will be used.
2020-02-03v2: only compare TLS protocol versions if both are set (#3005)Mohammed Al Sahaf
2020-01-06A few miscellaneous, minor fixesMatthew Holt
2020-01-03v2: housekeeping: address minor lint complaints (#2957)Mohammed Al Sahaf
* v2: housekeeping: update tools * v2: housekeeping: adhere to US locale in spelling * v2: housekeeping: simplify code
2019-12-28http: Enable TLS for servers listening only on HTTPS portMatthew Holt
It seems silly to have to add a single, empty TLS connection policy to a server to enable TLS when it's only listening on the HTTPS port. We now do this for the user as part of automatic HTTPS (thus, it can be disabled / overridden). See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
2019-12-10v2: Module documentation; refactor LoadModule(); new caddy struct tags (#2924)Matt Holt
This commit goes a long way toward making automated documentation of Caddy config and Caddy modules possible. It's a broad, sweeping change, but mostly internal. It allows us to automatically generate docs for all Caddy modules (including future third-party ones) and make them viewable on a web page; it also doubles as godoc comments. As such, this commit makes significant progress in migrating the docs from our temporary wiki page toward our new website which is still under construction. With this change, all host modules will use ctx.LoadModule() and pass in both the struct pointer and the field name as a string. This allows the reflect package to read the struct tag from that field so that it can get the necessary information like the module namespace and the inline key. This has the nice side-effect of unifying the code and documentation. It also simplifies module loading, and handles several variations on field types for raw module fields (i.e. variations on json.RawMessage, such as arrays and maps). I also renamed ModuleInfo.Name -> ModuleInfo.ID, to make it clear that the ID is the "full name" which includes both the module namespace and the name. This clarity is helpful when describing module hierarchy. As of this change, Caddy modules are no longer an experimental design. I think the architecture is good enough to go forward.
2019-10-28v2: Logging! (#2831)Matt Holt
* logging: Initial implementation * logging: More encoder formats, better defaults * logging: Fix repetition bug with FilterEncoder; add more presets * logging: DiscardWriter; delete or no-op logs that discard their output * logging: Add http.handlers.log module; enhance Replacer methods The Replacer interface has new methods to customize how to handle empty or unrecognized placeholders. Closes #2815. * logging: Overhaul HTTP logging, fix bugs, improve filtering, etc. * logging: General cleanup, begin transitioning to using new loggers * Fixes after merge conflict
2019-10-21tls: Make the on-demand rate limiter actually workMatthew Holt
This required a custom rate limiter implementation in CertMagic
2019-10-16tls: Asynchronous cert management at startup (uses CertMagic v0.8.0)Matthew Holt
2019-10-09tls: Add custom certificate selection policyMatthew Holt
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. Custom certificate selection policies allow advanced control over which cert is selected when multiple qualify to satisfy a TLS handshake.
2019-10-09tls: Add distributed_stek moduleMatthew Holt
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. TLS session ticket keys are sensitive, so they should be rotated on a regular basis. Only Caddy does this by default. However, a cluster of servers that rotate keys without synchronization will lose the benefits of having sessions in the first place if the client is routed to a different backend. This module coordinates STEK rotation in a fleet so the same keys are used, and rotated, across the whole cluster. No other server does this, but Twitter wrote about how they hacked together a solution a few years ago: https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html
2019-10-09tls: Add pem_loader moduleMatthew Holt
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. The PEM loader allows you to embed PEM files (certificates and keys) directly into your config, rather than requiring them to be stored on potentially insecure storage, which adds attack vectors. This is useful in automated settings where sensitive key material is stored only in memory. Note that if the config is persisted to disk, that added benefit may go away, but there will still be the benefit of having lesser dependence on external files.
2019-10-02caddytls: nil check on storageClean fields on StopMatthew Holt
2019-09-30tls: Change struct fields to pointers, add nil checks; rate.Burst updateMatthew Holt
Making them pointers makes for cleaner JSON when adapting configs, if the struct is empty now it will be omitted entirely. The x/time/rate package was updated to support changing the burst, so we've incorporated that here and removed a TODO.
2019-09-24tls: Make cert and OCSP check intervals configurableMatthew Holt
This enables use of ACME CAs that issue shorter-lived certs