Age | Commit message | Author | |
---|---|---|---|
2019-10-09 | tls: Add distributed_stek module | Matthew Holt | |
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. TLS session ticket keys are sensitive, so they should be rotated on a regular basis. Only Caddy does this by default. However, a cluster of servers that rotate keys without synchronization will lose the benefits of having sessions in the first place if the client is routed to a different backend. This module coordinates STEK rotation in a fleet so the same keys are used, and rotated, across the whole cluster. No other server does this, but Twitter wrote about how they hacked together a solution a few years ago: https://blog.twitter.com/engineering/en_us/a/2013/forward-secrecy-at-twitter.html | |||
2019-10-09 | tls: Add pem_loader module | Matthew Holt | |
This migrates a feature that was previously reserved for enterprise users, according to https://github.com/caddyserver/caddy/issues/2786. The PEM loader allows you to embed PEM files (certificates and keys) directly into your config, rather than requiring them to be stored on potentially insecure storage, which adds attack vectors. This is useful in automated settings where sensitive key material is stored only in memory. Note that if the config is persisted to disk, that added benefit may go away, but there will still be the benefit of having lesser dependence on external files. | |||
2019-10-02 | caddytls: nil check on storageClean fields on Stop | Matthew Holt | |
2019-09-30 | tls: Change struct fields to pointers, add nil checks; rate.Burst update | Matthew Holt | |
Making them pointers makes for cleaner JSON when adapting configs; if the struct is empty now, it will be omitted entirely. The x/time/rate package was updated to support changing the burst, so we've incorporated that here and removed a TODO. | |||
2019-09-24 | tls: Make cert and OCSP check intervals configurable | Matthew Holt | |
This enables use of ACME CAs that issue shorter-lived certs | |||
2019-09-24 | tls/acme: Ability to customize trusted roots for ACME servers (#2756) | Matt Holt | |
Closes #2702 | |||
2019-09-17 | tls: Clean up expired OCSP staples and certificates | Matthew Holt | |
2019-09-14 | Eliminate some TODOs | Matthew Holt | |
2019-09-13 | http: Consider wildcards when evaluating automatic HTTPS | Matthew Holt | |
2019-09-12 | tls: Do away with SetDefaults which did nothing useful | Matthew Holt | |
CertMagic uses the same defaults for us | |||
2019-09-12 | go.mod: Use lego v3 and CertMagic 0.7.0 | Matthew Holt | |
2019-09-11 | tls: Remove support for TLS 1.0 and TLS 1.1 | Matthew Holt | |
2019-09-11 | tls: Use Let's Encrypt production endpoint | Matthew Holt | |
We're done testing this in staging | |||
2019-09-10 | Require Go 1.13; use Go 1.13's default support for TLS 1.3 | Matthew Holt | |
2019-09-03 | Initial implementation of TLS client authentication (#2731) | Alexandre Stein | |
* Add support for client TLS authentication Signed-off-by: Alexandre Stein <alexandre_stein@interlab-net.com> * make and use client authentication struct * force StrictSNIHost if TLSConnPolicies is not empty * Implement leafs verification * Fixes issue when using multiple verification * applies the comments from maintainers * Apply comment * Refactor/cleanup initial TLS client auth implementation | |||
2019-08-21 | Refactor Caddyfile adapter and module registration | Matthew Holt | |
Use piles from which to draw config values. Module values can return their name, so now we can do two-way mapping from value to name and name to value; whereas before we could only map name to value. This was problematic with the Caddyfile adapter since it receives values and needs to know the name to put in the config. | |||
2019-08-09 | Implement config adapters and beginning of Caddyfile adapter | Matthew Holt | |
Along with several other changes, such as renaming caddyhttp.ServerRoute to caddyhttp.Route, exporting some types that were not exported before, and tweaking the caddytls TLS values to be more consistent. Notably, we also now disable automatic cert management for names which already have a cert (manually) loaded into the cache. These names no longer need to be specified in the "skip_certificates" field of the automatic HTTPS config, because they will be skipped automatically. | |||
2019-07-18 | tls: Use IANA-standard cipher suite names | Matthew Holt | |
2019-07-18 | Fix DNS provider module unmarshaling (closes #2676) | Matthew Holt | |
2019-07-05 | acmemanager: Use storage module key "module" instead of "system" | Matthew Holt | |
2019-07-02 | go.mod: Append /v2 to module name; update all import paths | Matthew Holt | |
See https://github.com/golang/go/wiki/Modules#semantic-import-versioning | |||
2019-07-01 | tls: Enable TLS 1.3 by default; set sane defaults on tls.Config structs | Matthew Holt | |
2019-06-30 | Add license | Matthew Holt | |
2019-06-26 | Optionally enforce strict TLS SNI + HTTP Host matching, & misc. cleanup | Matthew Holt | |
We should look into a way to enable this by default when TLS client auth is configured for a server | |||
2019-06-24 | caddytls: Support tags for manually-loaded certificates | Matthew Holt | |
2019-06-21 | Oops | Matthew Holt | |
2019-06-20 | tls: Improve (and fix) on-demand configuration | Matthew Holt | |
2019-06-18 | Implement templates handler; various minor cleanups and bug fixes | Matthew Holt | |
2019-06-14 | Rename caddy2 -> caddy | Matthew Holt | |
Removes the version from the package name | |||
2019-06-04 | Fix bugs related to auto HTTPS and alternate port configurations | Matthew Holt | |
2019-06-04 | Change import paths to GitHub package names | Matthew Holt | |
2019-06-03 | Customize admin endpoint address with -listen flag | Matthew Holt | |
This is a temporary holdover for development purposes | |||
2019-05-29 | Implement session ticket keys; default STEK module with rotation | Matthew Holt | |
2019-05-28 | Minor cleanups | Matthew Holt | |
2019-05-27 | Separate out certificate selection | Matthew Holt | |
2019-05-24 | Implement custom cert selection policies; optimize matching for SNI | Matthew Holt | |
2019-05-21 | Honor the configured CA value | Matthew Holt | |
2019-05-21 | Module.New() does not need to return an error | Matthew Holt | |
2019-05-16 | Architectural shift to using context for config and module state | Matthew Holt | |
2019-05-14 | Rename and export some types, other minor changes | Matthew Holt | |
2019-05-07 | Remove (unimplemented) enterprise TLS matchers | Matthew Holt | |
2019-04-29 | Instantiate apps that are needed but not explicitly configured | Matthew Holt | |
2019-04-26 | General cleanup and more godocs | Matthew Holt | |
2019-04-25 | Initial commit of Storage, TLS, and automatic HTTPS implementations | Matthew Holt | |
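The 2019-10-09 distributed_stek entry above states the property a clustered STEK scheme has to deliver: a ticket minted by one node must be accepted by every other node, and rotating the keys must not silently break that. The Go program below is an added example written for this page; it is not code from Caddy or from its distributed_stek module and does not show how that module coordinates rotation. It uses only crypto/tls and demonstrates the property with real TLS 1.3 handshakes over loopback between in-process "nodes". The name cluster.example, the keys k1..k3, the two-key retention window and the loopback wiring are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey returns a fresh random 32-byte session ticket encryption key (STEK).
func newKey() (k [32]byte) {
	_, err := rand.Read(k[:])
	must(err)
	return k
}

// selfSignedCert mints a throwaway ECDSA cert for the hypothetical name cluster.example
// and a pool trusting it, so the client verifies the server instead of skipping verification.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"cluster.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// nodeConfig is one cluster member. crypto/tls seals new tickets with keys[0] and accepts
// tickets sealed under any key in keys, so keeping the previous key at index 1 lets sessions survive a rotation.
func nodeConfig(cert tls.Certificate, keys [][32]byte) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	cfg.SetSessionTicketKeys(keys) // also turns off Go's per-process automatic rotation
	return cfg
}

// connect does one handshake against srv over loopback, reads the server's two-byte greeting
// (in TLS 1.3 the client consumes the NewSessionTicket while reading it) and reports resumption.
func connect(srv, cli *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	errc := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			_, err = tls.Server(raw, srv).Write([]byte("ok")) // implicit handshake first
		}
		errc <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	must(err)
	c := tls.Client(raw, cli)
	defer c.Close()
	_, err = io.ReadFull(c, make([]byte, 2))
	must(err)
	must(<-errc)
	return c.ConnectionState().DidResume
}

// ResumesAcross asks the question behind the distributed_stek commit: does a ticket issued
// by a node holding issuerKeys resume on a node holding resumerKeys? Each probe starts with an empty client cache.
func ResumesAcross(issuerKeys, resumerKeys [][32]byte) bool {
	cert, pool := selfSignedCert()
	cli := &tls.Config{RootCAs: pool, ServerName: "cluster.example",
		MinVersion: tls.VersionTLS13, ClientSessionCache: tls.NewLRUClientSessionCache(4)}
	connect(nodeConfig(cert, issuerKeys), cli) // full handshake; ticket sealed with issuerKeys[0]
	return connect(nodeConfig(cert, resumerKeys), cli)
}

func main() {
	k1, k2, k3 := newKey(), newKey(), newKey()
	fmt.Println("synced cluster:           ", ResumesAcross([][32]byte{k1, k2}, [][32]byte{k1, k2}))
	fmt.Println("node with its own keys:   ", ResumesAcross([][32]byte{k1, k2}, [][32]byte{newKey(), newKey()}))
	fmt.Println("rotated once, k1 retained:", ResumesAcross([][32]byte{k1}, [][32]byte{k2, k1}))
	fmt.Println("rotated twice, k1 dropped:", ResumesAcross([][32]byte{k1}, [][32]byte{k3, k2}))
}
```

The four lines print true, false, true, false. The second line is the failure mode the commit describes: a node that rotated on its own cannot unwrap tickets minted by its peers, so a client routed to it pays for a full handshake even though it holds a valid ticket. The last two lines are the caveat for any rotation schedule: the number of previous keys a node keeps accepting has to cover the ticket lifetime you hand out, or every rotation logs clients out of their sessions; at the same time, every retained key is one whose compromise still unwraps the sessions sealed under it, which is the forward-secrecy trade-off that motivates rotating at all.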
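The 2019-06-26 entry adds optional strict matching of the TLS SNI against the HTTP Host header, and its message suggests turning it on whenever TLS client authentication is configured (the 2019-09-03 client-auth commit indeed forces StrictSNIHost when connection policies are present). The reason is that connection policies, which decide among other things whether a client certificate is required, are matched on the SNI presented in the handshake, while HTTP routing goes by the Host header: a client can complete a handshake under a lenient site's name and then put a stricter site's name in Host. The middleware below is an added illustration of that check in Go, written for this page; it is not Caddy's implementation. The handler names, the hypothetical sites mtls.example and public.example, and the hand-built tls.ConnectionState are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostMatchesSNI reports whether the HTTP Host header names the same site the
// client asked for in the TLS handshake. Host may carry a port (and bracket an
// IPv6 literal); SNI never does, so normalise before comparing. DNS names are
// case-insensitive, and a trailing dot denotes the same name.
func hostMatchesSNI(host, sni string) bool {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.TrimSuffix(host, ".")
	sni = strings.TrimSuffix(sni, ".")
	return sni != "" && strings.EqualFold(host, sni)
}

// StrictSNIHost is an illustrative middleware (not Caddy's code) that refuses
// any request whose Host header does not match the SNI the connection was
// negotiated under, so a client cannot negotiate TLS for a permissive site and
// then address a stricter one in the HTTP layer.
func StrictSNIHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			// Only meaningful on a TLS listener; fail closed rather than skip the check.
			http.Error(w, "TLS required", http.StatusForbidden)
			return
		}
		if !hostMatchesSNI(r.Host, r.TLS.ServerName) {
			// 421 Misdirected Request: the server is not configured to answer for
			// this combination of scheme and authority.
			http.Error(w, "Host header does not match TLS SNI", http.StatusMisdirectedRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe pushes one synthetic request through the middleware and returns the
// status code. The TLS state is constructed by hand (no real handshake), which
// is enough because the check depends only on the negotiated ServerName.
func probe(host, sni string) int {
	h := StrictSNIHost(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "https://"+host+"/", nil)
	req.Host = host
	req.TLS = &tls.ConnectionState{ServerName: sni}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed cases: imagine mtls.example requires client certificates and
	// public.example does not.
	fmt.Println(probe("mtls.example", "mtls.example"))       // 200
	fmt.Println(probe("mtls.example:8443", "MTLS.example.")) // 200: port, case and trailing dot normalised
	fmt.Println(probe("mtls.example", "public.example"))     // 421: handshake was negotiated for the lax site
	fmt.Println(probe("mtls.example", ""))                   // 421: no SNI at all
}
```

The third probe is the case the commit message is worried about: the connection policy chosen for public.example did not ask for a client certificate, yet the request names mtls.example. Without the check, a virtual host that is supposed to be behind client authentication is reachable by anyone who can reach a sibling host on the same listener.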