summaryrefslogtreecommitdiff
path: root/modules
AgeCommit message (Collapse)Author
2020-03-13v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)Matt Holt
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021) * pki: Ability to use root/intermediates, and sign with root * pki: Fix benign misnamings left over from copy+paste * pki: Only install root if not already trusted * Make HTTPS port the default; all names use auto-HTTPS; bug fixes * Fix build - what happened to our CI tests?? * Fix go.mod
2020-03-09caddyhttp: New algorithm for auto HTTP->HTTPS redirects (fix #3127) (#3128)Matt Holt
It's still not perfect but I think it should be more correct for slightly more complex configs. Might still fall apart for complex configs that use on-demand TLS or at a large scale (workarounds are to just implement your own redirects, very easy to do anyway).
2020-03-08caddytls: customizable client auth modes (#2913)evtr
* ability to specify that client cert must be present in SSL * changed the clientauthtype to string and make room for the values supported by go as in caddy1 * renamed the config parameter according to review comments and added documentation on allowed values * missed a reference * Minor cleanup; docs enhancements Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-03-07http_ntlm: fix panic due to unintialized embedded field (#3120)Mohammed Al Sahaf
2020-03-07tls: Couple of quick fixes for 4d18587192e4fffe5b34b714eaabcfc212914c1eMatthew Holt
2020-03-07tls: Auto-migrate cert assets to new path (details in #3124)Matthew Holt
2020-03-06Merge branch 'certmagic-refactor' into v2Matthew Holt
2020-03-06Refactor for CertMagic v0.10; prepare for PKI appMatthew Holt
This is a breaking change primarily in two areas: - Storage paths for certificates have changed - Slight changes to JSON config parameters Huge improvements in this commit, to be detailed more in the release notes. The upcoming PKI app will be powered by Smallstep libraries.
2020-02-28reverse_proxy, php_fastcgi: Fix upstream parsing regression (fix #3101)Matthew Holt
2020-02-27Couple of minor docs tweaksMatthew Holt
2020-02-27Refactor ExtractMatcherSet()Matthew Holt
2020-02-27reverse_proxy: Allow use of URL to specify schemeMatthew Holt
This makes it more convenient to configure quick proxies that use HTTPS but also introduces a lot of logical complexity. We have to do a lot of verification for consistency and errors. Path and query string is not supported (i.e. no rewriting). Scheme and port can be inferred from each other if HTTP(S)/80/443. If omitted, defaults to HTTP. Any explicit transport config must be consistent with the upstream schemes, and the upstream schemes must all match too. But, this change allows a config that used to require this: reverse_proxy example.com:443 { transport http { tls } } to be reduced to this: reverse_proxy https://example.com which is really nice syntactic sugar (and is reminiscent of Caddy 1).
2020-02-27cmd/reverse_proxy: Add --change-host-header flagMatthew Holt
"Transparent mode" is the default, just like the actual handler.
2020-02-27Fix typos (#3087)Success Go
* Fix typo * Fix typo, thanks for Spell Checker under VS Code
2020-02-27Revert "reverse_proxy: Add 'transparent' Caddyfile subdirective (closes #2873)"Matthew Holt
This reverts commit 86b785e51cccd5df18611c380962cbd4faf38af5.
2020-02-27reverse_proxy: Add 'transparent' Caddyfile subdirective (closes #2873)Matthew Holt
2020-02-27It might be HTTP->HTTPS in the comment (#3086)Success Go
2020-02-26Initial implementation of global default SNI option (#3047)Mark Sargent
* add global default sni * fixed grammar * httpcaddyfile: Reduce some duplicated code * Um, re-commit already-committed commit, I guess? (sigh) Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-02-25v2: 'log' directive for Caddyfile, and debug mode (#3052)Matt Holt
* httpcaddyfile: Begin implementing log directive, and debug mode For now, debug mode just sets the log level for all logs to DEBUG (unless a level is specified explicitly). * httpcaddyfile: Finish 'log' directive Also rename StringEncoder -> SingleFieldEncoder * Fix minor bug in replacer (when vals are empty)
2020-02-25Expose TLS placeholders (#2982)Cameron Moore
* caddytls: Add CipherSuiteName and ProtocolName functions The cipher_suites.go file is derived from a commit to the Go master branch that's slated for Go 1.14. Once Go 1.14 is released, this file can be removed. * caddyhttp: Use commonLogEmptyValue in common_log replacer * caddyhttp: Add TLS placeholders * caddytls: update unsupportedProtocols Don't export unsupportedProtocols and update its godoc to mention that it's used for logging only. * caddyhttp: simplify getRegTLSReplacement signature getRegTLSReplacement should receive a string instead of a pointer. * caddyhttp: Remove http.request.tls.client.cert replacer The previous behavior of printing the raw certificate bytes was ported from Caddy 1, but the usefulness of that approach is suspect. Remove the client cert replacer from v2 until a use case is presented. * caddyhttp: Use tls.CipherSuiteName from Go 1.14 Remove ported version of CipherSuiteName in the process.
2020-02-23reverse_proxy: Health checks: Don't cross the streamsMatthew Holt
Fixes https://caddy.community/t/v2-health-checks-are-going-to-the-wrong-upstream/7084?u=matt ... I think
2020-02-20caddyhttp: Add handler for unhandled errors in errorChain (#3063)Robin Lambertz
* Add handler for unhandled errors in errorChain Currently, when an error chain is defined, the default error handler is bypassed entirely - even if the error chain doesn't handle every error. This results in pages returning a blank 200 OK page. For instance, it's possible for an error chain to match on the error status code and only handle a certain subtype of errors (like 403s). In this case, we'd want any other errors to still go through the default handler and return an empty page with the status code. This PR changes the "suffix handler" passed to errorChain.Compile to set the status code of the response to the error status code. Fixes #3053 * Move the errorHandlerChain middleware to variable * Style fix
2020-02-20caddyhttp: Fixes for header and header_regexp directives (#3061)Gilbert Gilb's
* Fix crash when specifying "*" to header directive. Fixes #3060 * Look Host header in header and header_regexp. Also, if more than one header is provided, header_regexp now looks for extra headers values to reflect the behavior from header. Fixes #3059 * Fix parsing of named header_regexp in Caddyfile. See #3059
2020-02-18http: Close HTTP/3 servers and listeners; upstream bug irreproducibleMatthew Holt
See https://github.com/lucas-clemente/quic-go/issues/2103 and https://github.com/caddyserver/caddy/pull/2727
2020-02-18tls: Fix panic loading automation management modules (fix #3004)Matthew Holt
When AutomationPolicy was turned into a pointer, we continued passing a double pointer to LoadModule, oops.
2020-02-17basicauth: default hash to bcrypt (#3050)Robin Lambertz
The documentation specifies that the hash algorithm defaults to bcrypt. However, the implementation returns an error in provision if no hash is provided. Fix this inconsistency by *actually* defaulting to bcrypt.
2020-02-14tls: Avoid duplication AutomationPolicies for large quantities of namesMatthew Holt
This should greatly reduce memory usage at scale. Part of an overall effort between Caddy 2 and CertMagic to optimize for large numbers of names.
2020-02-14Minor tweaks to docs/commentsMatthew Holt
2020-02-14caddyfile: Refactor; NewFromNextSegment(); fix repeated matchersMatthew Holt
Now multiple instances of the same matcher can be used within a named matcher without overwriting previous ones.
2020-02-08browse: allow filter init via `filter` query param (#3027)Jeremy Lin
This allows creating links that display only a subset of files in a directory.
2020-02-08v2: Implement RegExp Vars Matcher (#2997)Mohammed Al Sahaf
* implement regexp var matcher * use subtests pattern for tests * be more consistent with naming: MatchVarRE -> MatchVarsRE, var_regexp -> vars_regexp
2020-02-07tls: Slight adjustment to how DNS provider modules are loadedMatthew Holt
We don't load the provider directly, because the lego provider types aren't designed for JSON configuration and they are not implemented as Caddy modules (there are some setup steps which a Provision call would need to do, but they do not have Provision methods, they have their own constructor functions that we have to wrap). Instead of loading the challenge providers directly, the modules are simple wrappers over the challenge providers, to facilitate the JSON config structure and to provide a consistent experience. This also lets us swap out the underlying challenge providers transparently if needed; it acts as a layer of abstraction.
2020-02-06Remove Starlark, for nowMatthew Holt
This is temporary as we prepare for a stable v2 release. We don't want to make promises we don't know we can keep, and the Starlark integration deserves much more focused attention which resources and funding do not currently permit. When the project is financially stable, I will be able to revisit this properly and add flexible, robust Starlark scripting support to Caddy 2.
2020-02-06caddyfile: tls: Tag manual certificates (#2588)Matthew Holt
This ensure that if there are multiple certs that match a particular ServerName or other parameter, then specifically the one the user provided in the Caddyfile will be used.
2020-02-05http: Split 2-phase auto-HTTPS into 3 phasesMatthew Holt
This is necessary to avoid a race for sockets. Both the HTTP servers and CertMagic solvers will try to bind the HTTP/HTTPS ports, but we need to make sure that our HTTP servers bind first. This is kind of a new thing now that management is async in Caddy 2. Also update to CertMagic 0.9.2, which fixes some async use cases at scale.
2020-02-04caddyhttp: Fix orig_uri placeholder docs (#3002)Francis Lavoie
Fixes #3001
2020-02-04header: caddyfile: Defer header operations for deletions or manuallyMatthew Holt
See https://caddy.community/t/caddy-server-that-returns-only-ip-address-as-text/6928/6?u=matt In most cases, we will want to apply header operations immediately, rather than waiting until the response is written. The exceptions are generally going to be if we are deleting a header field or if a field is to be overwritten. We now automatically defer header ops if deleting a header field, and allow the user to manually enable deferred mode with the defer subdirective.
2020-02-03v2: only compare TLS protocol versions if both are set (#3005)Mohammed Al Sahaf
2020-01-22http: Fix vars matcherMatthew Holt
2020-01-22rewrite: Prepend "/" if missing from strip path prefixMatthew Holt
Paths always begin with a slash, and omitting the leading slash could be convenient to avoid confusion with a path matcher in the Caddyfile. I do not think there would be any harm to implicitly add the leading slash.
2020-01-22reverseproxy: Fix casing of RootCAPEMFilesMatthew Holt
2020-01-22reverseproxy: Accept integer values for flush_interval (fix #2996)Matthew Holt
2020-01-22httpcaddyfile: Rename 'headers' directive to 'header'Matthew Holt
2020-01-22httpcaddyfile: Update directive docs; put root after rewriteMatthew Holt
2020-01-18Merge pull request #2980 from moorereason/bugfix-ciphersuite-loggingZaq? Wiedmann
v2: http: Fix ciphersuite logging
2020-01-18reverse_proxy: CB docs; rename type -> factor (#2986)Mohammed Al Sahaf
* v2: add documentation for circuit breaker config and "random selection" load balancing policy * v2: rename circuit breaker config inline key from `type` to `breaker` to avoid json key clash between the `circuit_breaker` type and the `type` field of the generic circuit breaker Config struct used by circuit breaking implementations * v2: restore the circuit breaker inline key to `type` and rename the name circuit breaker config field from `Type` to `Factor`
2020-01-17caddyhttp: Improve docs, and Caddyfile for respond directiveMatthew Holt
2020-01-16httpcaddyfile: Fix nested blocks; add handle directive; refactorMatthew Holt
The fix that was initially put forth in #2971 was good, but only for up to one layer of nesting. The real problem was that we forgot to increment nesting when already inside a block if we saw another open curly brace that opens another block (dispenser.go L157-158). The new 'handle' directive allows HTTP Caddyfiles to be designed more like nginx location blocks if the user prefers. Inside a handle block, directives are still ordered just like they are outside of them, but handler blocks at a given level of nesting are mutually exclusive. This work benefitted from some refactoring and cleanup.
2020-01-16http: Fix ciphersuite loggingCameron Moore
2020-01-16httpcaddyfile: Group try_files routes together (#2891)Matthew Holt
This ensures that only the first matching route is used.