| Age | Commit message (Collapse) | Author |
|---|
|
The TestFileListing test in tplcontext_test has one test that verifies
if directory traversal is not happening. The context root is set to
'/tmp' and then it tries to open '../../../../../etc', which gets
normalized to '/tmp/etc'.
The test then expects an error to be returned, assuming that '/tmp/etc'
does not exist on the system. When it does exist, it results in a test
failure:
```
--- FAIL: TestFileListing (0.00s)
tplcontext_test.go:422: Test 4: Expected error but had none
FAIL
FAIL
github.com/caddyserver/caddy/v2/modules/caddyhttp/templates 0.042s
```
Instead of using '/tmp' as root, use a dedicated directory created with
`os.MkdirTemp()` instead. That way, we know that the directory is empty.
|
|
* caddyhttp: Reject absurdly long methods
* Limit method to 32 chars and truncate
* Just reject the request and debug-log it
* Log remote address
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Potential fix for #4017 although the consensus is unclear.
Made change to return status code 421 instead of 403 when StrictSNIHost matching is on.
|
|
Best guess for https://caddy.community/t/on-fly-certificate-generation-based-on-sni/14639/4
|
|
* caddyhttp: Redirect HTTP requests on the HTTPS port to https://
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
Close caddyserver/website#91
|
|
|
|
|
|
|
|
This is a followup to #4407, in response to a report on the forums: https://caddy.community/t/php-fastcgi-phishing-redirection/14542
Turns out that doing `TrimRight` to remove trailing dots, _before_ cleaning the path, will cause double-dots at the end of the path to not be cleaned away as they should. We should instead remove the dots _after_ cleaning.
|
|
Fixes #4481
|
|
|
|
|
|
* caddyhttp: Enhance vars matcher
Enable "or" logic for multiple values.
Fall back to checking placeholders if not a var name.
* Fix tests (thanks @mohammed90 !)
|
|
* pki: Avoid provisioning the `local` CA when not necessary
* pki: Refactor CA loading to keep the logic in the PKI app
|
|
|
|
|
|
* logging: add support for hashing data
* Update modules/logging/filters.go
Co-authored-by: wiese <wiese@users.noreply.github.com>
* Update modules/logging/filters.go
Co-authored-by: wiese <wiese@users.noreply.github.com>
Co-authored-by: wiese <wiese@users.noreply.github.com>
|
|
|
|
* fastcgi: Fix a TODO, prevent zap using reflection for logging env
* Update modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
|
|
|
|
|
|
|
|
* reverseproxy: Adjust defaults, document defaults
Related to some of the issues in https://github.com/caddyserver/caddy/issues/4245, a complaint about the proxy transport defaults not being properly documented in https://caddy.community/t/default-values-for-directives/14254/6.
- Dug into the stdlib to find the actual defaults for some of the timeouts and buffer limits, documenting them in godoc so the JSON docs get them next release.
- Moved the keep-alive and dial-timeout defaults from `reverseproxy.go` to `httptransport.go`. It doesn't make sense to set defaults in the proxy, because then any time the transport is configured with non-defaults, the keep-alive and dial-timeout defaults are lost!
- Sped up the dial timeout from 10s to 3s, in practice it rarely makes sense to wait a whole 10s for dialing. A shorter timeout helps a lot with the load balancer retries, so using something lower helps with user experience.
* reverseproxy: Make keepalive interval configurable via Caddyfile
* fastcgi: DialTimeout default for fastcgi transport too
|
|
|
|
* feat(logging): add a filter for cookies
* Improve godoc and add validation
|
|
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
|
|
(#4410)
|
|
|
|
Fixes #4428
It's best to still log handler errors at debug level so that they're hidden by default, but still accessible if additional details are necessary.
|
|
Work around for common misconfiguration
|
|
This makes it easier for users to find the default browse template if they
want to create a custom template based on that. It also makes it easier to
view the template with proper syntax highlighting.
|
|
|
|
See discussion on 42b7134ffa3bf3e9e86514c82407979c2627a5ab
|
|
|
|
* caddyhttp: Sanitize scheme and host on incoming requests
* reverseproxy: Sanitize the URL scheme and host before proxying
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
|
|
|
|
|
|
|
|
|
|
It didn't really make sense how we were doing them before. See https://caddy.community/t/map-directive-and-regular-expressions/13866/6?u=matt
|
|
The question would only receive bad answers so it's better
to just say what the option actually does.
|
|
* client.certificate_pem_encoded in base64 format
* base64-encoding without pem encoding;naming change
* fix cert.Raw instead of block.bytes
|
|
|
