From 7846bc1e06b2de97906cd562d16db4b2aafbd74b Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 4 Jan 2021 11:25:29 -0700
Subject: httpcaddyfile: Adjust iterator when removing AP (fix #3953)

---
 caddyconfig/httpcaddyfile/tlsapp.go | 3 +-
 .../caddyfile_adapt/tls_automation_policies.txt | 86 -------------------
 .../caddyfile_adapt/tls_automation_policies_1.txt | 86 +++++++++++++++++++
 .../caddyfile_adapt/tls_automation_policies_2.txt | 96 ++++++++++++++++++++++
 4 files changed, 184 insertions(+), 87 deletions(-)
 delete mode 100644 caddytest/integration/caddyfile_adapt/tls_automation_policies.txt
 create mode 100644 caddytest/integration/caddyfile_adapt/tls_automation_policies_1.txt
 create mode 100644 caddytest/integration/caddyfile_adapt/tls_automation_policies_2.txt

diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index 6a6e3ca..1fabc45 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -453,7 +453,7 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 // ZeroSSL), the proper wrapper over acmeIssuer will be returned instead.
 func disambiguateACMEIssuer(acmeIssuer *caddytls.ACMEIssuer) certmagic.Issuer {
 // as a special case, we integrate with ZeroSSL's ACME endpoint if it looks like an
- // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
+ // implicit ZeroSSL configuration (this requires a wrapper type over ACMEIssuer
 // because of the EAB generation; if EAB is provided, we can use plain ACMEIssuer)
 if strings.Contains(acmeIssuer.CA, "acme.zerossl.com") && acmeIssuer.ExternalAccount == nil {
 return &caddytls.ZeroSSLIssuer{ACMEIssuer: acmeIssuer}
@@ -518,6 +518,7 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 // '*.com', which might be different (yes we've seen this happen)
 if automationPolicyShadows(i, aps) >= j {
 aps = append(aps[:i], aps[i+1:]...)
+ i--
 }
 } else {
 // avoid repeated subjects
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies.txt
deleted file mode 100644
index c3fd489..0000000
--- a/caddytest/integration/caddyfile_adapt/tls_automation_policies.txt
+++ /dev/null
@@ -1,86 +0,0 @@
-{
- local_certs
-}
-
-*.tld, *.*.tld {
- tls {
- on_demand
- }
-}
-
-foo.tld, www.foo.tld {
-}
-----------
-{
- "apps": {
- "http": {
- "servers": {
- "srv0": {
- "listen": [
- ":443"
- ],
- "routes": [
- {
- "match": [
- {
- "host": [
- "foo.tld",
- "www.foo.tld"
- ]
- }
- ],
- "terminal": true
- },
- {
- "match": [
- {
- "host": [
- "*.tld",
- "*.*.tld"
- ]
- }
- ],
- "terminal": true
- }
- ]
- }
- }
- },
- "tls": {
- "automation": {
- "policies": [
- {
- "subjects": [
- "foo.tld",
- "www.foo.tld"
- ],
- "issuers": [
- {
- "module": "internal"
- }
- ]
- },
- {
- "subjects": [
- "*.*.tld",
- "*.tld"
- ],
- "issuers": [
- {
- "module": "internal"
- }
- ],
- "on_demand": true
- },
- {
- "issuers": [
- {
- "module": "internal"
- }
- ]
- }
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_1.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_1.txt
new file mode 100644
index 0000000..c3fd489
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_1.txt
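Review bot: The added `i--` correctly re-aims the outer loop after `append(aps[:i], aps[i+1:]...)` shifts the tail left, but nothing in the hunk stops the surrounding iteration over `j` from continuing with `aps[i]` now naming the entry before the one just removed, which that loop has presumably already processed. If the removal does sit inside an inner loop over `j` (the index suggests so; the loop heads are outside the hunk), a `break` immediately after `i--` would make the intent explicit and keep the rest of the `j` pass from running against the wrong element. Either way the decrement deserves a why-comment, e.g. `// aps[i] was removed and the tail shifted left; step back so the outer loop revisits index i`. consolidateAutomationPolicies begins and ends outside this hunk.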
@@ -0,0 +1,86 @@
+{
+ local_certs
+}
+
+*.tld, *.*.tld {
+ tls {
+ on_demand
+ }
+}
+
+foo.tld, www.foo.tld {
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "foo.tld",
+ "www.foo.tld"
+ ]
+ }
+ ],
+ "terminal": true
+ },
+ {
+ "match": [
+ {
+ "host": [
+ "*.tld",
+ "*.*.tld"
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "foo.tld",
+ "www.foo.tld"
+ ],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ]
+ },
+ {
+ "subjects": [
+ "*.*.tld",
+ "*.tld"
+ ],
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ],
+ "on_demand": true
+ },
+ {
+ "issuers": [
+ {
+ "module": "internal"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_2.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_2.txt
new file mode 100644
index 0000000..db8e38b
--- /dev/null
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_2.txt
@@ -0,0 +1,96 @@
+# issue #3953
+
+{
+ cert_issuer zerossl api_key
+}
+
+example.com {
+ tls {
+ on_demand
+ }
+}
+
+http://example.net {
+}
+
+:1234 {
+}
+----------
+{
+ "apps": {
+ "http": {
+ "servers": {
+ "srv0": {
+ "listen": [
+ ":1234"
+ ]
+ },
+ "srv1": {
+ "listen": [
+ ":443"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "example.com"
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ]
+ },
+ "srv2": {
+ "listen": [
+ ":80"
+ ],
+ "routes": [
+ {
+ "match": [
+ {
+ "host": [
+ "example.net"
+ ]
+ }
+ ],
+ "terminal": true
+ }
+ ],
+ "automatic_https": {
+ "skip": [
+ "example.net"
+ ]
+ }
+ }
+ }
+ },
+ "tls": {
+ "automation": {
+ "policies": [
+ {
+ "subjects": [
+ "example.com"
+ ],
+ "issuers": [
+ {
+ "api_key": "api_key",
+ "module": "zerossl"
+ }
+ ],
+ "on_demand": true
+ },
+ {
+ "issuers": [
+ {
+ "api_key": "api_key",
+ "module": "zerossl"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3