From fbd00e4b53226164a9aae5f44bd52328d4e59d96 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Tue, 16 Feb 2021 13:31:53 -0700
Subject: Improve security warnings

---
 modules/caddyhttp/app.go | 5 ++---
 modules/caddytls/tls.go  | 12 ++++++++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 42e7725..4f5bc84 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -176,8 +176,8 @@ func (app *App) Provision(ctx caddy.Context) error {
 	// domain fronting is desired and access is not restricted
 	// based on hostname
 	if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
-		app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
-			zap.String("server_name", srvName),
+		app.logger.Warn("enabling strict SNI-Host enforcement because TLS client auth is configured",
+			zap.String("server_id", srvName),
 		)
 		trueBool := true
 		srv.StrictSNIHost = &trueBool
@@ -283,7 +283,6 @@ func (app *App) Validate() error {
 			}
 		}
 	}
-
 	return nil
 }
 
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 489d87f..fdff447 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -236,6 +236,18 @@ func (t *TLS) Validate() error {
 
 // Start activates the TLS module.
 func (t *TLS) Start() error {
+	// warn if on-demand TLS is enabled but no restrictions are in place
+	if t.Automation.OnDemand == nil ||
+		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+		for _, ap := range t.Automation.Policies {
+			if ap.OnDemand {
+				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
+					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
+				break
+			}
+		}
+	}
+
 	// now that we are running, and all manual certificates have
 	// been loaded, time to load the automated/managed certificates
 	err := t.Manage(t.automateNames)
-- 
cgit v1.2.3
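Review bot: The structured log key on the new Warn call changes from `server_name` to `server_id`, which is a silent schema change for anyone alerting or dashboarding on this event under the old field name. The rename itself reads as correct if `srvName` is the server's config key rather than a hostname (that is inferred; the assignment is outside the hunk), but a one-line mention in the commit description, e.g. "log field server_name renamed to server_id", would save operators a surprise. Provision's body continues outside the hunk.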
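Review bot: The new warning in Start tells the operator that some automation policy has on-demand TLS enabled without an `ask` endpoint or rate limit, but not which one, and `break` leaves only the first match visible. Capturing the index makes the finding actionable: `for i, ap := range t.Automation.Policies {` and add `zap.Int("policy_index", i)` to the Warn fields, at which point dropping the `break` so every unprotected policy is reported is worth considering. The check dereferences `t.Automation` unguarded; presumably Provision guarantees it is non-nil before Start runs, but that is not visible here and is worth confirming. Start's body continues outside the hunk.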