From ff6ca577ec7196e2cf3991c817d3655754de4b24 Mon Sep 17 00:00:00 2001 From: Alban Lecocq Date: Thu, 29 Apr 2021 18:56:01 +0200 Subject: httpcaddyfile: Fix unexpectedly removed policy (#4128) * httpcaddyfile: Fix unexpectedly removed policy When user set on_demand tls option in a catch-all (:443) policy, we expect other policies to not have the on_demand enabled See ex in tls_automation_policies_5.txt Btw, we can remove policies if they are **all** empty. * Update caddyconfig/httpcaddyfile/tlsapp.go Co-authored-by: Matt Holt Co-authored-by: Matt Holt --- caddyconfig/httpcaddyfile/tlsapp.go | 10 ++-- .../caddyfile_adapt/tls_automation_policies_5.txt | 62 ++++++++++++++++++++++ 2 files changed, 69 insertions(+), 3 deletions(-) create mode 100644 caddytest/integration/caddyfile_adapt/tls_automation_policies_5.txt diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 1e32be0..72f99be 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -480,15 +480,19 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls return len(aps[i].Subjects) > len(aps[j].Subjects) }) - // remove any empty policies (except subjects, of course) + emptyAPCount := 0 + // compute the number of empty policies (disregarding subjects) - see #4128 emptyAP := new(caddytls.AutomationPolicy) for i := 0; i < len(aps); i++ { emptyAP.Subjects = aps[i].Subjects if reflect.DeepEqual(aps[i], emptyAP) { - aps = append(aps[:i], aps[i+1:]...) - i-- + emptyAPCount++ } } + // If all policies are empty, we can return nil, as there is no need to set any policy + if emptyAPCount == len(aps) { + return nil + } // remove or combine duplicate policies outer: diff --git a/caddytest/integration/caddyfile_adapt/tls_automation_policies_5.txt b/caddytest/integration/caddyfile_adapt/tls_automation_policies_5.txt new file mode 100644 index 0000000..87d278d --- /dev/null +++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_5.txt @@ -0,0 +1,62 @@ +a.example.com { +} + +b.example.com { +} + +:443 { + tls { + on_demand + } +} +---------- +{ + "apps": { + "http": { + "servers": { + "srv0": { + "listen": [ + ":443" + ], + "routes": [ + { + "match": [ + { + "host": [ + "a.example.com" + ] + } + ], + "terminal": true + }, + { + "match": [ + { + "host": [ + "b.example.com" + ] + } + ], + "terminal": true + } + ] + } + } + }, + "tls": { + "automation": { + "policies": [ + { + "subjects": [ + "a.example.com", + "b.example.com" + ] + }, + { + "on_demand": true + } + ] + } + } + } +} \ No newline at end of file -- cgit v1.2.3