From ff6ca577ec7196e2cf3991c817d3655754de4b24 Mon Sep 17 00:00:00 2001
From: Alban Lecocq <alban@lempire.co>
Date: Thu, 29 Apr 2021 18:56:01 +0200
Subject: httpcaddyfile: Fix unexpectedly removed policy (#4128)

* httpcaddyfile: Fix unexpectedly removed policy

When user set on_demand tls option in a catch-all (:443) policy,
we expect other policies to not have the on_demand enabled
See ex in tls_automation_policies_5.txt

Btw, we can remove policies if they are **all** empty.

* Update caddyconfig/httpcaddyfile/tlsapp.go

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---
 caddyconfig/httpcaddyfile/tlsapp.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'caddyconfig/httpcaddyfile/tlsapp.go')

diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index 1e32be0..72f99be 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -480,15 +480,19 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 		return len(aps[i].Subjects) > len(aps[j].Subjects)
 	})
 
-	// remove any empty policies (except subjects, of course)
+	emptyAPCount := 0
+	// compute the number of empty policies (disregarding subjects) - see #4128
 	emptyAP := new(caddytls.AutomationPolicy)
 	for i := 0; i < len(aps); i++ {
 		emptyAP.Subjects = aps[i].Subjects
 		if reflect.DeepEqual(aps[i], emptyAP) {
-			aps = append(aps[:i], aps[i+1:]...)
-			i--
+			emptyAPCount++
 		}
 	}
+	// If all policies are empty, we can return nil, as there is no need to set any policy
+	if emptyAPCount == len(aps) {
+		return nil
+	}
 
 	// remove or combine duplicate policies
 outer:
-- 
cgit v1.2.3