From 6ea121ddf8c5be6de892971782d6f0fe2938ebbf Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Fri, 13 Dec 2019 16:32:27 -0700
Subject: tls: Ensure conn policy is created when providing certs in Caddyfile

Fixes #2929
---
 caddyconfig/httpcaddyfile/builtins.go | 39 ++++++++++++++++++++++++++++-------
 caddyconfig/httpcaddyfile/httptype.go | 21 +++++++++++--------
 2 files changed, 44 insertions(+), 16 deletions(-)

(limited to 'caddyconfig')

diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index e92aa9d..b523d95 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -81,7 +81,7 @@ func parseRoot(h Helper) ([]ConfigValue, error) {
 func parseTLS(h Helper) ([]ConfigValue, error) {
 var configVals []ConfigValue
- cp := new(caddytls.ConnectionPolicy)
+ var cp *caddytls.ConnectionPolicy
 var fileLoader caddytls.FileLoader
 var folderLoader caddytls.FolderLoader
 var mgr caddytls.ACMEManagerMaker
@@ -131,12 +131,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 if _, ok := caddytls.SupportedProtocols[args[0]]; !ok {
 return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[0])
 }
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
 cp.ProtocolMin = args[0]
 }
 if len(args) > 1 {
 if _, ok := caddytls.SupportedProtocols[args[1]]; !ok {
 return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[1])
 }
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
 cp.ProtocolMax = args[1]
 }
 case "ciphers":
@@ -144,6 +150,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok {
 return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val())
 }
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
 cp.CipherSuites = append(cp.CipherSuites, h.Val())
 }
 case "curves":
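Review bot: The new `var cp *caddytls.ConnectionPolicy` declaration makes nil a meaningful state, but nothing at the declaration says so; a reader has to find the `cp == nil` checks in the later hunks and the `if cp != nil` emit at the end of parseTLS to learn that nil means no tls.connection_policy is produced for this block. I would document it on the declaration: `// cp stays nil until a policy-affecting subdirective or a certificate loader is seen; nil means no tls.connection_policy is emitted.` parseTLS continues well past this hunk.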
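Review bot: The lazy-init `if cp == nil { cp = new(caddytls.ConnectionPolicy) }` is pasted twice in this hunk and again in the @@ -144, @@ -151 and @@ -158 hunks, so any later change to how a policy is initialised has to be repeated in five places. A small closure declared next to `cp` keeps a single copy, e.g. `ensurePolicy := func() { if cp == nil { cp = new(caddytls.ConnectionPolicy) } }`, and each case then calls `ensurePolicy()` before assigning the field. The two loader-driven copies in the @@ -183 hunk could use the same closure. parseTLS starts and ends outside this hunk.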
@@ -151,6 +160,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 if _, ok := caddytls.SupportedCurves[h.Val()]; !ok {
 return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val())
 }
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
 cp.Curves = append(cp.Curves, h.Val())
 }
 case "alpn":
@@ -158,6 +170,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 if len(args) == 0 {
 return nil, h.ArgErr()
 }
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
 cp.ALPN = args

 // certificate folder loader
@@ -183,24 +198,34 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 }
 }

- // connection policy
- configVals = append(configVals, ConfigValue{
- Class: "tls.connection_policy",
- Value: cp,
- })
-
 // certificate loaders
 if len(fileLoader) > 0 {
 configVals = append(configVals, ConfigValue{
 Class: "tls.certificate_loader",
 Value: fileLoader,
 })
+ // ensure server uses HTTPS by setting non-nil conn policy
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
 }
 if len(folderLoader) > 0 {
 configVals = append(configVals, ConfigValue{
 Class: "tls.certificate_loader",
 Value: folderLoader,
 })
+ // ensure server uses HTTPS by setting non-nil conn policy
+ if cp == nil {
+ cp = new(caddytls.ConnectionPolicy)
+ }
+ }
+
+ // connection policy
+ if cp != nil {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.connection_policy",
+ Value: cp,
+ })
 }

 // automation policy
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
index 2b2855d..d8fde46 100644
--- a/caddyconfig/httpcaddyfile/httptype.go
+++ b/caddyconfig/httpcaddyfile/httptype.go
@@ -275,6 +275,9 @@ func (st *ServerType) hostsFromServerBlockKeys(sb caddyfile.ServerBlock) ([]stri
 return nil, fmt.Errorf("parsing server block key: %v", err)
 }
 addr = addr.Normalize()
+ if addr.Host == "" {
+ continue
+ }
 hostMap[addr.Host] = struct{}{}
 }
 
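Review bot: In the @@ -183 hunk the "ensure server uses HTTPS" block is duplicated verbatim under the file loader and the folder loader, and each copy sits after the `configVals = append(...)` it does not relate to, so the reason a loaded certificate forces a policy is explained twice and easy to get out of sync. One check placed after both loader blocks carries the same meaning in one place: `// a manually loaded certificate must still produce a connection policy, otherwise the server would not serve TLS for it` followed by `if cp == nil && (len(fileLoader) > 0 || len(folderLoader) > 0) { cp = new(caddytls.ConnectionPolicy) }`, directly before the `if cp != nil` emit. parseTLS starts outside this hunk and its automation-policy handling continues past it.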
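Review bot: The added `continue` in hostsFromServerBlockKeys silently drops any server-block key whose normalized address has an empty host, and the caller changed in the @@ -328 hunk then appends the connection policy without an SNI matcher when the returned list is empty, which presumably makes that policy apply to every TLS connection on the server; neither side of that contract is written down. I would state it at the `continue`: `// keys with no hostname part contribute no SNI value; callers treat an empty result as "match all hosts"`. hostsFromServerBlockKeys starts and ends outside this hunk, so the doc comment on the function itself is not visible here and should mention the same.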
@@ -328,20 +331,20 @@ func (st *ServerType) serversFromPairings(
 // tls connection policies
 for _, cpVal := range cpVals {
 cp := cpVal.Value.(*caddytls.ConnectionPolicy)
- // only create if there is a non-empty policy
- if !reflect.DeepEqual(cp, new(caddytls.ConnectionPolicy)) {
- // make sure the policy covers all hostnames from the block
- hosts, err := st.hostsFromServerBlockKeys(sblock.block)
- if err != nil {
- return nil, err
- }
- // TODO: are matchers needed if every hostname of the config is matched?
+ // make sure the policy covers all hostnames from the block
+ hosts, err := st.hostsFromServerBlockKeys(sblock.block)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO: are matchers needed if every hostname of the config is matched?
+ if len(hosts) > 0 {
 cp.MatchersRaw = caddy.ModuleMap{
 "sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones
 }
- srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
 }
+ srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
 }
 // TODO: consolidate equal conn policies
 }
-- 
cgit v1.2.3
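Review bot: The new `if len(hosts) > 0` branch leaves `cp.MatchersRaw` untouched when a block has no hostnames, so the policy is appended with whatever matchers parseTLS left (none are set in the visible hunks), and the comment above it does not say that an unmatched policy is the intended catch-all rather than an oversight. I would add, on the line after the `if len(hosts) > 0 { ... }` block, `// no hostnames in the block keys: the policy is left unmatched and so presumably applies to every TLS connection on this server`. Dropping the `reflect.DeepEqual` guard also means this loop now relies on parseTLS emitting a policy only when something was configured; a one-line note to that effect, `// parseTLS emits a policy only when it is non-empty, so no emptiness check is needed here`, would keep the two files honest with each other, and if `reflect` is no longer used elsewhere in httptype.go its import needs to go too (the import block is not in this hunk). serversFromPairings starts outside this hunk.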