From e42514ad4af007799374aeb6eeea3bd884aac55b Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Sun, 15 Mar 2020 21:28:42 -0600 Subject: caddyhttp: Clean up; move some code around --- modules/caddyhttp/caddyhttp.go | 412 +---------------------------------------- 1 file changed, 3 insertions(+), 409 deletions(-) (limited to 'modules/caddyhttp/caddyhttp.go') diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go index 718025e..4fd09a2 100644 --- a/modules/caddyhttp/caddyhttp.go +++ b/modules/caddyhttp/caddyhttp.go @@ -16,10 +16,7 @@ package caddyhttp import ( "bytes" - "context" - "crypto/tls" "encoding/json" - "fmt" "io" weakrand "math/rand" "net" @@ -28,412 +25,15 @@ import ( "time" "github.com/caddyserver/caddy/v2" - "github.com/caddyserver/caddy/v2/modules/caddytls" - "github.com/lucas-clemente/quic-go/http3" - "go.uber.org/zap" ) func init() { weakrand.Seed(time.Now().UnixNano()) - err := caddy.RegisterModule(App{}) + err := caddy.RegisterModule(tlsPlaceholderWrapper{}) if err != nil { caddy.Log().Fatal(err.Error()) } - - err = caddy.RegisterModule(tlsPlaceholderWrapper{}) - if err != nil { - caddy.Log().Fatal(err.Error()) - } -} - -// App is a robust, production-ready HTTP server. -// -// HTTPS is enabled by default if host matchers with qualifying names are used -// in any of routes; certificates are automatically provisioned and renewed. -// Additionally, automatic HTTPS will also enable HTTPS for servers that listen -// only on the HTTPS port but which do not have any TLS connection policies -// defined by adding a good, default TLS connection policy. -// -// In HTTP routes, additional placeholders are available (replace any `*`): -// -// Placeholder | Description -// ------------|--------------- -// `{http.request.cookie.*}` | HTTP request cookie -// `{http.request.header.*}` | Specific request header field -// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. for foo.example.com: 0=com, 1=example, 2=foo -// `{http.request.host}` | The host part of the request's Host header -// `{http.request.hostport}` | The host and port from the request's Host header -// `{http.request.method}` | The request method -// `{http.request.orig_method}` | The request's original method -// `{http.request.orig_uri.path.dir}` | The request's original directory -// `{http.request.orig_uri.path.file}` | The request's original filename -// `{http.request.orig_uri.path}` | The request's original path -// `{http.request.orig_uri.query}` | The request's original query string (without `?`) -// `{http.request.orig_uri}` | The request's original URI -// `{http.request.port}` | The port part of the request's Host header -// `{http.request.proto}` | The protocol of the request -// `{http.request.remote.host}` | The host part of the remote client's address -// `{http.request.remote.port}` | The port part of the remote client's address -// `{http.request.remote}` | The address of the remote client -// `{http.request.scheme}` | The request scheme -// `{http.request.tls.version}` | The TLS version name -// `{http.request.tls.cipher_suite}` | The TLS cipher suite -// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection -// `{http.request.tls.proto}` | The negotiated next protocol -// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server -// `{http.request.tls.server_name}` | The server name requested by the client, if any -// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate -// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate -// `{http.request.tls.client.serial}` | The serial number of the client certificate -// `{http.request.tls.client.subject}` | The subject DN of the client certificate -// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left) -// `{http.request.uri.path.dir}` | The directory, excluding leaf filename -// `{http.request.uri.path.file}` | The filename of the path, excluding directory -// `{http.request.uri.path}` | The path component of the request URI -// `{http.request.uri.query.*}` | Individual query string value -// `{http.request.uri.query}` | The query string (without `?`) -// `{http.request.uri}` | The full request URI -// `{http.response.header.*}` | Specific response header field -// `{http.vars.*}` | Custom variables in the HTTP handler chain -type App struct { - // HTTPPort specifies the port to use for HTTP (as opposed to HTTPS), - // which is used when setting up HTTP->HTTPS redirects or ACME HTTP - // challenge solvers. Default: 80. - HTTPPort int `json:"http_port,omitempty"` - - // HTTPSPort specifies the port to use for HTTPS, which is used when - // solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed - // but no specific port number is given. Default: 443. - HTTPSPort int `json:"https_port,omitempty"` - - // GracePeriod is how long to wait for active connections when shutting - // down the server. Once the grace period is over, connections will - // be forcefully closed. - GracePeriod caddy.Duration `json:"grace_period,omitempty"` - - // Servers is the list of servers, keyed by arbitrary names chosen - // at your discretion for your own convenience; the keys do not - // affect functionality. - Servers map[string]*Server `json:"servers,omitempty"` - - servers []*http.Server - h3servers []*http3.Server - h3listeners []net.PacketConn - - ctx caddy.Context - logger *zap.Logger - tlsApp *caddytls.TLS - - // used temporarily between phases 1 and 2 of auto HTTPS - allCertDomains []string -} - -// CaddyModule returns the Caddy module information. -func (App) CaddyModule() caddy.ModuleInfo { - return caddy.ModuleInfo{ - ID: "http", - New: func() caddy.Module { return new(App) }, - } -} - -// Provision sets up the app. -func (app *App) Provision(ctx caddy.Context) error { - // store some references - tlsAppIface, err := ctx.App("tls") - if err != nil { - return fmt.Errorf("getting tls app: %v", err) - } - app.tlsApp = tlsAppIface.(*caddytls.TLS) - app.ctx = ctx - app.logger = ctx.Logger(app) - - repl := caddy.NewReplacer() - - // this provisions the matchers for each route, - // and prepares auto HTTP->HTTPS redirects, and - // is required before we provision each server - err = app.automaticHTTPSPhase1(ctx, repl) - if err != nil { - return err - } - - // prepare each server - for srvName, srv := range app.Servers { - srv.tlsApp = app.tlsApp - srv.logger = app.logger.Named("log") - srv.errorLogger = app.logger.Named("log.error") - - // only enable access logs if configured - if srv.Logs != nil { - srv.accessLogger = app.logger.Named("log.access") - } - - // if not explicitly configured by the user, disallow TLS - // client auth bypass (domain fronting) which could - // otherwise be exploited by sending an unprotected SNI - // value during a TLS handshake, then putting a protected - // domain in the Host header after establishing connection; - // this is a safe default, but we allow users to override - // it for example in the case of running a proxy where - // domain fronting is desired and access is not restricted - // based on hostname - if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() { - app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured", - zap.String("server_name", srvName), - ) - trueBool := true - srv.StrictSNIHost = &trueBool - } - - // process each listener address - for i := range srv.Listen { - lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true) - if err != nil { - return fmt.Errorf("server %s, listener %d: %v", - srvName, i, err) - } - srv.Listen[i] = lnOut - } - - // set up each listener modifier - if srv.ListenerWrappersRaw != nil { - vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw") - if err != nil { - return fmt.Errorf("loading listener wrapper modules: %v", err) - } - var hasTLSPlaceholder bool - for i, val := range vals.([]interface{}) { - if _, ok := val.(*tlsPlaceholderWrapper); ok { - if i == 0 { - // putting the tls placeholder wrapper first is nonsensical because - // that is the default, implicit setting: without it, all wrappers - // will go after the TLS listener anyway - return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default") - } - if hasTLSPlaceholder { - return fmt.Errorf("TLS listener wrapper can only be specified once") - } - hasTLSPlaceholder = true - } - srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper)) - } - // if any wrappers were configured but the TLS placeholder wrapper is - // absent, prepend it so all defined wrappers come after the TLS - // handshake; this simplifies logic when starting the server, since we - // can simply assume the TLS placeholder will always be there - if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 { - srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...) - } - } - - // pre-compile the primary handler chain, and be sure to wrap it in our - // route handler so that important security checks are done, etc. - primaryRoute := emptyHandler - if srv.Routes != nil { - err := srv.Routes.ProvisionHandlers(ctx) - if err != nil { - return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err) - } - primaryRoute = srv.Routes.Compile(emptyHandler) - } - srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute) - - // pre-compile the error handler chain - if srv.Errors != nil { - err := srv.Errors.Routes.Provision(ctx) - if err != nil { - return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err) - } - srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler) - } - - // prepare the TLS connection policies - err = srv.TLSConnPolicies.Provision(ctx) - if err != nil { - return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err) - } - } - - return nil -} - -// Validate ensures the app's configuration is valid. -func (app *App) Validate() error { - // each server must use distinct listener addresses - lnAddrs := make(map[string]string) - for srvName, srv := range app.Servers { - for _, addr := range srv.Listen { - listenAddr, err := caddy.ParseNetworkAddress(addr) - if err != nil { - return fmt.Errorf("invalid listener address '%s': %v", addr, err) - } - // check that every address in the port range is unique to this server; - // we do not use <= here because PortRangeSize() adds 1 to EndPort for us - for i := uint(0); i < listenAddr.PortRangeSize(); i++ { - addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i))) - if sn, ok := lnAddrs[addr]; ok { - return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn) - } - lnAddrs[addr] = srvName - } - } - } - - return nil -} - -// Start runs the app. It finishes automatic HTTPS if enabled, -// including management of certificates. -func (app *App) Start() error { - for srvName, srv := range app.Servers { - s := &http.Server{ - ReadTimeout: time.Duration(srv.ReadTimeout), - ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout), - WriteTimeout: time.Duration(srv.WriteTimeout), - IdleTimeout: time.Duration(srv.IdleTimeout), - MaxHeaderBytes: srv.MaxHeaderBytes, - Handler: srv, - } - - for _, lnAddr := range srv.Listen { - listenAddr, err := caddy.ParseNetworkAddress(lnAddr) - if err != nil { - return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err) - } - for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ { - // create the listener for this socket - hostport := listenAddr.JoinHostPort(portOffset) - ln, err := caddy.Listen(listenAddr.Network, hostport) - if err != nil { - return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err) - } - - // wrap listener before TLS (up to the TLS placeholder wrapper) - var lnWrapperIdx int - for i, lnWrapper := range srv.listenerWrappers { - if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok { - lnWrapperIdx = i + 1 // mark the next wrapper's spot - break - } - ln = lnWrapper.WrapListener(ln) - } - - // enable TLS if there is a policy and if this is not the HTTP port - useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort() - if useTLS { - // create TLS listener - tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx) - ln = tls.NewListener(ln, tlsCfg) - - ///////// - // TODO: HTTP/3 support is experimental for now - if srv.ExperimentalHTTP3 { - app.logger.Info("enabling experimental HTTP/3 listener", - zap.String("addr", hostport), - ) - h3ln, err := caddy.ListenPacket("udp", hostport) - if err != nil { - return fmt.Errorf("getting HTTP/3 UDP listener: %v", err) - } - h3srv := &http3.Server{ - Server: &http.Server{ - Addr: hostport, - Handler: srv, - TLSConfig: tlsCfg, - }, - } - go h3srv.Serve(h3ln) - app.h3servers = append(app.h3servers, h3srv) - app.h3listeners = append(app.h3listeners, h3ln) - srv.h3server = h3srv - } - ///////// - } - - // finish wrapping listener where we left off before TLS - for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ { - ln = srv.listenerWrappers[i].WrapListener(ln) - } - - app.logger.Debug("starting server loop", - zap.String("address", lnAddr), - zap.Bool("http3", srv.ExperimentalHTTP3), - zap.Bool("tls", useTLS), - ) - - go s.Serve(ln) - app.servers = append(app.servers, s) - } - } - } - - // finish automatic HTTPS by finally beginning - // certificate management - err := app.automaticHTTPSPhase2() - if err != nil { - return fmt.Errorf("finalizing automatic HTTPS: %v", err) - } - - return nil -} - -// Stop gracefully shuts down the HTTP server. -func (app *App) Stop() error { - ctx := context.Background() - if app.GracePeriod > 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod)) - defer cancel() - } - for _, s := range app.servers { - err := s.Shutdown(ctx) - if err != nil { - return err - } - } - - // close the http3 servers; it's unclear whether the bug reported in - // https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566 - // was ever truly fixed, since it seemed racey/nondeterministic; but - // recent tests in 2020 were unable to replicate the issue again after - // repeated attempts (the bug manifested after a config reload; i.e. - // reusing a http3 server or listener was problematic), but it seems - // to be working fine now - for _, s := range app.h3servers { - // TODO: CloseGracefully, once implemented upstream - // (see https://github.com/lucas-clemente/quic-go/issues/2103) - err := s.Close() - if err != nil { - return err - } - } - - // closing an http3.Server does not close their underlying listeners - // since apparently the listener can be used both by servers and - // clients at the same time; so we need to manually call Close() - // on the underlying h3 listeners (see lucas-clemente/quic-go#2103) - for _, pc := range app.h3listeners { - err := pc.Close() - if err != nil { - return err - } - } - return nil -} - -func (app *App) httpPort() int { - if app.HTTPPort == 0 { - return DefaultHTTPPort - } - return app.HTTPPort -} - -func (app *App) httpsPort() int { - if app.HTTPSPort == 0 { - return DefaultHTTPSPort - } - return app.HTTPSPort } // RequestMatcher is a type that can match to a request. @@ -618,11 +218,5 @@ const ( DefaultHTTPSPort = 443 ) -// Interface guards -var ( - _ caddy.App = (*App)(nil) - _ caddy.Provisioner = (*App)(nil) - _ caddy.Validator = (*App)(nil) - - _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil) -) +// Interface guard +var _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil) -- cgit v1.2.3