From 0cc49c053f77bf6efa8107fa50d2e256a91d0ff8 Mon Sep 17 00:00:00 2001
From: Matt Holt
Date: Mon, 20 Mar 2023 12:06:00 -0600
Subject: caddytls: Zero out throttle window first (#5443)

* caddytls: Zero out throttle window first

* Don't error for on-demand

Fixes https://github.com/caddyserver/caddy/commit/b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5

---------

Co-authored-by: Francis Lavoie
---
 modules/caddytls/tls.go | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)
 (limited to 'modules/caddytls/tls.go')

diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 92004b8..486a58c 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,7 +22,6 @@ import (
 "log"
 "net/http"
 "runtime/debug"
-"strings"
 "sync"
 "time"
 
@@ -182,8 +181,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
 } else {
 // remove any existing rate limiter
-onDemandRateLimiter.SetMaxEvents(0)
 onDemandRateLimiter.SetWindow(0)
+onDemandRateLimiter.SetMaxEvents(0)
 }
 
 // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
@@ -260,17 +259,7 @@ func (t *TLS) Start() error {
 if t.Automation.OnDemand == nil ||
 (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
 for _, ap := range t.Automation.Policies {
-isWildcardOrDefault := false
-if len(ap.Subjects) == 0 {
-isWildcardOrDefault = true
-}
-for _, sub := range ap.Subjects {
-if strings.HasPrefix(sub, "*") {
-isWildcardOrDefault = true
-break
-}
-}
-if ap.OnDemand && isWildcardOrDefault {
+if ap.OnDemand && ap.isWildcardOrDefault() {
 t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
 zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
 break
-- 
cgit v1.2.3
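Review bot: The new call order in the `else` branch of Provision is load-bearing — the commit exists to zero the window before the event count — but nothing at the call site records that, so the two setters read as independent and a later tidy-up could swap them back. The existing comment should carry the constraint, e.g. `// remove any existing rate limiter; zero the window before max events — order matters (#5443)`. I cannot see the limiter's implementation in this diff, so the precise reason the order matters should be stated there by someone who can; the comment here only needs to flag the dependency. Provision's body starts and ends outside the hunk.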
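Review bot: The replacement `if ap.OnDemand && ap.isWildcardOrDefault()` in Start delegates the abuse-warning trigger to a helper whose definition is not in this diff (it is presumably the one introduced by the commit referenced under "Fixes"), so a reader of this hunk can no longer tell that the removed logic counted both a policy with no subjects and any subject beginning with `*`; please confirm the helper preserves both cases, since the default-policy case is the one that lets arbitrary hostnames reach on-demand issuance. A short comment above the loop would keep that intent visible, e.g. `// warn once if an on-demand policy with no ask endpoint or rate limit could match arbitrary hostnames (default policy or wildcard subject)`. Note the warning still fires at most once because of the `break`, which is unchanged behaviour. Start's body begins before the hunk and continues after it.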