From be53e432fcac0a9b9accbc36885304639e8ca70b Mon Sep 17 00:00:00 2001
From: Francis Lavoie <lavofr@gmail.com>
Date: Wed, 22 Feb 2023 13:41:01 -0500
Subject: caddytls: Relax the warning for on-demand (#5384)

---
 modules/caddytls/tls.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'modules/caddytls')

diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 8051653..92004b8 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -22,6 +22,7 @@ import (
 	"log"
 	"net/http"
 	"runtime/debug"
+	"strings"
 	"sync"
 	"time"
 
@@ -259,7 +260,17 @@ func (t *TLS) Start() error {
 	if t.Automation.OnDemand == nil ||
 		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
 		for _, ap := range t.Automation.Policies {
-			if ap.OnDemand {
+			isWildcardOrDefault := false
+			if len(ap.Subjects) == 0 {
+				isWildcardOrDefault = true
+			}
+			for _, sub := range ap.Subjects {
+				if strings.HasPrefix(sub, "*") {
+					isWildcardOrDefault = true
+					break
+				}
+			}
+			if ap.OnDemand && isWildcardOrDefault {
 				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
 					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
 				break
-- 
cgit v1.2.3