caddytls: Zero out throttle window first (#5443)

* caddytls: Zero out throttle window first

* Don't error for on-demand 

Fixes b97c76fb47

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
This commit is contained in:
Matt Holt 2023-03-20 12:06:00 -06:00 committed by GitHub
parent a7db0cfe55
commit 0cc49c053f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 23 additions and 15 deletions

View file

@ -19,6 +19,7 @@ import (
"errors"
"fmt"
"net/http"
"strings"
"time"
"github.com/caddyserver/caddy/v2"
@ -224,8 +225,10 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
// on-demand TLS
var ond *certmagic.OnDemandConfig
if ap.OnDemand {
// ask endpoint is now required after a number of negligence cases causing abuse
if !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
// ask endpoint is now required after a number of negligence cases causing abuse;
// but is still allowed for explicit subjects (non-wildcard, non-unbounded),
// and for the internal issuer since it doesn't cause ACME issuer pressure
if ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
}
ond = &certmagic.OnDemandConfig{
@ -294,6 +297,22 @@ func (ap *AutomationPolicy) onlyInternalIssuer() bool {
return ok
}
// isWildcardOrDefault determines if the subjects include any wildcard domains,
// or is the "default" policy (i.e. no subjects) which is unbounded.
func (ap *AutomationPolicy) isWildcardOrDefault() bool {
isWildcardOrDefault := false
if len(ap.Subjects) == 0 {
isWildcardOrDefault = true
}
for _, sub := range ap.Subjects {
if strings.HasPrefix(sub, "*") {
isWildcardOrDefault = true
break
}
}
return isWildcardOrDefault
}
// DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
// This function is experimental and has no compatibility promises.
func DefaultIssuers() []certmagic.Issuer {

View file

@ -22,7 +22,6 @@ import (
"log"
"net/http"
"runtime/debug"
"strings"
"sync"
"time"
@ -182,8 +181,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
} else {
// remove any existing rate limiter
onDemandRateLimiter.SetMaxEvents(0)
onDemandRateLimiter.SetWindow(0)
onDemandRateLimiter.SetMaxEvents(0)
}
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
@ -260,17 +259,7 @@ func (t *TLS) Start() error {
if t.Automation.OnDemand == nil ||
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
for _, ap := range t.Automation.Policies {
isWildcardOrDefault := false
if len(ap.Subjects) == 0 {
isWildcardOrDefault = true
}
for _, sub := range ap.Subjects {
if strings.HasPrefix(sub, "*") {
isWildcardOrDefault = true
break
}
}
if ap.OnDemand && isWildcardOrDefault {
if ap.OnDemand && ap.isWildcardOrDefault() {
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
break