diff --git a/caddyconfig/httpcaddyfile/directives.go b/caddyconfig/httpcaddyfile/directives.go index 8fa48cd07..ff248bfed 100644 --- a/caddyconfig/httpcaddyfile/directives.go +++ b/caddyconfig/httpcaddyfile/directives.go @@ -393,23 +393,30 @@ type serverBlock struct { } // hostsFromKeys returns a list of all the non-empty hostnames found in -// the keys of the server block sb, unless allowEmpty is true, in which -// case a key with no host (e.g. ":443") will be added to the list as an -// empty string. Otherwise, if allowEmpty is false, and if sb has a key -// that omits the hostname (i.e. is a catch-all/empty host), then the returned -// list is empty, because the server block effectively matches ALL hosts. -// The list may not be in a consistent order. If includePorts is true, then -// any non-empty, non-standard ports will be included. -func (sb serverBlock) hostsFromKeys(allowEmpty, includePorts bool) []string { - // first get each unique hostname +// the keys of the server block sb. If logger mode is false, a key with +// an empty hostname portion will return an empty slice, since that +// server block is interpreted to effectively match all hosts. An empty +// string is never added to the slice. +// +// If loggerMode is true, then the non-standard ports of keys will be +// joined to the hostnames. This is to effectively match the Host +// header of requests that come in for that key. +// +// The resulting slice is not sorted but will never have duplicates. +func (sb serverBlock) hostsFromKeys(loggerMode bool) []string { + // ensure each entry in our list is unique hostMap := make(map[string]struct{}) for _, addr := range sb.keys { - if addr.Host == "" && !allowEmpty { - // server block contains a key like ":443", i.e. the host portion - // is empty / catch-all, which means to match all hosts - return []string{} + if addr.Host == "" { + if !loggerMode { + // server block contains a key like ":443", i.e. the host portion + // is empty / catch-all, which means to match all hosts + return []string{} + } + // never append an empty string + continue } - if includePorts && + if loggerMode && addr.Port != "" && addr.Port != strconv.Itoa(caddyhttp.DefaultHTTPPort) && addr.Port != strconv.Itoa(caddyhttp.DefaultHTTPSPort) { @@ -428,6 +435,17 @@ func (sb serverBlock) hostsFromKeys(allowEmpty, includePorts bool) []string { return sblockHosts } +// hasHostCatchAllKey returns true if sb has a key that +// omits a host portion, i.e. it "catches all" hosts. +func (sb serverBlock) hasHostCatchAllKey() bool { + for _, addr := range sb.keys { + if addr.Host == "" { + return true + } + } + return false +} + type ( // UnmarshalFunc is a function which can unmarshal Caddyfile // tokens into zero or more config values using a Helper type. diff --git a/caddyconfig/httpcaddyfile/directives_test.go b/caddyconfig/httpcaddyfile/directives_test.go new file mode 100644 index 000000000..03768ac98 --- /dev/null +++ b/caddyconfig/httpcaddyfile/directives_test.go @@ -0,0 +1,94 @@ +package httpcaddyfile + +import ( + "reflect" + "sort" + "testing" +) + +func TestHostsFromKeys(t *testing.T) { + for i, tc := range []struct { + keys []Address + expectNormalMode []string + expectLoggerMode []string + }{ + { + []Address{ + Address{Original: "foo", Host: "foo"}, + }, + []string{"foo"}, + []string{"foo"}, + }, + { + []Address{ + Address{Original: "foo", Host: "foo"}, + Address{Original: "bar", Host: "bar"}, + }, + []string{"bar", "foo"}, + []string{"bar", "foo"}, + }, + { + []Address{ + Address{Original: ":2015", Port: "2015"}, + }, + []string{}, []string{}, + }, + { + []Address{ + Address{Original: ":443", Port: "443"}, + }, + []string{}, []string{}, + }, + { + []Address{ + Address{Original: "foo", Host: "foo"}, + Address{Original: ":2015", Port: "2015"}, + }, + []string{}, []string{"foo"}, + }, + { + []Address{ + Address{Original: "example.com:2015", Host: "example.com", Port: "2015"}, + }, + []string{"example.com"}, + []string{"example.com:2015"}, + }, + { + []Address{ + Address{Original: "example.com:80", Host: "example.com", Port: "80"}, + }, + []string{"example.com"}, + []string{"example.com"}, + }, + { + []Address{ + Address{Original: "https://:2015/foo", Scheme: "https", Port: "2015", Path: "/foo"}, + }, + []string{}, + []string{}, + }, + { + []Address{ + Address{Original: "https://example.com:2015/foo", Scheme: "https", Host: "example.com", Port: "2015", Path: "/foo"}, + }, + []string{"example.com"}, + []string{"example.com:2015"}, + }, + } { + sb := serverBlock{keys: tc.keys} + + // test in normal mode + actual := sb.hostsFromKeys(false) + sort.Strings(actual) + if !reflect.DeepEqual(tc.expectNormalMode, actual) { + t.Errorf("Test %d (loggerMode=false): Expected: %v Actual: %v", i, tc.expectNormalMode, actual) + } + + // test in logger mode + actual = sb.hostsFromKeys(true) + sort.Strings(actual) + if !reflect.DeepEqual(tc.expectLoggerMode, actual) { + t.Errorf("Test %d (loggerMode=true): Expected: %v Actual: %v", i, tc.expectLoggerMode, actual) + } + } +} diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go index a73816611..4c5f445fd 100644 --- a/caddyconfig/httpcaddyfile/httptype.go +++ b/caddyconfig/httpcaddyfile/httptype.go @@ -378,7 +378,7 @@ func (st *ServerType) serversFromPairings( return nil, fmt.Errorf("server block %v: compiling matcher sets: %v", sblock.block.Keys, err) } - hosts := sblock.hostsFromKeys(false, false) + hosts := sblock.hostsFromKeys(false) // tls: connection policies if cpVals, ok := sblock.pile["tls.connection_policy"]; ok { @@ -450,9 +450,13 @@ func (st *ServerType) serversFromPairings( LoggerNames: make(map[string]string), } } - for _, h := range sblock.hostsFromKeys(true, true) { - if ncl.name != "" { - srv.Logs.LoggerNames[h] = ncl.name + if sblock.hasHostCatchAllKey() { + srv.Logs.LoggerName = ncl.name + } else { + for _, h := range sblock.hostsFromKeys(true) { + if ncl.name != "" { + srv.Logs.LoggerNames[h] = ncl.name + } } } } diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 2ce7ea3bb..b31bdc5a0 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -16,6 +16,7 @@ package httpcaddyfile import ( "bytes" + "encoding/json" "fmt" "reflect" "sort" @@ -53,7 +54,7 @@ func (st ServerType) buildTLSApp( continue } if otherAddr.Host != "" { - hostsSharedWithHostlessKey[addr.Host] = struct{}{} + hostsSharedWithHostlessKey[otherAddr.Host] = struct{}{} } } break @@ -72,7 +73,7 @@ func (st ServerType) buildTLSApp( // get values that populate an automation policy for this block var ap *caddytls.AutomationPolicy - sblockHosts := sblock.hostsFromKeys(false, false) + sblockHosts := sblock.hostsFromKeys(false) if len(sblockHosts) == 0 { ap = catchAllAP } @@ -263,6 +264,33 @@ func (st ServerType) buildTLSApp( tlsApp.Automation.OnDemand = onDemand } + // if any hostnames appear on the same server block as a key with + // no host, they will not be used with route matchers because the + // hostless key matches all hosts, therefore, it wouldn't be + // considered for auto-HTTPS, so we need to make sure those hosts + // are manually considered for managed certificates; we also need + // to make sure that any of these names which are internal-only + // get internal certificates by default rather than ACME + var al caddytls.AutomateLoader + internalAP := &caddytls.AutomationPolicy{ + IssuerRaw: json.RawMessage(`{"module":"internal"}`), + } + for h := range hostsSharedWithHostlessKey { + al = append(al, h) + if !certmagic.SubjectQualifiesForPublicCert(h) { + internalAP.Subjects = append(internalAP.Subjects, h) + } + } + if len(al) > 0 { + tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings) + } + if len(internalAP.Subjects) > 0 { + if tlsApp.Automation == nil { + tlsApp.Automation = new(caddytls.AutomationConfig) + } + tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, internalAP) + } + // if there is a global/catch-all automation policy, ensure it goes last if catchAllAP != nil { // first, encode its issuer @@ -276,19 +304,6 @@ func (st ServerType) buildTLSApp( tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP) } - // if any hostnames appear on the same server block as a key with - // no host, they will not be used with route matchers because the - // hostless key matches all hosts, therefore, it wouldn't be - // considered for auto-HTTPS, so we need to make sure those hosts - // are manually considered for managed certificates - var al caddytls.AutomateLoader - for h := range hostsSharedWithHostlessKey { - al = append(al, h) - } - if len(al) > 0 { - tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings) - } - // do a little verification & cleanup if tlsApp.Automation != nil { // ensure automation policies don't overlap subjects (this should be diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go index 22cf20be1..87e6b28a5 100644 --- a/modules/caddytls/automation.go +++ b/modules/caddytls/automation.go @@ -53,7 +53,8 @@ type AutomationConfig struct { // a low value. RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"` - defaultAutomationPolicy *AutomationPolicy + defaultPublicAutomationPolicy *AutomationPolicy + defaultInternalAutomationPolicy *AutomationPolicy } // AutomationPolicy designates the policy for automating the @@ -67,7 +68,8 @@ type AutomationPolicy struct { // Which subjects (hostnames or IP addresses) this policy applies to. Subjects []string `json:"subjects,omitempty"` - // The module that will issue certificates. Default: acme + // The module that will issue certificates. Default: internal if all + // subjects do not qualify for public certificates; othewise acme. IssuerRaw json.RawMessage `json:"issuer,omitempty" caddy:"namespace=tls.issuance inline_key=module"` // If true, certificates will be requested with MustStaple. Not all diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 54f0e2356..1255d3df6 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -93,10 +93,17 @@ func (t *TLS) Provision(ctx caddy.Context) error { if t.Automation == nil { t.Automation = new(AutomationConfig) } - t.Automation.defaultAutomationPolicy = new(AutomationPolicy) - err := t.Automation.defaultAutomationPolicy.Provision(t) + t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy) + err := t.Automation.defaultPublicAutomationPolicy.Provision(t) if err != nil { - return fmt.Errorf("provisioning default automation policy: %v", err) + return fmt.Errorf("provisioning default public automation policy: %v", err) + } + t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{ + IssuerRaw: json.RawMessage(`{"module":"internal"}`), + } + err = t.Automation.defaultInternalAutomationPolicy.Provision(t) + if err != nil { + return fmt.Errorf("provisioning default internal automation policy: %v", err) } for i, ap := range t.Automation.Policies { err := ap.Provision(t) @@ -318,6 +325,10 @@ func (t *TLS) getConfigForName(name string) *certmagic.Config { return ap.magic } +// getAutomationPolicyForName returns the first matching automation policy +// for the given subject name. If no matching policy can be found, the +// default policy is used, depending on whether the name qualifies for a +// public certificate or not. func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy { for _, ap := range t.Automation.Policies { if len(ap.Subjects) == 0 { @@ -329,7 +340,10 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy { } } } - return t.Automation.defaultAutomationPolicy + if certmagic.SubjectQualifiesForPublicCert(name) { + return t.Automation.defaultPublicAutomationPolicy + } + return t.Automation.defaultInternalAutomationPolicy } // AllMatchingCertificates returns the list of all certificates in