http: Enable TLS for servers listening only on HTTPS port

It seems silly to have to add a single, empty TLS connection policy to
a server to enable TLS when it's only listening on the HTTPS port. We
now do this for the user as part of automatic HTTPS (thus, it can be
disabled / overridden).

See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
This commit is contained in:
Matthew Holt 2019-12-28 23:56:08 -07:00
parent 5c8b502964
commit 2b33d9a5e5
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
2 changed files with 13 additions and 0 deletions


@ -326,6 +326,18 @@ func (app *App) automaticHTTPS() error {
continue
}
// if all listeners are on the HTTPS port, make sure
// there is at least one TLS connection policy; it
// should be obvious that they want to use TLS without
// needing to specify one empty policy to enable it
if !srv.listenersUseAnyPortOtherThan(app.httpsPort()) && len(srv.TLSConnPolicies) == 0 {
app.logger.Info("server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS",
zap.String("server_name", srvName),
zap.Int("https_port", app.httpsPort()),
)
srv.TLSConnPolicies = append(srv.TLSConnPolicies, new(caddytls.ConnectionPolicy))
}
// find all qualifying domain names, de-duplicated
domainSet := make(map[string]struct{})
for routeIdx, route := range srv.Routes {
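Review bot: The new guard at `if !srv.listenersUseAnyPortOtherThan(app.httpsPort()) && len(srv.TLSConnPolicies) == 0` should note how a server with no explicit listeners is treated, since `listenersUseAnyPortOtherThan` is not visible here and, if it is vacuously false for an empty listener list, the empty policy is appended to servers that never bind the HTTPS port; I would add `// NOTE: a server with no listeners also satisfies this check — confirm listenersUseAnyPortOtherThan's behavior on an empty list` above the condition, or make the helper's contract explicit in its doc comment. Reordering to `if len(srv.TLSConnPolicies) == 0 && !srv.listenersUseAnyPortOtherThan(app.httpsPort()) {` puts the cheap length check first so the listener scan only runs for servers that actually lack a policy. The comment block could also say that this default is applied as part of automatic HTTPS and therefore is skipped when that feature is disabled, which is the behavior the commit message describes. automaticHTTPS begins and ends outside the hunk.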


@ -106,6 +106,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) (*tls.Config, error) {
}
// ConnectionPolicy specifies the logic for handling a TLS handshake.
// An empty policy is valid; safe and sensible defaults will be used.
type ConnectionPolicy struct {
// How to match this policy with a TLS ClientHello. If
// this policy is the first to match, it will be used.