tls: Ensure conn policy is created when providing certs in Caddyfile

Fixes #2929
This commit is contained in:
Matthew Holt 2019-12-13 16:32:27 -07:00
parent 8005b7ab73
commit 6ea121ddf8
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
2 changed files with 44 additions and 16 deletions


@ -81,7 +81,7 @@ func parseRoot(h Helper) ([]ConfigValue, error) {
func parseTLS(h Helper) ([]ConfigValue, error) { func parseTLS(h Helper) ([]ConfigValue, error) {
var configVals []ConfigValue var configVals []ConfigValue
cp := new(caddytls.ConnectionPolicy) var cp *caddytls.ConnectionPolicy
var fileLoader caddytls.FileLoader var fileLoader caddytls.FileLoader
var folderLoader caddytls.FolderLoader var folderLoader caddytls.FolderLoader
var mgr caddytls.ACMEManagerMaker var mgr caddytls.ACMEManagerMaker
@ -131,12 +131,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if _, ok := caddytls.SupportedProtocols[args[0]]; !ok { if _, ok := caddytls.SupportedProtocols[args[0]]; !ok {
return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[0]) return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[0])
} }
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
cp.ProtocolMin = args[0] cp.ProtocolMin = args[0]
} }
if len(args) > 1 { if len(args) > 1 {
if _, ok := caddytls.SupportedProtocols[args[1]]; !ok { if _, ok := caddytls.SupportedProtocols[args[1]]; !ok {
return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[1]) return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[1])
} }
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
cp.ProtocolMax = args[1] cp.ProtocolMax = args[1]
} }
case "ciphers": case "ciphers":
@ -144,6 +150,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok { if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok {
return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val()) return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val())
} }
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
cp.CipherSuites = append(cp.CipherSuites, h.Val()) cp.CipherSuites = append(cp.CipherSuites, h.Val())
} }
case "curves": case "curves":
@ -151,6 +160,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if _, ok := caddytls.SupportedCurves[h.Val()]; !ok { if _, ok := caddytls.SupportedCurves[h.Val()]; !ok {
return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val()) return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val())
} }
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
cp.Curves = append(cp.Curves, h.Val()) cp.Curves = append(cp.Curves, h.Val())
} }
case "alpn": case "alpn":
@ -158,6 +170,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
if len(args) == 0 { if len(args) == 0 {
return nil, h.ArgErr() return nil, h.ArgErr()
} }
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
cp.ALPN = args cp.ALPN = args
// certificate folder loader // certificate folder loader
@ -183,24 +198,34 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
} }
} }
// connection policy
configVals = append(configVals, ConfigValue{
Class: "tls.connection_policy",
Value: cp,
})
// certificate loaders // certificate loaders
if len(fileLoader) > 0 { if len(fileLoader) > 0 {
configVals = append(configVals, ConfigValue{ configVals = append(configVals, ConfigValue{
Class: "tls.certificate_loader", Class: "tls.certificate_loader",
Value: fileLoader, Value: fileLoader,
}) })
// ensure server uses HTTPS by setting non-nil conn policy
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
} }
if len(folderLoader) > 0 { if len(folderLoader) > 0 {
configVals = append(configVals, ConfigValue{ configVals = append(configVals, ConfigValue{
Class: "tls.certificate_loader", Class: "tls.certificate_loader",
Value: folderLoader, Value: folderLoader,
}) })
// ensure server uses HTTPS by setting non-nil conn policy
if cp == nil {
cp = new(caddytls.ConnectionPolicy)
}
}
// connection policy
if cp != nil {
configVals = append(configVals, ConfigValue{
Class: "tls.connection_policy",
Value: cp,
})
} }
// automation policy // automation policy
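Review bot: The lazy `if cp == nil { cp = new(caddytls.ConnectionPolicy) }` block is now repeated in every case that writes to `cp` (protocols, ciphers, curves, alpn, and both certificate loaders), so any future `tls` subdirective that sets a policy field and forgets the guard will nil-dereference during Caddyfile adaptation. A single closure declared next to `var cp *caddytls.ConnectionPolicy`, `ensureCP := func() { if cp == nil { cp = new(caddytls.ConnectionPolicy) } }`, called as `ensureCP()` at each site, keeps the "create only when needed" intent while making the invariant live in one place. The two `// ensure server uses HTTPS by setting non-nil conn policy` comments would also benefit from saying why an empty policy is sufficient — presumably the mere presence of a connection policy is what makes the server terminate TLS with default settings, and that is worth stating for the next reader since nothing else in the hunk explains it. parseTLS continues past the end of this hunk (the automation policy handling follows).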


@ -275,6 +275,9 @@ func (st *ServerType) hostsFromServerBlockKeys(sb caddyfile.ServerBlock) ([]stri
return nil, fmt.Errorf("parsing server block key: %v", err) return nil, fmt.Errorf("parsing server block key: %v", err)
} }
addr = addr.Normalize() addr = addr.Normalize()
if addr.Host == "" {
continue
}
hostMap[addr.Host] = struct{}{} hostMap[addr.Host] = struct{}{}
} }
@ -328,20 +331,20 @@ func (st *ServerType) serversFromPairings(
// tls connection policies // tls connection policies
for _, cpVal := range cpVals { for _, cpVal := range cpVals {
cp := cpVal.Value.(*caddytls.ConnectionPolicy) cp := cpVal.Value.(*caddytls.ConnectionPolicy)
// only create if there is a non-empty policy
if !reflect.DeepEqual(cp, new(caddytls.ConnectionPolicy)) {
// make sure the policy covers all hostnames from the block
hosts, err := st.hostsFromServerBlockKeys(sblock.block)
if err != nil {
return nil, err
}
// TODO: are matchers needed if every hostname of the config is matched? // make sure the policy covers all hostnames from the block
hosts, err := st.hostsFromServerBlockKeys(sblock.block)
if err != nil {
return nil, err
}
// TODO: are matchers needed if every hostname of the config is matched?
if len(hosts) > 0 {
cp.MatchersRaw = caddy.ModuleMap{ cp.MatchersRaw = caddy.ModuleMap{
"sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones "sni": caddyconfig.JSON(hosts, warnings), // make sure to match all hosts, not just auto-HTTPS-qualified ones
} }
srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
} }
srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
} }
// TODO: consolidate equal conn policies // TODO: consolidate equal conn policies
} }
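Review bot: The `if len(hosts) > 0` guard in front of the `cp.MatchersRaw` assignment treats a block that mixes a port-only key (say `:443`) with named hosts the same as a block containing only named hosts, because the new `if addr.Host == "" { continue }` in hostsFromServerBlockKeys silently drops the hostless key; the resulting policy then carries an SNI matcher for the named hosts only, and, if I read the catch-all intent correctly, connections arriving on that block with no or a different SNI are left without this policy. If mixed keys are legal in one server block, have hostsFromServerBlockKeys (or a sibling check) report whether any key had an empty host and skip the matcher in that case, e.g. `if len(hosts) > 0 && !hasCatchAll { cp.MatchersRaw = ... }`. With the `reflect.DeepEqual` filter removed, every policy is now appended, so an empty policy without a matcher matches every connection on the server — fine as the fix intends, but the order of `srv.TLSConnPolicies` presumably decides which policy wins when several match, and a one-line comment noting that ordering assumption would help. Both hostsFromServerBlockKeys and serversFromPairings extend outside their hunks.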