From a524bcfe78e8067b8224b1794c6842d9c2c7e8cf Mon Sep 17 00:00:00 2001
From: Matthew Holt 
Date: Wed, 26 Jun 2019 10:57:18 -0600
Subject: [PATCH] Enable skipping just certificate management for some auto HTTPS names

---
 modules/caddyhttp/caddyhttp.go | 16 +++++++++++-----
 modules/caddyhttp/server.go | 14 ++++++++++----
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index 850501fb..9c80992b 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -210,7 +210,8 @@ func (app *App) automaticHTTPS() error {
 for _, m := range matcherSet {
 if hm, ok := m.(*MatchHost); ok {
 for _, d := range *hm {
- if certmagic.HostQualifies(d) && !srv.AutoHTTPS.HostSkipped(d) {
+ if certmagic.HostQualifies(d) &&
+ !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
 domainSet[d] = struct{}{}
 }
 }
@@ -221,9 +222,12 @@ func (app *App) automaticHTTPS() error {
 
 if len(domainSet) > 0 {
 // marshal the domains into a slice
- var domains []string
+ var domains, domainsForCerts []string
 for d := range domainSet {
 domains = append(domains, d)
+ if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
+ domainsForCerts = append(domainsForCerts, d)
+ }
 }
 
 // ensure that these certificates are managed properly;
@@ -245,13 +249,13 @@ func (app *App) automaticHTTPS() error {
 acmeManager.SetDefaults()
 tlsApp.Automation.Policies = append(tlsApp.Automation.Policies,
 caddytls.AutomationPolicy{
- Hosts: domains,
+ Hosts: domainsForCerts,
 Management: acmeManager,
 })
 
 // manage their certificates
- log.Printf("[INFO] Enabling automatic HTTPS for %v", domains)
- err := tlsApp.Manage(domains)
+ log.Printf("[INFO] Enabling automatic HTTPS certificates for %v", domainsForCerts)
+ err := tlsApp.Manage(domainsForCerts)
 if err != nil {
 return fmt.Errorf("%s: managing certificate for %s: %s", srvName, domains, err)
 }
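Review bot: `domainsForCerts` stays nil when every qualifying name is listed in `skip_certificates`, and this hunk hands it on unchanged to the automation policy and the `tlsApp.Manage` call in the next hunk (`@@ -245`). If caddytls treats an empty `Hosts` list as a catch-all policy rather than an empty one, that would attach the ACME manager to every name instead of none, which is the opposite of what the operator asked for; the policy creation and `Manage` call should be guarded with `if len(domainsForCerts) > 0 { … }` while the redirect setup below keeps running on `domains`. `automaticHTTPS` starts before and ends after this hunk, so the guard's exact placement has to be checked against the surrounding code.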
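Review bot: The error return at the end of this hunk still formats `domains` although the call two lines above now manages `domainsForCerts`, so a failure would be reported against names that were deliberately excluded from certificate management and the operator would chase the wrong host; change it to `return fmt.Errorf("%s: managing certificates for %s: %s", srvName, domainsForCerts, err)`. `domains` and `domainsForCerts` are also filled from map iteration in the previous hunk, so the order in this message and in the `[INFO]` log line varies between runs; sorting them once after the loop would keep log output comparable across restarts. `automaticHTTPS` continues outside the hunk.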
@@ -267,6 +271,8 @@ func (app *App) automaticHTTPS() error {
 continue
 }
 
+ log.Printf("[INFO] Enabling automatic HTTP->HTTPS redirects for %v", domains)
+
 // create HTTP->HTTPS redirects
 for _, addr := range srv.Listen {
 netw, host, port, err := splitListenAddr(addr)
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index be46d6da..05763ba7 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -133,12 +133,18 @@ type AutoHTTPSConfig struct {
 // in automatic HTTPS (they will not have certificates
 // loaded nor redirects applied).
 Skip []string `json:"skip,omitempty"`
+
+ // Hosts/domain names listed here will still be enabled
+ // for automatic HTTPS (unless in the Skip list), except
+ // that certificates will not be provisioned and managed
+ // for these names.
+ SkipCerts []string `json:"skip_certificates,omitempty"`
 }
 
-// HostSkipped returns true if name is supposed to be skipped
-// when setting up automatic HTTPS.
-func (ahc AutoHTTPSConfig) HostSkipped(name string) bool {
- for _, n := range ahc.Skip {
+// Skipped returns true if name is in skipSlice, which
+// should be one of the Skip* fields on ahc.
+func (ahc AutoHTTPSConfig) Skipped(name string, skipSlice []string) bool {
+ for _, n := range skipSlice {
 if name == n {
 return true
 }
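Review bot: The new `SkipCerts` doc comment should say who is responsible for the certificate, because names in this list still receive HTTP->HTTPS redirects (the log line added at `@@ -267` in caddyhttp.go shows they remain in `domains`) and clients will be sent to a TLS listener that has no managed certificate for them unless one is loaded another way; a sentence such as `// A certificate for these names must be supplied by other means, since redirects to HTTPS are still applied.` would make that explicit. `Skipped` also compares with `name == n`, so an entry that differs from the host matcher only in letter case or a trailing dot will not match and the name will silently stay ACME-managed; either normalize both sides (for example `strings.EqualFold`) or document in the `Skip`/`SkipCerts` comments that entries must match the host matcher exactly. The body of `Skipped` ends outside the hunk.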