mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-25 13:13:47 +03:00
httpcaddyfile: Implement experimental force_automate
option (#6712)
Some checks are pending
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Tests / test (s390x on IBM Z) (push) Waiting to run
Tests / goreleaser-check (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, aix) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, linux) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, windows) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, aix) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, linux) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, windows) (push) Waiting to run
Lint / lint (push) Waiting to run
Lint / govulncheck (push) Waiting to run
Some checks are pending
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Tests / test (s390x on IBM Z) (push) Waiting to run
Tests / goreleaser-check (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, aix) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, linux) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, windows) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, aix) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, linux) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, windows) (push) Waiting to run
Lint / lint (push) Waiting to run
Lint / govulncheck (push) Waiting to run
This commit is contained in:
parent
5ba1e06fd6
commit
afa778ae05
5 changed files with 334 additions and 3 deletions
|
@ -84,7 +84,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
|
||||||
|
|
||||||
// parseTLS parses the tls directive. Syntax:
|
// parseTLS parses the tls directive. Syntax:
|
||||||
//
|
//
|
||||||
// tls [<email>|internal]|[<cert_file> <key_file>] {
|
// tls [<email>|internal|force_automate]|[<cert_file> <key_file>] {
|
||||||
// protocols <min> [<max>]
|
// protocols <min> [<max>]
|
||||||
// ciphers <cipher_suites...>
|
// ciphers <cipher_suites...>
|
||||||
// curves <curves...>
|
// curves <curves...>
|
||||||
|
@ -107,6 +107,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
|
||||||
// dns_challenge_override_domain <domain>
|
// dns_challenge_override_domain <domain>
|
||||||
// on_demand
|
// on_demand
|
||||||
// reuse_private_keys
|
// reuse_private_keys
|
||||||
|
// force_automate
|
||||||
// eab <key_id> <mac_key>
|
// eab <key_id> <mac_key>
|
||||||
// issuer <module_name> [...]
|
// issuer <module_name> [...]
|
||||||
// get_certificate <module_name> [...]
|
// get_certificate <module_name> [...]
|
||||||
|
@ -126,6 +127,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
||||||
var certManagers []certmagic.Manager
|
var certManagers []certmagic.Manager
|
||||||
var onDemand bool
|
var onDemand bool
|
||||||
var reusePrivateKeys bool
|
var reusePrivateKeys bool
|
||||||
|
var forceAutomate bool
|
||||||
|
|
||||||
firstLine := h.RemainingArgs()
|
firstLine := h.RemainingArgs()
|
||||||
switch len(firstLine) {
|
switch len(firstLine) {
|
||||||
|
@ -133,8 +135,10 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
||||||
case 1:
|
case 1:
|
||||||
if firstLine[0] == "internal" {
|
if firstLine[0] == "internal" {
|
||||||
internalIssuer = new(caddytls.InternalIssuer)
|
internalIssuer = new(caddytls.InternalIssuer)
|
||||||
|
} else if firstLine[0] == "force_automate" {
|
||||||
|
forceAutomate = true
|
||||||
} else if !strings.Contains(firstLine[0], "@") {
|
} else if !strings.Contains(firstLine[0], "@") {
|
||||||
return nil, h.Err("single argument must either be 'internal' or an email address")
|
return nil, h.Err("single argument must either be 'internal', 'force_automate', or an email address")
|
||||||
} else {
|
} else {
|
||||||
acmeIssuer = &caddytls.ACMEIssuer{
|
acmeIssuer = &caddytls.ACMEIssuer{
|
||||||
Email: firstLine[0],
|
Email: firstLine[0],
|
||||||
|
@ -569,6 +573,15 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// if enabled, the names in the site addresses will be
|
||||||
|
// added to the automation policies
|
||||||
|
if forceAutomate {
|
||||||
|
configVals = append(configVals, ConfigValue{
|
||||||
|
Class: "tls.force_automate",
|
||||||
|
Value: true,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
// custom certificate selection
|
// custom certificate selection
|
||||||
if len(certSelector.AnyTag) > 0 {
|
if len(certSelector.AnyTag) > 0 {
|
||||||
cp.CertSelection = &certSelector
|
cp.CertSelection = &certSelector
|
||||||
|
|
|
@ -763,6 +763,14 @@ func (st *ServerType) serversFromPairings(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// collect hosts that are forced to be automated
|
||||||
|
forceAutomatedNames := make(map[string]struct{})
|
||||||
|
if _, ok := sblock.pile["tls.force_automate"]; ok {
|
||||||
|
for _, host := range hosts {
|
||||||
|
forceAutomatedNames[host] = struct{}{}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// tls: connection policies
|
// tls: connection policies
|
||||||
if cpVals, ok := sblock.pile["tls.connection_policy"]; ok {
|
if cpVals, ok := sblock.pile["tls.connection_policy"]; ok {
|
||||||
// tls connection policies
|
// tls connection policies
|
||||||
|
@ -794,7 +802,7 @@ func (st *ServerType) serversFromPairings(
|
||||||
}
|
}
|
||||||
|
|
||||||
// only append this policy if it actually changes something
|
// only append this policy if it actually changes something
|
||||||
if !cp.SettingsEmpty() {
|
if !cp.SettingsEmpty() || mapContains(forceAutomatedNames, hosts) {
|
||||||
srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
|
srv.TLSConnPolicies = append(srv.TLSConnPolicies, cp)
|
||||||
hasCatchAllTLSConnPolicy = len(hosts) == 0
|
hasCatchAllTLSConnPolicy = len(hosts) == 0
|
||||||
}
|
}
|
||||||
|
@ -1661,6 +1669,18 @@ func listenersUseAnyPortOtherThan(addresses []string, otherPort string) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func mapContains[K comparable, V any](m map[K]V, keys []K) bool {
|
||||||
|
if len(m) == 0 || len(keys) == 0 {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
for _, key := range keys {
|
||||||
|
if _, ok := m[key]; ok {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// specificity returns len(s) minus any wildcards (*) and
|
// specificity returns len(s) minus any wildcards (*) and
|
||||||
// placeholders ({...}). Basically, it's a length count
|
// placeholders ({...}). Basically, it's a length count
|
||||||
// that penalizes the use of wildcards and placeholders.
|
// that penalizes the use of wildcards and placeholders.
|
||||||
|
|
|
@ -94,6 +94,9 @@ func (st ServerType) buildTLSApp(
|
||||||
|
|
||||||
// collect all hosts that have a wildcard in them, and arent HTTP
|
// collect all hosts that have a wildcard in them, and arent HTTP
|
||||||
wildcardHosts := []string{}
|
wildcardHosts := []string{}
|
||||||
|
// hosts that have been explicitly marked to be automated,
|
||||||
|
// even if covered by another wildcard
|
||||||
|
forcedAutomatedNames := make(map[string]struct{})
|
||||||
for _, p := range pairings {
|
for _, p := range pairings {
|
||||||
var addresses []string
|
var addresses []string
|
||||||
for _, addressWithProtocols := range p.addressesWithProtocols {
|
for _, addressWithProtocols := range p.addressesWithProtocols {
|
||||||
|
@ -150,6 +153,13 @@ func (st ServerType) buildTLSApp(
|
||||||
ap.OnDemand = true
|
ap.OnDemand = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// collect hosts that are forced to be automated
|
||||||
|
if _, ok := sblock.pile["tls.force_automate"]; ok {
|
||||||
|
for _, host := range sblockHosts {
|
||||||
|
forcedAutomatedNames[host] = struct{}{}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// reuse private keys tls
|
// reuse private keys tls
|
||||||
if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
|
if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
|
||||||
ap.ReusePrivateKeys = true
|
ap.ReusePrivateKeys = true
|
||||||
|
@ -407,6 +417,12 @@ func (st ServerType) buildTLSApp(
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
for name := range forcedAutomatedNames {
|
||||||
|
if slices.Contains(al, name) {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
al = append(al, name)
|
||||||
|
}
|
||||||
if len(al) > 0 {
|
if len(al) > 0 {
|
||||||
tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings)
|
tlsApp.CertificatesRaw["automate"] = caddyconfig.JSON(al, &warnings)
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,180 @@
|
||||||
|
automated1.example.com {
|
||||||
|
tls force_automate
|
||||||
|
respond "Automated!"
|
||||||
|
}
|
||||||
|
|
||||||
|
automated2.example.com {
|
||||||
|
tls force_automate
|
||||||
|
respond "Automated!"
|
||||||
|
}
|
||||||
|
|
||||||
|
shadowed.example.com {
|
||||||
|
respond "Shadowed!"
|
||||||
|
}
|
||||||
|
|
||||||
|
*.example.com {
|
||||||
|
tls cert.pem key.pem
|
||||||
|
respond "Wildcard!"
|
||||||
|
}
|
||||||
|
----------
|
||||||
|
{
|
||||||
|
"apps": {
|
||||||
|
"http": {
|
||||||
|
"servers": {
|
||||||
|
"srv0": {
|
||||||
|
"listen": [
|
||||||
|
":443"
|
||||||
|
],
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"automated1.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"handler": "subroute",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"body": "Automated!",
|
||||||
|
"handler": "static_response"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"automated2.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"handler": "subroute",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"body": "Automated!",
|
||||||
|
"handler": "static_response"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"shadowed.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"handler": "subroute",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"body": "Shadowed!",
|
||||||
|
"handler": "static_response"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"*.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"handler": "subroute",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"body": "Wildcard!",
|
||||||
|
"handler": "static_response"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"tls_connection_policies": [
|
||||||
|
{
|
||||||
|
"match": {
|
||||||
|
"sni": [
|
||||||
|
"automated1.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"match": {
|
||||||
|
"sni": [
|
||||||
|
"automated2.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"match": {
|
||||||
|
"sni": [
|
||||||
|
"*.example.com"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"certificate_selection": {
|
||||||
|
"any_tag": [
|
||||||
|
"cert0"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"certificates": {
|
||||||
|
"automate": [
|
||||||
|
"automated1.example.com",
|
||||||
|
"automated2.example.com"
|
||||||
|
],
|
||||||
|
"load_files": [
|
||||||
|
{
|
||||||
|
"certificate": "cert.pem",
|
||||||
|
"key": "key.pem",
|
||||||
|
"tags": [
|
||||||
|
"cert0"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,102 @@
|
||||||
|
subdomain.example.com {
|
||||||
|
respond "Subdomain!"
|
||||||
|
}
|
||||||
|
|
||||||
|
*.example.com {
|
||||||
|
tls cert.pem key.pem
|
||||||
|
respond "Wildcard!"
|
||||||
|
}
|
||||||
|
----------
|
||||||
|
{
|
||||||
|
"apps": {
|
||||||
|
"http": {
|
||||||
|
"servers": {
|
||||||
|
"srv0": {
|
||||||
|
"listen": [
|
||||||
|
":443"
|
||||||
|
],
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"subdomain.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"handler": "subroute",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"body": "Subdomain!",
|
||||||
|
"handler": "static_response"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"*.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"handler": "subroute",
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"handle": [
|
||||||
|
{
|
||||||
|
"body": "Wildcard!",
|
||||||
|
"handler": "static_response"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"tls_connection_policies": [
|
||||||
|
{
|
||||||
|
"match": {
|
||||||
|
"sni": [
|
||||||
|
"*.example.com"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"certificate_selection": {
|
||||||
|
"any_tag": [
|
||||||
|
"cert0"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"certificates": {
|
||||||
|
"load_files": [
|
||||||
|
{
|
||||||
|
"certificate": "cert.pem",
|
||||||
|
"key": "key.pem",
|
||||||
|
"tags": [
|
||||||
|
"cert0"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue