diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
new file mode 100644
index 00000000..97290f41
--- /dev/null
+++ b/modules/caddyhttp/app.go
@@ -0,0 +1,433 @@ +// Copyright 2015 Matthew Holt and The Caddy Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package caddyhttp + +import ( + "context" + "crypto/tls" + "fmt" + "net" + "net/http" + "strconv" + "time" + + "github.com/caddyserver/caddy/v2" + "github.com/caddyserver/caddy/v2/modules/caddytls" + "github.com/lucas-clemente/quic-go/http3" + "go.uber.org/zap" +) + +func init() { + err := caddy.RegisterModule(App{}) + if err != nil { + caddy.Log().Fatal(err.Error()) + } +} + +// App is a robust, production-ready HTTP server. +// +// HTTPS is enabled by default if host matchers with qualifying names are used +// in any of routes; certificates are automatically provisioned and renewed. +// Additionally, automatic HTTPS will also enable HTTPS for servers that listen +// only on the HTTPS port but which do not have any TLS connection policies +// defined by adding a good, default TLS connection policy. +// +// In HTTP routes, additional placeholders are available (replace any `*`): +// +// Placeholder | Description +// ------------|--------------- +// `{http.request.cookie.*}` | HTTP request cookie +// `{http.request.header.*}` | Specific request header field +// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. 
for foo.example.com: 0=com, 1=example, 2=foo +// `{http.request.host}` | The host part of the request's Host header +// `{http.request.hostport}` | The host and port from the request's Host header +// `{http.request.method}` | The request method +// `{http.request.orig_method}` | The request's original method +// `{http.request.orig_uri.path.dir}` | The request's original directory +// `{http.request.orig_uri.path.file}` | The request's original filename +// `{http.request.orig_uri.path}` | The request's original path +// `{http.request.orig_uri.query}` | The request's original query string (without `?`) +// `{http.request.orig_uri}` | The request's original URI +// `{http.request.port}` | The port part of the request's Host header +// `{http.request.proto}` | The protocol of the request +// `{http.request.remote.host}` | The host part of the remote client's address +// `{http.request.remote.port}` | The port part of the remote client's address +// `{http.request.remote}` | The address of the remote client +// `{http.request.scheme}` | The request scheme +// `{http.request.tls.version}` | The TLS version name +// `{http.request.tls.cipher_suite}` | The TLS cipher suite +// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection +// `{http.request.tls.proto}` | The negotiated next protocol +// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server +// `{http.request.tls.server_name}` | The server name requested by the client, if any +// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate +// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate +// `{http.request.tls.client.serial}` | The serial number of the client certificate +// `{http.request.tls.client.subject}` | The subject DN of the client certificate +// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left) +// `{http.request.uri.path.dir}` | The directory, 
excluding leaf filename +// `{http.request.uri.path.file}` | The filename of the path, excluding directory +// `{http.request.uri.path}` | The path component of the request URI +// `{http.request.uri.query.*}` | Individual query string value +// `{http.request.uri.query}` | The query string (without `?`) +// `{http.request.uri}` | The full request URI +// `{http.response.header.*}` | Specific response header field +// `{http.vars.*}` | Custom variables in the HTTP handler chain +type App struct { + // HTTPPort specifies the port to use for HTTP (as opposed to HTTPS), + // which is used when setting up HTTP->HTTPS redirects or ACME HTTP + // challenge solvers. Default: 80. + HTTPPort int `json:"http_port,omitempty"` + + // HTTPSPort specifies the port to use for HTTPS, which is used when + // solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed + // but no specific port number is given. Default: 443. + HTTPSPort int `json:"https_port,omitempty"` + + // GracePeriod is how long to wait for active connections when shutting + // down the server. Once the grace period is over, connections will + // be forcefully closed. + GracePeriod caddy.Duration `json:"grace_period,omitempty"` + + // Servers is the list of servers, keyed by arbitrary names chosen + // at your discretion for your own convenience; the keys do not + // affect functionality. + Servers map[string]*Server `json:"servers,omitempty"` + + servers []*http.Server + h3servers []*http3.Server + h3listeners []net.PacketConn + + ctx caddy.Context + logger *zap.Logger + tlsApp *caddytls.TLS + + // used temporarily between phases 1 and 2 of auto HTTPS + allCertDomains []string +} + +// CaddyModule returns the Caddy module information. +func (App) CaddyModule() caddy.ModuleInfo { + return caddy.ModuleInfo{ + ID: "http", + New: func() caddy.Module { return new(App) }, + } +} + +// Provision sets up the app. 
+func (app *App) Provision(ctx caddy.Context) error { + // store some references + tlsAppIface, err := ctx.App("tls") + if err != nil { + return fmt.Errorf("getting tls app: %v", err) + } + app.tlsApp = tlsAppIface.(*caddytls.TLS) + app.ctx = ctx + app.logger = ctx.Logger(app) + + repl := caddy.NewReplacer() + + // this provisions the matchers for each route, + // and prepares auto HTTP->HTTPS redirects, and + // is required before we provision each server + err = app.automaticHTTPSPhase1(ctx, repl) + if err != nil { + return err + } + + // prepare each server + for srvName, srv := range app.Servers { + srv.tlsApp = app.tlsApp + srv.logger = app.logger.Named("log") + srv.errorLogger = app.logger.Named("log.error") + + // only enable access logs if configured + if srv.Logs != nil { + srv.accessLogger = app.logger.Named("log.access") + } + + // if not explicitly configured by the user, disallow TLS + // client auth bypass (domain fronting) which could + // otherwise be exploited by sending an unprotected SNI + // value during a TLS handshake, then putting a protected + // domain in the Host header after establishing connection; + // this is a safe default, but we allow users to override + // it for example in the case of running a proxy where + // domain fronting is desired and access is not restricted + // based on hostname + if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() { + app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured", + zap.String("server_name", srvName), + ) + trueBool := true + srv.StrictSNIHost = &trueBool + } + + // process each listener address + for i := range srv.Listen { + lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true) + if err != nil { + return fmt.Errorf("server %s, listener %d: %v", + srvName, i, err) + } + srv.Listen[i] = lnOut + } + + // set up each listener modifier + if srv.ListenerWrappersRaw != nil { + vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw") + if err != nil { + return 
fmt.Errorf("loading listener wrapper modules: %v", err) + } + var hasTLSPlaceholder bool + for i, val := range vals.([]interface{}) { + if _, ok := val.(*tlsPlaceholderWrapper); ok { + if i == 0 { + // putting the tls placeholder wrapper first is nonsensical because + // that is the default, implicit setting: without it, all wrappers + // will go after the TLS listener anyway + return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default") + } + if hasTLSPlaceholder { + return fmt.Errorf("TLS listener wrapper can only be specified once") + } + hasTLSPlaceholder = true + } + srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper)) + } + // if any wrappers were configured but the TLS placeholder wrapper is + // absent, prepend it so all defined wrappers come after the TLS + // handshake; this simplifies logic when starting the server, since we + // can simply assume the TLS placeholder will always be there + if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 { + srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...) + } + } + + // pre-compile the primary handler chain, and be sure to wrap it in our + // route handler so that important security checks are done, etc. 
+ primaryRoute := emptyHandler + if srv.Routes != nil { + err := srv.Routes.ProvisionHandlers(ctx) + if err != nil { + return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err) + } + primaryRoute = srv.Routes.Compile(emptyHandler) + } + srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute) + + // pre-compile the error handler chain + if srv.Errors != nil { + err := srv.Errors.Routes.Provision(ctx) + if err != nil { + return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err) + } + srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler) + } + + // prepare the TLS connection policies + err = srv.TLSConnPolicies.Provision(ctx) + if err != nil { + return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err) + } + } + + return nil +} + +// Validate ensures the app's configuration is valid. +func (app *App) Validate() error { + // each server must use distinct listener addresses + lnAddrs := make(map[string]string) + for srvName, srv := range app.Servers { + for _, addr := range srv.Listen { + listenAddr, err := caddy.ParseNetworkAddress(addr) + if err != nil { + return fmt.Errorf("invalid listener address '%s': %v", addr, err) + } + // check that every address in the port range is unique to this server; + // we do not use <= here because PortRangeSize() adds 1 to EndPort for us + for i := uint(0); i < listenAddr.PortRangeSize(); i++ { + addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i))) + if sn, ok := lnAddrs[addr]; ok { + return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn) + } + lnAddrs[addr] = srvName + } + } + } + + return nil +} + +// Start runs the app. It finishes automatic HTTPS if enabled, +// including management of certificates. 
+func (app *App) Start() error { + for srvName, srv := range app.Servers { + s := &http.Server{ + ReadTimeout: time.Duration(srv.ReadTimeout), + ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout), + WriteTimeout: time.Duration(srv.WriteTimeout), + IdleTimeout: time.Duration(srv.IdleTimeout), + MaxHeaderBytes: srv.MaxHeaderBytes, + Handler: srv, + } + + for _, lnAddr := range srv.Listen { + listenAddr, err := caddy.ParseNetworkAddress(lnAddr) + if err != nil { + return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err) + } + for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ { + // create the listener for this socket + hostport := listenAddr.JoinHostPort(portOffset) + ln, err := caddy.Listen(listenAddr.Network, hostport) + if err != nil { + return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err) + } + + // wrap listener before TLS (up to the TLS placeholder wrapper) + var lnWrapperIdx int + for i, lnWrapper := range srv.listenerWrappers { + if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok { + lnWrapperIdx = i + 1 // mark the next wrapper's spot + break + } + ln = lnWrapper.WrapListener(ln) + } + + // enable TLS if there is a policy and if this is not the HTTP port + useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort() + if useTLS { + // create TLS listener + tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx) + ln = tls.NewListener(ln, tlsCfg) + + ///////// + // TODO: HTTP/3 support is experimental for now + if srv.ExperimentalHTTP3 { + app.logger.Info("enabling experimental HTTP/3 listener", + zap.String("addr", hostport), + ) + h3ln, err := caddy.ListenPacket("udp", hostport) + if err != nil { + return fmt.Errorf("getting HTTP/3 UDP listener: %v", err) + } + h3srv := &http3.Server{ + Server: &http.Server{ + Addr: hostport, + Handler: srv, + TLSConfig: tlsCfg, + }, + } + go h3srv.Serve(h3ln) + app.h3servers = append(app.h3servers, h3srv) + 
app.h3listeners = append(app.h3listeners, h3ln) + srv.h3server = h3srv + } + ///////// + } + + // finish wrapping listener where we left off before TLS + for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ { + ln = srv.listenerWrappers[i].WrapListener(ln) + } + + app.logger.Debug("starting server loop", + zap.String("address", lnAddr), + zap.Bool("http3", srv.ExperimentalHTTP3), + zap.Bool("tls", useTLS), + ) + + go s.Serve(ln) + app.servers = append(app.servers, s) + } + } + } + + // finish automatic HTTPS by finally beginning + // certificate management + err := app.automaticHTTPSPhase2() + if err != nil { + return fmt.Errorf("finalizing automatic HTTPS: %v", err) + } + + return nil +} + +// Stop gracefully shuts down the HTTP server. +func (app *App) Stop() error { + ctx := context.Background() + if app.GracePeriod > 0 { + var cancel context.CancelFunc + ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod)) + defer cancel() + } + for _, s := range app.servers { + err := s.Shutdown(ctx) + if err != nil { + return err + } + } + + // close the http3 servers; it's unclear whether the bug reported in + // https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566 + // was ever truly fixed, since it seemed racey/nondeterministic; but + // recent tests in 2020 were unable to replicate the issue again after + // repeated attempts (the bug manifested after a config reload; i.e. 
+ // reusing a http3 server or listener was problematic), but it seems + // to be working fine now + for _, s := range app.h3servers { + // TODO: CloseGracefully, once implemented upstream + // (see https://github.com/lucas-clemente/quic-go/issues/2103) + err := s.Close() + if err != nil { + return err + } + } + + // closing an http3.Server does not close their underlying listeners + // since apparently the listener can be used both by servers and + // clients at the same time; so we need to manually call Close() + // on the underlying h3 listeners (see lucas-clemente/quic-go#2103) + for _, pc := range app.h3listeners { + err := pc.Close() + if err != nil { + return err + } + } + return nil +} + +func (app *App) httpPort() int { + if app.HTTPPort == 0 { + return DefaultHTTPPort + } + return app.HTTPPort +} + +func (app *App) httpsPort() int { + if app.HTTPSPort == 0 { + return DefaultHTTPSPort + } + return app.HTTPSPort +} + +// Interface guards +var ( + _ caddy.App = (*App)(nil) + _ caddy.Provisioner = (*App)(nil) + _ caddy.Validator = (*App)(nil) +) diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go index 718025eb..4fd09a23 100644 --- a/modules/caddyhttp/caddyhttp.go +++ b/modules/caddyhttp/caddyhttp.go @@ -16,10 +16,7 @@ package caddyhttp import ( "bytes" - "context" - "crypto/tls" "encoding/json" - "fmt" "io" weakrand "math/rand" "net" 
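Review bot: Stop returns on the first Shutdown error (`err := s.Shutdown(ctx); if err != nil { return err }`), so when one server exceeds the grace period the remaining servers, the HTTP/3 servers and their UDP listeners are never closed and their sockets stay bound, which matters on a config reload where the replacement App must rebind the same addresses. The three loops should keep going and report the first error only after everything has been closed, as sketched below; the h3 `Close()` and `PacketConn.Close()` loops return early in the same way. Separately, `go s.Serve(ln)` and `go h3srv.Serve(h3ln)` in Start discard the Serve result, so a listener that dies with anything other than `http.ErrServerClosed` disappears silently; logging that error through `app.logger` would make the failure observable.
```go
func (app *App) Stop() error {
	// … unchanged: grace-period context setup …
	var firstErr error
	keep := func(err error) {
		if err != nil && firstErr == nil {
			firstErr = err
		}
	}
	for _, s := range app.servers {
		keep(s.Shutdown(ctx))
	}
	// … unchanged: comments on http3 server/listener closing …
	for _, s := range app.h3servers {
		keep(s.Close())
	}
	for _, pc := range app.h3listeners {
		keep(pc.Close())
	}
	return firstErr
}
```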
@@ -28,412 +25,15 @@ import ( "time" "github.com/caddyserver/caddy/v2" - "github.com/caddyserver/caddy/v2/modules/caddytls" - "github.com/lucas-clemente/quic-go/http3" - "go.uber.org/zap" ) func init() { weakrand.Seed(time.Now().UnixNano()) - err := caddy.RegisterModule(App{}) + err := caddy.RegisterModule(tlsPlaceholderWrapper{}) if err != nil { caddy.Log().Fatal(err.Error()) } - - err = caddy.RegisterModule(tlsPlaceholderWrapper{}) - if err != nil { - caddy.Log().Fatal(err.Error()) - } -} - -// App is a robust, production-ready HTTP server. -// -// HTTPS is enabled by default if host matchers with qualifying names are used -// in any of routes; certificates are automatically provisioned and renewed. -// Additionally, automatic HTTPS will also enable HTTPS for servers that listen -// only on the HTTPS port but which do not have any TLS connection policies -// defined by adding a good, default TLS connection policy. -// -// In HTTP routes, additional placeholders are available (replace any `*`): -// -// Placeholder | Description -// ------------|--------------- -// `{http.request.cookie.*}` | HTTP request cookie -// `{http.request.header.*}` | Specific request header field -// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. 
for foo.example.com: 0=com, 1=example, 2=foo -// `{http.request.host}` | The host part of the request's Host header -// `{http.request.hostport}` | The host and port from the request's Host header -// `{http.request.method}` | The request method -// `{http.request.orig_method}` | The request's original method -// `{http.request.orig_uri.path.dir}` | The request's original directory -// `{http.request.orig_uri.path.file}` | The request's original filename -// `{http.request.orig_uri.path}` | The request's original path -// `{http.request.orig_uri.query}` | The request's original query string (without `?`) -// `{http.request.orig_uri}` | The request's original URI -// `{http.request.port}` | The port part of the request's Host header -// `{http.request.proto}` | The protocol of the request -// `{http.request.remote.host}` | The host part of the remote client's address -// `{http.request.remote.port}` | The port part of the remote client's address -// `{http.request.remote}` | The address of the remote client -// `{http.request.scheme}` | The request scheme -// `{http.request.tls.version}` | The TLS version name -// `{http.request.tls.cipher_suite}` | The TLS cipher suite -// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection -// `{http.request.tls.proto}` | The negotiated next protocol -// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server -// `{http.request.tls.server_name}` | The server name requested by the client, if any -// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate -// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate -// `{http.request.tls.client.serial}` | The serial number of the client certificate -// `{http.request.tls.client.subject}` | The subject DN of the client certificate -// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left) -// `{http.request.uri.path.dir}` | The directory, 
excluding leaf filename -// `{http.request.uri.path.file}` | The filename of the path, excluding directory -// `{http.request.uri.path}` | The path component of the request URI -// `{http.request.uri.query.*}` | Individual query string value -// `{http.request.uri.query}` | The query string (without `?`) -// `{http.request.uri}` | The full request URI -// `{http.response.header.*}` | Specific response header field -// `{http.vars.*}` | Custom variables in the HTTP handler chain -type App struct { - // HTTPPort specifies the port to use for HTTP (as opposed to HTTPS), - // which is used when setting up HTTP->HTTPS redirects or ACME HTTP - // challenge solvers. Default: 80. - HTTPPort int `json:"http_port,omitempty"` - - // HTTPSPort specifies the port to use for HTTPS, which is used when - // solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed - // but no specific port number is given. Default: 443. - HTTPSPort int `json:"https_port,omitempty"` - - // GracePeriod is how long to wait for active connections when shutting - // down the server. Once the grace period is over, connections will - // be forcefully closed. - GracePeriod caddy.Duration `json:"grace_period,omitempty"` - - // Servers is the list of servers, keyed by arbitrary names chosen - // at your discretion for your own convenience; the keys do not - // affect functionality. - Servers map[string]*Server `json:"servers,omitempty"` - - servers []*http.Server - h3servers []*http3.Server - h3listeners []net.PacketConn - - ctx caddy.Context - logger *zap.Logger - tlsApp *caddytls.TLS - - // used temporarily between phases 1 and 2 of auto HTTPS - allCertDomains []string -} - -// CaddyModule returns the Caddy module information. -func (App) CaddyModule() caddy.ModuleInfo { - return caddy.ModuleInfo{ - ID: "http", - New: func() caddy.Module { return new(App) }, - } -} - -// Provision sets up the app. 
-func (app *App) Provision(ctx caddy.Context) error { - // store some references - tlsAppIface, err := ctx.App("tls") - if err != nil { - return fmt.Errorf("getting tls app: %v", err) - } - app.tlsApp = tlsAppIface.(*caddytls.TLS) - app.ctx = ctx - app.logger = ctx.Logger(app) - - repl := caddy.NewReplacer() - - // this provisions the matchers for each route, - // and prepares auto HTTP->HTTPS redirects, and - // is required before we provision each server - err = app.automaticHTTPSPhase1(ctx, repl) - if err != nil { - return err - } - - // prepare each server - for srvName, srv := range app.Servers { - srv.tlsApp = app.tlsApp - srv.logger = app.logger.Named("log") - srv.errorLogger = app.logger.Named("log.error") - - // only enable access logs if configured - if srv.Logs != nil { - srv.accessLogger = app.logger.Named("log.access") - } - - // if not explicitly configured by the user, disallow TLS - // client auth bypass (domain fronting) which could - // otherwise be exploited by sending an unprotected SNI - // value during a TLS handshake, then putting a protected - // domain in the Host header after establishing connection; - // this is a safe default, but we allow users to override - // it for example in the case of running a proxy where - // domain fronting is desired and access is not restricted - // based on hostname - if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() { - app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured", - zap.String("server_name", srvName), - ) - trueBool := true - srv.StrictSNIHost = &trueBool - } - - // process each listener address - for i := range srv.Listen { - lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true) - if err != nil { - return fmt.Errorf("server %s, listener %d: %v", - srvName, i, err) - } - srv.Listen[i] = lnOut - } - - // set up each listener modifier - if srv.ListenerWrappersRaw != nil { - vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw") - if err != nil { - return 
fmt.Errorf("loading listener wrapper modules: %v", err) - } - var hasTLSPlaceholder bool - for i, val := range vals.([]interface{}) { - if _, ok := val.(*tlsPlaceholderWrapper); ok { - if i == 0 { - // putting the tls placeholder wrapper first is nonsensical because - // that is the default, implicit setting: without it, all wrappers - // will go after the TLS listener anyway - return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default") - } - if hasTLSPlaceholder { - return fmt.Errorf("TLS listener wrapper can only be specified once") - } - hasTLSPlaceholder = true - } - srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper)) - } - // if any wrappers were configured but the TLS placeholder wrapper is - // absent, prepend it so all defined wrappers come after the TLS - // handshake; this simplifies logic when starting the server, since we - // can simply assume the TLS placeholder will always be there - if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 { - srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...) - } - } - - // pre-compile the primary handler chain, and be sure to wrap it in our - // route handler so that important security checks are done, etc. 
- primaryRoute := emptyHandler - if srv.Routes != nil { - err := srv.Routes.ProvisionHandlers(ctx) - if err != nil { - return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err) - } - primaryRoute = srv.Routes.Compile(emptyHandler) - } - srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute) - - // pre-compile the error handler chain - if srv.Errors != nil { - err := srv.Errors.Routes.Provision(ctx) - if err != nil { - return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err) - } - srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler) - } - - // prepare the TLS connection policies - err = srv.TLSConnPolicies.Provision(ctx) - if err != nil { - return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err) - } - } - - return nil -} - -// Validate ensures the app's configuration is valid. -func (app *App) Validate() error { - // each server must use distinct listener addresses - lnAddrs := make(map[string]string) - for srvName, srv := range app.Servers { - for _, addr := range srv.Listen { - listenAddr, err := caddy.ParseNetworkAddress(addr) - if err != nil { - return fmt.Errorf("invalid listener address '%s': %v", addr, err) - } - // check that every address in the port range is unique to this server; - // we do not use <= here because PortRangeSize() adds 1 to EndPort for us - for i := uint(0); i < listenAddr.PortRangeSize(); i++ { - addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i))) - if sn, ok := lnAddrs[addr]; ok { - return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn) - } - lnAddrs[addr] = srvName - } - } - } - - return nil -} - -// Start runs the app. It finishes automatic HTTPS if enabled, -// including management of certificates. 
-func (app *App) Start() error { - for srvName, srv := range app.Servers { - s := &http.Server{ - ReadTimeout: time.Duration(srv.ReadTimeout), - ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout), - WriteTimeout: time.Duration(srv.WriteTimeout), - IdleTimeout: time.Duration(srv.IdleTimeout), - MaxHeaderBytes: srv.MaxHeaderBytes, - Handler: srv, - } - - for _, lnAddr := range srv.Listen { - listenAddr, err := caddy.ParseNetworkAddress(lnAddr) - if err != nil { - return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err) - } - for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ { - // create the listener for this socket - hostport := listenAddr.JoinHostPort(portOffset) - ln, err := caddy.Listen(listenAddr.Network, hostport) - if err != nil { - return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err) - } - - // wrap listener before TLS (up to the TLS placeholder wrapper) - var lnWrapperIdx int - for i, lnWrapper := range srv.listenerWrappers { - if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok { - lnWrapperIdx = i + 1 // mark the next wrapper's spot - break - } - ln = lnWrapper.WrapListener(ln) - } - - // enable TLS if there is a policy and if this is not the HTTP port - useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort() - if useTLS { - // create TLS listener - tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx) - ln = tls.NewListener(ln, tlsCfg) - - ///////// - // TODO: HTTP/3 support is experimental for now - if srv.ExperimentalHTTP3 { - app.logger.Info("enabling experimental HTTP/3 listener", - zap.String("addr", hostport), - ) - h3ln, err := caddy.ListenPacket("udp", hostport) - if err != nil { - return fmt.Errorf("getting HTTP/3 UDP listener: %v", err) - } - h3srv := &http3.Server{ - Server: &http.Server{ - Addr: hostport, - Handler: srv, - TLSConfig: tlsCfg, - }, - } - go h3srv.Serve(h3ln) - app.h3servers = append(app.h3servers, h3srv) - 
app.h3listeners = append(app.h3listeners, h3ln) - srv.h3server = h3srv - } - ///////// - } - - // finish wrapping listener where we left off before TLS - for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ { - ln = srv.listenerWrappers[i].WrapListener(ln) - } - - app.logger.Debug("starting server loop", - zap.String("address", lnAddr), - zap.Bool("http3", srv.ExperimentalHTTP3), - zap.Bool("tls", useTLS), - ) - - go s.Serve(ln) - app.servers = append(app.servers, s) - } - } - } - - // finish automatic HTTPS by finally beginning - // certificate management - err := app.automaticHTTPSPhase2() - if err != nil { - return fmt.Errorf("finalizing automatic HTTPS: %v", err) - } - - return nil -} - -// Stop gracefully shuts down the HTTP server. -func (app *App) Stop() error { - ctx := context.Background() - if app.GracePeriod > 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod)) - defer cancel() - } - for _, s := range app.servers { - err := s.Shutdown(ctx) - if err != nil { - return err - } - } - - // close the http3 servers; it's unclear whether the bug reported in - // https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566 - // was ever truly fixed, since it seemed racey/nondeterministic; but - // recent tests in 2020 were unable to replicate the issue again after - // repeated attempts (the bug manifested after a config reload; i.e. 
- // reusing a http3 server or listener was problematic), but it seems - // to be working fine now - for _, s := range app.h3servers { - // TODO: CloseGracefully, once implemented upstream - // (see https://github.com/lucas-clemente/quic-go/issues/2103) - err := s.Close() - if err != nil { - return err - } - } - - // closing an http3.Server does not close their underlying listeners - // since apparently the listener can be used both by servers and - // clients at the same time; so we need to manually call Close() - // on the underlying h3 listeners (see lucas-clemente/quic-go#2103) - for _, pc := range app.h3listeners { - err := pc.Close() - if err != nil { - return err - } - } - return nil -} - -func (app *App) httpPort() int { - if app.HTTPPort == 0 { - return DefaultHTTPPort - } - return app.HTTPPort -} - -func (app *App) httpsPort() int { - if app.HTTPSPort == 0 { - return DefaultHTTPSPort - } - return app.HTTPSPort } // RequestMatcher is a type that can match to a request. @@ -618,11 +218,5 @@ const ( DefaultHTTPSPort = 443 ) -// Interface guards -var ( - _ caddy.App = (*App)(nil) - _ caddy.Provisioner = (*App)(nil) - _ caddy.Validator = (*App)(nil) - - _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil) -) +// Interface guard +var _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil)