mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-27 06:03:48 +03:00
Improve security warnings
This commit is contained in:
parent
bafb562991
commit
fbd00e4b53
2 changed files with 14 additions and 3 deletions
|
@ -176,8 +176,8 @@ func (app *App) Provision(ctx caddy.Context) error {
|
|||
// domain fronting is desired and access is not restricted
|
||||
// based on hostname
|
||||
if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
|
||||
app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
|
||||
zap.String("server_name", srvName),
|
||||
app.logger.Warn("enabling strict SNI-Host enforcement because TLS client auth is configured",
|
||||
zap.String("server_id", srvName),
|
||||
)
|
||||
trueBool := true
|
||||
srv.StrictSNIHost = &trueBool
|
||||
|
@ -283,7 +283,6 @@ func (app *App) Validate() error {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -236,6 +236,18 @@ func (t *TLS) Validate() error {
|
|||
|
||||
// Start activates the TLS module.
|
||||
func (t *TLS) Start() error {
|
||||
// warn if on-demand TLS is enabled but no restrictions are in place
|
||||
if t.Automation.OnDemand == nil ||
|
||||
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
|
||||
for _, ap := range t.Automation.Policies {
|
||||
if ap.OnDemand {
|
||||
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
|
||||
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// now that we are running, and all manual certificates have
|
||||
// been loaded, time to load the automated/managed certificates
|
||||
err := t.Manage(t.automateNames)
|
||||
|
|
Loading…
Reference in a new issue