* reverseproxy: active health check allows configurable health_passes and health_fails
* Need to reset counters after recovery
* rename methods to be more clear that these are coming from active health checks
* do not export methods
* Implemented basic uri query operations
* Added support for query operations block
* Applied Replacer on all query keys and values
* Implemented rename query key operation
* Rewrite struct: Changed QueryOperations field to Query and comments cleanup
* Cleaned up comments, changed the order of operations and added more tests
* Changed order of fields in queryOps struct to match the operations order
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* acmeserver: add `policy` field to define allow/deny rules
* allow `omitempty` to work
* add caddyfile support for `policy`
* remove "uri domain" policy
* fmt the files
* add docs
* do not support `CommonName`; the field is deprecated
* r/DNSDomains/Domains/g
* Caddyfile docs
* add tests
* move `Policy` to top of file
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* introduce basic acme_server test
* skip acme test on unsuitable environments
* skip integration tests of ACME
* documentation
* add negative-scenario test for mismatched allowed challenges
* a bit more docs
* fix tests for ACME challenges
* appease the linter
* skip ACME tests on s390x
* enable ACME challenge tests on all machines
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddytls: Make on-demand 'ask' permission modular
This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.
Kicking myself that we didn't do it this way at the beginning, but who coulda known...
* Lint
* Error on conflicting config
* Fix bad merge
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* httpcaddyfile: Sort skip_hosts for deterministic JSON
* Update caddyconfig/httpcaddyfile/httptype.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Fix test
* Bah
---------
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* use gofumpt to format code
* use gci to format imports
* reconfigure gci
* linter autofixes
* rearrange imports a little
* export GOOS=windows golangci-lint run ./... --fix
* reverseproxy: do not parse upstream address too early if it contains replaceable parts
* remove unused method
* cleanup
* accommodate partially replaceable port
* caddyhttp: Make use of http.ResponseController
Also syncs the reverseproxy implementation with stdlib's which now uses ResponseController as well 2449bbb5e6
* Enable full-duplex for HTTP/1.1
* Appease linter
* Add warning for builds with Go 1.20, so it's less surprising to users
* Improved godoc for EnableFullDuplex, copied text from stdlib
* Only wrap in encode if not already wrapped
* added weighted round robin algorithm to load balancer
* added an adapt integration test for wrr and fixed a typo
* changed args format to Caddyfile args convention
* added provisioner and validator for wrr
* simplified the code and improved doc
* caddyhttp: Determine real client IP if trusted proxies configured
* Support customizing client IP header
* Implement client_ip matcher, deprecate remote_ip's forwarded option
* Increased sleep between retries to reduce flakey tests in CI
* Also changed wait time for admin
* Modified time to make it more reliable
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* httpcaddyfile: Skip some logic if auto_https off
* Try removing this check altogether...
* Refine test timeouts slightly, sigh
* caddyhttp: Assume udp for unrecognized network type
Seems like the reasonable thing to do if a plugin registers its own
network type.
* Add comment to document my lack of knowledge
* Clean up and prepare to merge
Add comments to try to explain what happened
* httpcaddyfile: Fix `protocols` global option parsing
When checking for a block, the current nesting must be used, otherwise it returns the wrong thing.
* Adjust adapt test to cover the broken behaviour that is now fixed
* Fix some admin tests which suddenly run even with -short
* caddyhttp: Honor grace period in background
This avoids blocking during config reloads.
* Don't quit process until servers shut down
* Make tests more likely to pass on fast CI (#5045)
* caddyhttp: Even faster shutdowns
Simultaneously shut down all HTTP servers, rather than one at a time.
In practice there usually won't be more than 1 that lingers. But this
code ensures that they all Shutdown() in their own goroutine
and then we wait for them at the end (if exiting).
We also wait for them to start up so we can be fairly confident the
shutdowns have begun; i.e. old servers no longer
accepting new connections.
* Fix comment typo
* Pull functions out of loop, for readability
Previously, our "duplicate key in server block" logic was flawed because
it did not account for the site's bind address. We defer this check to
when the listener addresses have been assigned, but before we commit
a server block to its listener.
Also refined how network address parsing and joining works, which was
necessary for a less convoluted fix.
* reverseproxy: Implement retry count, alternative to try_duration
* Add Caddyfile support for `retry_match`
* Refactor to deduplicate matcher parsing logic
* Fix lint
* Make reverse proxy TLS server name replaceable for SNI upstreams.
* Reverted previous TLS server name replacement, and implemented thread safe version.
* Move TLS servername replacement into its own function
* Moved SNI servername replacement into httptransport.
* Solve issue when dynamic upstreams use wrong protocol upstream.
* Revert previous commit.
Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream.
Id: 3c9806ccb6
* Added SkipTLSPorts option to http transport.
* Fix typo in test config file.
* Rename config option as suggested by Matt
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Update code to match renamed config option.
* Fix typo in config option name.
* Fix another typo that I missed.
* Tests not completing because of apparent wrong ordering of options.
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* httpcaddyfile: Add `{vars.*}` placeholder shortcut
I'm yoinking this from my https://github.com/caddyserver/caddy/pull/4657 PR because I think we should get this in ASAP for v2.5.0 along with the new `vars` directive.
* Sort vars by matchers in reverse
Guh, this is complicated.
Fixes #4640
This also follows up on #4398 (reverting it) which made a change that technically worked, but was incorrect. It changed the condition in `hostsFromKeysNotHTTP` from `&&` to `||`, but then the function no longer did what its name said it would do, and it would return hosts even if they were marked with `http://`, if they used a non-HTTP port. That wasn't the intent of it. The test added in there was kept though, because it is a valid use case.
The actual fix is to check _earlier_ whether all the addresses explicitly have `http://`, and if so we can short circuit and skip considering the rest.