* caddyfile: Populate regexp matcher names by default
* Some lint cleanup that my VSCode complained about
* Pass down matcher name through expression matcher
* Compat with #6113: fix adapt test, set both styles in replacer
* caddyhttp: Support multiple logger names per host
* Lint
* Add adapt test
* Implement "string or array" parsing, keep original `logger_names`
* Rewrite adapter test to be more representative of the usecase
* added new modular ca providers to caddy tls HttpTransport
* reverse-proxy, httptransport: added tests and caddyfile support for ca module
---------
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* caddyhttp: add `http.request.local{,.host,.port}` placeholder
This is the counterpart of `http.request.remote{,.host,.port}`.
`http.request.remote` operates on the remote client's address, while
`http.request.local` operates on the address the connection arrived on.
Take the following example:
- Caddy serving on `203.0.113.1:80`
- Client on `203.0.113.2`
`http.request.remote.host` would return `203.0.113.2` (client IP)
`http.request.local.host` would return `203.0.113.1` (server IP)
`http.request.local.port` would return `80` (server port)
I find this helpful for debugging setups with multiple servers and/or
multiple network paths (multiple IPs, AnyIP, Anycast).
Co-authored-by: networkException <git@nwex.de>
* caddyhttp: add unit test for `http.request.local{,.host,.port}`
* caddyhttp: add integration test for `http.request.local.port`
* caddyhttp: fix `http.request.local.host` placeholder handling with unix sockets
The implementation matches the one of `http.request.remote.host` now and
returns the unix socket path (just like `http.request.local` already did)
instead of an empty string.
---------
Co-authored-by: networkException <git@nwex.de>
* reverseproxy: active health check allows configurable health_passes and health_fails
* Need to reset counters after recovery
* rename methods to be more clear that these are coming from active health checks
* do not export methods
* Implemented basic uri query operations
* Added support for query operations block
* Applied Replacer on all query keys and values
* Implemented rename query key opration
* Rewrite struct: Changed QueryOperations field to Query and comments cleanup
* Cleaned up comments, changed the order of operations and added more tests
* Changed order of fields in queryOps struct to match the operations order
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* acmeserver: add `policy` field to define allow/deny rules
* allow `omitempty` to work
* add caddyfile support for `policy`
* remove "uri domain" policy
* fmt the files
* add docs
* do not support `CommonName`; the field is deprecated
* r/DNSDomains/Domains/g
* Caddyfile docs
* add tests
* move `Policy` to top of file
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* introduce basic acme_server test
* skip acme test on unsuitable environments
* skip integration tests of ACME
* documentation
* add negative-scenario test for mismatched allowed challenges
* a bit more docs
* fix tests for ACME challenges
* appease the linter
* skip ACME tests on s390x
* enable ACME challenge tests on all machines
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddytls: Make on-demand 'ask' permission modular
This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.
Kicking myself that we didn't do it this way at the beginning, but who coulda known...
* Lint
* Error on conflicting config
* Fix bad merge
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* httpcaddyfile: Sort skip_hosts for deterministic JSON
* Update caddyconfig/httpcaddyfile/httptype.go
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Fix test
* Bah
---------
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* use gofmput to format code
* use gci to format imports
* reconfigure gci
* linter autofixes
* rearrange imports a little
* export GOOS=windows golangci-lint run ./... --fix
* reverseproxy: do not parse upstream address too early if it contains replaceble parts
* remove unused method
* cleanup
* accommodate partially replaceable port
* caddyhttp: Make use of http.ResponseController
Also syncs the reverseproxy implementation with stdlib's which now uses ResponseController as well 2449bbb5e6
* Enable full-duplex for HTTP/1.1
* Appease linter
* Add warning for builds with Go 1.20, so it's less surprising to users
* Improved godoc for EnableFullDuplex, copied text from stdlib
* Only wrap in encode if not already wrapped
* added weighted round robin algorithm to load balancer
* added an adapt integration test for wrr and fixed a typo
* changed args format to Caddyfile args convention
* added provisioner and validator for wrr
* simplified the code and improved doc
* caddyhttp: Determine real client IP if trusted proxies configured
* Support customizing client IP header
* Implement client_ip matcher, deprecate remote_ip's forwarded option
* Incresed sleep between retries to reduce flakey tests in CI
* Also changed wait time for admin
* Modified time to make it more reliable
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* httpcaddyfile: Skip some logic if auto_https off
* Try removing this check altogether...
* Refine test timeouts slightly, sigh
* caddyhttp: Assume udp for unrecognized network type
Seems like the reasonable thing to do if a plugin registers its own
network type.
* Add comment to document my lack of knowledge
* Clean up and prepare to merge
Add comments to try to explain what happened
* httpcaddyfile: Fix `protocols` global option parsing
When checking for a block, the current nesting must be used, otherwise it returns the wrong thing.
* Adjust adapt test to cover the broken behaviour that is now fixed
* Fix some admin tests which suddenly run even with -short
* caddyhttp: Honor grace period in background
This avoids blocking during config reloads.
* Don't quit process until servers shut down
* Make tests more likely to pass on fast CI (#5045)
* caddyhttp: Even faster shutdowns
Simultaneously shut down all HTTP servers, rather than one at a time.
In practice there usually won't be more than 1 that lingers. But this
code ensures that they all Shutdown() in their own goroutine
and then we wait for them at the end (if exiting).
We also wait for them to start up so we can be fairly confident the
shutdowns have begun; i.e. old servers no longer
accepting new connections.
* Fix comment typo
* Pull functions out of loop, for readability
Previously, our "duplicate key in server block" logic was flawed because
it did not account for the site's bind address. We defer this check to
when the listener addresses have been assigned, but before we commit
a server block to its listener.
Also refined how network address parsing and joining works, which was
necessary for a less convoluted fix.
* reverseproxy: Implement retry count, alternative to try_duration
* Add Caddyfile support for `retry_match`
* Refactor to deduplicate matcher parsing logic
* Fix lint
* Make reverse proxy TLS server name replaceable for SNI upstreams.
* Reverted previous TLS server name replacement, and implemented thread safe version.
* Move TLS servername replacement into it's own function
* Moved SNI servername replacement into httptransport.
* Solve issue when dynamic upstreams use wrong protocol upstream.
* Revert previous commit.
Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream.
Id: 3c9806ccb6
* Added SkipTLSPorts option to http transport.
* Fix typo in test config file.
* Rename config option as suggested by Matt
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Update code to match renamed config option.
* Fix typo in config option name.
* Fix another typo that I missed.
* Tests not completing because of apparent wrong ordering of options.
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
