SanitizePathJoin protects against directory traversal attacks by
checking for requests whose URL path look like they are trying to
request something other than a local file, and returns the root
directory in those cases.
The method is also careful to ensure that requests which contain a
trailing slash include a trailing slash in the returned value. However,
for requests that contain only a slash (requests for the root path), the
IsLocal check returns early before the matching trailing slash is
re-added.
This change updates SanitizePathJoin to only perform the
filepath.IsLocal check if the cleaned request URL path is non-empty.
---
This change also updates the existing SanitizePathJoin tests to use
filepath.FromSlash rather than filepath.Join. This makes the expected
value a little easier to read, but also has the advantage of not being
processed by filepath.Clean like filepath.Join is. This means that the
exact expect value will be compared, not the result of first cleaning
it.
Fixes#6352
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid caddyfile:
https:// {
tls {
get_certificate tailscale
}
respond OK
}
This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.
The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.
An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagesRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.
Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.
Also fix an inverted boolean check on this value when setting
failClosed.
Updates #6060
Updates #6229
Updates #6327
Signed-off-by: Will Norris <will@tailscale.com>
* use url.PathEscape in file-server browse template
- add `pathEscape` to c.tpl.Funcs, using `url.PathEscape`
- use `pathEscape` in browse.html in place of `replace`
* document `pathEscape`
* Remove unnecessary pipe of img src to `html`
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.
Signed-off-by: Will Norris <will@tailscale.com>
* added health_follow_redirect in active health checks
* chore: code format
* chore: refactore reversproxy healthcheck redirect variable name and description of the same
* chore: formatting
* changed reverse proxy health check status code range to be between 200-299
* chore: formatting
---------
Co-authored-by: aliasgar <joancena1268@mail.com>
* Allow usage of root CA without a key. Fixes#6290
* Update modules/caddypki/crypto.go
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddytls: Evict internal certs from cache based on issuer
During a config reload, we would keep certs in the cache fi they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.
This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.
* Make sure new TLS app manages configured certs
* Actually make it work
* Add option to configure certificate lifetime
* Bump CertMagic dep to latest master commit
* Apply suggestions and ran go mod tidy
* Update modules/caddytls/acmeissuer.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Before this change, a read of size (let's say) < 10, into a buffer of size 10, will return EOF because we're using CopyN to limit to the size of the buffer. That resulted in the body being read from later, which should only happen if it couldn't fit in the buffer.
With this change, the body is properly NOT set when it can all fit in the buffer.
* caddyfile: Populate regexp matcher names by default
* Some lint cleanup that my VSCode complained about
* Pass down matcher name through expression matcher
* Compat with #6113: fix adapt test, set both styles in replacer
* caddyhttp: Support multiple logger names per host
* Lint
* Add adapt test
* Implement "string or array" parsing, keep original `logger_names`
* Rewrite adapter test to be more representative of the usecase
* Add zstd compression level support
* Refactored zstd levels to string arguments
fastest, default, better, best
* Add comment with list of all available levels
* Corrected data types for config
---------
Co-authored-by: Evgeny Blinov <e.a.blinov@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* added new modular ca providers to caddy tls HttpTransport
* reverse-proxy, httptransport: added tests and caddyfile support for ca module
---------
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Added plaintext support to file_server browser
This commit is twofold: First it adds a new optional
field, `return_type`, to `browser` for setting the
default format of the returned index (html, json or plaintext).
This is used when the `Accept` header is set to `/*`.
Second, it adds a preliminary `text/plain`
support to the `file_server` browser that
returns a text representation of the file
system, when an `Accept: text/plain` header
is present, with the behavior discussed above.
* Added more details and better formatting to plaintext browser
* Replaced returnType conditions with a switch statement
* Simplify
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddyhttp: add `http.request.local{,.host,.port}` placeholder
This is the counterpart of `http.request.remote{,.host,.port}`.
`http.request.remote` operates on the remote client's address, while
`http.request.local` operates on the address the connection arrived on.
Take the following example:
- Caddy serving on `203.0.113.1:80`
- Client on `203.0.113.2`
`http.request.remote.host` would return `203.0.113.2` (client IP)
`http.request.local.host` would return `203.0.113.1` (server IP)
`http.request.local.port` would return `80` (server port)
I find this helpful for debugging setups with multiple servers and/or
multiple network paths (multiple IPs, AnyIP, Anycast).
Co-authored-by: networkException <git@nwex.de>
* caddyhttp: add unit test for `http.request.local{,.host,.port}`
* caddyhttp: add integration test for `http.request.local.port`
* caddyhttp: fix `http.request.local.host` placeholder handling with unix sockets
The implementation matches the one of `http.request.remote.host` now and
returns the unix socket path (just like `http.request.local` already did)
instead of an empty string.
---------
Co-authored-by: networkException <git@nwex.de>
* update quic-go to v0.42.0
* use a rate limiter to control QUIC source address verification
* Lint
* remove deprecated ListenQUIC
* remove number of requests tracking
* increase the number of handshakes before source address verification is needed
* remove references to request counters
* remove deprecated listen*
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: WeidiDeng <weidi_deng@icloud.com>
* reverseproxy: active health check allows configurable health_passes and health_fails
* Need to reset counters after recovery
* rename methods to be more clear that these are coming from active health checks
* do not export methods
* upgrade to cel v0.20.0
* Attempt to address feedback and fix linter
* Let's try this
* Take that, you linter!
* Oh there's more
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Tristan Swadell @TristonianJones
* Implemented basic uri query operations
* Added support for query operations block
* Applied Replacer on all query keys and values
* Implemented rename query key opration
* Rewrite struct: Changed QueryOperations field to Query and comments cleanup
* Cleaned up comments, changed the order of operations and added more tests
* Changed order of fields in queryOps struct to match the operations order
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* acmeserver: add `policy` field to define allow/deny rules
* allow `omitempty` to work
* add caddyfile support for `policy`
* remove "uri domain" policy
* fmt the files
* add docs
* do not support `CommonName`; the field is deprecated
* r/DNSDomains/Domains/g
* Caddyfile docs
* add tests
* move `Policy` to top of file
* reverseproxy: cookie should be Secure and SameSite=None when TLS
* Update modules/caddyhttp/reverseproxy/selectionpolicies_test.go
Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
---------
Co-authored-by: Mohammed Al Sahaf <mohammed@caffeinatedwonders.com>
* acmeserver: support specifying the allowed challenge types
* add caddyfile adapt tests
* introduce basic acme_server test
* skip acme test on unsuitable environments
* skip integration tests of ACME
* documentation
* add negative-scenario test for mismatched allowed challenges
* a bit more docs
* fix tests for ACME challenges
* appease the linter
* skip ACME tests on s390x
* enable ACME challenge tests on all machines
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddytls: Make on-demand 'ask' permission modular
This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.
Kicking myself that we didn't do it this way at the beginning, but who coulda known...
* Lint
* Error on conflicting config
* Fix bad merge
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
previously the `caddy respond` command would treat the argument
passed to --listen as a TCP socket address, iterating over a possible
port range.
this patch factors the server creation out into a separate function,
allowing this to be reused in case the listen address is a unix network
address.
* browse: Add total file size to directory listing
* Apply suggestion to remove "in "
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* templates: Offically make templates extensible
This supercedes #4757 (and #4568) by making template extensions
configurable.
The previous implementation was never documented AFAIK and had only
1 consumer, which I'll notify as a courtesy.
* templates: Add 'maybe' function for optional components
* Try to fix lint error
This commit upgrades the router used in the acmeserver to
github.com/go-chi/chi/v5. In the latest release of step-ca, the router
used by certificates was upgraded to that version.
Fixes#5911
Signed-off-by: Mariano Cano <mariano.cano@gmail.com>