Commit graph

459 commits

Author SHA1 Message Date
NWHirschfeld
1dfb11486e
httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile

Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>

* Update caddyconfig/httpcaddyfile/builtins.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* added adapt test for parsing client certificate configuration from Caddyfile

Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>

* read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844

Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de>

* Update modules/caddytls/connpolicy.go

* Make review adjustments

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-06-05 12:19:36 -06:00
Matthew Holt
11a132d48b
caddytls: Configurable cache size limit 2020-06-05 11:14:39 -06:00
Matthew Holt
7a99835dab
reverseproxy: Enable changing only the status code (close #2920) 2020-06-04 12:06:38 -06:00
Matthew Holt
7b0962ba4d
caddyhttp: Default to error status if found in context
This is just a convenience if using a static_response handler in an
error route, by setting the default status code to the same one as
the error status.
2020-06-04 10:32:01 -06:00
Matthew Holt
2d1f7b9da8
caddyhttp: Auto-redirects from all bind addresses (fix #3443) 2020-06-03 10:56:26 -06:00
Matthew Holt
a285fe4129
caddypki: Add 'acme_server' Caddyfile directive 2020-06-03 09:59:36 -06:00
Matthew Holt
e18c373064
caddytls: Actually use configured test CA 2020-06-02 11:13:44 -06:00
Matt Holt
9a7756c6e4
caddyauth: Cache basicauth results (fixes #3462) (#3465)
Cache capacity is currently hard-coded at 1000 with random eviction.
It is enabled by default from Caddyfile configurations because I assume
this is the most common preference.
2020-06-01 23:56:47 -06:00
Matthew Holt
d5d7fb5954
go.mod: Update dependencies 2020-06-01 09:31:08 -06:00
Matthew Holt
6c051cd27d caddyconfig: Minor internal and godoc tweaks 2020-05-29 11:49:25 -06:00
Matt Holt
9415feca7c
logging: Net writer redials if write fails (#3453)
* logging: Net writer redials if write fails

https://caddy.community/t/v2-log-output-net-does-not-reconnect-after-lost-connection/8386?u=matt

* Only replace connection if redial succeeds

* Fix error handling
2020-05-28 10:40:14 -06:00
Matthew Holt
881b826fb5
reverseproxy: Pool copy buffers (minor optimization) 2020-05-27 11:42:19 -06:00
Matthew Holt
538ddb8587 reverseproxy: Enable response interception (#1447, #2920)
It's a raw, low-level implementation for now, but it's very flexible.
More sugar-coating can be added after error handling is more developed.
2020-05-27 10:17:45 -06:00
Matthew Holt
e5bbed1046
caddyhttp: Refactor header matching
This allows response matchers to benefit from the same matching logic
as the request header matchers (mainly prefix/suffix wildcards).
2020-05-26 17:35:27 -06:00
Matthew Holt
294910c68c caddyhttp: Add client.public_key(_sha256) placeholders 2020-05-26 15:52:53 -06:00
Francis Lavoie
8c5d00b2bc
httpcaddyfile: New handle_path directive (#3281)
* caddyconfig: WIP implementation of handle_path

* caddyconfig: Complete the implementation - h.NewRoute was key

* caddyconfig: Add handle_path integration test

* caddyhttp: Use the path matcher as-is, strip the trailing *, update test
2020-05-26 15:27:51 -06:00
Rui Lopes
aa20878887
cmd: file-server: add --access-log flag (#3454) 2020-05-26 15:04:04 -06:00
Francis Lavoie
c1e5c09294
reverseproxy: Improve error message when using scheme+placeholder (#3393)
* reverseproxy: Improve error message when using scheme+placeholder

* reverseproxy: Simplify error message

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-05-26 14:13:15 -06:00
AndyBan
22055c5e0f
reverseproxy: Fix https active health checks #3450 (#3451) 2020-05-26 12:40:57 -06:00
Mohammed Al Sahaf
dfe802aed3
chore: forego the use of deprecated cel func NewIdent in favor of NewVar (#3444) 2020-05-25 03:59:38 +00:00
Matthew Holt
0cbf467b3f
caddyhttp: Add time.now placeholder and update cel-go (closes #2594) 2020-05-21 18:19:01 -06:00
Francis Lavoie
bb67e19d7b
cmd: hash-password: Fix broken terminal state on SIGINT (#3416)
* caddyauth: Fix hash-password broken terminal state on SIGINT

* caddycmd: Move TrapSignals calls to only subcommands that run long
2020-05-21 13:09:49 -06:00
Matthew Holt
2a8a198568
reverseproxy: Don't overwrite existing X-Forwarded-Proto header
Correct behavior is not well defined because this is a non-standard
header field. This could be a "hop-by-hop" field much like
X-Forwarded-For is, but even our X-Forwarded-For implementation
preserves prior entries. Or, it could be best to preserve the original
value from the first hop, representing the protocol as facing the
client.

Let's try it the other way for a bit and see how it goes.

See https://caddy.community/t/caddy2-w-wordpress-behind-nginx-reverse-proxy/8174/3?u=matt
2020-05-20 11:33:17 -06:00
Matthew Holt
9ee01dceac
reverseproxy: Make debug log safe if error occurs 2020-05-18 14:08:11 -06:00
Matthew Holt
812278acd8 reverseproxy: Emit debug log before checking error (#3425)
This way the upstream request will always be available even if it failed
2020-05-18 13:50:46 -06:00
Matthew Holt
c47ddbeffb pki: Add docs to some struct fields 2020-05-18 13:50:46 -06:00
Thorkild Gregersen
483e31b978
templates: trim windows whitespace in SplitFrontMatter; fix #3386 (#3387)
* add test case for SplitFrontMatter showing issue with windows newline

* fix issue with windows newline when using SplitFrontMatter

* Update modules/caddyhttp/templates/frontmatter.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* make it mere explicit what is trimmed from firstLine

* Update modules/caddyhttp/templates/frontmatter.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-05-18 13:01:04 -06:00
Francis Lavoie
41a682ddde
caddyauth: Add realm to basicauth Caddyfile directive (#3315) 2020-05-18 12:19:28 -06:00
Francis Lavoie
7243454a96
fastcgi: php_fastcgi subdirectives to override shortcut behaviour (#3255)
* fastcgi: Add new php_fastcgi subdirectives to override the shortcut

* fastcgi: Support "index off" to disable redir and try_files

* fastcgi: Remove whitespace to satisfy linter

* fastcgi: Run gofmt

* fastcgi: Make a new dispenser instead of using rewind

* fastcgi: Some fmt

* fastcgi: Add a couple adapt tests

* fastcgi: Clean up for loops

* fastcgi: Move adapt tests to separate files
2020-05-18 12:15:38 -06:00
Mohammed Al Sahaf
cee5589b98
docs: link to CEL standard definitions (#3407)
* docs: link to CEL standard definitions

* Rephrase the anchor to CEL standard definitions

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-05-13 17:11:31 +00:00
Matt Holt
90c7b4b0a1
reverseproxy: Apply response header ops before copying it (fix #3382) (#3401) 2020-05-13 09:52:20 -06:00
Matthew Holt
aef560c7fc
all: Recover from panics in goroutines 2020-05-12 11:36:20 -06:00
linquize
44536a7594
cmd: reverse-proxy: add --insecure flag (with warning) (#3389) 2020-05-12 10:43:18 -06:00
Francis Lavoie
ef6e53bb5f
core: Add support for d duration unit (#3323)
* caddy: Add support for `d` duration unit

* Improvements to ParseDuration; add unit tests

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-05-11 16:41:11 -06:00
Francis Lavoie
4c55d26f11
caddyhttp: Fix merging of Caddyfile matchers in not blocks (#3379) 2020-05-11 14:38:33 -06:00
Gregory Dosh
d534162556
caddyhttp: Match hostnames with wildcards to loggers (#3378)
* adding wildcard matching of logger names

* reordering precedence for more specific loggers to match first

* removing dependence on certmagic and extra loop

Co-authored-by: GregoryDosh <GregoryDosh@users.noreply.github.com>
2020-05-11 14:17:59 -06:00
Andrew Zhou
5bde8d705b
cmd: hash-password: Support reading from stdin (#3373)
Closes #3365 

* http: Add support in hash-password for reading from terminals/stdin

* FIXUP: Run gofmt -s

* FIXUP

* FIXUP: Apply suggestions from code review

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* FIXUP

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-05-11 14:10:47 -06:00
Matthew Holt
7960b4259d
caddyhttp: Minor refactoring for preparing requests
While building a layer4 app for Caddy, I discovered that we need the
ability to fill a request's context just like the HTTP server does,
hence this exported function PrepareRequest().
2020-05-11 12:14:47 -06:00
Jeremy Lin
bf8c3c25c1
log: improve rounding logic for log rolling directives (#3367)
* For `roll_size` and `roll_keep_for` directives, round up instead of down.
  For example, if a user wants to be able to look back on 36 hours of logs,
  but you must round to a 24-hour multiple, then it's better to round up to
  48 hours (which includes the desired 36 hours) instead of down to 24 hours.

* `roll_size` had an off-by-one error that caused the size to be as much as
  1 MB larger than requested. For example, requests of `1MB` and `1.1MB`
  both became 2 MB. Now `1MB` means 1 MB, and `1.1MB` is rounded up to 2 MB.
2020-05-07 13:06:00 -06:00
Matthew Holt
8dbc5f70a5
Update dependencies and get rid of placeholder hacks in CA code
With the latest commit on smallstep/certificates, placeholders in config
are no longer needed.
2020-05-06 16:02:21 -06:00
Matthew Holt
1c17e6c6bb
reverseproxy: Allow using TLS for port 80 upstreams (see #3361)
An upstream like https://localhost:80 is still forbidden, but an addr of
localhost:80 can be used while explicitly enabling TLS as an override;
we just don't allow the implicit behavior to be ambiguous.
2020-05-06 12:37:44 -06:00
Karol Będkowski
b814c0af9c
tls/client auth: verify first certificates in client request (#3344)
When client certificate is enabled Caddy check only last certificate from
request. When this cert is not in list of trusted leaf certificates,
connection is rejected. According to RFC TLS1.x the sender's certificate
must come first in the list.  Each following certificate must directly
certify the one preceding it.

This patch fix this problem - first certificate is checked instead of last.
2020-05-06 10:07:13 -06:00
Francis Lavoie
afecd90a6c
reverseproxy: Add tls_server_name option to Caddyfile (#3322) 2020-05-05 12:39:39 -06:00
Matt Holt
2f59467ac3
httpcaddyfile: Only append TLS conn policy if it's non-empty (#3319)
This can lead to nicer, smaller JSON output for Caddyfiles like this:

	a {
		tls internal
	}
	b {
		tls foo@bar.com
	}

i.e. where the tls directive only configures automation policies, and
is merely meant to enable TLS on a server block (if it wasn't implied).
This helps keeps implicit config implicit.

Needs a little more testing to ensure it doesn't break anything
important.
2020-05-05 12:37:52 -06:00
Matt Holt
184e8e9f71
pki: Embedded ACME server (#3198)
* pki: Initial commit of embedded ACME server (#3021)

* reverseproxy: Support auto-managed TLS client certificates (#3021)

* A little cleanup after today's review session
2020-05-05 12:35:32 -06:00
Matt Holt
1e8c9764df
file_server: Accept files args in one-liner of Caddyfile matcher (#3298)
Previously, matching by trying files other than the actual path of the
URI was:

    file {
        try_files <files...>
    }

Now, the same can be done in one line:

    file <files...>

As before, an empty file matcher:

    file

still matches if the request URI exists as a file in the site root.
2020-05-05 12:34:58 -06:00
Matt Holt
41c7bd27b4
httpserver: Add experimental H2C support (#3289)
* reverse_proxy: Initial attempt at H2C transport/client support (#3218)

I have not tested this yet

* Experimentally enabling H2C server support (closes #3227)

See also #3218

I have not tested this

* reverseproxy: Clean up H2C transport a bit

* caddyhttp: Update godoc for h2c server; clarify experimental status

* caddyhttp: Fix trailers when recording responses (fixes #3236)

* caddyhttp: Tweak h2c config settings and docs
2020-05-05 12:33:21 -06:00
Matthew Holt
8e42661060
caddytls: Finish upgrading to libdns DNS providers for ACME challenges
Until we finish the migration to the new acme library, we have to bring
the solver type in-house. It's small and temporary.
2020-05-02 17:23:36 -06:00
Matthew Holt
86a4f2c9f4
caddytls: Fix namespace tls.dns -> dns.providers
Coulda sworn I did this already but I think I messed up my git commands
2020-05-02 16:28:10 -06:00
Matthew Holt
a507a5bbc7 reverseproxy: Remove circuitbreaker module (see #3331)
Moving to https://github.com/caddyserver/circuitbreaker

Nobody was using it anyway -- it works well, but something got fumbled
in a refactoring *months* ago. Turns out that we forgot the interface
guards AND botched a method name (my bad) - Ok() should have been OK().
So it would always have thrown a runtime panic if it tried to be loaded.
The module itself works well, but obviously nobody used it because
nobody reported the error. Fixing this while we move it to the new repo.

Removing this removes the last Bazaar/Launchpad dependency (I think).
2020-05-01 19:47:46 -06:00