* reverseproxy: construct active health-check transport from scratch (Fixes#3691)
* reverseproxy: do upstream health-check on the correct alternative port
* reverseproxy: add integration test for health-check on alternative port
* reverseproxy: put back the custom transport for health-check http client
* reverseproxy: cleanup health-check integration test
* reverseproxy: fix health-check of unix socket upstreams
* reverseproxy: skip unix socket tests on Windows
* tabs > spaces
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* make the linter (and @francislavoie) happy
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* One more lint fix
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* fileserver: Fix try_files for directories, windows fix
* fileserver: Add new file type placeholder, refactoring, tests
* fileserver: Review cleanup
* fileserver: Flip the return args order
* Fix-3585: added placeholder for a PEM encoded value of the certificate
* Update modules/caddyhttp/replacer.go
Change type of block and empty headers removed
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* fixed tests
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* logging: Implement Caddyfile support for filter encoder
* logging: Add support for parsing IP masks from strings
wip
* logging: Implement Caddyfile support for ip_mask
* logging: Get rid of unnecessary logic to allow strings, not that useful
* logging: Add adapt test
Now, a filename to hide that is specified without a path separator will
count as hidden if it appears in any component of the file path (not
only the last component); semantically, this means hiding a file by only
its name (without any part of a path) will hide both files and folders,
e.g. hiding ".git" will hide "/.git" and also "/.git/foo".
We also do prefix matching so that hiding "/.git" will hide "/.git"
and "/.git/foo" but not "/.gitignore".
The remaining logic is a globular match like before.
Update internal issuer for compatibility -- yay simpler code!
The .1 version also fixes non-critical SAN extensions that caused trust
issues on several clients.
* ci: Try Go 1.15 RC1 out of curiosity
* Go 1.15 was released; let's try it
* Update to latest quic-go
* Attempt at fixing broken test
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
* caddytls: Add support for ZeroSSL; add Caddyfile support for issuers
Configuring issuers explicitly in a Caddyfile is not easily compatible
with existing ACME-specific parameters such as email or acme_ca which
infer the kind of issuer it creates (this is complicated now because
the ZeroSSL issuer wraps the ACME issuer)... oh well, we can revisit
that later if we need to.
New Caddyfile global option:
{
cert_issuer <name> ...
}
Or, alternatively, as a tls subdirective:
tls {
issuer <name> ...
}
For example, to use ZeroSSL with an API key:
{
cert_issuser zerossl API_KEY
}
For now, that still uses ZeroSSL's ACME endpoint; it fetches EAB
credentials for you. You can also provide the EAB credentials directly
just like any other ACME endpoint:
{
cert_issuer acme {
eab KEY_ID MAC_KEY
}
}
All these examples use the new global option (or tls subdirective). You
can still use traditional/existing options with ZeroSSL, since it's
just another ACME endpoint:
{
acme_ca https://acme.zerossl.com/v2/DV90
acme_eab KEY_ID MAC_KEY
}
That's all there is to it. You just can't mix-and-match acme_* options
with cert_issuer, because it becomes confusing/ambiguous/complicated to
merge the settings.
* Fix broken test
This test was asserting buggy behavior, oops - glad this branch both
discovers and fixes the bug at the same time!
* Fix broken test (post-merge)
* Update modules/caddytls/acmeissuer.go
Fix godoc comment
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* Add support for ZeroSSL's EAB-by-email endpoint
Also transform the ACMEIssuer into ZeroSSLIssuer implicitly if set to
the ZeroSSL endpoint without EAB (the ZeroSSLIssuer is needed to
generate EAB if not already provided); this is now possible with either
an API key or an email address.
* go.mod: Use latest certmagic, acmez, and x/net
* Wrap underlying logic rather than repeating it
Oops, duh
* Form-encode email info into request body for EAB endpoint
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* fileserver: First attempt to fix failing test on Linux
I think I updated the wrong test case before
* Make new test function
I guess what we really are trying to test is the case insensitivity of
firstSplit. So a new test function is better for that.
We can't use a positional index on an original string that we got from
its lower-cased equivalent. Implement our own IndexFold() function b/c
the std lib does not have one.
* push: Implement HTTP/2 server push (close#3551)
* push: Abstract header ops by embedding into new struct type
This will allow us to add more fields to customize headers in
push-specific ways in the future.
* push: Ensure Link resources are pushed before response is written
* Change header name from X-Caddy-Push to Caddy-Push
* reverse proxy: Support more h2 stream scenarios (#3556)
* reverse proxy: add integration test for better h2 stream (#3556)
* reverse proxy: adjust comments as francislavoie suggests
* link to issue #3556 in the comments
* reverse proxy: add support for custom resolver
* reverse proxy: don't pollute the global resolver with bootstrap resolver setup
* Improve documentation of reverseproxy.UpstreamResolver fields
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* reverse proxy: clarify the name resolution conventions of upstream resolvers and bootstrap resolver
* remove support for bootstraper of resolver
* godoc and code-style changes
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
We already restore them within the retry loop, but after successful
proxy we didn't reset them, so as handlers bubble back up, they would
see the values used for proxying.
Thanks to @ziddey for identifying the cause.
* reverseproxy: Fix Caddyfile parsing for empty non-http transports
* Update modules/caddyhttp/reverseproxy/caddyfile.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Rename empty transport test
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* cel: fix validation of expression result type
The earlier code used the proto.Equals from github.com/gogo/protobuf, which failed to compare two messages of the same type for some reason. Switching to proto.Equal from the canonical github.com/golang/protobuf fixes the issue.
* deps: remove deprecated github.com/golang/protobuf in favor of google.golang.org/protobuf
* downgrade github.com/smallstep/nosql to resolve warning pb.proto warning
First try an exact lookup like before, but if it fails, strip the port
and try again. example.com:1234 should still use a logger keyed for
example.com if there is no key example.com:1234.
In commit f2ce81c, support for multiple path splitters was added. The
type of SplitPath changed from string to []string, and splitPos was
changed to loop through all values in SplitPath.
Before that commit, if SplitPath was empty, strings.Index returned 0 and
PATH_INFO was set correctly in buildEnv.
Currently, however, splitPos returns -1 for empty values of SplitPath,
behaving as if a split position could not be found at all. PATH_INFO is
then never set in buildEnv and remains empty.
Restore the old behaviour by explicitly checking whether SplitPath is
empty and returning 0 in splitPos.
Closes#3490
This is just a convenience if using a static_response handler in an
error route, by setting the default status code to the same one as
the error status.
Cache capacity is currently hard-coded at 1000 with random eviction.
It is enabled by default from Caddyfile configurations because I assume
this is the most common preference.
* caddyconfig: WIP implementation of handle_path
* caddyconfig: Complete the implementation - h.NewRoute was key
* caddyconfig: Add handle_path integration test
* caddyhttp: Use the path matcher as-is, strip the trailing *, update test
Correct behavior is not well defined because this is a non-standard
header field. This could be a "hop-by-hop" field much like
X-Forwarded-For is, but even our X-Forwarded-For implementation
preserves prior entries. Or, it could be best to preserve the original
value from the first hop, representing the protocol as facing the
client.
Let's try it the other way for a bit and see how it goes.
See https://caddy.community/t/caddy2-w-wordpress-behind-nginx-reverse-proxy/8174/3?u=matt
* add test case for SplitFrontMatter showing issue with windows newline
* fix issue with windows newline when using SplitFrontMatter
* Update modules/caddyhttp/templates/frontmatter.go
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* make it mere explicit what is trimmed from firstLine
* Update modules/caddyhttp/templates/frontmatter.go
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* fastcgi: Add new php_fastcgi subdirectives to override the shortcut
* fastcgi: Support "index off" to disable redir and try_files
* fastcgi: Remove whitespace to satisfy linter
* fastcgi: Run gofmt
* fastcgi: Make a new dispenser instead of using rewind
* fastcgi: Some fmt
* fastcgi: Add a couple adapt tests
* fastcgi: Clean up for loops
* fastcgi: Move adapt tests to separate files
* docs: link to CEL standard definitions
* Rephrase the anchor to CEL standard definitions
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddy: Add support for `d` duration unit
* Improvements to ParseDuration; add unit tests
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
