Before, if there was an error in the error handler, we would not write a
status code, which resulted in Go writing a 200 for us by default, which
does not make sense when there's an error. Now we write the second
error's status if available, otherwise 500.
* caddytls: Support multiple issuers
Defaults are Let's Encrypt and ZeroSSL.
There are probably bugs.
* Commit updated integration tests, d'oh
* Update go.mod
* nitpicks and small improvements in basicauth module
1:
roll two if statements into one, since err will be nil in the second case anyhow
2:
unlock cache mutex after reading the key, as this happens by-value and reduces code complexity
3:
switch cache sync.Mutex to sync.RWMutex for better concurrency on cache fast track
* allocate the right kind of mutex
* fileserver: Improve and clarify file hiding logic
* Oops, forgot to run integration tests
* Make this one integration test OS-agnostic
* See if this appeases the Windows gods
* D'oh
Always follow the code path of hashing and comparing a plaintext
password even if the account is not found by the given username; this
ensures that similar CPU cycles are spent for both valid and invalid
usernames.
Thanks to @tylerlm for helping and looking into this!
* httpcaddyfile: Revise automation policy generation
This should fix a frustrating edge case where wildcard subjects are
used, which potentially get shadowed by more specific versions of
themselves; see the new tests for an example. This change is motivated
by an actual customer requirement.
Although all the tests pass, this logic is incredibly complex and
nuanced, and I'm worried it is not correct. But it took me about 4 days
to get this far on a solution. I did my best.
* Fix typo
We have users that have site blocks like *.*.tld with on-demand TLS
enabled. While *.*.tld does not qualify for a publicly-trusted cert due
to its wildcards, On-Demand TLS does not actually obtain a cert with
those wildcards, since it uses the actual hostname on the handshake.
This improves on that logic, but I am still not 100% satisfied with the
result since I think we need to also check if another site block is more
specific, like foo.example.tld, which might not have on-demand TLS
enabled, and make sure an automation policy gets created before the
more general policy with on-demand...
* reverseproxy: Fix dial placeholders, SRV, active health checks
Supercedes #3776
Partially reverts or updates #3756, #3693, and #3695
* reverseproxy: add integration tests
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* reverseproxy: fix breakage in handling SRV lookup introduced by 3695
* reverseproxy: validate against incompatible config options with lookup_srv
* reverseproxy: add integration test cases for validations involving lookup_srv
* reverseproxy: clarify the reason for skipping an iteration
* grammar.. Oxford comma
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Fixes#3753
* admin: lower log level to Debug for /metrics requests
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Apply suggestions from code review
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddyfile: support vars and vars_regexp matchers in the caddyfile
* caddyfile: matchers: Brian Kernighan said printf is good debugging tool but didn't say keep them around
* metrics: Always track method label in uppercase
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Just use strings.ToUpper for clarity
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* metrics: Fixing panic while observing with bad exemplars
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
* Minor cleanup
The server is already added to the context. So, we can simply use that
to get the server name, which is a field on the server.
* Add integration test for auto HTTP->HTTPS redirects
A test like this would have caught the problem in the first place
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
* reverseproxy: construct active health-check transport from scratch (Fixes#3691)
* reverseproxy: do upstream health-check on the correct alternative port
* reverseproxy: add integration test for health-check on alternative port
* reverseproxy: put back the custom transport for health-check http client
* reverseproxy: cleanup health-check integration test
* reverseproxy: fix health-check of unix socket upstreams
* reverseproxy: skip unix socket tests on Windows
* tabs > spaces
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* make the linter (and @francislavoie) happy
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* One more lint fix
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* httpcaddyfile: Ensure handle_path is sorted as equal to handle
* httpcaddyfile: Make mutual exclusivity grouping deterministic (I hope)
* httpcaddyfile: Add comment linking to the issue being fixed
* httpcaddyfile: Typo fix, comment clarity
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* Update caddyconfig/httpcaddyfile/httptype.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>