Commit graph

221 commits

Author SHA1 Message Date
Francis Lavoie
5c8dc34418
caddytls: Allow disabling storage cleaning, avoids writing two files (#6593) 2024-11-05 10:47:41 -07:00
Francis Lavoie
09b2cbcf4d
caddyhttp: Add MatchWithError to replace SetVar hack (#6596)
* caddyhttp: Add `MatchWithError` to replace SetVar hack

* Error in IP matchers on TLS handshake not complete

* Use MatchWithError everywhere possible

* Move implementations to MatchWithError versions

* Looser interface checking to allow fallback

* CEL factories can return RequestMatcherWithError

* Clarifying comment since it's subtle that an err is returned

* Return 425 Too Early status in IP matchers

* Keep AnyMatch signature the same for now

* Apparently Deprecated can't be all-uppercase to get IDE linting

* Linter
2024-11-04 23:18:50 +00:00
Francis Lavoie
d7564d632f
caddytls: Drop rate_limit and burst, has been deprecated (#6611) 2024-10-07 17:39:47 -04:00
Matt Holt
c8adb1b553
cmd: Better error handling when reloading (#6601)
* caddyhttp: Limit auto-HTTPS error logs to 100 domains

* Improve error message and increase error size limit
2024-10-01 20:31:30 -06:00
Matt Holt
9b4acc2449
caddytls: Support new tls.context module (#6369)
* caddytls: Support new tls.context module

This allows modules to manipulate the context passed into CertMagic's GetCertificate function, which can be useful for tracing/metrics, or other
custom logic.

This is experimental and may resolve the request of a sponsor, so we'll see how it goes!

* Derpy derp
2024-10-01 17:18:17 -06:00
Mohammed Al Sahaf
1a345b4fa6
doc: remove docs of deprecated directives (#6566)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-09-29 09:12:52 +00:00
Francis Lavoie
2faeac0a10
chore: Use slices package where possible (#6585)
* chore: Use slices package where possible

* More, mostly using ContainsFunc

* Even more slice operations
2024-09-25 14:30:56 -06:00
Francis Lavoie
9dda8fbf84
caddytls: Give a better error message when given encrypted private keys (#6591) 2024-09-25 06:00:48 -06:00
Kévin Dunglas
f4bf4e0097
perf: use zap's Check() to prevent useless allocs (#6560)
* perf: use zap's Check() to prevent useless allocs

* fix

* fix

* fix

* fix

* restore previous replacer behavior

* fix linter
2024-09-13 11:16:37 -06:00
vnxme
2d12fb7ac6
caddytls: Add sni_regexp matcher (#6569) 2024-09-11 20:51:59 -06:00
Bas Westerbaan
dcbf38d0b3
tls: use Go default kex for the moment that include PQC (#6542)
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement
method that is enabled by default on Chrome. Go 1.23 does not expose
the CurveID, so we cannot add it by specifying it in CurvePreferences.
The reason is that X25519Kyber768 is a preliminary key agreement that
will be supplanted by X25519MLKEM768. For the moment there is value
in enabling it.

A consequence of this is that by default Caddy will enable support
for P-384 and P-521.

This PR also removes the special code to add support for X25519Kyber768
via the Cloudflare Go branch.

Cf #6540
2024-08-27 17:08:16 -06:00
vnxme
7cf8376e63
matchers: fix a regression in #6480 (#6510)
The context may have no replacer
2024-08-12 10:01:09 +03:00
vnxme
59cbb2c83a
caddytls,caddyhttp: Placeholders for some TLS and HTTP matchers (#6480)
* Runtime placeholders for caddytls matchers (1/3):

- remove IPs validation in UnmarshalCaddyfile

* Runtime placeholders for caddytls matchers (2/3):

- add placeholder replacement for IPs in Provision

* Runtime placeholders for caddytls matchers (3/3):

- add placeholder replacement for other strings

* Runtime placeholders for caddyhttp matchers (1/1):

- add placeholder replacement for IPs in Provision

* Runtime placeholders for caddyhttp/caddytls matchers:

- move PrivateRandesCIDR under internal
2024-08-07 11:02:23 -06:00
vnxme
3579815a6c
caddytls: Caddyfile support for TLS conn and cert sel policies (#6462)
* Caddyfile support for TLS custom certificate selection policy

* Caddyfile support for TLS connection policy
2024-07-24 11:01:06 -06:00
vnxme
61fe152c60
caddytls: Caddyfile support for TLS handshake matchers (#6461)
* Caddyfile support for TLS handshake matchers:

- caddytls.MatchLocalIP
- caddytls.MatchRemoteIP
- caddytls.MatchServerName

* Caddyfile support for TLS handshake matchers:

- fix imports order

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-07-24 09:26:09 -06:00
Andreas Kohn
e7ecc7ede2
Make it possible to configure the DisableStorageCheck setting for certmagic (#6368)
See discussion about this setting in https://github.com/caddyserver/certmagic/issues/201
2024-06-04 07:00:15 -06:00
Matthew Holt
01308b4bae
I'm so tired of typos 2024-06-01 20:43:35 -06:00
Matthew Holt
b7280e6949 caddytls: Implement certmagic.RenewalInfoGetter
Fixes ARI errors reported here:
https://caddy.community/t/error-in-logs-with-updating-ari-after-upgrading-to-caddy-v2-8-1/24320
2024-06-01 18:02:49 -06:00
Francis Lavoie
a6a45ff6c5
context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
* context: Add new `AppStrict()` method to avoid instantiating empty apps

* Rename AppStrict -> AppIfConfigured

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-20 11:14:58 -06:00
Matthew Holt
73e094e1dd
Fix lint error about deprecated method in smallstep/certificates/authority 2024-05-20 10:56:25 -06:00
Will Norris
db3e19b7b5
caddytls: fix permission requirement with AutomationPolicy (#6328)
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid caddyfile:

    https:// {
      tls {
        get_certificate tailscale
      }
      respond OK
    }

This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.

The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.

An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagesRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.

Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.

Also fix an inverted boolean check on this value when setting
failClosed.

Updates #6060
Updates #6229
Updates #6327

Signed-off-by: Will Norris <will@tailscale.com>
2024-05-20 09:48:59 -06:00
Will Norris
1fc151faec
caddytls: remove ClientHelloSNICtxKey (#6326) 2024-05-18 22:47:46 -04:00
Will Norris
e66040a6f0
caddytls: set server name in context (#6324)
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.

Signed-off-by: Will Norris <will@tailscale.com>
2024-05-18 03:52:19 -06:00
Viktor Szépe
d7e3a1974b
Fix typos (#6311)
* Fix typos

* Revert

* Revert to "htlm"

* fix indentations
2024-05-10 08:08:54 -06:00
WeidiDeng
e60148ecc3
reverseproxy: Pointer to struct when loading modules; remove LazyCertPool (#6307)
* use pointer when loading modules

* change method to pointer type and remove LazyCertPool

* remove lazy pool test

* remove yet another lazy pool test
2024-05-08 19:13:37 -06:00
Matthew Holt
8d7ac18402
caddytls: Ability to drop connections (close #6294) 2024-05-06 19:59:42 -06:00
Matt Holt
d129ae6aec
caddytls: Evict internal certs from cache based on issuer (#6266)
* caddytls: Evict internal certs from cache based on issuer

During a config reload, we would keep certs in the cache fi they were used  by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.

This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.

* Make sure new TLS app manages configured certs

* Actually make it work
2024-04-30 16:15:54 -06:00
Mohammed Al Sahaf
87c7127c28
chore: add warn logs when using deprecated fields (#6276) 2024-04-27 15:51:00 -04:00
Mohammed Al Sahaf
c6eb186064
run golangci-lint run --fix --fast (#6270) 2024-04-24 15:17:23 -06:00
clauverjat
76c4cf5a56
caddytls: Option to configure certificate lifetime (#6253)
* Add option to configure certificate lifetime

* Bump CertMagic dep to latest master commit

* Apply suggestions and ran go mod tidy

* Update modules/caddytls/acmeissuer.go

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-24 14:35:14 -06:00
Mohammed Al Sahaf
d2668cdbb0
doc: add verifier in ClientAuthentication caddyfile marshaler doc (#6263) 2024-04-23 07:01:54 -06:00
Matthew Holt
6a02999054
caddytls: Add Caddyfile support for on-demand permission module (close #6260) 2024-04-22 15:47:09 -06:00
Aziz Rmadi
3609a4af75
caddytls: Remove shim code supporting deprecated lego-dns (#6231)
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-15 21:26:56 +00:00
Mohammed Al Sahaf
26748d06b4
connection policy: add local_ip matcher (#6074)
* connection policy: add `local_ip`

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-15 21:13:24 +03:00
Matt Holt
81413caea2
caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229)
* WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades

* caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME

* Fix go.mod

* caddytls: Fix automation related to managers (fix #6060)

* Fix typo (appease linter)

* Fix HTTP validation with ZeroSSL API
2024-04-13 21:31:43 -04:00
Matthew Holt
dc9dd2e4b3
caddytls: Still provision permission module if ask is specified
Only needed for JSON configs, and only temporarily as the ask property is deprecated and will be removed.
2024-04-13 17:08:11 -06:00
reallylowest
e0bf179c1a
modules: fix some typo in conments (#6206)
Signed-off-by: reallylowest <sunjinping@outlook.com>
2024-03-30 02:45:42 +00:00
Aziz Rmadi
3ae07a73dc
caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050)
* Made trusted leaf certificates pluggable into the tls.client_auth.leaf
module

* Added leaf loaders modules: file, folder, pem aand storage

* Cleaned implementation of leaf cert loader modules

* Added tests for leaf certs file and folder loaders

* cmd: fix the output of the `Usage` section (#6138)

* core: OnExit hooks (#6128)

* core: OnExit callbacks

* core: Process-global OnExit callbacks

* ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added more leaf certificate loaders tests and cleaned up code

* Modified leaf cert loaders json field names and cleaned up storage loader comment

* Update modules/caddytls/leaffileloader.go

* Update LeafStorageLoader certificates field name

* Upgraded  protobuf version

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-05 14:55:37 -07:00
Mohammed Al Sahaf
03f703a00e
caddytls: verifier: caddyfile: re-add Caddyfile support (#6127)
* caddytls: verifier: caddyfile: re-add Caddyfile support

* appease the linter

* caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`
2024-02-26 00:13:48 +03:00
Matt Holt
57c5b921a4
caddytls: Make on-demand 'ask' permission modular (#6055)
* caddytls: Make on-demand 'ask' permission modular

This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.

Kicking myself that we didn't do it this way at the beginning, but who coulda known...

* Lint

* Error on conflicting config

* Fix bad merge

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-30 16:11:29 -07:00
Yolan Romailler
2fe69a828f
chore: enabling a few more linters (#5961)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-25 15:24:58 +00:00
Mohammed Al Sahaf
e965b111cd
tls: modularize trusted CA providers (#5784)
* tls: modularize client authentication trusted CA

* add `omitempty` to `CARaw`

* docs

* initial caddyfile support

* revert anything related to leaf cert validation

The certs are used differently than the CA pool flow

* complete caddyfile unmarshalling implementation

* Caddyfile syntax documentation

* enhance caddyfile parsing and documentation

Apply suggestions from code review

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* add client_auth caddyfile tests

* add caddyfile unmarshalling tests

* fix and add missed adapt tests

* fix rebase issue

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-25 11:44:41 +03:00
Francis Lavoie
750d0b8331
caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
Rithvik Vibhu
ed41c924cf
tls: add reuse_private_keys (#6025) 2024-01-09 16:00:31 -07:00
Matt Holt
4a09cf0dc0
caddytls: Sync distributed storage cleaning (#5940)
* caddytls: Log out remote addr to detect abuse

* caddytls: Sync distributed storage cleaning

* Handle errors

* Update certmagic to fix tiny bug

* Split off port when logging remote IP

* Upgrade CertMagic
2023-12-07 11:00:02 -07:00
Andreas Kohn
b24ae63ea6
caddytls: Context to DecisionFunc (#5923)
See https://github.com/caddyserver/certmagic/pull/255
2023-12-07 10:40:13 -07:00
Mohammed Al Sahaf
4173e2c77a
tls: accept placeholders in string values of certificate loaders (#5963)
* tls: loader: accept placeholders in string values

* appease the linter
2023-12-04 09:23:15 -07:00
Bas Westerbaan
289934f3d1
tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852)
… when compiled with cfgo (https://github.com/cloudflare/go).
2023-10-11 13:45:37 -06:00
Matt Holt
b377208ede
chore: Appease gosec linter (#5777)
These happen to be harmless memory aliasing
but I guess the linter can't know that and we
can't really prove it in general.
2023-08-23 20:47:54 -06:00
Jacob Gadikian
d6f86cccf5
ci: use gci linter (#5708)
* use gofmput to format code

* use gci to format imports

* reconfigure gci

* linter autofixes

* rearrange imports a little

* export GOOS=windows golangci-lint run ./... --fix
2023-08-14 09:41:15 -06:00