Commit graph

1298 commits

Author SHA1 Message Date
Mohammed Al Sahaf
41f5dd56e1
metrics: scope metrics to active config, add optional per-host metrics (#6531)
* Add per host config

* Pass host label when option is enabled

* Test per host enabled

* metrics: scope metrics per loaded config

* doc and linter

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* inject the custom registry into the admin handler

Co-Authored-By: Dave Henderson <dhenderson@gmail.com>

* remove `TODO` comment

* fixes

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* refactor to delay metrics admin handler provision

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Hussam Almarzooq <me@hussam.io>
Co-authored-by: Dave Henderson <dhenderson@gmail.com>
2024-10-02 08:23:26 -06:00
Francis Lavoie
16724842d9
caddyhttp: Implement auto_https prefer_wildcard option (#6146)
* Allow specifying multiple `auto_https` options

* Implement `auto_https prefer_wildcard` option

* Adapt tests, add mock DNS module for config testing

* Rebase fix
2024-10-02 07:31:58 -06:00
Francis Lavoie
792f1c7ed7
caddyhttp: Escaping placeholders in CEL, add vars and vars_regexp (#6594)
* caddyhttp: Escaping placeholders in CEL

* Simplify some of the test cases

* Implement vars and vars_regexp in CEL

* dupl lint is dumb

* Better consts for the placeholder CEL shortcut

* Bump CEL version, register a few extensions

* Refactor s390x test script for readability

* Add retries for s390x to smooth over flakiness

* Switch to `ph` for the CEL shortcut (match it in templates cause why not)
2024-10-02 06:34:04 -06:00
Matt Holt
c8adb1b553
cmd: Better error handling when reloading (#6601)
* caddyhttp: Limit auto-HTTPS error logs to 100 domains

* Improve error message and increase error size limit
2024-10-01 20:31:30 -06:00
Matt Holt
9b4acc2449
caddytls: Support new tls.context module (#6369)
* caddytls: Support new tls.context module

This allows modules to manipulate the context passed into CertMagic's GetCertificate function, which can be useful for tracing/metrics, or other
custom logic.

This is experimental and may resolve the request of a sponsor, so we'll see how it goes!

* Derpy derp
2024-10-01 17:18:17 -06:00
WeidiDeng
f3aead0e4d
http: ReponseWriter prefer ReadFrom if available (#6565)
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-10-01 11:19:03 -06:00
Francis Lavoie
571f88d86f
chore: Adjust incorrect reverse_proxy Caddyfile comment (#6598) 2024-10-01 10:56:30 -06:00
Aaron Paterson
0e829bc418
caddyhttp: Fix listener wrapper regression from #6573 (#6599) 2024-10-01 01:47:21 -04:00
Aaron Paterson
4b1a9b6cc1
core: Implement socket activation listeners (#6573)
* caddy adapt for listen_protocols

* adapt listen_socket

* allow multiple listen sockets for port ranges and readd socket fd listen logic

* readd logic to start servers according to listener protocols

* gofmt

* adapt caddytest

* gosec

* fmt and rename listen to listenWithSocket

* fmt and rename listen to listenWithSocket

* more consistent error msg

* non unix listenReusableWithSocketFile

* remove unused func

* doc comment typo

* nonosec

* commit

* doc comments

* more doc comments

* comment was misleading, cardinality did not change

* addressesWithProtocols

* update test

* fd/ and fdgram/

* rm addr

* actually write...

* i guess we doin' "skip": now

* wrong var in placeholder

* wrong var in placeholder II

* update param name in comment

* dont save nil file pointers

* windows

* key -> parsedKey

* osx

* multiple default_bind with protocols

* check for h1 and h2 listener netw
2024-09-30 10:55:03 -06:00
Mohammed Al Sahaf
1a345b4fa6
doc: remove docs of deprecated directives (#6566)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-09-29 09:12:52 +00:00
Alexander Stecher
22c98ea165
caddyhttp: Optimize logs using zap's WithLazy() (#6590)
* uses zap's .WithLazy with a cloned request

* fixes the cloning

* adds comment explaining why cloning is faster
2024-09-26 12:23:12 -06:00
Francis Lavoie
2faeac0a10
chore: Use slices package where possible (#6585)
* chore: Use slices package where possible

* More, mostly using ContainsFunc

* Even more slice operations
2024-09-25 14:30:56 -06:00
Francis Lavoie
9dda8fbf84
caddytls: Give a better error message when given encrypted private keys (#6591) 2024-09-25 06:00:48 -06:00
Marten Seemann
ff67b97126
caddyhttp: enable qlog, controlled by QLOGDIR env (#6581) 2024-09-21 05:47:18 +02:00
Mohammed Al Sahaf
6ab9fb6f74
ci: update the linter action version (#6575)
* ci: update the linter action version

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* exclude rule `G115`; disable deprecated linter

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2024-09-16 07:50:26 -06:00
Kévin Dunglas
f4bf4e0097
perf: use zap's Check() to prevent useless allocs (#6560)
* perf: use zap's Check() to prevent useless allocs

* fix

* fix

* fix

* fix

* restore previous replacer behavior

* fix linter
2024-09-13 11:16:37 -06:00
mister-turtle
21f9c20a04
rewrite: Avoid panic on bad arg count for uri (#6571) 2024-09-13 03:22:03 -04:00
vnxme
2d12fb7ac6
caddytls: Add sni_regexp matcher (#6569) 2024-09-11 20:51:59 -06:00
Jesper Brix Rosenkilde
91e62db666
caddyhttp: Make route provisioning idempotent (#6558)
ref: https://github.com/caddyserver/caddy/issues/6551
2024-09-03 11:57:55 -06:00
Steffen Busch
c050a37e1c
reverse_proxy: add placeholder http.reverse_proxy.retries (#6553)
* Add placeholder http.reverse_proxy.lb.retries

* Renamed placeholder to http.reverse_proxy.retries
2024-08-30 11:53:56 -06:00
lollipopkit🏳️‍⚧️
5c47c2f147
fileserver: browse: Configurable default sort (#6502)
* fileserver: add `sort` options

* fix: test

* fileserver: check options in `Provison`

* fileserver: more obvious err alerts in sort options

* fileserver: move `sort` to `browse`

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-08-30 09:01:37 -06:00
Alexander Stecher
ffd28be90a
rewrite: Only serialize request if necessary (#6541)
* Prevents serializing the caddy request if log level is not debug.

* Extracts message to const.
2024-08-30 08:46:51 -06:00
Bas Westerbaan
dcbf38d0b3
tls: use Go default kex for the moment that include PQC (#6542)
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement
method that is enabled by default on Chrome. Go 1.23 does not expose
the CurveID, so we cannot add it by specifying it in CurvePreferences.
The reason is that X25519Kyber768 is a preliminary key agreement that
will be supplanted by X25519MLKEM768. For the moment there is value
in enabling it.

A consequence of this is that by default Caddy will enable support
for P-384 and P-521.

This PR also removes the special code to add support for X25519Kyber768
via the Cloudflare Go branch.

Cf #6540
2024-08-27 17:08:16 -06:00
Kévin Dunglas
2028da4e74
ci: build and test with Go 1.23 (#6526)
* chore: build and test with Go 1.23

* ci: bump golangci-lint to v1.60

* fix: make properly wrap errors

* ci: remove Go 1.21
2024-08-23 11:01:28 -06:00
Mohammed Al Sahaf
4ade967005
reverseproxy: allow user to define source address (#6504)
* reverseproxy: allow user to define source address

Closes #6503

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* reverse_proxy: caddyfile support for local_address

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2024-08-22 19:52:05 +00:00
Mohammed Al Sahaf
8af646730b
caddyhttp: run error (msg) through replacer (#6536)
* error: run `error` (msg) through replacer

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* fix integration test

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2024-08-22 11:32:44 -06:00
Cuckoo Chickoo
098897bdea
chore: Fix a typo (#6534)
Fixes Typo in Docs
2024-08-22 13:15:58 +03:00
Jens-Uwe Mager
2bb2ecc549
reverseproxy: Change errors writing the response to warning. (#6532)
Most of the errors that can be seen here are write errors due to clients
aborting the request from their side. Often seen ones include:

	* writing: ... write: broken pipe
	* writing: ... connection timed out
	* writing: http2: stream closed
	* writing: timeout...
	* writing: h3 error...

Most of these errors are beyond of the control of caddy on the client side,
probably nothing can be done on the server side. It still warrants
researching when these errors occur very often, so a change in level from
error to warn is better here to not polute the logs with errors in the
normal case.
2024-08-21 11:39:20 -06:00
Jesper Brix Rosenkilde
54a0c8f948
reverseproxy: Active health checks request body option (#6520)
* Add an option to specify the body used for active health checks

* Replacer on request body
2024-08-19 10:55:55 -06:00
vnxme
3a48b03369
Move PrivateRangesCIDR() back: add a pass-through function (#6514) 2024-08-12 05:47:05 -04:00
vnxme
7cf8376e63
matchers: fix a regression in #6480 (#6510)
The context may have no replacer
2024-08-12 10:01:09 +03:00
WeidiDeng
21af88fefc
reverseproxy: Disable keep alive for h2c requests (#6343) 2024-08-08 06:53:30 -06:00
vnxme
59cbb2c83a
caddytls,caddyhttp: Placeholders for some TLS and HTTP matchers (#6480)
* Runtime placeholders for caddytls matchers (1/3):

- remove IPs validation in UnmarshalCaddyfile

* Runtime placeholders for caddytls matchers (2/3):

- add placeholder replacement for IPs in Provision

* Runtime placeholders for caddytls matchers (3/3):

- add placeholder replacement for other strings

* Runtime placeholders for caddyhttp matchers (1/1):

- add placeholder replacement for IPs in Provision

* Runtime placeholders for caddyhttp/caddytls matchers:

- move PrivateRandesCIDR under internal
2024-08-07 11:02:23 -06:00
WeidiDeng
a8b0dfa8da
go.mod: update quic-go package (#6498) 2024-08-06 22:08:32 -06:00
lollipopkit🏳️‍⚧️
b198678174
browse: Customizable default sort options (#6468)
* fileserver: add `sort` options

* fix: test

* fileserver: check options in `Provison`

* fileserver: more obvious err alerts in sort options
2024-08-05 08:27:45 -06:00
Prakhar Awasthi
840094ac65
proxyprotocol: Update WrapListener to use ConnPolicyFunc for PROXY protocol (#6485)
* proxyprotocol : Update WrapListener to use ConnPolicyFunc for PROXY protocol support

* proxyprotocol : Updated dependency pires/go-proxyproto to pseudo latest version
2024-08-03 19:51:50 +03:00
WeidiDeng
976469ca0d
encode: flush already compressed data from the encoder (#6471) 2024-07-27 17:46:56 -06:00
vnxme
3579815a6c
caddytls: Caddyfile support for TLS conn and cert sel policies (#6462)
* Caddyfile support for TLS custom certificate selection policy

* Caddyfile support for TLS connection policy
2024-07-24 11:01:06 -06:00
vnxme
61fe152c60
caddytls: Caddyfile support for TLS handshake matchers (#6461)
* Caddyfile support for TLS handshake matchers:

- caddytls.MatchLocalIP
- caddytls.MatchRemoteIP
- caddytls.MatchServerName

* Caddyfile support for TLS handshake matchers:

- fix imports order

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-07-24 09:26:09 -06:00
Matthew Holt
806f5b1117
reverseproxy: Fix panic when using header-related flags (fix #6464) 2024-07-18 21:31:07 -06:00
schultzie
b2492f8567
reverseproxy: add health_upstream subdirective (#6451)
* Add health_upstream

Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com>

* Add health_upstream to caddyfile parsing

* Add Active Upstream case for health checks

* Update ignore health port comment

Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com>

* Update Upstream json doc

Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com>

* Update modules/caddyhttp/reverseproxy/healthchecks.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Use error rather than log for health_port override

Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com>

* Add comment about port being ignore if using upstream

Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com>

---------

Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-07-15 17:00:12 +00:00
Jesper Brix Rosenkilde
07c863637d
reverseproxy: Caddyfile support for health_method (#6454)
* Add Caddyfile support of setting active health check request method

* Add integration test for active health check request method
2024-07-12 17:01:58 -04:00
Jesper Brix Rosenkilde
dc2a5d5c52
reverseproxy: Configurable method for active health checks (#6453)
* Add option to set which HTTP method to use for active health checks

* Default Method to GET if not set
2024-07-11 09:24:13 -04:00
schultzie
4943a4fc52
reverseproxy: Add placeholder for networkAddr in active health check headers (#6450)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-07-09 18:08:25 +00:00
Aziz Rmadi
630c62b313
fixed bug in resolving ip version in dynamic upstreams (#6448) 2024-07-09 03:06:30 -04:00
Francis Lavoie
9338741ca7
browse: Exclude symlink target size from total, show arrow on size (#6412)
* fileserver: Exclude symlink target size from total, show arrow on size

* Keep both totals

* Linter doesn't like my spelling :(

* Stop parallelizing tests for now

* Update modules/caddyhttp/fileserver/browse.html

* Minor renamings

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-07-07 07:01:07 -06:00
Steffen Busch
88c7e53da5
browse: fix Content-Security-Policy warnings in Firefox (#6443)
* Remove 'strict-dynamic' + block-all-mixed-content

* CSP: remove 'unsafe-inline' from script-src
2024-07-07 06:56:47 -06:00
Steffen Busch
4ef360745d
browse: add Content-Security-Policy w/ nonce (#6425)
* browse: add Content-Security-Policy w/ nonce

* Add backward-compat values to script-src

* Remove dummy "#" href from layout anchors
2024-07-06 10:46:08 -06:00
Francis Lavoie
7142d7c1e4
reverseproxy: Add placeholder for host in active health check headers (#6440) 2024-07-06 10:43:19 -06:00
Matt Holt
c3fb5f4d3f
caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying (#6427)
* caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying

See RFC 8470: https://httpwg.org/specs/rfc8470.html

Thanks to Michael Wedl (@MWedl)  at the University of Applied Sciences St. Poelten for reporting this.

* Don't return value for {remote} placeholder in early data

* Add Caddyfile support
2024-07-05 10:46:20 -06:00