2019-06-30 17:07:58 -05:00
|
|
|
// Copyright 2015 Matthew Holt and The Caddy Authors
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2019-06-14 12:58:28 -05:00
|
|
|
package caddy
|
2019-03-26 13:00:54 -05:00
|
|
|
|
|
|
|
import (
|
2019-03-26 20:42:52 -05:00
|
|
|
"bytes"
|
2019-03-26 13:00:54 -05:00
|
|
|
"context"
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
"crypto"
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"encoding/base64"
|
2019-03-26 13:00:54 -05:00
|
|
|
"encoding/json"
|
2020-07-31 17:54:18 -05:00
|
|
|
"errors"
|
2019-11-04 14:05:20 -05:00
|
|
|
"expvar"
|
2019-03-26 13:00:54 -05:00
|
|
|
"fmt"
|
|
|
|
"io"
|
2020-05-13 12:28:15 -05:00
|
|
|
"io/ioutil"
|
2020-04-10 18:31:38 -05:00
|
|
|
"net"
|
2019-03-26 13:00:54 -05:00
|
|
|
"net/http"
|
2019-03-26 20:42:52 -05:00
|
|
|
"net/http/pprof"
|
2019-11-04 14:05:20 -05:00
|
|
|
"net/url"
|
2019-07-20 11:48:46 -05:00
|
|
|
"os"
|
2019-11-04 14:05:20 -05:00
|
|
|
"path"
|
2019-11-27 13:49:49 -05:00
|
|
|
"regexp"
|
2019-11-04 14:05:20 -05:00
|
|
|
"strconv"
|
2019-03-26 13:00:54 -05:00
|
|
|
"strings"
|
|
|
|
"sync"
|
2019-03-26 20:42:52 -05:00
|
|
|
"time"
|
2019-06-05 12:10:19 -05:00
|
|
|
|
2021-04-05 15:01:20 -05:00
|
|
|
"github.com/caddyserver/caddy/v2/notify"
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
"github.com/caddyserver/certmagic"
|
2020-09-17 13:01:20 -05:00
|
|
|
"github.com/prometheus/client_golang/prometheus"
|
2019-10-28 15:39:37 -05:00
|
|
|
"go.uber.org/zap"
|
2019-03-26 13:00:54 -05:00
|
|
|
)
|
|
|
|
|
2019-12-10 15:36:46 -05:00
|
|
|
// AdminConfig configures Caddy's API endpoint, which is used
|
|
|
|
// to manage Caddy while it is running.
|
2019-06-28 16:39:41 -05:00
|
|
|
type AdminConfig struct {
|
2019-12-10 15:36:46 -05:00
|
|
|
// If true, the admin endpoint will be completely disabled.
|
|
|
|
// Note that this makes any runtime changes to the config
|
|
|
|
// impossible, since the interface to do so is through the
|
|
|
|
// admin endpoint.
|
|
|
|
Disabled bool `json:"disabled,omitempty"`
|
|
|
|
|
|
|
|
// The address to which the admin endpoint's listener should
|
|
|
|
// bind itself. Can be any single network address that can be
|
2019-12-23 14:46:01 -05:00
|
|
|
// parsed by Caddy. Default: localhost:2019
|
2019-12-10 15:36:46 -05:00
|
|
|
Listen string `json:"listen,omitempty"`
|
|
|
|
|
|
|
|
// If true, CORS headers will be emitted, and requests to the
|
|
|
|
// API will be rejected if their `Host` and `Origin` headers
|
|
|
|
// do not match the expected value(s). Use `origins` to
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// customize which origins/hosts are allowed. If `origins` is
|
2019-12-10 15:36:46 -05:00
|
|
|
// not set, the listen address is the only value allowed by
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// default. Enforced only on local (plaintext) endpoint.
|
2019-12-10 15:36:46 -05:00
|
|
|
EnforceOrigin bool `json:"enforce_origin,omitempty"`
|
|
|
|
|
2020-04-16 12:41:32 -05:00
|
|
|
// The list of allowed origins/hosts for API requests. Only needed
|
|
|
|
// if accessing the admin endpoint from a host different from the
|
|
|
|
// socket's network interface or if `enforce_origin` is true. If not
|
|
|
|
// set, the listener address will be the default value. If set but
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// empty, no origins will be allowed. Enforced only on local
|
|
|
|
// (plaintext) endpoint.
|
2019-12-10 15:36:46 -05:00
|
|
|
Origins []string `json:"origins,omitempty"`
|
2019-12-31 18:56:19 -05:00
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// Options pertaining to configuration management.
|
2019-12-31 18:56:19 -05:00
|
|
|
Config *ConfigSettings `json:"config,omitempty"`
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
|
|
|
|
// Options that establish this server's identity. Identity refers to
|
|
|
|
// credentials which can be used to uniquely identify and authenticate
|
|
|
|
// this server instance. This is required if remote administration is
|
|
|
|
// enabled (but does not require remote administration to be enabled).
|
|
|
|
// Default: no identity management.
|
|
|
|
Identity *IdentityConfig `json:"identity,omitempty"`
|
|
|
|
|
|
|
|
// Options pertaining to remote administration. By default, remote
|
|
|
|
// administration is disabled. If enabled, identity management must
|
|
|
|
// also be configured, as that is how the endpoint is secured.
|
|
|
|
// See the neighboring "identity" object.
|
|
|
|
//
|
|
|
|
// EXPERIMENTAL: This feature is subject to change.
|
|
|
|
Remote *RemoteAdmin `json:"remote,omitempty"`
|
2019-12-31 18:56:19 -05:00
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// ConfigSettings configures the management of configuration.
|
2019-12-31 18:56:19 -05:00
|
|
|
type ConfigSettings struct {
|
|
|
|
// Whether to keep a copy of the active config on disk. Default is true.
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// Note that "pulled" dynamic configs (using the neighboring "load" module)
|
|
|
|
// are not persisted; only configs that are pushed to Caddy get persisted.
|
2019-12-31 18:56:19 -05:00
|
|
|
Persist *bool `json:"persist,omitempty"`
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
|
|
|
|
// Loads a configuration to use. This is helpful if your configs are
|
|
|
|
// managed elsewhere, and you want Caddy to pull its config dynamically
|
|
|
|
// when it starts. The pulled config completely replaces the current
|
|
|
|
// one, just like any other config load. It is an error if a pulled
|
|
|
|
// config is configured to pull another config.
|
|
|
|
//
|
|
|
|
// EXPERIMENTAL: Subject to change.
|
|
|
|
LoadRaw json.RawMessage `json:"load,omitempty" caddy:"namespace=caddy.config_loaders inline_key=module"`
|
2019-06-28 16:39:41 -05:00
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// IdentityConfig configures management of this server's identity. An identity
|
|
|
|
// consists of credentials that uniquely verify this instance; for example,
|
|
|
|
// TLS certificates (public + private key pairs).
|
|
|
|
type IdentityConfig struct {
|
|
|
|
// List of names or IP addresses which refer to this server.
|
|
|
|
// Certificates will be obtained for these identifiers so
|
|
|
|
// secure TLS connections can be made using them.
|
|
|
|
Identifiers []string `json:"identifiers,omitempty"`
|
|
|
|
|
|
|
|
// Issuers that can provide this admin endpoint its identity
|
|
|
|
// certificate(s). Default: ACME issuers configured for
|
|
|
|
// ZeroSSL and Let's Encrypt. Be sure to change this if you
|
|
|
|
// require credentials for private identifiers.
|
|
|
|
IssuersRaw []json.RawMessage `json:"issuers,omitempty" caddy:"namespace=tls.issuance inline_key=module"`
|
|
|
|
|
|
|
|
issuers []certmagic.Issuer
|
|
|
|
}
|
|
|
|
|
|
|
|
// RemoteAdmin enables and configures remote administration. If enabled,
|
|
|
|
// a secure listener enforcing mutual TLS authentication will be started
|
|
|
|
// on a different port from the standard plaintext admin server.
|
|
|
|
//
|
|
|
|
// This endpoint is secured using identity management, which must be
|
|
|
|
// configured separately (because identity management does not depend
|
|
|
|
// on remote administration). See the admin/identity config struct.
|
|
|
|
//
|
|
|
|
// EXPERIMENTAL: Subject to change.
|
|
|
|
type RemoteAdmin struct {
|
|
|
|
// The address on which to start the secure listener.
|
|
|
|
// Default: :2021
|
|
|
|
Listen string `json:"listen,omitempty"`
|
|
|
|
|
|
|
|
// List of access controls for this secure admin endpoint.
|
|
|
|
// This configures TLS mutual authentication (i.e. authorized
|
|
|
|
// client certificates), but also application-layer permissions
|
|
|
|
// like which paths and methods each identity is authorized for.
|
|
|
|
AccessControl []*AdminAccess `json:"access_control,omitempty"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// AdminAccess specifies what permissions an identity or group
|
|
|
|
// of identities are granted.
|
|
|
|
type AdminAccess struct {
|
|
|
|
// Base64-encoded DER certificates containing public keys to accept.
|
|
|
|
// (The contents of PEM certificate blocks are base64-encoded DER.)
|
|
|
|
// Any of these public keys can appear in any part of a verified chain.
|
|
|
|
PublicKeys []string `json:"public_keys,omitempty"`
|
|
|
|
|
|
|
|
// Limits what the associated identities are allowed to do.
|
|
|
|
// If unspecified, all permissions are granted.
|
|
|
|
Permissions []AdminPermissions `json:"permissions,omitempty"`
|
|
|
|
|
|
|
|
publicKeys []crypto.PublicKey
|
|
|
|
}
|
|
|
|
|
|
|
|
// AdminPermissions specifies what kinds of requests are allowed
|
|
|
|
// to be made to the admin endpoint.
|
|
|
|
type AdminPermissions struct {
|
|
|
|
// The API paths allowed. Paths are simple prefix matches.
|
|
|
|
// Any subpath of the specified paths will be allowed.
|
|
|
|
Paths []string `json:"paths,omitempty"`
|
|
|
|
|
|
|
|
// The HTTP methods allowed for the given paths.
|
|
|
|
Methods []string `json:"methods,omitempty"`
|
2019-06-28 16:39:41 -05:00
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// newAdminHandler reads admin's config and returns an http.Handler suitable
|
|
|
|
// for use in an admin endpoint server, which will be listening on listenAddr.
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
func (admin AdminConfig) newAdminHandler(addr NetworkAddress, remote bool) adminHandler {
|
|
|
|
muxWrap := adminHandler{mux: http.NewServeMux()}
|
|
|
|
|
|
|
|
// secure the local or remote endpoint respectively
|
|
|
|
if remote {
|
|
|
|
muxWrap.remoteControl = admin.Remote
|
|
|
|
} else {
|
|
|
|
muxWrap.enforceHost = !addr.isWildcardInterface()
|
|
|
|
muxWrap.allowedOrigins = admin.allowedOrigins(addr)
|
2019-10-30 16:12:42 -05:00
|
|
|
}
|
|
|
|
|
2020-09-17 13:01:20 -05:00
|
|
|
addRouteWithMetrics := func(pattern string, handlerLabel string, h http.Handler) {
|
|
|
|
labels := prometheus.Labels{"path": pattern, "handler": handlerLabel}
|
2020-09-22 21:10:34 -05:00
|
|
|
h = instrumentHandlerCounter(
|
2020-09-17 13:01:20 -05:00
|
|
|
adminMetrics.requestCount.MustCurryWith(labels),
|
|
|
|
h,
|
|
|
|
)
|
|
|
|
muxWrap.mux.Handle(pattern, h)
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
// addRoute just calls muxWrap.mux.Handle after
|
|
|
|
// wrapping the handler with error handling
|
2020-09-17 13:01:20 -05:00
|
|
|
addRoute := func(pattern string, handlerLabel string, h AdminHandler) {
|
2019-11-04 14:05:20 -05:00
|
|
|
wrapper := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
err := h.ServeHTTP(w, r)
|
2020-09-17 13:01:20 -05:00
|
|
|
if err != nil {
|
|
|
|
labels := prometheus.Labels{
|
|
|
|
"path": pattern,
|
|
|
|
"handler": handlerLabel,
|
2020-09-22 21:10:34 -05:00
|
|
|
"method": strings.ToUpper(r.Method),
|
2020-09-17 13:01:20 -05:00
|
|
|
}
|
|
|
|
adminMetrics.requestErrors.With(labels).Inc()
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
muxWrap.handleError(w, r, err)
|
|
|
|
})
|
2020-09-17 13:01:20 -05:00
|
|
|
addRouteWithMetrics(pattern, handlerLabel, wrapper)
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
|
2020-09-17 13:01:20 -05:00
|
|
|
const handlerLabel = "admin"
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// register standard config control endpoints
|
2020-09-17 13:01:20 -05:00
|
|
|
addRoute("/"+rawConfigKey+"/", handlerLabel, AdminHandlerFunc(handleConfig))
|
|
|
|
addRoute("/id/", handlerLabel, AdminHandlerFunc(handleConfigID))
|
|
|
|
addRoute("/stop", handlerLabel, AdminHandlerFunc(handleStop))
|
2019-11-04 14:05:20 -05:00
|
|
|
|
|
|
|
// register debugging endpoints
|
2020-09-17 13:01:20 -05:00
|
|
|
addRouteWithMetrics("/debug/pprof/", handlerLabel, http.HandlerFunc(pprof.Index))
|
|
|
|
addRouteWithMetrics("/debug/pprof/cmdline", handlerLabel, http.HandlerFunc(pprof.Cmdline))
|
|
|
|
addRouteWithMetrics("/debug/pprof/profile", handlerLabel, http.HandlerFunc(pprof.Profile))
|
|
|
|
addRouteWithMetrics("/debug/pprof/symbol", handlerLabel, http.HandlerFunc(pprof.Symbol))
|
|
|
|
addRouteWithMetrics("/debug/pprof/trace", handlerLabel, http.HandlerFunc(pprof.Trace))
|
|
|
|
addRouteWithMetrics("/debug/vars", handlerLabel, expvar.Handler())
|
2019-11-04 14:05:20 -05:00
|
|
|
|
|
|
|
// register third-party module endpoints
|
|
|
|
for _, m := range GetModules("admin.api") {
|
|
|
|
router := m.New().(AdminRouter)
|
2020-09-17 13:01:20 -05:00
|
|
|
handlerLabel := m.ID.Name()
|
2019-11-04 14:05:20 -05:00
|
|
|
for _, route := range router.Routes() {
|
2020-09-17 13:01:20 -05:00
|
|
|
addRoute(route.Pattern, handlerLabel, route.Handler)
|
2019-06-28 16:39:41 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
return muxWrap
|
|
|
|
}
|
|
|
|
|
|
|
|
// allowedOrigins returns a list of origins that are allowed.
|
|
|
|
// If admin.Origins is nil (null), the provided listen address
|
|
|
|
// will be used as the default origin. If admin.Origins is
|
|
|
|
// empty, no origins will be allowed, effectively bricking the
|
2020-04-10 18:31:38 -05:00
|
|
|
// endpoint for non-unix-socket endpoints, but whatever.
|
|
|
|
func (admin AdminConfig) allowedOrigins(addr NetworkAddress) []string {
|
2019-11-04 14:05:20 -05:00
|
|
|
uniqueOrigins := make(map[string]struct{})
|
|
|
|
for _, o := range admin.Origins {
|
|
|
|
uniqueOrigins[o] = struct{}{}
|
2019-09-13 12:24:07 -05:00
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
if admin.Origins == nil {
|
2020-04-10 18:31:38 -05:00
|
|
|
if addr.isLoopback() {
|
|
|
|
if addr.IsUnixNetwork() {
|
|
|
|
// RFC 2616, Section 14.26:
|
|
|
|
// "A client MUST include a Host header field in all HTTP/1.1 request
|
|
|
|
// messages. If the requested URI does not include an Internet host
|
|
|
|
// name for the service being requested, then the Host header field MUST
|
|
|
|
// be given with an empty value."
|
|
|
|
uniqueOrigins[""] = struct{}{}
|
|
|
|
} else {
|
|
|
|
uniqueOrigins[net.JoinHostPort("localhost", addr.port())] = struct{}{}
|
|
|
|
uniqueOrigins[net.JoinHostPort("::1", addr.port())] = struct{}{}
|
|
|
|
uniqueOrigins[net.JoinHostPort("127.0.0.1", addr.port())] = struct{}{}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !addr.IsUnixNetwork() {
|
|
|
|
uniqueOrigins[addr.JoinHostPort(0)] = struct{}{}
|
|
|
|
}
|
2019-09-13 12:24:07 -05:00
|
|
|
}
|
2020-04-08 16:31:51 -05:00
|
|
|
allowed := make([]string, 0, len(uniqueOrigins))
|
2019-11-04 14:05:20 -05:00
|
|
|
for origin := range uniqueOrigins {
|
|
|
|
allowed = append(allowed, origin)
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
return allowed
|
|
|
|
}
|
2019-03-26 13:00:54 -05:00
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// replaceLocalAdminServer replaces the running local admin server
|
|
|
|
// according to the relevant configuration in cfg. If no configuration
|
|
|
|
// for the admin endpoint exists in cfg, a default one is used, so
|
|
|
|
// that there is always an admin server (unless it is explicitly
|
|
|
|
// configured to be disabled).
|
|
|
|
func replaceLocalAdminServer(cfg *Config) error {
|
2019-11-04 14:05:20 -05:00
|
|
|
// always be sure to close down the old admin endpoint
|
|
|
|
// as gracefully as possible, even if the new one is
|
|
|
|
// disabled -- careful to use reference to the current
|
|
|
|
// (old) admin endpoint since it will be different
|
|
|
|
// when the function returns
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
oldAdminServer := localAdminServer
|
2019-11-04 14:05:20 -05:00
|
|
|
defer func() {
|
|
|
|
// do the shutdown asynchronously so that any
|
|
|
|
// current API request gets a response; this
|
|
|
|
// goroutine may last a few seconds
|
|
|
|
if oldAdminServer != nil {
|
|
|
|
go func(oldAdminServer *http.Server) {
|
|
|
|
err := stopAdminServer(oldAdminServer)
|
|
|
|
if err != nil {
|
|
|
|
Log().Named("admin").Error("stopping current admin endpoint", zap.Error(err))
|
|
|
|
}
|
|
|
|
}(oldAdminServer)
|
|
|
|
}
|
|
|
|
}()
|
2019-03-26 13:00:54 -05:00
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// always get a valid admin config
|
|
|
|
adminConfig := DefaultAdminConfig
|
|
|
|
if cfg != nil && cfg.Admin != nil {
|
|
|
|
adminConfig = cfg.Admin
|
|
|
|
}
|
2019-03-26 20:42:52 -05:00
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// if new admin endpoint is to be disabled, we're done
|
|
|
|
if adminConfig.Disabled {
|
|
|
|
Log().Named("admin").Warn("admin endpoint disabled")
|
|
|
|
return nil
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// extract a singular listener address
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
addr, err := parseAdminListenAddr(adminConfig.Listen, DefaultAdminListen)
|
2019-11-04 14:05:20 -05:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-06-05 12:10:19 -05:00
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
handler := adminConfig.newAdminHandler(addr, false)
|
2019-11-04 14:05:20 -05:00
|
|
|
|
2020-04-10 18:31:38 -05:00
|
|
|
ln, err := Listen(addr.Network, addr.JoinHostPort(0))
|
2019-11-04 14:05:20 -05:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
localAdminServer = &http.Server{
|
|
|
|
Addr: addr.String(), // for logging purposes only
|
2019-06-05 12:10:19 -05:00
|
|
|
Handler: handler,
|
2019-11-04 14:05:20 -05:00
|
|
|
ReadTimeout: 10 * time.Second,
|
2019-03-26 20:42:52 -05:00
|
|
|
ReadHeaderTimeout: 5 * time.Second,
|
2019-11-04 14:05:20 -05:00
|
|
|
IdleTimeout: 60 * time.Second,
|
2019-10-09 20:10:00 -05:00
|
|
|
MaxHeaderBytes: 1024 * 64,
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
|
|
|
|
2020-07-31 17:54:18 -05:00
|
|
|
adminLogger := Log().Named("admin")
|
|
|
|
go func() {
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
if err := localAdminServer.Serve(ln); !errors.Is(err, http.ErrServerClosed) {
|
2020-07-31 17:54:18 -05:00
|
|
|
adminLogger.Error("admin server shutdown for unknown reason", zap.Error(err))
|
|
|
|
}
|
|
|
|
}()
|
2019-03-26 13:00:54 -05:00
|
|
|
|
2020-07-31 17:54:18 -05:00
|
|
|
adminLogger.Info("admin endpoint started",
|
2020-04-10 18:31:38 -05:00
|
|
|
zap.String("address", addr.String()),
|
2019-11-04 14:05:20 -05:00
|
|
|
zap.Bool("enforce_origin", adminConfig.EnforceOrigin),
|
2020-04-16 12:41:32 -05:00
|
|
|
zap.Strings("origins", handler.allowedOrigins))
|
|
|
|
|
|
|
|
if !handler.enforceHost {
|
2020-07-31 17:54:18 -05:00
|
|
|
adminLogger.Warn("admin endpoint on open interface; host checking disabled",
|
2020-04-16 12:41:32 -05:00
|
|
|
zap.String("address", addr.String()))
|
|
|
|
}
|
2019-06-28 16:39:41 -05:00
|
|
|
|
2019-03-26 13:00:54 -05:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// manageIdentity sets up automated identity management for this server.
|
|
|
|
func manageIdentity(ctx Context, cfg *Config) error {
|
|
|
|
if cfg == nil || cfg.Admin == nil || cfg.Admin.Identity == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
oldIdentityCertCache := identityCertCache
|
|
|
|
if oldIdentityCertCache != nil {
|
|
|
|
defer oldIdentityCertCache.Stop()
|
|
|
|
}
|
|
|
|
|
|
|
|
// set default issuers; this is pretty hacky because we can't
|
|
|
|
// import the caddytls package -- but it works
|
|
|
|
if cfg.Admin.Identity.IssuersRaw == nil {
|
|
|
|
cfg.Admin.Identity.IssuersRaw = []json.RawMessage{
|
|
|
|
json.RawMessage(`{"module": "zerossl"}`),
|
|
|
|
json.RawMessage(`{"module": "acme"}`),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// load and provision issuer modules
|
|
|
|
if cfg.Admin.Identity.IssuersRaw != nil {
|
|
|
|
val, err := ctx.LoadModule(cfg.Admin.Identity, "IssuersRaw")
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("loading identity issuer modules: %s", err)
|
|
|
|
}
|
|
|
|
for _, issVal := range val.([]interface{}) {
|
|
|
|
cfg.Admin.Identity.issuers = append(cfg.Admin.Identity.issuers, issVal.(certmagic.Issuer))
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
logger := Log().Named("admin.identity")
|
|
|
|
cmCfg := cfg.Admin.Identity.certmagicConfig(logger)
|
|
|
|
|
|
|
|
// issuers have circular dependencies with the configs because,
|
|
|
|
// as explained in the caddytls package, they need access to the
|
|
|
|
// correct storage and cache to solve ACME challenges
|
|
|
|
for _, issuer := range cfg.Admin.Identity.issuers {
|
|
|
|
// avoid import cycle with caddytls package, so manually duplicate the interface here, yuck
|
|
|
|
if annoying, ok := issuer.(interface{ SetConfig(cfg *certmagic.Config) }); ok {
|
|
|
|
annoying.SetConfig(cmCfg)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// obtain and renew server identity certificate(s)
|
|
|
|
return cmCfg.ManageAsync(ctx, cfg.Admin.Identity.Identifiers)
|
|
|
|
}
|
|
|
|
|
|
|
|
// replaceRemoteAdminServer replaces the running remote admin server
|
|
|
|
// according to the relevant configuration in cfg. It stops any previous
|
|
|
|
// remote admin server and only starts a new one if configured.
|
|
|
|
func replaceRemoteAdminServer(ctx Context, cfg *Config) error {
|
|
|
|
if cfg == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
remoteLogger := Log().Named("admin.remote")
|
|
|
|
|
|
|
|
oldAdminServer := remoteAdminServer
|
|
|
|
defer func() {
|
|
|
|
if oldAdminServer != nil {
|
|
|
|
go func(oldAdminServer *http.Server) {
|
|
|
|
err := stopAdminServer(oldAdminServer)
|
|
|
|
if err != nil {
|
|
|
|
Log().Named("admin").Error("stopping current secure admin endpoint", zap.Error(err))
|
|
|
|
}
|
|
|
|
}(oldAdminServer)
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
if cfg.Admin == nil || cfg.Admin.Remote == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
addr, err := parseAdminListenAddr(cfg.Admin.Remote.Listen, DefaultRemoteAdminListen)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// make the HTTP handler but disable Host/Origin enforcement
|
|
|
|
// because we are using TLS authentication instead
|
|
|
|
handler := cfg.Admin.newAdminHandler(addr, true)
|
|
|
|
|
|
|
|
// create client certificate pool for TLS mutual auth, and extract public keys
|
|
|
|
// so that we can enforce access controls at the application layer
|
|
|
|
clientCertPool := x509.NewCertPool()
|
|
|
|
for i, accessControl := range cfg.Admin.Remote.AccessControl {
|
|
|
|
for j, certBase64 := range accessControl.PublicKeys {
|
|
|
|
cert, err := decodeBase64DERCert(certBase64)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("access control %d public key %d: parsing base64 certificate DER: %v", i, j, err)
|
|
|
|
}
|
|
|
|
accessControl.publicKeys = append(accessControl.publicKeys, cert.PublicKey)
|
|
|
|
clientCertPool.AddCert(cert)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// create TLS config that will enforce mutual authentication
|
|
|
|
cmCfg := cfg.Admin.Identity.certmagicConfig(remoteLogger)
|
|
|
|
tlsConfig := cmCfg.TLSConfig()
|
|
|
|
tlsConfig.NextProtos = nil // this server does not solve ACME challenges
|
|
|
|
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
|
|
|
tlsConfig.ClientCAs = clientCertPool
|
|
|
|
|
|
|
|
// convert logger to stdlib so it can be used by HTTP server
|
|
|
|
serverLogger, err := zap.NewStdLogAt(remoteLogger, zap.DebugLevel)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// create secure HTTP server
|
|
|
|
remoteAdminServer = &http.Server{
|
|
|
|
Addr: addr.String(), // for logging purposes only
|
|
|
|
Handler: handler,
|
|
|
|
TLSConfig: tlsConfig,
|
|
|
|
ReadTimeout: 10 * time.Second,
|
|
|
|
ReadHeaderTimeout: 5 * time.Second,
|
|
|
|
IdleTimeout: 60 * time.Second,
|
|
|
|
MaxHeaderBytes: 1024 * 64,
|
|
|
|
ErrorLog: serverLogger,
|
|
|
|
}
|
|
|
|
|
|
|
|
// start listener
|
|
|
|
ln, err := Listen(addr.Network, addr.JoinHostPort(0))
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
ln = tls.NewListener(ln, tlsConfig)
|
|
|
|
|
|
|
|
go func() {
|
|
|
|
if err := remoteAdminServer.Serve(ln); !errors.Is(err, http.ErrServerClosed) {
|
|
|
|
remoteLogger.Error("admin remote server shutdown for unknown reason", zap.Error(err))
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
remoteLogger.Info("secure admin remote control endpoint started",
|
|
|
|
zap.String("address", addr.String()))
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (ident *IdentityConfig) certmagicConfig(logger *zap.Logger) *certmagic.Config {
|
|
|
|
if ident == nil {
|
|
|
|
// user might not have configured identity; that's OK, we can still make a
|
|
|
|
// certmagic config, although it'll be mostly useless for remote management
|
|
|
|
ident = new(IdentityConfig)
|
|
|
|
}
|
|
|
|
cmCfg := &certmagic.Config{
|
|
|
|
Storage: DefaultStorage, // do not act as part of a cluster (this is for the server's local identity)
|
|
|
|
Logger: logger,
|
|
|
|
Issuers: ident.issuers,
|
|
|
|
}
|
|
|
|
if identityCertCache == nil {
|
|
|
|
identityCertCache = certmagic.NewCache(certmagic.CacheOptions{
|
|
|
|
GetConfigForCert: func(certmagic.Certificate) (*certmagic.Config, error) {
|
|
|
|
return cmCfg, nil
|
|
|
|
},
|
|
|
|
})
|
|
|
|
}
|
|
|
|
return certmagic.New(identityCertCache, *cmCfg)
|
|
|
|
}
|
|
|
|
|
|
|
|
// IdentityCredentials returns this instance's configured, managed identity credentials
|
|
|
|
// that can be used in TLS client authentication.
|
|
|
|
func (ctx Context) IdentityCredentials(logger *zap.Logger) ([]tls.Certificate, error) {
|
|
|
|
if ctx.cfg == nil || ctx.cfg.Admin == nil || ctx.cfg.Admin.Identity == nil {
|
|
|
|
return nil, fmt.Errorf("no server identity configured")
|
|
|
|
}
|
|
|
|
ident := ctx.cfg.Admin.Identity
|
|
|
|
if len(ident.Identifiers) == 0 {
|
|
|
|
return nil, fmt.Errorf("no identifiers configured")
|
|
|
|
}
|
|
|
|
if logger == nil {
|
|
|
|
logger = Log()
|
|
|
|
}
|
|
|
|
magic := ident.certmagicConfig(logger)
|
|
|
|
return magic.ClientCredentials(ctx, ident.Identifiers)
|
|
|
|
}
|
|
|
|
|
|
|
|
// enforceAccessControls enforces application-layer access controls for r based on remote.
|
|
|
|
// It expects that the TLS server has already established at least one verified chain of
|
|
|
|
// trust, and then looks for a matching, authorized public key that is allowed to access
|
|
|
|
// the defined path(s) using the defined method(s).
|
|
|
|
func (remote RemoteAdmin) enforceAccessControls(r *http.Request) error {
|
|
|
|
for _, chain := range r.TLS.VerifiedChains {
|
|
|
|
for _, peerCert := range chain {
|
|
|
|
for _, adminAccess := range remote.AccessControl {
|
|
|
|
for _, allowedKey := range adminAccess.publicKeys {
|
|
|
|
// see if we found a matching public key; the TLS server already verified the chain
|
|
|
|
// so we know the client possesses the associated private key; this handy interface
|
|
|
|
// doesn't appear to be defined anywhere in the std lib, but was implemented here:
|
|
|
|
// https://github.com/golang/go/commit/b5f2c0f50297fa5cd14af668ddd7fd923626cf8c
|
|
|
|
comparer, ok := peerCert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
|
|
|
|
if !ok || !comparer.Equal(allowedKey) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// key recognized; make sure its HTTP request is permitted
|
|
|
|
for _, accessPerm := range adminAccess.Permissions {
|
|
|
|
// verify method
|
|
|
|
methodFound := accessPerm.Methods == nil
|
|
|
|
for _, method := range accessPerm.Methods {
|
|
|
|
if method == r.Method {
|
|
|
|
methodFound = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !methodFound {
|
|
|
|
return APIError{
|
|
|
|
HTTPStatus: http.StatusForbidden,
|
|
|
|
Message: "not authorized to use this method",
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// verify path
|
|
|
|
pathFound := accessPerm.Paths == nil
|
|
|
|
for _, allowedPath := range accessPerm.Paths {
|
|
|
|
if strings.HasPrefix(r.URL.Path, allowedPath) {
|
|
|
|
pathFound = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !pathFound {
|
|
|
|
return APIError{
|
|
|
|
HTTPStatus: http.StatusForbidden,
|
|
|
|
Message: "not authorized to access this path",
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// public key authorized, method and path allowed
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// in theory, this should never happen; with an unverified chain, the TLS server
|
|
|
|
// should not accept the connection in the first place, and the acceptable cert
|
|
|
|
// pool is configured using the same list of public keys we verify against
|
|
|
|
return APIError{
|
|
|
|
HTTPStatus: http.StatusUnauthorized,
|
|
|
|
Message: "client identity not authorized",
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
func stopAdminServer(srv *http.Server) error {
|
|
|
|
if srv == nil {
|
|
|
|
return fmt.Errorf("no admin server")
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
|
|
|
|
defer cancel()
|
|
|
|
err := srv.Shutdown(ctx)
|
2019-03-26 13:00:54 -05:00
|
|
|
if err != nil {
|
2019-11-04 14:05:20 -05:00
|
|
|
return fmt.Errorf("shutting down admin server: %v", err)
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
Log().Named("admin").Info("stopped previous server", zap.String("address", srv.Addr))
|
2019-03-26 13:00:54 -05:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-08-21 11:46:35 -05:00
|
|
|
// AdminRouter is a type which can return routes for the admin API.
|
|
|
|
type AdminRouter interface {
|
|
|
|
Routes() []AdminRoute
|
|
|
|
}
|
|
|
|
|
2019-03-26 16:45:51 -05:00
|
|
|
// AdminRoute represents a route for the admin endpoint.
|
|
|
|
type AdminRoute struct {
|
|
|
|
Pattern string
|
2019-11-04 14:05:20 -05:00
|
|
|
Handler AdminHandler
|
2019-03-26 16:45:51 -05:00
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
type adminHandler struct {
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
mux *http.ServeMux
|
|
|
|
|
|
|
|
// security for local/plaintext) endpoint, on by default
|
2019-11-04 14:05:20 -05:00
|
|
|
enforceOrigin bool
|
2020-04-16 12:41:32 -05:00
|
|
|
enforceHost bool
|
2019-11-04 14:05:20 -05:00
|
|
|
allowedOrigins []string
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
|
|
|
|
// security for remote/encrypted endpoint
|
|
|
|
remoteControl *RemoteAdmin
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// ServeHTTP is the external entry point for API requests.
|
|
|
|
// It will only be called once per request.
|
|
|
|
func (h adminHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
2020-09-25 19:00:08 -05:00
|
|
|
log := Log().Named("admin.api").With(
|
2019-11-04 14:05:20 -05:00
|
|
|
zap.String("method", r.Method),
|
2020-04-10 18:31:38 -05:00
|
|
|
zap.String("host", r.Host),
|
2019-11-04 14:05:20 -05:00
|
|
|
zap.String("uri", r.RequestURI),
|
|
|
|
zap.String("remote_addr", r.RemoteAddr),
|
|
|
|
zap.Reflect("headers", r.Header),
|
|
|
|
)
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
if r.TLS != nil {
|
|
|
|
log = log.With(
|
|
|
|
zap.Bool("secure", true),
|
|
|
|
zap.Int("verified_chains", len(r.TLS.VerifiedChains)),
|
|
|
|
)
|
|
|
|
}
|
2020-09-25 19:00:08 -05:00
|
|
|
if r.RequestURI == "/metrics" {
|
|
|
|
log.Debug("received request")
|
|
|
|
} else {
|
|
|
|
log.Info("received request")
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
h.serveHTTP(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
// serveHTTP is the internal entry point for API requests. It may
|
|
|
|
// be called more than once per request, for example if a request
|
|
|
|
// is rewritten (i.e. internal redirect).
|
|
|
|
func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
if h.remoteControl != nil {
|
|
|
|
// enforce access controls on secure endpoint
|
|
|
|
if err := h.remoteControl.enforceAccessControls(r); err != nil {
|
|
|
|
h.handleError(w, r, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-05-21 13:29:19 -05:00
|
|
|
if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
|
|
|
|
// I've never been able demonstrate a vulnerability myself, but apparently
|
|
|
|
// WebSocket connections originating from browsers aren't subject to CORS
|
|
|
|
// restrictions, so we'll just be on the safe side
|
|
|
|
h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2020-04-16 12:41:32 -05:00
|
|
|
if h.enforceHost {
|
|
|
|
// DNS rebinding mitigation
|
|
|
|
err := h.checkHost(r)
|
|
|
|
if err != nil {
|
|
|
|
h.handleError(w, r, err)
|
|
|
|
return
|
|
|
|
}
|
2020-04-10 18:31:38 -05:00
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
|
2020-04-10 18:31:38 -05:00
|
|
|
if h.enforceOrigin {
|
2019-11-04 14:05:20 -05:00
|
|
|
// cross-site mitigation
|
|
|
|
origin, err := h.checkOrigin(r)
|
|
|
|
if err != nil {
|
|
|
|
h.handleError(w, r, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-12-23 14:46:01 -05:00
|
|
|
if r.Method == http.MethodOptions {
|
|
|
|
w.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PUT, PATCH, DELETE")
|
|
|
|
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Content-Length, Cache-Control")
|
|
|
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
w.Header().Set("Access-Control-Allow-Origin", origin)
|
|
|
|
}
|
|
|
|
|
|
|
|
h.mux.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h adminHandler) handleError(w http.ResponseWriter, r *http.Request, err error) {
|
|
|
|
if err == nil {
|
2019-03-26 13:00:54 -05:00
|
|
|
return
|
|
|
|
}
|
2021-05-19 11:27:25 -05:00
|
|
|
if err == errInternalRedir {
|
|
|
|
h.serveHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
|
|
|
|
apiErr, ok := err.(APIError)
|
|
|
|
if !ok {
|
|
|
|
apiErr = APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusInternalServerError,
|
|
|
|
Err: err,
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
if apiErr.HTTPStatus == 0 {
|
|
|
|
apiErr.HTTPStatus = http.StatusInternalServerError
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
if apiErr.Message == "" && apiErr.Err != nil {
|
|
|
|
apiErr.Message = apiErr.Err.Error()
|
|
|
|
}
|
|
|
|
|
|
|
|
Log().Named("admin.api").Error("request error",
|
|
|
|
zap.Error(err),
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
zap.Int("status_code", apiErr.HTTPStatus),
|
2019-11-04 14:05:20 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
w.WriteHeader(apiErr.HTTPStatus)
|
2020-11-22 16:50:29 -05:00
|
|
|
encErr := json.NewEncoder(w).Encode(apiErr)
|
|
|
|
if encErr != nil {
|
|
|
|
Log().Named("admin.api").Error("failed to encode error response", zap.Error(encErr))
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// checkHost returns a handler that wraps next such that
|
|
|
|
// it will only be called if the request's Host header matches
|
|
|
|
// a trustworthy/expected value. This helps to mitigate DNS
|
|
|
|
// rebinding attacks.
|
|
|
|
func (h adminHandler) checkHost(r *http.Request) error {
|
|
|
|
var allowed bool
|
|
|
|
for _, allowedHost := range h.allowedOrigins {
|
|
|
|
if r.Host == allowedHost {
|
|
|
|
allowed = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !allowed {
|
|
|
|
return APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusForbidden,
|
|
|
|
Err: fmt.Errorf("host not allowed: %s", r.Host),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// checkOrigin ensures that the Origin header, if
|
|
|
|
// set, matches the intended target; prevents arbitrary
|
|
|
|
// sites from issuing requests to our listener. It
|
|
|
|
// returns the origin that was obtained from r.
|
|
|
|
func (h adminHandler) checkOrigin(r *http.Request) (string, error) {
|
|
|
|
origin := h.getOriginHost(r)
|
|
|
|
if origin == "" {
|
|
|
|
return origin, APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusForbidden,
|
|
|
|
Err: fmt.Errorf("missing required Origin header"),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if !h.originAllowed(origin) {
|
|
|
|
return origin, APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusForbidden,
|
|
|
|
Err: fmt.Errorf("client is not allowed to access from origin %s", origin),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return origin, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h adminHandler) getOriginHost(r *http.Request) string {
|
|
|
|
origin := r.Header.Get("Origin")
|
|
|
|
if origin == "" {
|
|
|
|
origin = r.Header.Get("Referer")
|
|
|
|
}
|
|
|
|
originURL, err := url.Parse(origin)
|
|
|
|
if err == nil && originURL.Host != "" {
|
|
|
|
origin = originURL.Host
|
|
|
|
}
|
|
|
|
return origin
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h adminHandler) originAllowed(origin string) bool {
|
|
|
|
for _, allowedOrigin := range h.allowedOrigins {
|
|
|
|
originCopy := origin
|
|
|
|
if !strings.Contains(allowedOrigin, "://") {
|
|
|
|
// no scheme specified, so allow both
|
|
|
|
originCopy = strings.TrimPrefix(originCopy, "http://")
|
|
|
|
originCopy = strings.TrimPrefix(originCopy, "https://")
|
|
|
|
}
|
|
|
|
if originCopy == allowedOrigin {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func handleConfig(w http.ResponseWriter, r *http.Request) error {
|
|
|
|
switch r.Method {
|
|
|
|
case http.MethodGet:
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
err := readConfig(r.URL.Path, w)
|
|
|
|
if err != nil {
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
return APIError{HTTPStatus: http.StatusBadRequest, Err: err}
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
|
|
case http.MethodPost,
|
|
|
|
http.MethodPut,
|
|
|
|
http.MethodPatch,
|
|
|
|
http.MethodDelete:
|
|
|
|
|
|
|
|
// DELETE does not use a body, but the others do
|
|
|
|
var body []byte
|
|
|
|
if r.Method != http.MethodDelete {
|
|
|
|
if ct := r.Header.Get("Content-Type"); !strings.Contains(ct, "/json") {
|
|
|
|
return APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusBadRequest,
|
|
|
|
Err: fmt.Errorf("unacceptable content-type: %v; 'application/json' required", ct),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
buf := bufPool.Get().(*bytes.Buffer)
|
|
|
|
buf.Reset()
|
|
|
|
defer bufPool.Put(buf)
|
|
|
|
|
|
|
|
_, err := io.Copy(buf, r.Body)
|
|
|
|
if err != nil {
|
|
|
|
return APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusBadRequest,
|
|
|
|
Err: fmt.Errorf("reading request body: %v", err),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
body = buf.Bytes()
|
2019-08-22 15:52:39 -05:00
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
|
|
|
|
forceReload := r.Header.Get("Cache-Control") == "must-revalidate"
|
|
|
|
|
|
|
|
err := changeConfig(r.Method, r.URL.Path, body, forceReload)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
default:
|
|
|
|
return APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusMethodNotAllowed,
|
|
|
|
Err: fmt.Errorf("method %s not allowed", r.Method),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func handleConfigID(w http.ResponseWriter, r *http.Request) error {
|
|
|
|
idPath := r.URL.Path
|
|
|
|
|
|
|
|
parts := strings.Split(idPath, "/")
|
|
|
|
if len(parts) < 3 || parts[2] == "" {
|
|
|
|
return fmt.Errorf("request path is missing object ID")
|
|
|
|
}
|
|
|
|
if parts[0] != "" || parts[1] != "id" {
|
|
|
|
return fmt.Errorf("malformed object path")
|
|
|
|
}
|
|
|
|
id := parts[2]
|
|
|
|
|
|
|
|
// map the ID to the expanded path
|
|
|
|
currentCfgMu.RLock()
|
|
|
|
expanded, ok := rawCfgIndex[id]
|
|
|
|
defer currentCfgMu.RUnlock()
|
|
|
|
if !ok {
|
|
|
|
return fmt.Errorf("unknown object ID '%s'", id)
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// piece the full URL path back together
|
|
|
|
parts = append([]string{expanded}, parts[3:]...)
|
|
|
|
r.URL.Path = path.Join(parts...)
|
|
|
|
|
2021-05-19 11:27:25 -05:00
|
|
|
return errInternalRedir
|
2019-11-04 14:53:14 -05:00
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
func handleStop(w http.ResponseWriter, r *http.Request) error {
|
2019-07-20 11:48:46 -05:00
|
|
|
if r.Method != http.MethodPost {
|
2019-11-04 14:05:20 -05:00
|
|
|
return APIError{
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus: http.StatusMethodNotAllowed,
|
|
|
|
Err: fmt.Errorf("method not allowed"),
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
}
|
2021-04-05 15:01:20 -05:00
|
|
|
|
|
|
|
if err := notify.NotifyStopping(); err != nil {
|
|
|
|
Log().Error("unable to notify stopping to service manager", zap.Error(err))
|
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
exitProcess(Log().Named("admin.api"))
|
2019-11-04 14:05:20 -05:00
|
|
|
return nil
|
2019-07-20 11:48:46 -05:00
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// unsyncedConfigAccess traverses into the current config and performs
|
|
|
|
// the operation at path according to method, using body and out as
|
|
|
|
// needed. This is a low-level, unsynchronized function; most callers
|
|
|
|
// will want to use changeConfig or readConfig instead. This requires a
|
|
|
|
// read or write lock on currentCfgMu, depending on method (GET needs
|
|
|
|
// only a read lock; all others need a write lock).
|
|
|
|
func unsyncedConfigAccess(method, path string, body []byte, out io.Writer) error {
|
|
|
|
var err error
|
|
|
|
var val interface{}
|
|
|
|
|
|
|
|
// if there is a request body, decode it into the
|
|
|
|
// variable that will be set in the config according
|
|
|
|
// to method and path
|
|
|
|
if len(body) > 0 {
|
|
|
|
err = json.Unmarshal(body, &val)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("decoding request body: %v", err)
|
|
|
|
}
|
|
|
|
}
|
2019-03-26 20:42:52 -05:00
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
enc := json.NewEncoder(out)
|
|
|
|
|
|
|
|
cleanPath := strings.Trim(path, "/")
|
|
|
|
if cleanPath == "" {
|
|
|
|
return fmt.Errorf("no traversable path")
|
2019-03-26 20:42:52 -05:00
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
parts := strings.Split(cleanPath, "/")
|
|
|
|
if len(parts) == 0 {
|
|
|
|
return fmt.Errorf("path missing")
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
2019-03-26 20:42:52 -05:00
|
|
|
|
2019-12-17 12:11:45 -05:00
|
|
|
// A path that ends with "..." implies:
|
|
|
|
// 1) the part before it is an array
|
|
|
|
// 2) the payload is an array
|
|
|
|
// and means that the user wants to expand the elements
|
|
|
|
// in the payload array and append each one into the
|
|
|
|
// destination array, like so:
|
|
|
|
// array = append(array, elems...)
|
|
|
|
// This special case is handled below.
|
|
|
|
ellipses := parts[len(parts)-1] == "..."
|
|
|
|
if ellipses {
|
|
|
|
parts = parts[:len(parts)-1]
|
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
var ptr interface{} = rawCfg
|
|
|
|
|
|
|
|
traverseLoop:
|
|
|
|
for i, part := range parts {
|
|
|
|
switch v := ptr.(type) {
|
|
|
|
case map[string]interface{}:
|
|
|
|
// if the next part enters a slice, and the slice is our destination,
|
|
|
|
// handle it specially (because appending to the slice copies the slice
|
|
|
|
// header, which does not replace the original one like we want)
|
|
|
|
if arr, ok := v[part].([]interface{}); ok && i == len(parts)-2 {
|
|
|
|
var idx int
|
|
|
|
if method != http.MethodPost {
|
|
|
|
idxStr := parts[len(parts)-1]
|
|
|
|
idx, err = strconv.Atoi(idxStr)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("[%s] invalid array index '%s': %v",
|
|
|
|
path, idxStr, err)
|
|
|
|
}
|
|
|
|
if idx < 0 || idx >= len(arr) {
|
|
|
|
return fmt.Errorf("[%s] array index out of bounds: %s", path, idxStr)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
switch method {
|
|
|
|
case http.MethodGet:
|
|
|
|
err = enc.Encode(arr[idx])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("encoding config: %v", err)
|
|
|
|
}
|
|
|
|
case http.MethodPost:
|
2019-12-17 12:11:45 -05:00
|
|
|
if ellipses {
|
|
|
|
valArray, ok := val.([]interface{})
|
|
|
|
if !ok {
|
|
|
|
return fmt.Errorf("final element is not an array")
|
|
|
|
}
|
|
|
|
v[part] = append(arr, valArray...)
|
|
|
|
} else {
|
|
|
|
v[part] = append(arr, val)
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
case http.MethodPut:
|
|
|
|
// avoid creation of new slice and a second copy (see
|
|
|
|
// https://github.com/golang/go/wiki/SliceTricks#insert)
|
|
|
|
arr = append(arr, nil)
|
|
|
|
copy(arr[idx+1:], arr[idx:])
|
|
|
|
arr[idx] = val
|
|
|
|
v[part] = arr
|
|
|
|
case http.MethodPatch:
|
|
|
|
arr[idx] = val
|
|
|
|
case http.MethodDelete:
|
|
|
|
v[part] = append(arr[:idx], arr[idx+1:]...)
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unrecognized method %s", method)
|
|
|
|
}
|
|
|
|
break traverseLoop
|
|
|
|
}
|
|
|
|
|
|
|
|
if i == len(parts)-1 {
|
|
|
|
switch method {
|
|
|
|
case http.MethodGet:
|
|
|
|
err = enc.Encode(v[part])
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("encoding config: %v", err)
|
|
|
|
}
|
|
|
|
case http.MethodPost:
|
2019-12-17 12:11:45 -05:00
|
|
|
// if the part is an existing list, POST appends to
|
|
|
|
// it, otherwise it just sets or creates the value
|
2019-11-04 14:05:20 -05:00
|
|
|
if arr, ok := v[part].([]interface{}); ok {
|
2019-12-17 12:11:45 -05:00
|
|
|
if ellipses {
|
|
|
|
valArray, ok := val.([]interface{})
|
|
|
|
if !ok {
|
|
|
|
return fmt.Errorf("final element is not an array")
|
|
|
|
}
|
|
|
|
v[part] = append(arr, valArray...)
|
|
|
|
} else {
|
|
|
|
v[part] = append(arr, val)
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
} else {
|
|
|
|
v[part] = val
|
|
|
|
}
|
|
|
|
case http.MethodPut:
|
|
|
|
if _, ok := v[part]; ok {
|
|
|
|
return fmt.Errorf("[%s] key already exists: %s", path, part)
|
|
|
|
}
|
|
|
|
v[part] = val
|
|
|
|
case http.MethodPatch:
|
|
|
|
if _, ok := v[part]; !ok {
|
|
|
|
return fmt.Errorf("[%s] key does not exist: %s", path, part)
|
|
|
|
}
|
|
|
|
v[part] = val
|
|
|
|
case http.MethodDelete:
|
|
|
|
delete(v, part)
|
|
|
|
default:
|
|
|
|
return fmt.Errorf("unrecognized method %s", method)
|
|
|
|
}
|
|
|
|
} else {
|
2019-12-15 14:58:01 -05:00
|
|
|
// if we are "PUTting" a new resource, the key(s) in its path
|
|
|
|
// might not exist yet; that's OK but we need to make them as
|
|
|
|
// we go, while we still have a pointer from the level above
|
|
|
|
if v[part] == nil && method == http.MethodPut {
|
|
|
|
v[part] = make(map[string]interface{})
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
ptr = v[part]
|
|
|
|
}
|
|
|
|
|
|
|
|
case []interface{}:
|
|
|
|
partInt, err := strconv.Atoi(part)
|
|
|
|
if err != nil {
|
|
|
|
return fmt.Errorf("[/%s] invalid array index '%s': %v",
|
|
|
|
strings.Join(parts[:i+1], "/"), part, err)
|
|
|
|
}
|
|
|
|
if partInt < 0 || partInt >= len(v) {
|
|
|
|
return fmt.Errorf("[/%s] array index out of bounds: %s",
|
|
|
|
strings.Join(parts[:i+1], "/"), part)
|
|
|
|
}
|
|
|
|
ptr = v[partInt]
|
|
|
|
|
|
|
|
default:
|
2019-12-10 15:36:46 -05:00
|
|
|
return fmt.Errorf("invalid traversal path at: %s", strings.Join(parts[:i+1], "/"))
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
2019-03-26 13:00:54 -05:00
|
|
|
}
|
2019-03-26 20:42:52 -05:00
|
|
|
|
2019-03-26 13:00:54 -05:00
|
|
|
return nil
|
|
|
|
}
|
2019-03-26 20:42:52 -05:00
|
|
|
|
2019-12-31 18:56:19 -05:00
|
|
|
// RemoveMetaFields removes meta fields like "@id" from a JSON message
|
|
|
|
// by using a simple regular expression. (An alternate way to do this
|
|
|
|
// would be to delete them from the raw, map[string]interface{}
|
|
|
|
// representation as they are indexed, then iterate the index we made
|
|
|
|
// and add them back after encoding as JSON, but this is simpler.)
|
2019-12-12 16:30:22 -05:00
|
|
|
func RemoveMetaFields(rawJSON []byte) []byte {
|
|
|
|
return idRegexp.ReplaceAllFunc(rawJSON, func(in []byte) []byte {
|
|
|
|
// matches with a comma on both sides (when "@id" property is
|
|
|
|
// not the first or last in the object) need to keep exactly
|
|
|
|
// one comma for correct JSON syntax
|
|
|
|
comma := []byte{','}
|
|
|
|
if bytes.HasPrefix(in, comma) && bytes.HasSuffix(in, comma) {
|
|
|
|
return comma
|
|
|
|
}
|
|
|
|
return []byte{}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
// AdminHandler is like http.Handler except ServeHTTP may return an error.
|
|
|
|
//
|
|
|
|
// If any handler encounters an error, it should be returned for proper
|
|
|
|
// handling.
|
|
|
|
type AdminHandler interface {
|
|
|
|
ServeHTTP(http.ResponseWriter, *http.Request) error
|
|
|
|
}
|
|
|
|
|
|
|
|
// AdminHandlerFunc is a convenience type like http.HandlerFunc.
|
|
|
|
type AdminHandlerFunc func(http.ResponseWriter, *http.Request) error
|
|
|
|
|
|
|
|
// ServeHTTP implements the Handler interface.
|
|
|
|
func (f AdminHandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) error {
|
|
|
|
return f(w, r)
|
|
|
|
}
|
|
|
|
|
|
|
|
// APIError is a structured error that every API
|
|
|
|
// handler should return for consistency in logging
|
|
|
|
// and client responses. If Message is unset, then
|
|
|
|
// Err.Error() will be serialized in its place.
|
|
|
|
type APIError struct {
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
HTTPStatus int `json:"-"`
|
|
|
|
Err error `json:"-"`
|
|
|
|
Message string `json:"error"`
|
2019-11-04 14:05:20 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
func (e APIError) Error() string {
|
|
|
|
if e.Err != nil {
|
|
|
|
return e.Err.Error()
|
|
|
|
}
|
|
|
|
return e.Message
|
|
|
|
}
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// parseAdminListenAddr extracts a singular listen address from either addr
|
|
|
|
// or defaultAddr, returning the network and the address of the listener.
|
|
|
|
func parseAdminListenAddr(addr string, defaultAddr string) (NetworkAddress, error) {
|
|
|
|
input := addr
|
|
|
|
if input == "" {
|
|
|
|
input = defaultAddr
|
|
|
|
}
|
|
|
|
listenAddr, err := ParseNetworkAddress(input)
|
|
|
|
if err != nil {
|
|
|
|
return NetworkAddress{}, fmt.Errorf("parsing listener address: %v", err)
|
|
|
|
}
|
|
|
|
if listenAddr.PortRangeSize() != 1 {
|
|
|
|
return NetworkAddress{}, fmt.Errorf("must be exactly one listener address; cannot listen on: %s", listenAddr)
|
|
|
|
}
|
|
|
|
return listenAddr, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
|
|
|
|
func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
|
|
|
|
derBytes, err := base64.StdEncoding.DecodeString(certStr)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return x509.ParseCertificate(derBytes)
|
|
|
|
}
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
var (
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// DefaultAdminListen is the address for the local admin
|
2019-11-04 14:05:20 -05:00
|
|
|
// listener, if none is specified at startup.
|
|
|
|
DefaultAdminListen = "localhost:2019"
|
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// DefaultRemoteAdminListen is the address for the remote
|
|
|
|
// (TLS-authenticated) admin listener, if enabled and not
|
|
|
|
// specified otherwise.
|
|
|
|
DefaultRemoteAdminListen = ":2021"
|
2019-11-04 14:05:20 -05:00
|
|
|
|
|
|
|
// DefaultAdminConfig is the default configuration
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// for the local administration endpoint.
|
2019-11-04 14:05:20 -05:00
|
|
|
DefaultAdminConfig = &AdminConfig{
|
|
|
|
Listen: DefaultAdminListen,
|
|
|
|
}
|
|
|
|
)
|
|
|
|
|
2020-05-13 12:28:15 -05:00
|
|
|
// PIDFile writes a pidfile to the file at filename. It
|
|
|
|
// will get deleted before the process gracefully exits.
|
|
|
|
func PIDFile(filename string) error {
|
|
|
|
pid := []byte(strconv.Itoa(os.Getpid()) + "\n")
|
2020-11-22 16:50:29 -05:00
|
|
|
err := ioutil.WriteFile(filename, pid, 0600)
|
2020-05-13 12:28:15 -05:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
pidfile = filename
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-11-27 13:49:49 -05:00
|
|
|
// idRegexp is used to match ID fields and their associated values
|
|
|
|
// in the config. It also matches adjacent commas so that syntax
|
|
|
|
// can be preserved no matter where in the object the field appears.
|
|
|
|
// It supports string and most numeric values.
|
2020-03-24 11:52:05 -05:00
|
|
|
var idRegexp = regexp.MustCompile(`(?m),?\s*"` + idKey + `"\s*:\s*(-?[0-9]+(\.[0-9]+)?|(?U)".*")\s*,?`)
|
2019-11-27 13:49:49 -05:00
|
|
|
|
2020-05-13 12:28:15 -05:00
|
|
|
// pidfile is the name of the pidfile, if any.
|
|
|
|
var pidfile string
|
|
|
|
|
2021-05-19 11:27:25 -05:00
|
|
|
// errInternalRedir indicates an internal redirect
|
|
|
|
// and is useful when admin API handlers rewrite
|
|
|
|
// the request; in that case, authentication and
|
|
|
|
// authorization needs to happen again for the
|
|
|
|
// rewritten request.
|
|
|
|
var errInternalRedir = fmt.Errorf("internal redirect; re-authorization required")
|
|
|
|
|
2019-11-04 14:05:20 -05:00
|
|
|
const (
|
|
|
|
rawConfigKey = "config"
|
|
|
|
idKey = "@id"
|
|
|
|
)
|
2019-07-05 10:59:13 -05:00
|
|
|
|
2019-03-26 20:42:52 -05:00
|
|
|
var bufPool = sync.Pool{
|
|
|
|
New: func() interface{} {
|
|
|
|
return new(bytes.Buffer)
|
|
|
|
},
|
|
|
|
}
|
2019-11-04 14:05:20 -05:00
|
|
|
|
admin: Identity management, remote admin, config loaders (#3994)
This commits dds 3 separate, but very related features:
1. Automated server identity management
How do you know you're connecting to the server you think you are? How do you know the server connecting to you is the server instance you think it is? Mutually-authenticated TLS (mTLS) answers both of these questions. Using TLS to authenticate requires a public/private key pair (and the peer must trust the certificate you present to it).
Fortunately, Caddy is really good at managing certificates by now. We tap into that power to make it possible for Caddy to obtain and renew its own identity credentials, or in other words, a certificate that can be used for both server verification when clients connect to it, and client verification when it connects to other servers. Its associated private key is essentially its identity, and TLS takes care of possession proofs.
This configuration is simply a list of identifiers and an optional list of custom certificate issuers. Identifiers are things like IP addresses or DNS names that can be used to access the Caddy instance. The default issuers are ZeroSSL and Let's Encrypt, but these are public CAs, so they won't issue certs for private identifiers. Caddy will simply manage credentials for these, which other parts of Caddy can use, for example: remote administration or dynamic config loading (described below).
2. Remote administration over secure connection
This feature adds generic remote admin functionality that is safe to expose on a public interface.
- The "remote" (or "secure") endpoint is optional. It does not affect the standard/local/plaintext endpoint.
- It's the same as the [API endpoint on localhost:2019](https://caddyserver.com/docs/api), but over TLS.
- TLS cannot be disabled on this endpoint.
- TLS mutual auth is required, and cannot be disabled.
- The server's certificate _must_ be obtained and renewed via automated means, such as ACME. It cannot be manually loaded.
- The TLS server takes care of verifying the client.
- The admin handler takes care of application-layer permissions (methods and paths that each client is allowed to use).\
- Sensible defaults are still WIP.
- Config fields subject to change/renaming.
3. Dyanmic config loading at startup
Since this feature was planned in tandem with remote admin, and depends on its changes, I am combining them into one PR.
Dynamic config loading is where you tell Caddy how to load its config, and then it loads and runs that. First, it will load the config you give it (and persist that so it can be optionally resumed later). Then, it will try pulling its _actual_ config using the module you've specified (dynamically loaded configs are _not_ persisted to storage, since resuming them doesn't make sense).
This PR comes with a standard config loader module called `caddy.config_loaders.http`.
Caddyfile config for all of this can probably be added later.
COMMITS:
* admin: Secure socket for remote management
Functional, but still WIP.
Optional secure socket for the admin endpoint is designed
for remote management, i.e. to be exposed on a public
port. It enforces TLS mutual authentication which cannot
be disabled. The default port for this is :2021. The server
certificate cannot be specified manually, it MUST be
obtained from a certificate issuer (i.e. ACME).
More polish and sensible defaults are still in development.
Also cleaned up and consolidated the code related to
quitting the process.
* Happy lint
* Implement dynamic config loading; HTTP config loader module
This allows Caddy to load a dynamic config when it starts.
Dynamically-loaded configs are intentionally not persisted to storage.
Includes an implementation of the standard config loader, HTTPLoader.
Can be used to download configs over HTTP(S).
* Refactor and cleanup; prevent recursive config pulls
Identity management is now separated from remote administration.
There is no need to enable remote administration if all you want is identity
management, but you will need to configure identity management
if you want remote administration.
* Fix lint warnings
* Rename identities->identifiers for consistency
2021-01-27 18:16:04 -05:00
|
|
|
// keep a reference to admin endpoint singletons while they're active
|
|
|
|
var (
|
|
|
|
localAdminServer, remoteAdminServer *http.Server
|
|
|
|
identityCertCache *certmagic.Cache
|
|
|
|
)
|