caddytls: Zero out throttle window first (#5443)
* caddytls: Zero out throttle window first
* Don't error for on-demand
Fixes b97c76fb47
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
This commit is contained in:
parent
a7db0cfe55
commit
0cc49c053f
2 changed files with 23 additions and 15 deletions
|
@ -19,6 +19,7 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/caddyserver/caddy/v2"
|
"github.com/caddyserver/caddy/v2"
|
||||||
|
@ -224,8 +225,10 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
|
||||||
// on-demand TLS
|
// on-demand TLS
|
||||||
var ond *certmagic.OnDemandConfig
|
var ond *certmagic.OnDemandConfig
|
||||||
if ap.OnDemand {
|
if ap.OnDemand {
|
||||||
// ask endpoint is now required after a number of negligence cases causing abuse
|
// ask endpoint is now required after a number of negligence cases causing abuse;
|
||||||
if !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
|
// but is still allowed for explicit subjects (non-wildcard, non-unbounded),
|
||||||
|
// and for the internal issuer since it doesn't cause ACME issuer pressure
|
||||||
|
if ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
|
||||||
return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
|
return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
|
||||||
}
|
}
|
||||||
ond = &certmagic.OnDemandConfig{
|
ond = &certmagic.OnDemandConfig{
|
||||||
|
@ -294,6 +297,22 @@ func (ap *AutomationPolicy) onlyInternalIssuer() bool {
|
||||||
return ok
|
return ok
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// isWildcardOrDefault determines if the subjects include any wildcard domains,
|
||||||
|
// or is the "default" policy (i.e. no subjects) which is unbounded.
|
||||||
|
func (ap *AutomationPolicy) isWildcardOrDefault() bool {
|
||||||
|
isWildcardOrDefault := false
|
||||||
|
if len(ap.Subjects) == 0 {
|
||||||
|
isWildcardOrDefault = true
|
||||||
|
}
|
||||||
|
for _, sub := range ap.Subjects {
|
||||||
|
if strings.HasPrefix(sub, "*") {
|
||||||
|
isWildcardOrDefault = true
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return isWildcardOrDefault
|
||||||
|
}
|
||||||
|
|
||||||
// DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
|
// DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
|
||||||
// This function is experimental and has no compatibility promises.
|
// This function is experimental and has no compatibility promises.
|
||||||
func DefaultIssuers() []certmagic.Issuer {
|
func DefaultIssuers() []certmagic.Issuer {
|
||||||
|
|
|
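Review bot: The new `isWildcardOrDefault` helper in automation.go carries its result through an accumulator plus `break`, which reads as two separate decisions when it is really one predicate; early returns make the "empty subjects or any leading-`*` subject" rule visible at a glance. The doc comment could also state the criterion it actually applies, since only a leading `*` is treated as a wildcard: `// isWildcardOrDefault reports whether the policy is unbounded: it has no subjects (the default policy) or any subject beginning with "*".` Whether other pattern forms need to count as unbounded here depends on how subjects are matched elsewhere, which this hunk does not show. The Provision hunk that calls this helper starts and ends outside the visible lines.
```go
func (ap *AutomationPolicy) isWildcardOrDefault() bool {
	if len(ap.Subjects) == 0 {
		return true
	}
	for _, sub := range ap.Subjects {
		if strings.HasPrefix(sub, "*") {
			return true
		}
	}
	return false
}
```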
@ -22,7 +22,6 @@ import (
|
||||||
"log"
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
"runtime/debug"
|
"runtime/debug"
|
||||||
"strings"
|
|
||||||
"sync"
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -182,8 +181,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
||||||
onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
|
onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
|
||||||
} else {
|
} else {
|
||||||
// remove any existing rate limiter
|
// remove any existing rate limiter
|
||||||
onDemandRateLimiter.SetMaxEvents(0)
|
|
||||||
onDemandRateLimiter.SetWindow(0)
|
onDemandRateLimiter.SetWindow(0)
|
||||||
|
onDemandRateLimiter.SetMaxEvents(0)
|
||||||
}
|
}
|
||||||
|
|
||||||
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
|
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
|
||||||
|
@ -260,17 +259,7 @@ func (t *TLS) Start() error {
|
||||||
if t.Automation.OnDemand == nil ||
|
if t.Automation.OnDemand == nil ||
|
||||||
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
|
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
|
||||||
for _, ap := range t.Automation.Policies {
|
for _, ap := range t.Automation.Policies {
|
||||||
isWildcardOrDefault := false
|
if ap.OnDemand && ap.isWildcardOrDefault() {
|
||||||
if len(ap.Subjects) == 0 {
|
|
||||||
isWildcardOrDefault = true
|
|
||||||
}
|
|
||||||
for _, sub := range ap.Subjects {
|
|
||||||
if strings.HasPrefix(sub, "*") {
|
|
||||||
isWildcardOrDefault = true
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if ap.OnDemand && isWildcardOrDefault {
|
|
||||||
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
|
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
|
||||||
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
|
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
|
||||||
break
|
break
|
||||||
|
|
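Review bot: The reordered `onDemandRateLimiter.SetWindow(0)` / `SetMaxEvents(0)` pair in the `else` branch of `TLS.Provision` has no comment saying the order is load-bearing, even though this commit exists only because the previous order was wrong; a future tidy-up could swap them back without any test or reviewer noticing. Add a one-line why-comment above the pair, e.g. `// order matters: zero the window before the event count (see #5443)`. The limiter appears to be package-level shared state, so if the two setters are not applied as one unit a concurrent on-demand handshake may briefly observe a half-reset limiter — worth confirming against the limiter's implementation, which is not visible here. `Provision` starts and ends outside this hunk.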