mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-16 21:56:40 -05:00
caddytls: Caddyfile support for TLS handshake matchers (#6461)
* Caddyfile support for TLS handshake matchers: - caddytls.MatchLocalIP - caddytls.MatchRemoteIP - caddytls.MatchServerName * Caddyfile support for TLS handshake matchers: - fix imports order Co-authored-by: Francis Lavoie <lavofr@gmail.com> --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>
This commit is contained in:
parent
3afa02ba4e
commit
61fe152c60
1 changed files with 103 additions and 0 deletions
|
@ -25,6 +25,7 @@ import (
|
||||||
"go.uber.org/zap"
|
"go.uber.org/zap"
|
||||||
|
|
||||||
"github.com/caddyserver/caddy/v2"
|
"github.com/caddyserver/caddy/v2"
|
||||||
|
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
@ -56,6 +57,29 @@ func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// UnmarshalCaddyfile sets up the MatchServerName from Caddyfile tokens. Syntax:
|
||||||
|
//
|
||||||
|
// sni <domains...>
|
||||||
|
func (m *MatchServerName) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
|
for d.Next() {
|
||||||
|
wrapper := d.Val()
|
||||||
|
|
||||||
|
// At least one same-line option must be provided
|
||||||
|
if d.CountRemainingArgs() == 0 {
|
||||||
|
return d.ArgErr()
|
||||||
|
}
|
||||||
|
|
||||||
|
*m = append(*m, d.RemainingArgs()...)
|
||||||
|
|
||||||
|
// No blocks are supported
|
||||||
|
if d.NextBlock(d.Nesting()) {
|
||||||
|
return d.Errf("malformed TLS handshake matcher '%s': blocks are not supported", wrapper)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// MatchRemoteIP matches based on the remote IP of the
|
// MatchRemoteIP matches based on the remote IP of the
|
||||||
// connection. Specific IPs or CIDR ranges can be specified.
|
// connection. Specific IPs or CIDR ranges can be specified.
|
||||||
//
|
//
|
||||||
|
@ -145,6 +169,50 @@ func (MatchRemoteIP) matches(ip netip.Addr, ranges []netip.Prefix) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// UnmarshalCaddyfile sets up the MatchRemoteIP from Caddyfile tokens. Syntax:
|
||||||
|
//
|
||||||
|
// remote_ip <ranges...>
|
||||||
|
//
|
||||||
|
// Note: IPs and CIDRs prefixed with ! symbol are treated as not_ranges
|
||||||
|
func (m *MatchRemoteIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
|
for d.Next() {
|
||||||
|
wrapper := d.Val()
|
||||||
|
|
||||||
|
// At least one same-line option must be provided
|
||||||
|
if d.CountRemainingArgs() == 0 {
|
||||||
|
return d.ArgErr()
|
||||||
|
}
|
||||||
|
|
||||||
|
for d.NextArg() {
|
||||||
|
val := d.Val()
|
||||||
|
if len(val) > 1 && val[0] == '!' {
|
||||||
|
prefixes, err := m.parseIPRange(val[1:])
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, prefix := range prefixes {
|
||||||
|
m.NotRanges = append(m.NotRanges, prefix.String())
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
prefixes, err := m.parseIPRange(val)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, prefix := range prefixes {
|
||||||
|
m.Ranges = append(m.Ranges, prefix.String())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// No blocks are supported
|
||||||
|
if d.NextBlock(d.Nesting()) {
|
||||||
|
return d.Errf("malformed TLS handshake matcher '%s': blocks are not supported", wrapper)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// MatchLocalIP matches based on the IP address of the interface
|
// MatchLocalIP matches based on the IP address of the interface
|
||||||
// receiving the connection. Specific IPs or CIDR ranges can be specified.
|
// receiving the connection. Specific IPs or CIDR ranges can be specified.
|
||||||
type MatchLocalIP struct {
|
type MatchLocalIP struct {
|
||||||
|
@ -219,6 +287,37 @@ func (MatchLocalIP) matches(ip netip.Addr, ranges []netip.Prefix) bool {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// UnmarshalCaddyfile sets up the MatchLocalIP from Caddyfile tokens. Syntax:
|
||||||
|
//
|
||||||
|
// local_ip <ranges...>
|
||||||
|
func (m *MatchLocalIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
|
||||||
|
for d.Next() {
|
||||||
|
wrapper := d.Val()
|
||||||
|
|
||||||
|
// At least one same-line option must be provided
|
||||||
|
if d.CountRemainingArgs() == 0 {
|
||||||
|
return d.ArgErr()
|
||||||
|
}
|
||||||
|
|
||||||
|
for d.NextArg() {
|
||||||
|
prefixes, err := m.parseIPRange(d.Val())
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
for _, prefix := range prefixes {
|
||||||
|
m.Ranges = append(m.Ranges, prefix.String())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// No blocks are supported
|
||||||
|
if d.NextBlock(d.Nesting()) {
|
||||||
|
return d.Errf("malformed TLS handshake matcher '%s': blocks are not supported", wrapper)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// Interface guards
|
// Interface guards
|
||||||
var (
|
var (
|
||||||
_ ConnectionMatcher = (*MatchServerName)(nil)
|
_ ConnectionMatcher = (*MatchServerName)(nil)
|
||||||
|
@ -226,4 +325,8 @@ var (
|
||||||
|
|
||||||
_ caddy.Provisioner = (*MatchLocalIP)(nil)
|
_ caddy.Provisioner = (*MatchLocalIP)(nil)
|
||||||
_ ConnectionMatcher = (*MatchLocalIP)(nil)
|
_ ConnectionMatcher = (*MatchLocalIP)(nil)
|
||||||
|
|
||||||
|
_ caddyfile.Unmarshaler = (*MatchLocalIP)(nil)
|
||||||
|
_ caddyfile.Unmarshaler = (*MatchRemoteIP)(nil)
|
||||||
|
_ caddyfile.Unmarshaler = (*MatchServerName)(nil)
|
||||||
)
|
)
|
||||||
|
|
Loading…
Reference in a new issue