mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-06 22:40:31 -05:00
httpcaddyfile: Add skip_install_trust
global option (#4153)
Fixes https://github.com/caddyserver/caddy/issues/4002
This commit is contained in:
parent
323ffd2076
commit
658772ff24
3 changed files with 77 additions and 0 deletions
|
@ -39,6 +39,7 @@ func init() {
|
||||||
RegisterGlobalOption("acme_dns", parseOptACMEDNS)
|
RegisterGlobalOption("acme_dns", parseOptACMEDNS)
|
||||||
RegisterGlobalOption("acme_eab", parseOptACMEEAB)
|
RegisterGlobalOption("acme_eab", parseOptACMEEAB)
|
||||||
RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
|
RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
|
||||||
|
RegisterGlobalOption("skip_install_trust", parseOptTrue)
|
||||||
RegisterGlobalOption("email", parseOptSingleString)
|
RegisterGlobalOption("email", parseOptSingleString)
|
||||||
RegisterGlobalOption("admin", parseOptAdmin)
|
RegisterGlobalOption("admin", parseOptAdmin)
|
||||||
RegisterGlobalOption("on_demand_tls", parseOptOnDemand)
|
RegisterGlobalOption("on_demand_tls", parseOptOnDemand)
|
||||||
|
|
|
@ -27,15 +27,35 @@ func (st ServerType) buildPKIApp(
|
||||||
|
|
||||||
pkiApp := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
|
pkiApp := &caddypki.PKI{CAs: make(map[string]*caddypki.CA)}
|
||||||
|
|
||||||
|
skipInstallTrust := false
|
||||||
|
if _, ok := options["skip_install_trust"]; ok {
|
||||||
|
skipInstallTrust = true
|
||||||
|
}
|
||||||
|
falseBool := false
|
||||||
|
|
||||||
for _, p := range pairings {
|
for _, p := range pairings {
|
||||||
for _, sblock := range p.serverBlocks {
|
for _, sblock := range p.serverBlocks {
|
||||||
// find all the CAs that were defined and add them to the app config
|
// find all the CAs that were defined and add them to the app config
|
||||||
|
// i.e. from any "acme_server" directives
|
||||||
for _, caCfgValue := range sblock.pile["pki.ca"] {
|
for _, caCfgValue := range sblock.pile["pki.ca"] {
|
||||||
ca := caCfgValue.Value.(*caddypki.CA)
|
ca := caCfgValue.Value.(*caddypki.CA)
|
||||||
|
if skipInstallTrust {
|
||||||
|
ca.InstallTrust = &falseBool
|
||||||
|
}
|
||||||
pkiApp.CAs[ca.ID] = ca
|
pkiApp.CAs[ca.ID] = ca
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// if there was no CAs defined in any of the servers,
|
||||||
|
// and we were requested to not install trust, then
|
||||||
|
// add one for the default/local CA to do so
|
||||||
|
if len(pkiApp.CAs) == 0 && skipInstallTrust {
|
||||||
|
ca := new(caddypki.CA)
|
||||||
|
ca.ID = caddypki.DefaultCAID
|
||||||
|
ca.InstallTrust = &falseBool
|
||||||
|
pkiApp.CAs[ca.ID] = ca
|
||||||
|
}
|
||||||
|
|
||||||
return pkiApp, warnings, nil
|
return pkiApp, warnings, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,56 @@
|
||||||
|
{
|
||||||
|
skip_install_trust
|
||||||
|
}
|
||||||
|
|
||||||
|
a.example.com {
|
||||||
|
tls internal
|
||||||
|
}
|
||||||
|
----------
|
||||||
|
{
|
||||||
|
"apps": {
|
||||||
|
"http": {
|
||||||
|
"servers": {
|
||||||
|
"srv0": {
|
||||||
|
"listen": [
|
||||||
|
":443"
|
||||||
|
],
|
||||||
|
"routes": [
|
||||||
|
{
|
||||||
|
"match": [
|
||||||
|
{
|
||||||
|
"host": [
|
||||||
|
"a.example.com"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"terminal": true
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"pki": {
|
||||||
|
"certificate_authorities": {
|
||||||
|
"local": {
|
||||||
|
"install_trust": false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"tls": {
|
||||||
|
"automation": {
|
||||||
|
"policies": [
|
||||||
|
{
|
||||||
|
"subjects": [
|
||||||
|
"a.example.com"
|
||||||
|
],
|
||||||
|
"issuers": [
|
||||||
|
{
|
||||||
|
"module": "internal"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue