diff --git a/caddy/caddymain/run.go b/caddy/caddymain/run.go
index 23d938703..fd193d5f7 100644
--- a/caddy/caddymain/run.go
+++ b/caddy/caddymain/run.go
@@ -29,6 +29,8 @@ func init() {
 flag.BoolVar(&caddytls.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
 flag.StringVar(&caddytls.DefaultCAUrl, "ca", "https://acme-v01.api.letsencrypt.org/directory", "URL to certificate authority's ACME server directory")
+ flag.BoolVar(&caddytls.DisableHTTPChallenge, "disable-http-challenge", caddytls.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
+ flag.BoolVar(&caddytls.DisableTLSSNIChallenge, "disable-tls-sni-challenge", caddytls.DisableTLSSNIChallenge, "Disable the ACME TLS-SNI challenge")
 flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
 flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
 flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
diff --git a/caddytls/client.go b/caddytls/client.go
index d1c3295e5..394c36882 100644
--- a/caddytls/client.go
+++ b/caddytls/client.go
@@ -143,6 +143,18 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
 if caddy.HasListenerWithAddress(net.JoinHostPort(config.ListenHost, useTLSSNIPort)) {
 c.acmeClient.SetChallengeProvider(acme.TLSSNI01, tlsSniSolver{})
 }
+
+ // Disable any challenges that should not be used
+ var disabledChallenges []acme.Challenge
+ if DisableHTTPChallenge {
+ disabledChallenges = append(disabledChallenges, acme.HTTP01)
+ }
+ if DisableTLSSNIChallenge {
+ disabledChallenges = append(disabledChallenges, acme.TLSSNI01)
+ }
+ if len(disabledChallenges) > 0 {
+ c.acmeClient.ExcludeChallenges(disabledChallenges)
+ }
 } else {
 // Otherwise, use DNS challenge exclusively
diff --git a/caddytls/httphandler.go b/caddytls/httphandler.go
index 0ea40c67d..db3c93a01 100644
--- a/caddytls/httphandler.go
+++ b/caddytls/httphandler.go
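Review bot: The help strings for the two new flags say nothing about the consequence of setting both; as the caddytls/client.go change reads, when no DNS provider is configured both challenge types are then excluded and issuance cannot succeed, which an operator only discovers from an ACME failure later. Extend the help text so the constraint is visible in `caddy -help`, e.g. `"Disable the ACME HTTP challenge (at least one of HTTP or TLS-SNI must stay enabled unless a DNS provider is used)"` with the matching wording for `-disable-tls-sni-challenge`. Taking the flag default from the package variable (`caddytls.DisableHTTPChallenge`) instead of a literal `false` is a reasonable single source of truth, but a short comment saying the default is intentionally the package's value would save the next reader a lookup. The enclosing `init` continues outside the hunk.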
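Review bot: Nothing rejects the combination `DisableHTTPChallenge && DisableTLSSNIChallenge` in this branch, which is the non-DNS path (the `else` below is commented "use DNS challenge exclusively"); with both set, `ExcludeChallenges` removes every challenge type the client could solve and each certificate request then fails inside the ACME library with a message that does not point at the two flags. Fail fast with a clear configuration error before building the exclusion list, e.g. `if DisableHTTPChallenge && DisableTLSSNIChallenge { return nil, errors.New("the HTTP and TLS-SNI challenges are both disabled and no DNS provider is configured") }` (using `errors` or `fmt`, whichever the file already imports). The check belongs here rather than in the flag parser because the DNS-provider setting decides whether the combination is legal. A one-line comment above the exclusion block noting that the flags are deliberately not consulted on the DNS path would also help, since the flag help otherwise suggests they apply everywhere. newACMEClient begins before the hunk.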
@@ -20,6 +20,9 @@ func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, listenHost, al
 if !strings.HasPrefix(r.URL.Path, challengeBasePath) {
 return false
 }
+ if DisableHTTPChallenge {
+ return false
+ }
 if !namesObtaining.Has(r.Host) {
 return false
 }
diff --git a/caddytls/tls.go b/caddytls/tls.go
index 50c9814a7..f7a084357 100644
--- a/caddytls/tls.go
+++ b/caddytls/tls.go
@@ -167,6 +167,12 @@ var (
 // DefaultKeyType is used as the type of key for new certificates
 // when no other key type is specified.
 DefaultKeyType = acme.RSA2048
+
+ // DisableHTTPChallenge will disable all HTTP challenges.
+ DisableHTTPChallenge bool
+
+ // DisableTLSSNIChallenge will disable all TLS-SNI challenges.
+ DisableTLSSNIChallenge bool
 )
 var storageProviders = make(map[string]StorageConstructor)
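Review bot: The new `DisableHTTPChallenge` guard sits between the path-prefix test and the `namesObtaining` lookup although it is the cheapest of the three checks and a pure configuration switch; as a point of style, placing it first makes the "feature off, not ours" short-circuit the first thing a reader sees and skips the prefix compare on every request when the challenge is disabled. It also deserves a why-comment, because a bare `return false` reads like a rejection rather than a hand-off: `// HTTP challenge disabled by flag: report the request as not handled here`. If `false` means "not handled" as the prefix check suggests, requests under `/.well-known/acme-challenge/` now fall through to whatever serves the site; whether that, rather than an explicit 404, is intended should be confirmed and stated in the comment. HTTPChallengeHandler continues outside the hunk.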
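Review bot: The doc comments on the two new package variables say only that they "disable all ... challenges", leaving out the contract a maintainer needs: they are plain unsynchronized globals set from the `-disable-http-challenge` / `-disable-tls-sni-challenge` flags and read when an ACME client is created and, for HTTP, on every request in HTTPChallengeHandler, so they must be set before serving starts and never toggled at runtime. Reword to, e.g., `// DisableHTTPChallenge disables the ACME HTTP-01 challenge. Set from the -disable-http-challenge flag before serving starts; consulted when an ACME client is created and by HTTPChallengeHandler, and appears to have no effect when a DNS provider is configured.` with parallel text for TLS-SNI. Spelling the challenges as HTTP-01 and TLS-SNI-01 keeps the comments aligned with the `acme.HTTP01` / `acme.TLSSNI01` constants used in client.go. The `var (` block begins before the hunk.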