tls: Update to match CertMagic refactor (#2571)
* Update to match CertMagic's refactoring * mod: CertMagic v0.5.0
This commit is contained in:
parent
fd6e4516dc
commit
917d9bc9da
8 changed files with 60 additions and 21 deletions
|
@ -45,11 +45,11 @@ import (
|
||||||
func init() {
|
func init() {
|
||||||
caddy.TrapSignals()
|
caddy.TrapSignals()
|
||||||
|
|
||||||
flag.BoolVar(&certmagic.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
|
flag.BoolVar(&certmagic.Default.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
|
||||||
flag.StringVar(&certmagic.CA, "ca", certmagic.CA, "URL to certificate authority's ACME server directory")
|
flag.StringVar(&certmagic.Default.CA, "ca", certmagic.Default.CA, "URL to certificate authority's ACME server directory")
|
||||||
flag.StringVar(&certmagic.DefaultServerName, "default-sni", certmagic.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
|
flag.StringVar(&certmagic.Default.DefaultServerName, "default-sni", certmagic.Default.DefaultServerName, "If a ClientHello ServerName is empty, use this ServerName to choose a TLS certificate")
|
||||||
flag.BoolVar(&certmagic.DisableHTTPChallenge, "disable-http-challenge", certmagic.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
|
flag.BoolVar(&certmagic.Default.DisableHTTPChallenge, "disable-http-challenge", certmagic.Default.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
|
||||||
flag.BoolVar(&certmagic.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
|
flag.BoolVar(&certmagic.Default.DisableTLSALPNChallenge, "disable-tls-alpn-challenge", certmagic.Default.DisableTLSALPNChallenge, "Disable the ACME TLS-ALPN challenge")
|
||||||
flag.StringVar(&disabledMetrics, "disabled-metrics", "", "Comma-separated list of telemetry metrics to disable")
|
flag.StringVar(&disabledMetrics, "disabled-metrics", "", "Comma-separated list of telemetry metrics to disable")
|
||||||
flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
|
flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
|
||||||
flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
|
flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
|
||||||
|
@ -57,7 +57,7 @@ func init() {
|
||||||
flag.StringVar(&envFile, "envfile", "", "Path to file with environment variables to load in KEY=VALUE format")
|
flag.StringVar(&envFile, "envfile", "", "Path to file with environment variables to load in KEY=VALUE format")
|
||||||
flag.BoolVar(&fromJSON, "json-to-caddyfile", false, "From JSON stdin to Caddyfile stdout")
|
flag.BoolVar(&fromJSON, "json-to-caddyfile", false, "From JSON stdin to Caddyfile stdout")
|
||||||
flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
|
flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
|
||||||
flag.StringVar(&certmagic.Email, "email", "", "Default ACME CA account email address")
|
flag.StringVar(&certmagic.Default.Email, "email", "", "Default ACME CA account email address")
|
||||||
flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, "Default ACME CA HTTP timeout")
|
flag.DurationVar(&certmagic.HTTPTimeout, "catimeout", certmagic.HTTPTimeout, "Default ACME CA HTTP timeout")
|
||||||
flag.StringVar(&logfile, "log", "", "Process log file")
|
flag.StringVar(&logfile, "log", "", "Process log file")
|
||||||
flag.IntVar(&logRollMB, "log-roll-mb", 100, "Roll process log when it reaches this many megabytes (0 to disable rolling)")
|
flag.IntVar(&logRollMB, "log-roll-mb", 100, "Roll process log when it reaches this many megabytes (0 to disable rolling)")
|
||||||
|
|
|
@ -234,7 +234,7 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
|
||||||
// trusted CA (obviously not a perfect heuristic)
|
// trusted CA (obviously not a perfect heuristic)
|
||||||
var looksLikeProductionCA bool
|
var looksLikeProductionCA bool
|
||||||
for _, publicCAEndpoint := range caddytls.KnownACMECAs {
|
for _, publicCAEndpoint := range caddytls.KnownACMECAs {
|
||||||
if strings.Contains(certmagic.CA, publicCAEndpoint) {
|
if strings.Contains(certmagic.Default.CA, publicCAEndpoint) {
|
||||||
looksLikeProductionCA = true
|
looksLikeProductionCA = true
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,6 +21,7 @@ import (
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
|
"time"
|
||||||
|
|
||||||
"github.com/go-acme/lego/challenge/tlsalpn01"
|
"github.com/go-acme/lego/challenge/tlsalpn01"
|
||||||
|
|
||||||
|
@ -117,22 +118,48 @@ func NewConfig(inst *caddy.Instance) (*Config, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
|
return nil, fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
|
||||||
}
|
}
|
||||||
certmagic.DefaultStorage = storage
|
certmagic.Default.Storage = storage
|
||||||
} else {
|
} else {
|
||||||
return nil, fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
|
return nil, fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
certCache = certmagic.NewCache(certmagic.DefaultStorage)
|
certCache = certmagic.NewCache(certmagic.CacheOptions{
|
||||||
|
GetConfigForCert: func(cert certmagic.Certificate) (certmagic.Config, error) {
|
||||||
|
inst.StorageMu.Lock()
|
||||||
|
cfgMap, ok := inst.Storage[configMapKey].(map[string]*Config)
|
||||||
|
inst.StorageMu.Unlock()
|
||||||
|
if ok {
|
||||||
|
for hostname, cfg := range cfgMap {
|
||||||
|
if cfg.Manager != nil && hostname == cert.Names[0] {
|
||||||
|
return *cfg.Manager, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// returning Default not strictly necessary, since Default is used as template
|
||||||
|
// anyway; but this makes it clear that that's what we fall back to
|
||||||
|
return certmagic.Default, nil
|
||||||
|
},
|
||||||
|
})
|
||||||
|
storageCleaningTicker := time.NewTicker(12 * time.Hour)
|
||||||
|
go func() {
|
||||||
|
for range storageCleaningTicker.C {
|
||||||
|
certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
|
||||||
|
OCSPStaples: true,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}()
|
||||||
inst.OnShutdown = append(inst.OnShutdown, func() error {
|
inst.OnShutdown = append(inst.OnShutdown, func() error {
|
||||||
certCache.Stop()
|
certCache.Stop()
|
||||||
|
storageCleaningTicker.Stop()
|
||||||
return nil
|
return nil
|
||||||
})
|
})
|
||||||
|
|
||||||
inst.StorageMu.Lock()
|
inst.StorageMu.Lock()
|
||||||
inst.Storage[CertCacheInstStorageKey] = certCache
|
inst.Storage[CertCacheInstStorageKey] = certCache
|
||||||
inst.StorageMu.Unlock()
|
inst.StorageMu.Unlock()
|
||||||
}
|
}
|
||||||
return &Config{
|
return &Config{
|
||||||
Manager: certmagic.NewWithCache(certCache, certmagic.Config{}),
|
Manager: certmagic.New(certCache, certmagic.Config{}),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -418,7 +445,6 @@ func SetDefaultTLSParams(config *Config) {
|
||||||
var supportedKeyTypes = map[string]certcrypto.KeyType{
|
var supportedKeyTypes = map[string]certcrypto.KeyType{
|
||||||
"P384": certcrypto.EC384,
|
"P384": certcrypto.EC384,
|
||||||
"P256": certcrypto.EC256,
|
"P256": certcrypto.EC256,
|
||||||
"RSA8192": certcrypto.RSA8192,
|
|
||||||
"RSA4096": certcrypto.RSA4096,
|
"RSA4096": certcrypto.RSA4096,
|
||||||
"RSA2048": certcrypto.RSA2048,
|
"RSA2048": certcrypto.RSA2048,
|
||||||
}
|
}
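Review bot: The storage-cleaning goroutine started in NewConfig leaks on every shutdown/reload, because `storageCleaningTicker.Stop()` in the OnShutdown hook does not close `storageCleaningTicker.C` (documented behaviour of `time.Ticker.Stop`), so `for range storageCleaningTicker.C` blocks forever and each reload adds another parked goroutine holding a reference to the old instance. A done channel closed from the same hook lets the loop exit; the rewritten lines are below. Separately, `GetConfigForCert` indexes `cert.Names[0]` without checking that `Names` is non-empty; if CertMagic can hand back a certificate with no names, that is an unrecovered panic inside the cache's maintenance goroutine, so guard it with `len(cert.Names) > 0 &&`. Note also that the callback copies the `cfgMap` reference out under `StorageMu` but iterates it after unlocking, while setupTLS writes to that same map; if the two can overlap during a reload the iteration should stay inside the lock. NewConfig begins outside this hunk.
```go
storageCleaningTicker := time.NewTicker(12 * time.Hour)
storageCleaningDone := make(chan struct{})
go func() {
	for {
		select {
		case <-storageCleaningDone:
			return
		case <-storageCleaningTicker.C:
			certmagic.CleanStorage(certmagic.Default.Storage, certmagic.CleanStorageOptions{
				OCSPStaples: true,
			})
		}
	}
}()
inst.OnShutdown = append(inst.OnShutdown, func() error {
	certCache.Stop()
	storageCleaningTicker.Stop()
	close(storageCleaningDone) // unblocks the cleaning goroutine; Stop alone does not
	return nil
})
// … unchanged: inst.Storage[CertCacheInstStorageKey] = certCache …
```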
|
||||||
|
|
|
@ -42,7 +42,7 @@ type configGroup map[string]*Config
|
||||||
func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
|
func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
|
||||||
name := certmagic.NormalizedName(hello.ServerName)
|
name := certmagic.NormalizedName(hello.ServerName)
|
||||||
if name == "" {
|
if name == "" {
|
||||||
name = certmagic.NormalizedName(certmagic.DefaultServerName)
|
name = certmagic.NormalizedName(certmagic.Default.DefaultServerName)
|
||||||
}
|
}
|
||||||
|
|
||||||
// if SNI is empty, prefer matching IP address (it is
|
// if SNI is empty, prefer matching IP address (it is
|
||||||
|
|
|
@ -63,7 +63,7 @@ func setupTLS(c *caddy.Controller) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
|
return fmt.Errorf("constructing cluster plugin %s: %v", clusterPluginName, err)
|
||||||
}
|
}
|
||||||
certmagic.DefaultStorage = storage
|
certmagic.Default.Storage = storage
|
||||||
} else {
|
} else {
|
||||||
return fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
|
return fmt.Errorf("unrecognized cluster plugin (was it included in the Caddy build?): %s", clusterPluginName)
|
||||||
}
|
}
|
||||||
|
@ -363,6 +363,14 @@ func setupTLS(c *caddy.Controller) error {
|
||||||
telemetry.Increment("tls_self_signed_count")
|
telemetry.Increment("tls_self_signed_count")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// store this as a custom config
|
||||||
|
cfgMap, ok := c.Get(configMapKey).(map[string]*Config)
|
||||||
|
if !ok || cfgMap == nil {
|
||||||
|
cfgMap = make(map[string]*Config)
|
||||||
|
}
|
||||||
|
cfgMap[config.Hostname] = config
|
||||||
|
c.Set(configMapKey, cfgMap)
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -449,3 +457,5 @@ func loadCertsInDir(cfg *Config, c *caddy.Controller, dir string) error {
|
||||||
func constructDefaultClusterPlugin() (certmagic.Storage, error) {
|
func constructDefaultClusterPlugin() (certmagic.Storage, error) {
|
||||||
return &certmagic.FileStorage{Path: caddy.AssetsPath()}, nil
|
return &certmagic.FileStorage{Path: caddy.AssetsPath()}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const configMapKey = "tls_custom_configs"
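Review bot: The custom-config map is keyed by the raw `config.Hostname`, but the cache callback in config.go matches that key against `cert.Names[0]`, which CertMagic stores in normalized form; if `Hostname` can carry uppercase letters or a trailing dot at this point the lookup silently misses and the certificate is managed with `certmagic.Default` instead of the site's own settings (CA, storage, email). Keying with `cfgMap[certmagic.NormalizedName(config.Hostname)] = config`, as handshake.go already does for SNI, removes that mismatch. Two sites sharing a hostname (different ports) also overwrite each other here without any notice; a short comment stating that the last site wins would make that intentional rather than accidental. setupTLS begins outside this hunk.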
|
||||||
|
|
|
@ -53,8 +53,8 @@ func TestSetupParseBasic(t *testing.T) {
|
||||||
}
|
}
|
||||||
defer os.RemoveAll(tmpdir)
|
defer os.RemoveAll(tmpdir)
|
||||||
|
|
||||||
certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
|
certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
|
||||||
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
|
cfg := &Config{Manager: certmagic.NewDefault()}
|
||||||
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
||||||
c := caddy.NewTestController("", `tls `+certFile+` `+keyFile+``)
|
c := caddy.NewTestController("", `tls `+certFile+` `+keyFile+``)
|
||||||
|
|
||||||
|
@ -139,8 +139,8 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
|
||||||
}
|
}
|
||||||
defer os.RemoveAll(tmpdir)
|
defer os.RemoveAll(tmpdir)
|
||||||
|
|
||||||
certCache := certmagic.NewCache(&certmagic.FileStorage{Path: tmpdir})
|
certmagic.Default.Storage = &certmagic.FileStorage{Path: tmpdir}
|
||||||
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
|
cfg := &Config{Manager: certmagic.NewDefault()}
|
||||||
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
||||||
c := caddy.NewTestController("", params)
|
c := caddy.NewTestController("", params)
|
||||||
|
|
||||||
|
@ -276,8 +276,7 @@ func TestSetupParseWithClientAuth(t *testing.T) {
|
||||||
clients verify_if_given
|
clients verify_if_given
|
||||||
}`, tls.VerifyClientCertIfGiven, true, noCAs},
|
}`, tls.VerifyClientCertIfGiven, true, noCAs},
|
||||||
} {
|
} {
|
||||||
certCache := certmagic.NewCache(certmagic.DefaultStorage)
|
cfg := &Config{Manager: certmagic.NewDefault()}
|
||||||
cfg := &Config{Manager: certmagic.NewWithCache(certCache, certmagic.Config{})}
|
|
||||||
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
|
||||||
c := caddy.NewTestController("", caseData.params)
|
c := caddy.NewTestController("", caseData.params)
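Review bot: Each test now assigns the package-global `certmagic.Default.Storage` and never restores it, so the temp-dir storage (which is removed by the deferred `os.RemoveAll`) leaks into whatever test runs next, and TestSetupParseWithClientAuth's `certmagic.NewDefault()` picks up whichever storage an earlier test left behind rather than a known one. Save and restore the global in each test, e.g. `defer func(prev certmagic.Storage) { certmagic.Default.Storage = prev }(certmagic.Default.Storage)` placed before the assignment. For the client-auth table test, set a temp-dir storage explicitly as the other two tests do so the cases do not depend on test ordering. The enclosing test functions begin outside these hunks.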
|
||||||
|
|
||||||
|
|
4
go.mod
4
go.mod
|
@ -7,7 +7,7 @@ require (
|
||||||
github.com/caddyserver/builds v0.0.0-20170910200810-c62e2219460a
|
github.com/caddyserver/builds v0.0.0-20170910200810-c62e2219460a
|
||||||
github.com/dustin/go-humanize v1.0.0
|
github.com/dustin/go-humanize v1.0.0
|
||||||
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568
|
github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568
|
||||||
github.com/go-acme/lego v2.4.0+incompatible
|
github.com/go-acme/lego v2.5.0+incompatible
|
||||||
github.com/google/uuid v1.1.1
|
github.com/google/uuid v1.1.1
|
||||||
github.com/gorilla/websocket v1.4.0
|
github.com/gorilla/websocket v1.4.0
|
||||||
github.com/hashicorp/go-syslog v1.0.0
|
github.com/hashicorp/go-syslog v1.0.0
|
||||||
|
@ -15,7 +15,7 @@ require (
|
||||||
github.com/klauspost/cpuid v1.2.0
|
github.com/klauspost/cpuid v1.2.0
|
||||||
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
|
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
|
||||||
github.com/lucas-clemente/quic-go v0.10.2
|
github.com/lucas-clemente/quic-go v0.10.2
|
||||||
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234
|
github.com/mholt/certmagic v0.5.0
|
||||||
github.com/naoina/go-stringutil v0.1.0 // indirect
|
github.com/naoina/go-stringutil v0.1.0 // indirect
|
||||||
github.com/naoina/toml v0.1.1
|
github.com/naoina/toml v0.1.1
|
||||||
github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4
|
github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -19,6 +19,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
|
||||||
github.com/go-acme/lego v2.3.1-0.20190318164254-3684cc738d37+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
github.com/go-acme/lego v2.3.1-0.20190318164254-3684cc738d37+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||||
github.com/go-acme/lego v2.4.0+incompatible h1:+BTLUfLtDc5qQauyiTCXH6lupEUOCvXyGlEjdeU0YQI=
|
github.com/go-acme/lego v2.4.0+incompatible h1:+BTLUfLtDc5qQauyiTCXH6lupEUOCvXyGlEjdeU0YQI=
|
||||||
github.com/go-acme/lego v2.4.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
github.com/go-acme/lego v2.4.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||||
|
github.com/go-acme/lego v2.5.0+incompatible h1:5fNN9yRQfv8ymH3DSsxla+4aYeQt2IgfZqHKVnK8f0s=
|
||||||
|
github.com/go-acme/lego v2.5.0+incompatible/go.mod h1:yzMNe9CasVUhkquNvti5nAtPmG94USbYxYrZfTkIn0M=
|
||||||
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
|
github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
|
||||||
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
|
||||||
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
|
github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
|
||||||
|
@ -49,6 +51,8 @@ github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cce
|
||||||
github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
|
github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
|
||||||
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234 h1:6biVHmhBIOQCzdOClOJ97D/Ip9oH8TgFftq2bj/93YI=
|
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234 h1:6biVHmhBIOQCzdOClOJ97D/Ip9oH8TgFftq2bj/93YI=
|
||||||
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234/go.mod h1:KvmxBmeVqj88J9Z9us/x04Yp/YYfMtmGkhQFWewFe6U=
|
github.com/mholt/certmagic v0.0.0-20190319183800-ee1543e2f234/go.mod h1:KvmxBmeVqj88J9Z9us/x04Yp/YYfMtmGkhQFWewFe6U=
|
||||||
|
github.com/mholt/certmagic v0.5.0 h1:lYXxsLUFya/I3BgDCrfuwcMQOB+4auzI8CCzpK41tjc=
|
||||||
|
github.com/mholt/certmagic v0.5.0/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY=
|
||||||
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
|
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
|
||||||
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||||
github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=
|
github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=
|
||||||
|
|