diff --git a/caddy/setup/tls.go b/caddy/setup/tls.go
index 4e5f7f9d..963d62d6 100644
--- a/caddy/setup/tls.go
+++ b/caddy/setup/tls.go
@@ -11,12 +11,12 @@ import (
 // TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
 func TLS(c *Controller) (middleware.Middleware, error) {
- if c.Port == "http" {
+ if c.Scheme == "http" {
 c.TLS.Enabled = false
 log.Printf("[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
- "specify port 80 explicitly (https://%s:80).", c.Port, c.Host, c.Host)
+ "specify port 80 explicitly (https://%s:80).", c.Scheme, c.Address(), c.Host)
 } else {
- c.TLS.Enabled = true // they had a tls directive, so assume it's on unless we confirm otherwise later
+ c.TLS.Enabled = true // assume this for now
 }
 
 for c.Next() {
@@ -37,13 +37,11 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 // served on the HTTPS port; that is what user would expect, and
 // makes it consistent with how the letsencrypt package works.
 if c.Port == "" {
- c.Port = "https"
+ c.Port = "443"
 }
- default:
- return nil, c.ArgErr()
 }
 
- // Optional block
+ // Optional block with extra parameters
 for c.NextBlock() {
 switch c.Val() {
 case "protocols":
@@ -74,6 +72,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 if len(c.TLS.ClientCerts) == 0 {
 return nil, c.ArgErr()
 }
+ // TODO: Allow this? It's a bad idea to allow HTTP. If we do this, make sure invoking tls at all (even manually) also sets up a redirect if possible?
+ // case "allow_http":
+ // c.TLS.DisableHTTPRedir = true
 default:
 return nil, c.Errf("Unknown keyword '%s'", c.Val())
 }
diff --git a/caddy/setup/tls_test.go b/caddy/setup/tls_test.go
index fdea1e0c..e4e0596c 100644
--- a/caddy/setup/tls_test.go
+++ b/caddy/setup/tls_test.go
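Review bot: The replacement comment `// assume this for now` on the `c.TLS.Enabled = true` line drops the rationale the removed comment carried, and nothing in the hunk shows where the assumption is later confirmed or revoked. That flag decides whether the site is served in plaintext, so the reason deserves to stay on the line: `c.TLS.Enabled = true // a tls directive is present, so assume TLS is on unless a later check turns it off`. The body of TLS continues well past this hunk.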
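Review bot: Removing the `default: return nil, c.ArgErr()` case makes the argument-count switch fall through silently for any count no remaining case handles, so a malformed `tls` line (for example three arguments) would be accepted with nothing configured instead of being rejected; the switch header is above this hunk, so I cannot confirm whether every count now has a case. If the intent is to accept a bare `tls` directive, an explicit empty case is clearer and the guard can stay: `case 0: // bare "tls": nothing further to parse`, `default:`, `return nil, c.ArgErr()`.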
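Review bot: The commented-out `case "allow_http":` branch and its TODO leave dead code inside the keyword switch, right next to the `default` that rejects unknown keywords, so a reader cannot tell whether `allow_http` is rejected by design or merely unfinished. A decision comment carries more information than disabled code, e.g. `// "allow_http" is deliberately not a keyword; see the tracking issue before adding it`, and the open question about redirects belongs in that issue rather than in the switch. The enclosing for c.NextBlock() loop continues beyond the hunk.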
@@ -66,11 +66,12 @@ func TestTLSParseBasic(t *testing.T) {
 }
 
 func TestTLSParseIncompleteParams(t *testing.T) {
+ // This doesn't do anything useful but is allowed in case the user wants to be explicit
+ // about TLS being enabled...
 c := NewTestController(`tls`)
- _, err := TLS(c)
- if err == nil {
- t.Errorf("Expected errors (first check), but no error returned")
+ if err != nil {
+ t.Errorf("Expected no error, but got %v", err)
 }
 }
 
@@ -95,10 +96,39 @@ func TestTLSParseWithOptionalParams(t *testing.T) {
 }
 
 if len(c.TLS.Ciphers)-1 != 3 {
- t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers))
+ t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers)-1)
 }
 }
 
+func TestTLSDefaultWithOptionalParams(t *testing.T) {
+ params := `tls {
+ ciphers RSA-3DES-EDE-CBC-SHA
+ }`
+ c := NewTestController(params)
+
+ _, err := TLS(c)
+ if err != nil {
+ t.Errorf("Expected no errors, got: %v", err)
+ }
+ if len(c.TLS.Ciphers)-1 != 1 {
+ t.Errorf("Expected 1 ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers)-1)
+ }
+}
+
+// TODO: If we allow this... but probably not a good idea.
+// func TestTLSDisableHTTPRedirect(t *testing.T) {
+// c := NewTestController(`tls {
+// allow_http
+// }`)
+// _, err := TLS(c)
+// if err != nil {
+// t.Errorf("Expected no error, but got %v", err)
+// }
+// if !c.TLS.DisableHTTPRedir {
+// t.Error("Expected HTTP redirect to be disabled, but it wasn't")
+// }
+// }
+
 func TestTLSParseWithWrongOptionalParams(t *testing.T) {
 // Test protocols wrong params
 params := `tls cert.crt cert.key {
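Review bot: In TestTLSParseIncompleteParams the hunk removes the `_, err := TLS(c)` line but the new `if err != nil` still reads `err`, so as rendered here the test never declares `err` and will not compile; the call should remain between `c := NewTestController(`+"`tls`"+`)` and the check as `_, err := TLS(c)`. The added comment also describes the directive rather than the assertion; something like `// A bare tls directive is accepted; TLS stays enabled with default settings.` tells the reader what a failure here means.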
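Review bot: TestTLSDefaultWithOptionalParams only counts ciphers and never asserts the default the tls.go change relies on, that `c.TLS.Enabled` is true for a bare block, so a regression that leaves TLS off would still pass. Add after the error check `if !c.TLS.Enabled { t.Error("Expected TLS to be enabled for a bare tls block") }`; whether the port default to "443" also applies on this path is decided outside the hunk, so a matching `c.Port` assertion is worth adding only if it does. The commented-out TestTLSDisableHTTPRedirect repeats the TODO in tls.go and is better tracked in one issue than kept as disabled code.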