tls: Allow opening block without specifying cert+key args

2024-12-23 22:27:38 -05:00 · 2016-01-03 16:44:30 -07:00 · 2016-01-03 16:44:30 -07:00 · bb80f99190
commit bb80f99190
parent 946ff5e87b
2 changed files with 42 additions and 11 deletions
--- a/caddy/setup/tls.go
+++ b/caddy/setup/tls.go
@ -11,12 +11,12 @@ import (

 // TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
 func TLS(c *Controller) (middleware.Middleware, error) {
-	if c.Port == "http" {
+	if c.Scheme == "http" {
 		c.TLS.Enabled = false
 		log.Printf("[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
-			"specify port 80 explicitly (https://%s:80).", c.Port, c.Host, c.Host)
+			"specify port 80 explicitly (https://%s:80).", c.Scheme, c.Address(), c.Host)
 	} else {
-		c.TLS.Enabled = true // they had a tls directive, so assume it's on unless we confirm otherwise later
+		c.TLS.Enabled = true // assume this for now
 	}

 	for c.Next() {
@ -37,13 +37,11 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 			// served on the HTTPS port; that is what user would expect, and
 			// makes it consistent with how the letsencrypt package works.
 			if c.Port == "" {
-				c.Port = "https"
+				c.Port = "443"
 			}
-		default:
-			return nil, c.ArgErr()
 		}

-		// Optional block
+		// Optional block with extra parameters
 		for c.NextBlock() {
 			switch c.Val() {
 			case "protocols":
@ -74,6 +72,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
 				if len(c.TLS.ClientCerts) == 0 {
 					return nil, c.ArgErr()
 				}
+			// TODO: Allow this? It's a bad idea to allow HTTP. If we do this, make sure invoking tls at all (even manually) also sets up a redirect if possible?
+			// case "allow_http":
+			// 	c.TLS.DisableHTTPRedir = true
 			default:
 				return nil, c.Errf("Unknown keyword '%s'", c.Val())
 			}
--- a/caddy/setup/tls_test.go
+++ b/caddy/setup/tls_test.go
@ -66,11 +66,12 @@ func TestTLSParseBasic(t *testing.T) {
 }

 func TestTLSParseIncompleteParams(t *testing.T) {
+	// This doesn't do anything useful but is allowed in case the user wants to be explicit
+	// about TLS being enabled...
 	c := NewTestController(`tls`)
-
 	_, err := TLS(c)
-	if err == nil {
-		t.Errorf("Expected errors (first check), but no error returned")
+	if err != nil {
+		t.Errorf("Expected no error, but got %v", err)
 	}
 }

@ -95,10 +96,39 @@ func TestTLSParseWithOptionalParams(t *testing.T) {
 	}

 	if len(c.TLS.Ciphers)-1 != 3 {
-		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers))
+		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers)-1)
 	}
 }

+func TestTLSDefaultWithOptionalParams(t *testing.T) {
+	params := `tls {
+            ciphers RSA-3DES-EDE-CBC-SHA
+        }`
+	c := NewTestController(params)
+
+	_, err := TLS(c)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+	if len(c.TLS.Ciphers)-1 != 1 {
+		t.Errorf("Expected 1 ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers)-1)
+	}
+}
+
+// TODO: If we allow this... but probably not a good idea.
+// func TestTLSDisableHTTPRedirect(t *testing.T) {
+// 	c := NewTestController(`tls {
+// 	    allow_http
+// 	}`)
+// 	_, err := TLS(c)
+// 	if err != nil {
+// 		t.Errorf("Expected no error, but got %v", err)
+// 	}
+// 	if !c.TLS.DisableHTTPRedir {
+// 		t.Error("Expected HTTP redirect to be disabled, but it wasn't")
+// 	}
+// }
+
 func TestTLSParseWithWrongOptionalParams(t *testing.T) {
 	// Test protocols wrong params
 	params := `tls cert.crt cert.key {