mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-16 21:56:40 -05:00
caddyhttp: Clean up; move some code around
This commit is contained in:
parent
f596fd77bb
commit
e42514ad4a
2 changed files with 436 additions and 409 deletions
433
modules/caddyhttp/app.go
Normal file
433
modules/caddyhttp/app.go
Normal file
|
@ -0,0 +1,433 @@
|
|||
// Copyright 2015 Matthew Holt and The Caddy Authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package caddyhttp
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/modules/caddytls"
|
||||
"github.com/lucas-clemente/quic-go/http3"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func init() {
|
||||
err := caddy.RegisterModule(App{})
|
||||
if err != nil {
|
||||
caddy.Log().Fatal(err.Error())
|
||||
}
|
||||
}
|
||||
|
||||
// App is a robust, production-ready HTTP server.
|
||||
//
|
||||
// HTTPS is enabled by default if host matchers with qualifying names are used
|
||||
// in any of routes; certificates are automatically provisioned and renewed.
|
||||
// Additionally, automatic HTTPS will also enable HTTPS for servers that listen
|
||||
// only on the HTTPS port but which do not have any TLS connection policies
|
||||
// defined by adding a good, default TLS connection policy.
|
||||
//
|
||||
// In HTTP routes, additional placeholders are available (replace any `*`):
|
||||
//
|
||||
// Placeholder | Description
|
||||
// ------------|---------------
|
||||
// `{http.request.cookie.*}` | HTTP request cookie
|
||||
// `{http.request.header.*}` | Specific request header field
|
||||
// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. for foo.example.com: 0=com, 1=example, 2=foo
|
||||
// `{http.request.host}` | The host part of the request's Host header
|
||||
// `{http.request.hostport}` | The host and port from the request's Host header
|
||||
// `{http.request.method}` | The request method
|
||||
// `{http.request.orig_method}` | The request's original method
|
||||
// `{http.request.orig_uri.path.dir}` | The request's original directory
|
||||
// `{http.request.orig_uri.path.file}` | The request's original filename
|
||||
// `{http.request.orig_uri.path}` | The request's original path
|
||||
// `{http.request.orig_uri.query}` | The request's original query string (without `?`)
|
||||
// `{http.request.orig_uri}` | The request's original URI
|
||||
// `{http.request.port}` | The port part of the request's Host header
|
||||
// `{http.request.proto}` | The protocol of the request
|
||||
// `{http.request.remote.host}` | The host part of the remote client's address
|
||||
// `{http.request.remote.port}` | The port part of the remote client's address
|
||||
// `{http.request.remote}` | The address of the remote client
|
||||
// `{http.request.scheme}` | The request scheme
|
||||
// `{http.request.tls.version}` | The TLS version name
|
||||
// `{http.request.tls.cipher_suite}` | The TLS cipher suite
|
||||
// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection
|
||||
// `{http.request.tls.proto}` | The negotiated next protocol
|
||||
// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
|
||||
// `{http.request.tls.server_name}` | The server name requested by the client, if any
|
||||
// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
|
||||
// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate
|
||||
// `{http.request.tls.client.serial}` | The serial number of the client certificate
|
||||
// `{http.request.tls.client.subject}` | The subject DN of the client certificate
|
||||
// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left)
|
||||
// `{http.request.uri.path.dir}` | The directory, excluding leaf filename
|
||||
// `{http.request.uri.path.file}` | The filename of the path, excluding directory
|
||||
// `{http.request.uri.path}` | The path component of the request URI
|
||||
// `{http.request.uri.query.*}` | Individual query string value
|
||||
// `{http.request.uri.query}` | The query string (without `?`)
|
||||
// `{http.request.uri}` | The full request URI
|
||||
// `{http.response.header.*}` | Specific response header field
|
||||
// `{http.vars.*}` | Custom variables in the HTTP handler chain
|
||||
type App struct {
|
||||
// HTTPPort specifies the port to use for HTTP (as opposed to HTTPS),
|
||||
// which is used when setting up HTTP->HTTPS redirects or ACME HTTP
|
||||
// challenge solvers. Default: 80.
|
||||
HTTPPort int `json:"http_port,omitempty"`
|
||||
|
||||
// HTTPSPort specifies the port to use for HTTPS, which is used when
|
||||
// solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed
|
||||
// but no specific port number is given. Default: 443.
|
||||
HTTPSPort int `json:"https_port,omitempty"`
|
||||
|
||||
// GracePeriod is how long to wait for active connections when shutting
|
||||
// down the server. Once the grace period is over, connections will
|
||||
// be forcefully closed.
|
||||
GracePeriod caddy.Duration `json:"grace_period,omitempty"`
|
||||
|
||||
// Servers is the list of servers, keyed by arbitrary names chosen
|
||||
// at your discretion for your own convenience; the keys do not
|
||||
// affect functionality.
|
||||
Servers map[string]*Server `json:"servers,omitempty"`
|
||||
|
||||
servers []*http.Server
|
||||
h3servers []*http3.Server
|
||||
h3listeners []net.PacketConn
|
||||
|
||||
ctx caddy.Context
|
||||
logger *zap.Logger
|
||||
tlsApp *caddytls.TLS
|
||||
|
||||
// used temporarily between phases 1 and 2 of auto HTTPS
|
||||
allCertDomains []string
|
||||
}
|
||||
|
||||
// CaddyModule returns the Caddy module information.
|
||||
func (App) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "http",
|
||||
New: func() caddy.Module { return new(App) },
|
||||
}
|
||||
}
|
||||
|
||||
// Provision sets up the app.
|
||||
func (app *App) Provision(ctx caddy.Context) error {
|
||||
// store some references
|
||||
tlsAppIface, err := ctx.App("tls")
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting tls app: %v", err)
|
||||
}
|
||||
app.tlsApp = tlsAppIface.(*caddytls.TLS)
|
||||
app.ctx = ctx
|
||||
app.logger = ctx.Logger(app)
|
||||
|
||||
repl := caddy.NewReplacer()
|
||||
|
||||
// this provisions the matchers for each route,
|
||||
// and prepares auto HTTP->HTTPS redirects, and
|
||||
// is required before we provision each server
|
||||
err = app.automaticHTTPSPhase1(ctx, repl)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// prepare each server
|
||||
for srvName, srv := range app.Servers {
|
||||
srv.tlsApp = app.tlsApp
|
||||
srv.logger = app.logger.Named("log")
|
||||
srv.errorLogger = app.logger.Named("log.error")
|
||||
|
||||
// only enable access logs if configured
|
||||
if srv.Logs != nil {
|
||||
srv.accessLogger = app.logger.Named("log.access")
|
||||
}
|
||||
|
||||
// if not explicitly configured by the user, disallow TLS
|
||||
// client auth bypass (domain fronting) which could
|
||||
// otherwise be exploited by sending an unprotected SNI
|
||||
// value during a TLS handshake, then putting a protected
|
||||
// domain in the Host header after establishing connection;
|
||||
// this is a safe default, but we allow users to override
|
||||
// it for example in the case of running a proxy where
|
||||
// domain fronting is desired and access is not restricted
|
||||
// based on hostname
|
||||
if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
|
||||
app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
|
||||
zap.String("server_name", srvName),
|
||||
)
|
||||
trueBool := true
|
||||
srv.StrictSNIHost = &trueBool
|
||||
}
|
||||
|
||||
// process each listener address
|
||||
for i := range srv.Listen {
|
||||
lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s, listener %d: %v",
|
||||
srvName, i, err)
|
||||
}
|
||||
srv.Listen[i] = lnOut
|
||||
}
|
||||
|
||||
// set up each listener modifier
|
||||
if srv.ListenerWrappersRaw != nil {
|
||||
vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw")
|
||||
if err != nil {
|
||||
return fmt.Errorf("loading listener wrapper modules: %v", err)
|
||||
}
|
||||
var hasTLSPlaceholder bool
|
||||
for i, val := range vals.([]interface{}) {
|
||||
if _, ok := val.(*tlsPlaceholderWrapper); ok {
|
||||
if i == 0 {
|
||||
// putting the tls placeholder wrapper first is nonsensical because
|
||||
// that is the default, implicit setting: without it, all wrappers
|
||||
// will go after the TLS listener anyway
|
||||
return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default")
|
||||
}
|
||||
if hasTLSPlaceholder {
|
||||
return fmt.Errorf("TLS listener wrapper can only be specified once")
|
||||
}
|
||||
hasTLSPlaceholder = true
|
||||
}
|
||||
srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper))
|
||||
}
|
||||
// if any wrappers were configured but the TLS placeholder wrapper is
|
||||
// absent, prepend it so all defined wrappers come after the TLS
|
||||
// handshake; this simplifies logic when starting the server, since we
|
||||
// can simply assume the TLS placeholder will always be there
|
||||
if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 {
|
||||
srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...)
|
||||
}
|
||||
}
|
||||
|
||||
// pre-compile the primary handler chain, and be sure to wrap it in our
|
||||
// route handler so that important security checks are done, etc.
|
||||
primaryRoute := emptyHandler
|
||||
if srv.Routes != nil {
|
||||
err := srv.Routes.ProvisionHandlers(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err)
|
||||
}
|
||||
primaryRoute = srv.Routes.Compile(emptyHandler)
|
||||
}
|
||||
srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute)
|
||||
|
||||
// pre-compile the error handler chain
|
||||
if srv.Errors != nil {
|
||||
err := srv.Errors.Routes.Provision(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err)
|
||||
}
|
||||
srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler)
|
||||
}
|
||||
|
||||
// prepare the TLS connection policies
|
||||
err = srv.TLSConnPolicies.Provision(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Validate ensures the app's configuration is valid.
|
||||
func (app *App) Validate() error {
|
||||
// each server must use distinct listener addresses
|
||||
lnAddrs := make(map[string]string)
|
||||
for srvName, srv := range app.Servers {
|
||||
for _, addr := range srv.Listen {
|
||||
listenAddr, err := caddy.ParseNetworkAddress(addr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid listener address '%s': %v", addr, err)
|
||||
}
|
||||
// check that every address in the port range is unique to this server;
|
||||
// we do not use <= here because PortRangeSize() adds 1 to EndPort for us
|
||||
for i := uint(0); i < listenAddr.PortRangeSize(); i++ {
|
||||
addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i)))
|
||||
if sn, ok := lnAddrs[addr]; ok {
|
||||
return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn)
|
||||
}
|
||||
lnAddrs[addr] = srvName
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Start runs the app. It finishes automatic HTTPS if enabled,
|
||||
// including management of certificates.
|
||||
func (app *App) Start() error {
|
||||
for srvName, srv := range app.Servers {
|
||||
s := &http.Server{
|
||||
ReadTimeout: time.Duration(srv.ReadTimeout),
|
||||
ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout),
|
||||
WriteTimeout: time.Duration(srv.WriteTimeout),
|
||||
IdleTimeout: time.Duration(srv.IdleTimeout),
|
||||
MaxHeaderBytes: srv.MaxHeaderBytes,
|
||||
Handler: srv,
|
||||
}
|
||||
|
||||
for _, lnAddr := range srv.Listen {
|
||||
listenAddr, err := caddy.ParseNetworkAddress(lnAddr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err)
|
||||
}
|
||||
for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ {
|
||||
// create the listener for this socket
|
||||
hostport := listenAddr.JoinHostPort(portOffset)
|
||||
ln, err := caddy.Listen(listenAddr.Network, hostport)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err)
|
||||
}
|
||||
|
||||
// wrap listener before TLS (up to the TLS placeholder wrapper)
|
||||
var lnWrapperIdx int
|
||||
for i, lnWrapper := range srv.listenerWrappers {
|
||||
if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok {
|
||||
lnWrapperIdx = i + 1 // mark the next wrapper's spot
|
||||
break
|
||||
}
|
||||
ln = lnWrapper.WrapListener(ln)
|
||||
}
|
||||
|
||||
// enable TLS if there is a policy and if this is not the HTTP port
|
||||
useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort()
|
||||
if useTLS {
|
||||
// create TLS listener
|
||||
tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx)
|
||||
ln = tls.NewListener(ln, tlsCfg)
|
||||
|
||||
/////////
|
||||
// TODO: HTTP/3 support is experimental for now
|
||||
if srv.ExperimentalHTTP3 {
|
||||
app.logger.Info("enabling experimental HTTP/3 listener",
|
||||
zap.String("addr", hostport),
|
||||
)
|
||||
h3ln, err := caddy.ListenPacket("udp", hostport)
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting HTTP/3 UDP listener: %v", err)
|
||||
}
|
||||
h3srv := &http3.Server{
|
||||
Server: &http.Server{
|
||||
Addr: hostport,
|
||||
Handler: srv,
|
||||
TLSConfig: tlsCfg,
|
||||
},
|
||||
}
|
||||
go h3srv.Serve(h3ln)
|
||||
app.h3servers = append(app.h3servers, h3srv)
|
||||
app.h3listeners = append(app.h3listeners, h3ln)
|
||||
srv.h3server = h3srv
|
||||
}
|
||||
/////////
|
||||
}
|
||||
|
||||
// finish wrapping listener where we left off before TLS
|
||||
for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
|
||||
ln = srv.listenerWrappers[i].WrapListener(ln)
|
||||
}
|
||||
|
||||
app.logger.Debug("starting server loop",
|
||||
zap.String("address", lnAddr),
|
||||
zap.Bool("http3", srv.ExperimentalHTTP3),
|
||||
zap.Bool("tls", useTLS),
|
||||
)
|
||||
|
||||
go s.Serve(ln)
|
||||
app.servers = append(app.servers, s)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// finish automatic HTTPS by finally beginning
|
||||
// certificate management
|
||||
err := app.automaticHTTPSPhase2()
|
||||
if err != nil {
|
||||
return fmt.Errorf("finalizing automatic HTTPS: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Stop gracefully shuts down the HTTP server.
|
||||
func (app *App) Stop() error {
|
||||
ctx := context.Background()
|
||||
if app.GracePeriod > 0 {
|
||||
var cancel context.CancelFunc
|
||||
ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod))
|
||||
defer cancel()
|
||||
}
|
||||
for _, s := range app.servers {
|
||||
err := s.Shutdown(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// close the http3 servers; it's unclear whether the bug reported in
|
||||
// https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566
|
||||
// was ever truly fixed, since it seemed racey/nondeterministic; but
|
||||
// recent tests in 2020 were unable to replicate the issue again after
|
||||
// repeated attempts (the bug manifested after a config reload; i.e.
|
||||
// reusing a http3 server or listener was problematic), but it seems
|
||||
// to be working fine now
|
||||
for _, s := range app.h3servers {
|
||||
// TODO: CloseGracefully, once implemented upstream
|
||||
// (see https://github.com/lucas-clemente/quic-go/issues/2103)
|
||||
err := s.Close()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// closing an http3.Server does not close their underlying listeners
|
||||
// since apparently the listener can be used both by servers and
|
||||
// clients at the same time; so we need to manually call Close()
|
||||
// on the underlying h3 listeners (see lucas-clemente/quic-go#2103)
|
||||
for _, pc := range app.h3listeners {
|
||||
err := pc.Close()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (app *App) httpPort() int {
|
||||
if app.HTTPPort == 0 {
|
||||
return DefaultHTTPPort
|
||||
}
|
||||
return app.HTTPPort
|
||||
}
|
||||
|
||||
func (app *App) httpsPort() int {
|
||||
if app.HTTPSPort == 0 {
|
||||
return DefaultHTTPSPort
|
||||
}
|
||||
return app.HTTPSPort
|
||||
}
|
||||
|
||||
// Interface guards
|
||||
var (
|
||||
_ caddy.App = (*App)(nil)
|
||||
_ caddy.Provisioner = (*App)(nil)
|
||||
_ caddy.Validator = (*App)(nil)
|
||||
)
|
|
@ -16,10 +16,7 @@ package caddyhttp
|
|||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
weakrand "math/rand"
|
||||
"net"
|
||||
|
@ -28,412 +25,15 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
"github.com/caddyserver/caddy/v2/modules/caddytls"
|
||||
"github.com/lucas-clemente/quic-go/http3"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func init() {
|
||||
weakrand.Seed(time.Now().UnixNano())
|
||||
|
||||
err := caddy.RegisterModule(App{})
|
||||
err := caddy.RegisterModule(tlsPlaceholderWrapper{})
|
||||
if err != nil {
|
||||
caddy.Log().Fatal(err.Error())
|
||||
}
|
||||
|
||||
err = caddy.RegisterModule(tlsPlaceholderWrapper{})
|
||||
if err != nil {
|
||||
caddy.Log().Fatal(err.Error())
|
||||
}
|
||||
}
|
||||
|
||||
// App is a robust, production-ready HTTP server.
|
||||
//
|
||||
// HTTPS is enabled by default if host matchers with qualifying names are used
|
||||
// in any of routes; certificates are automatically provisioned and renewed.
|
||||
// Additionally, automatic HTTPS will also enable HTTPS for servers that listen
|
||||
// only on the HTTPS port but which do not have any TLS connection policies
|
||||
// defined by adding a good, default TLS connection policy.
|
||||
//
|
||||
// In HTTP routes, additional placeholders are available (replace any `*`):
|
||||
//
|
||||
// Placeholder | Description
|
||||
// ------------|---------------
|
||||
// `{http.request.cookie.*}` | HTTP request cookie
|
||||
// `{http.request.header.*}` | Specific request header field
|
||||
// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. for foo.example.com: 0=com, 1=example, 2=foo
|
||||
// `{http.request.host}` | The host part of the request's Host header
|
||||
// `{http.request.hostport}` | The host and port from the request's Host header
|
||||
// `{http.request.method}` | The request method
|
||||
// `{http.request.orig_method}` | The request's original method
|
||||
// `{http.request.orig_uri.path.dir}` | The request's original directory
|
||||
// `{http.request.orig_uri.path.file}` | The request's original filename
|
||||
// `{http.request.orig_uri.path}` | The request's original path
|
||||
// `{http.request.orig_uri.query}` | The request's original query string (without `?`)
|
||||
// `{http.request.orig_uri}` | The request's original URI
|
||||
// `{http.request.port}` | The port part of the request's Host header
|
||||
// `{http.request.proto}` | The protocol of the request
|
||||
// `{http.request.remote.host}` | The host part of the remote client's address
|
||||
// `{http.request.remote.port}` | The port part of the remote client's address
|
||||
// `{http.request.remote}` | The address of the remote client
|
||||
// `{http.request.scheme}` | The request scheme
|
||||
// `{http.request.tls.version}` | The TLS version name
|
||||
// `{http.request.tls.cipher_suite}` | The TLS cipher suite
|
||||
// `{http.request.tls.resumed}` | The TLS connection resumed a previous connection
|
||||
// `{http.request.tls.proto}` | The negotiated next protocol
|
||||
// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
|
||||
// `{http.request.tls.server_name}` | The server name requested by the client, if any
|
||||
// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
|
||||
// `{http.request.tls.client.issuer}` | The issuer DN of the client certificate
|
||||
// `{http.request.tls.client.serial}` | The serial number of the client certificate
|
||||
// `{http.request.tls.client.subject}` | The subject DN of the client certificate
|
||||
// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left)
|
||||
// `{http.request.uri.path.dir}` | The directory, excluding leaf filename
|
||||
// `{http.request.uri.path.file}` | The filename of the path, excluding directory
|
||||
// `{http.request.uri.path}` | The path component of the request URI
|
||||
// `{http.request.uri.query.*}` | Individual query string value
|
||||
// `{http.request.uri.query}` | The query string (without `?`)
|
||||
// `{http.request.uri}` | The full request URI
|
||||
// `{http.response.header.*}` | Specific response header field
|
||||
// `{http.vars.*}` | Custom variables in the HTTP handler chain
|
||||
type App struct {
|
||||
// HTTPPort specifies the port to use for HTTP (as opposed to HTTPS),
|
||||
// which is used when setting up HTTP->HTTPS redirects or ACME HTTP
|
||||
// challenge solvers. Default: 80.
|
||||
HTTPPort int `json:"http_port,omitempty"`
|
||||
|
||||
// HTTPSPort specifies the port to use for HTTPS, which is used when
|
||||
// solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed
|
||||
// but no specific port number is given. Default: 443.
|
||||
HTTPSPort int `json:"https_port,omitempty"`
|
||||
|
||||
// GracePeriod is how long to wait for active connections when shutting
|
||||
// down the server. Once the grace period is over, connections will
|
||||
// be forcefully closed.
|
||||
GracePeriod caddy.Duration `json:"grace_period,omitempty"`
|
||||
|
||||
// Servers is the list of servers, keyed by arbitrary names chosen
|
||||
// at your discretion for your own convenience; the keys do not
|
||||
// affect functionality.
|
||||
Servers map[string]*Server `json:"servers,omitempty"`
|
||||
|
||||
servers []*http.Server
|
||||
h3servers []*http3.Server
|
||||
h3listeners []net.PacketConn
|
||||
|
||||
ctx caddy.Context
|
||||
logger *zap.Logger
|
||||
tlsApp *caddytls.TLS
|
||||
|
||||
// used temporarily between phases 1 and 2 of auto HTTPS
|
||||
allCertDomains []string
|
||||
}
|
||||
|
||||
// CaddyModule returns the Caddy module information.
|
||||
func (App) CaddyModule() caddy.ModuleInfo {
|
||||
return caddy.ModuleInfo{
|
||||
ID: "http",
|
||||
New: func() caddy.Module { return new(App) },
|
||||
}
|
||||
}
|
||||
|
||||
// Provision sets up the app.
|
||||
func (app *App) Provision(ctx caddy.Context) error {
|
||||
// store some references
|
||||
tlsAppIface, err := ctx.App("tls")
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting tls app: %v", err)
|
||||
}
|
||||
app.tlsApp = tlsAppIface.(*caddytls.TLS)
|
||||
app.ctx = ctx
|
||||
app.logger = ctx.Logger(app)
|
||||
|
||||
repl := caddy.NewReplacer()
|
||||
|
||||
// this provisions the matchers for each route,
|
||||
// and prepares auto HTTP->HTTPS redirects, and
|
||||
// is required before we provision each server
|
||||
err = app.automaticHTTPSPhase1(ctx, repl)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// prepare each server
|
||||
for srvName, srv := range app.Servers {
|
||||
srv.tlsApp = app.tlsApp
|
||||
srv.logger = app.logger.Named("log")
|
||||
srv.errorLogger = app.logger.Named("log.error")
|
||||
|
||||
// only enable access logs if configured
|
||||
if srv.Logs != nil {
|
||||
srv.accessLogger = app.logger.Named("log.access")
|
||||
}
|
||||
|
||||
// if not explicitly configured by the user, disallow TLS
|
||||
// client auth bypass (domain fronting) which could
|
||||
// otherwise be exploited by sending an unprotected SNI
|
||||
// value during a TLS handshake, then putting a protected
|
||||
// domain in the Host header after establishing connection;
|
||||
// this is a safe default, but we allow users to override
|
||||
// it for example in the case of running a proxy where
|
||||
// domain fronting is desired and access is not restricted
|
||||
// based on hostname
|
||||
if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
|
||||
app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
|
||||
zap.String("server_name", srvName),
|
||||
)
|
||||
trueBool := true
|
||||
srv.StrictSNIHost = &trueBool
|
||||
}
|
||||
|
||||
// process each listener address
|
||||
for i := range srv.Listen {
|
||||
lnOut, err := repl.ReplaceOrErr(srv.Listen[i], true, true)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s, listener %d: %v",
|
||||
srvName, i, err)
|
||||
}
|
||||
srv.Listen[i] = lnOut
|
||||
}
|
||||
|
||||
// set up each listener modifier
|
||||
if srv.ListenerWrappersRaw != nil {
|
||||
vals, err := ctx.LoadModule(srv, "ListenerWrappersRaw")
|
||||
if err != nil {
|
||||
return fmt.Errorf("loading listener wrapper modules: %v", err)
|
||||
}
|
||||
var hasTLSPlaceholder bool
|
||||
for i, val := range vals.([]interface{}) {
|
||||
if _, ok := val.(*tlsPlaceholderWrapper); ok {
|
||||
if i == 0 {
|
||||
// putting the tls placeholder wrapper first is nonsensical because
|
||||
// that is the default, implicit setting: without it, all wrappers
|
||||
// will go after the TLS listener anyway
|
||||
return fmt.Errorf("it is unnecessary to specify the TLS listener wrapper in the first position because that is the default")
|
||||
}
|
||||
if hasTLSPlaceholder {
|
||||
return fmt.Errorf("TLS listener wrapper can only be specified once")
|
||||
}
|
||||
hasTLSPlaceholder = true
|
||||
}
|
||||
srv.listenerWrappers = append(srv.listenerWrappers, val.(caddy.ListenerWrapper))
|
||||
}
|
||||
// if any wrappers were configured but the TLS placeholder wrapper is
|
||||
// absent, prepend it so all defined wrappers come after the TLS
|
||||
// handshake; this simplifies logic when starting the server, since we
|
||||
// can simply assume the TLS placeholder will always be there
|
||||
if !hasTLSPlaceholder && len(srv.listenerWrappers) > 0 {
|
||||
srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...)
|
||||
}
|
||||
}
|
||||
|
||||
// pre-compile the primary handler chain, and be sure to wrap it in our
|
||||
// route handler so that important security checks are done, etc.
|
||||
primaryRoute := emptyHandler
|
||||
if srv.Routes != nil {
|
||||
err := srv.Routes.ProvisionHandlers(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s: setting up route handlers: %v", srvName, err)
|
||||
}
|
||||
primaryRoute = srv.Routes.Compile(emptyHandler)
|
||||
}
|
||||
srv.primaryHandlerChain = srv.wrapPrimaryRoute(primaryRoute)
|
||||
|
||||
// pre-compile the error handler chain
|
||||
if srv.Errors != nil {
|
||||
err := srv.Errors.Routes.Provision(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s: setting up server error handling routes: %v", srvName, err)
|
||||
}
|
||||
srv.errorHandlerChain = srv.Errors.Routes.Compile(errorEmptyHandler)
|
||||
}
|
||||
|
||||
// prepare the TLS connection policies
|
||||
err = srv.TLSConnPolicies.Provision(ctx)
|
||||
if err != nil {
|
||||
return fmt.Errorf("server %s: setting up TLS connection policies: %v", srvName, err)
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Validate ensures the app's configuration is valid.
|
||||
func (app *App) Validate() error {
|
||||
// each server must use distinct listener addresses
|
||||
lnAddrs := make(map[string]string)
|
||||
for srvName, srv := range app.Servers {
|
||||
for _, addr := range srv.Listen {
|
||||
listenAddr, err := caddy.ParseNetworkAddress(addr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("invalid listener address '%s': %v", addr, err)
|
||||
}
|
||||
// check that every address in the port range is unique to this server;
|
||||
// we do not use <= here because PortRangeSize() adds 1 to EndPort for us
|
||||
for i := uint(0); i < listenAddr.PortRangeSize(); i++ {
|
||||
addr := caddy.JoinNetworkAddress(listenAddr.Network, listenAddr.Host, strconv.Itoa(int(listenAddr.StartPort+i)))
|
||||
if sn, ok := lnAddrs[addr]; ok {
|
||||
return fmt.Errorf("server %s: listener address repeated: %s (already claimed by server '%s')", srvName, addr, sn)
|
||||
}
|
||||
lnAddrs[addr] = srvName
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Start runs the app. It finishes automatic HTTPS if enabled,
|
||||
// including management of certificates.
|
||||
func (app *App) Start() error {
|
||||
for srvName, srv := range app.Servers {
|
||||
s := &http.Server{
|
||||
ReadTimeout: time.Duration(srv.ReadTimeout),
|
||||
ReadHeaderTimeout: time.Duration(srv.ReadHeaderTimeout),
|
||||
WriteTimeout: time.Duration(srv.WriteTimeout),
|
||||
IdleTimeout: time.Duration(srv.IdleTimeout),
|
||||
MaxHeaderBytes: srv.MaxHeaderBytes,
|
||||
Handler: srv,
|
||||
}
|
||||
|
||||
for _, lnAddr := range srv.Listen {
|
||||
listenAddr, err := caddy.ParseNetworkAddress(lnAddr)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s: parsing listen address '%s': %v", srvName, lnAddr, err)
|
||||
}
|
||||
for portOffset := uint(0); portOffset < listenAddr.PortRangeSize(); portOffset++ {
|
||||
// create the listener for this socket
|
||||
hostport := listenAddr.JoinHostPort(portOffset)
|
||||
ln, err := caddy.Listen(listenAddr.Network, hostport)
|
||||
if err != nil {
|
||||
return fmt.Errorf("%s: listening on %s: %v", listenAddr.Network, hostport, err)
|
||||
}
|
||||
|
||||
// wrap listener before TLS (up to the TLS placeholder wrapper)
|
||||
var lnWrapperIdx int
|
||||
for i, lnWrapper := range srv.listenerWrappers {
|
||||
if _, ok := lnWrapper.(*tlsPlaceholderWrapper); ok {
|
||||
lnWrapperIdx = i + 1 // mark the next wrapper's spot
|
||||
break
|
||||
}
|
||||
ln = lnWrapper.WrapListener(ln)
|
||||
}
|
||||
|
||||
// enable TLS if there is a policy and if this is not the HTTP port
|
||||
useTLS := len(srv.TLSConnPolicies) > 0 && int(listenAddr.StartPort+portOffset) != app.httpPort()
|
||||
if useTLS {
|
||||
// create TLS listener
|
||||
tlsCfg := srv.TLSConnPolicies.TLSConfig(app.ctx)
|
||||
ln = tls.NewListener(ln, tlsCfg)
|
||||
|
||||
/////////
|
||||
// TODO: HTTP/3 support is experimental for now
|
||||
if srv.ExperimentalHTTP3 {
|
||||
app.logger.Info("enabling experimental HTTP/3 listener",
|
||||
zap.String("addr", hostport),
|
||||
)
|
||||
h3ln, err := caddy.ListenPacket("udp", hostport)
|
||||
if err != nil {
|
||||
return fmt.Errorf("getting HTTP/3 UDP listener: %v", err)
|
||||
}
|
||||
h3srv := &http3.Server{
|
||||
Server: &http.Server{
|
||||
Addr: hostport,
|
||||
Handler: srv,
|
||||
TLSConfig: tlsCfg,
|
||||
},
|
||||
}
|
||||
go h3srv.Serve(h3ln)
|
||||
app.h3servers = append(app.h3servers, h3srv)
|
||||
app.h3listeners = append(app.h3listeners, h3ln)
|
||||
srv.h3server = h3srv
|
||||
}
|
||||
/////////
|
||||
}
|
||||
|
||||
// finish wrapping listener where we left off before TLS
|
||||
for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
|
||||
ln = srv.listenerWrappers[i].WrapListener(ln)
|
||||
}
|
||||
|
||||
app.logger.Debug("starting server loop",
|
||||
zap.String("address", lnAddr),
|
||||
zap.Bool("http3", srv.ExperimentalHTTP3),
|
||||
zap.Bool("tls", useTLS),
|
||||
)
|
||||
|
||||
go s.Serve(ln)
|
||||
app.servers = append(app.servers, s)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// finish automatic HTTPS by finally beginning
|
||||
// certificate management
|
||||
err := app.automaticHTTPSPhase2()
|
||||
if err != nil {
|
||||
return fmt.Errorf("finalizing automatic HTTPS: %v", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// Stop gracefully shuts down the HTTP server.
|
||||
func (app *App) Stop() error {
|
||||
ctx := context.Background()
|
||||
if app.GracePeriod > 0 {
|
||||
var cancel context.CancelFunc
|
||||
ctx, cancel = context.WithTimeout(ctx, time.Duration(app.GracePeriod))
|
||||
defer cancel()
|
||||
}
|
||||
for _, s := range app.servers {
|
||||
err := s.Shutdown(ctx)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// close the http3 servers; it's unclear whether the bug reported in
|
||||
// https://github.com/caddyserver/caddy/pull/2727#issuecomment-526856566
|
||||
// was ever truly fixed, since it seemed racey/nondeterministic; but
|
||||
// recent tests in 2020 were unable to replicate the issue again after
|
||||
// repeated attempts (the bug manifested after a config reload; i.e.
|
||||
// reusing a http3 server or listener was problematic), but it seems
|
||||
// to be working fine now
|
||||
for _, s := range app.h3servers {
|
||||
// TODO: CloseGracefully, once implemented upstream
|
||||
// (see https://github.com/lucas-clemente/quic-go/issues/2103)
|
||||
err := s.Close()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// closing an http3.Server does not close their underlying listeners
|
||||
// since apparently the listener can be used both by servers and
|
||||
// clients at the same time; so we need to manually call Close()
|
||||
// on the underlying h3 listeners (see lucas-clemente/quic-go#2103)
|
||||
for _, pc := range app.h3listeners {
|
||||
err := pc.Close()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (app *App) httpPort() int {
|
||||
if app.HTTPPort == 0 {
|
||||
return DefaultHTTPPort
|
||||
}
|
||||
return app.HTTPPort
|
||||
}
|
||||
|
||||
func (app *App) httpsPort() int {
|
||||
if app.HTTPSPort == 0 {
|
||||
return DefaultHTTPSPort
|
||||
}
|
||||
return app.HTTPSPort
|
||||
}
|
||||
|
||||
// RequestMatcher is a type that can match to a request.
|
||||
|
@ -618,11 +218,5 @@ const (
|
|||
DefaultHTTPSPort = 443
|
||||
)
|
||||
|
||||
// Interface guards
|
||||
var (
|
||||
_ caddy.App = (*App)(nil)
|
||||
_ caddy.Provisioner = (*App)(nil)
|
||||
_ caddy.Validator = (*App)(nil)
|
||||
|
||||
_ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil)
|
||||
)
|
||||
// Interface guard
|
||||
var _ caddy.ListenerWrapper = (*tlsPlaceholderWrapper)(nil)
|
||||
|
|
Loading…
Reference in a new issue