Improve security warnings

2024-12-16 21:56:40 -05:00 · 2021-02-16 13:31:53 -07:00 · 2021-02-16 13:31:53 -07:00 · fbd00e4b53
commit fbd00e4b53
parent bafb562991
2 changed files with 14 additions and 3 deletions
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@ -176,8 +176,8 @@ func (app *App) Provision(ctx caddy.Context) error {
 		// domain fronting is desired and access is not restricted
 		// based on hostname
 		if srv.StrictSNIHost == nil && srv.hasTLSClientAuth() {
-			app.logger.Info("enabling strict SNI-Host matching because TLS client auth is configured",
-				zap.String("server_name", srvName),
+			app.logger.Warn("enabling strict SNI-Host enforcement because TLS client auth is configured",
+				zap.String("server_id", srvName),
 			)
 			trueBool := true
 			srv.StrictSNIHost = &trueBool
@ -283,7 +283,6 @@ func (app *App) Validate() error {
 			}
 		}
 	}
-
 	return nil
 }

--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@ -236,6 +236,18 @@ func (t *TLS) Validate() error {

 // Start activates the TLS module.
 func (t *TLS) Start() error {
+	// warn if on-demand TLS is enabled but no restrictions are in place
+	if t.Automation.OnDemand == nil ||
+		(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
+		for _, ap := range t.Automation.Policies {
+			if ap.OnDemand {
+				t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
+					zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
+				break
+			}
+		}
+	}
+
 	// now that we are running, and all manual certificates have
 	// been loaded, time to load the automated/managed certificates
 	err := t.Manage(t.automateNames)