0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
Commit graph

19 commits

Author SHA1 Message Date
W-Mark Kubacki
69c2d78f69 Support configuring less restrictive TLS client auth requirements
Caddyfile parameter "clients" of "tls" henceforth accepts a special
first modifier. It is one of, and effects:

 * request         = tls.RequestClientCert
 * require         = tls.RequireAnyClientCert
 * verify_if_given = tls.VerifyClientCertIfGiven
 * (none)          = tls.RequireAndVerifyClientCert

The use-case for this is as follows: A middleware would serve items to the
public, but if a certificate were given the middleware would permit file
manipulation.

And, in a different plugin such as a forum or blog, not verifying a client
cert would be nice for registration: said blog would subsequently only
compare the SPKI of a client certificate.
2016-04-15 22:21:55 +02:00
Matthew Holt
1ef7f3c4b1 Remove path scoping for middleware slice
It was implemented for almost a year but we'll probably never use it, especially since we'll match more than the path in the future.
2016-02-17 18:11:03 -07:00
Matthew Holt
1cfd960f3c Bug fixes and other improvements to TLS functions
Now attempt to staple OCSP even for certs that don't have an existing staple (issue #605). "tls off" short-circuits tls setup function. Now we call getEmail() when setting up an acme.Client that does renewals, rather than making a new account with empty email address. Check certificate expiry every 12 hours, and OCSP every hour.
2016-02-15 23:39:04 -07:00
Matthew Holt
a11e14aca8 Fix HTTPS config for empty/no Caddyfile
This fixes a regression introduced in recent commits that enabled TLS on the default ":2015" config. This fix is possible because On-Demand TLS is no longer implicit; it must be explicitly enabled by the user by setting a maximum number of certificates to issue.
2016-02-12 13:04:24 -07:00
Matthew Holt
11103bd8d6 Major refactor of all HTTPS/TLS/ACME code
Biggest change is no longer using standard library's tls.Config.getCertificate function to get a certificate during TLS handshake. Implemented our own cache which can be changed dynamically at runtime, even during TLS handshakes. As such, restarts are no longer required after certificate renewals or OCSP updates.

We also allow loading multiple certificates and keys per host, even by specifying a directory (tls got a new 'load' command for that).

Renamed the letsencrypt package to https in a gradual effort to become more generic; and https is more fitting for what the package does now.

There are still some known bugs, e.g. reloading where a new certificate is required but port 80 isn't currently listening, will cause the challenge to fail. There's still plenty of cleanup to do and tests to write. It is especially confusing right now how we enable "on-demand" TLS during setup and keep track of that. But this change should basically work so far.
2016-02-11 00:06:05 -07:00
Matthew Holt
4593982065 letsencrypt: Major refactor of Activate(), fixes #474 and closes #397
Makes restarts cleaner and improves configuration usability related to the tls directive
2016-01-06 16:04:08 -07:00
Matthew Holt
946ff5e87b Parser separate scheme/port, refactor config loading
By separating scheme and port at the parser, we are able to set the port appropriately and also keep the semantics of the scheme being specified by the user later on. The parser also stores an address' original input. Also, the config refactor makes it possible to partially load a config - valuable for determining which ones will need Let's Encrypt integration turned on during a restart.
2016-01-03 16:41:29 -07:00
Matthew Holt
5cced604e4 startup: Only run commands at first startup
We had to hack some special support into the server and caddy packages for this. There are some middlewares which should only execute commands when the original parent process first starts up. For example, someone using the startup directive to start a backend service would not expect the command to be executed every time the config was reloaded or changed - only once when they first started the original caddy process.

This commit adds FirstStartup to the virtualhost config
2015-11-10 19:46:18 -07:00
xenolf
91465d8e6f Support for OCSP Stapling. Fixes #280 2015-10-24 04:36:54 +02:00
Matthew Holt
4e92c71259 LE flags, modified tis directive, moved LE stuff to own file 2015-10-16 11:38:56 -06:00
Matthew Holt
d8391d6fbd core: Handle address lookup and bind errors more gracefully (fixes #136 and #164)
Addresses which fail to resolve are handled more gracefully in the two most common cases: the hostname doesn't resolve or the port is unknown (like "http" on a system that doesn't support that port name). If the hostname doesn't resolve, the host is served on the listener at host 0.0.0.0. If the port is unknown, we attempt to rewrite it as a number manually and try again.
2015-06-23 22:01:37 -06:00
Matthew Holt
c78eb50eb8 tls: Client authentication 2015-06-01 23:22:11 -06:00
Guilherme Rezende
69939108e1 removed tls cache option 2015-05-25 14:42:09 -03:00
Matthew Holt
d6df615588 tls: Mainstream compatibility improvements, better security rating 2015-05-21 10:37:39 -06:00
Guilherme Rezende
823a7eac03 Added tls option block including: ciphers, protocols and cache options
Signed-off-by: Guilherme Rezende <guilhermebr@gmail.com>
2015-05-18 16:38:21 -03:00
Nimi Wariboko Jr
46f7930787 Rename bindaddr to just bind 2015-05-04 22:58:08 -07:00
Nimi Wariboko Jr
d3aedbeb9a core: add bindaddr directive, allowing you to specify what address to listen on 2015-05-04 21:38:49 -07:00
Matthew Holt
2dbd14b6dc Consistent app name/version info; pipe config data through stdin 2015-05-04 16:23:16 -06:00
Matthew Holt
6029973bdc Major refactoring of middleware and parser in progress 2015-05-04 11:04:37 -06:00