0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
Commit graph

2102 commits

Author SHA1 Message Date
Matt Holt
986d4ffe3d
Merge pull request #2015 from mholt/cert-cache
tls: Restructure and improve certificate management
2018-02-16 12:46:27 -07:00
Matthew Holt
a03eba6fbc
tls: In HTTP->HTTPS redirects, preserve redir port in some circumstances
Only strip the port from the Location URL value if the port is NOT the
HTTPSPort (before, we compared against DefaultHTTPSPort instead of
HTTPSPort). The HTTPSPort can be changed, but is done so for port
forwarding, since in reality you can't 'change' the standard HTTPS port,
you can only forward it.
2018-02-16 12:36:28 -07:00
Matthew Holt
8db80c4a88
tls: Fix HTTP->HTTPS redirects and HTTP challenge when using custom port 2018-02-16 12:05:34 -07:00
Toby Allen
4704a56a17
Merge branch 'master' into cert-cache 2018-02-15 20:17:46 +00:00
Matthew Holt
896dc6bc69
tls: Try empty name if no matches for getting config during handshake
See discussion on #2015; the initial change had removed this check, and
I can't remember why I removed it or if it was accidental. Anyway, it's
back now.
2018-02-15 08:48:05 -07:00
Jason Daly
6f4cf7eec7 readme: Update minimum version to build from source (#2024)
Re: #2009, 1.9 or newer is needed because of the introduction of `sync.Map`
2018-02-15 08:05:58 -07:00
Matthew Holt
be96cc0e65
httpserver: Raise error when adjusted site addresses clash at startup
See discussion on #2015 for how this situation was discovered. For a
Caddyfile like this:

	localhost {
		...
	}
	:2015 {
		...
	}

Running Caddy like this:

	caddy -host localhost

Produces two sites both defined as `localhost:2015` because the flag
changes the default host value to be `localhost`. This should be an
error since the sites are not distinct and it is confusing. It can also
cause issues with TLS handshakes loading the wrong cert, as the linked
discussion shows.
2018-02-15 00:04:31 -07:00
Matthew Holt
ef585ed810
tls: Ensure parent dir exists before creating lock file 2018-02-14 13:32:16 -07:00
Matthew Holt
4b2e22289d
sigtrap: Ensure cleanup actions happen before too many things go wrong 2018-02-13 13:27:08 -07:00
Matthew Holt
f26447e2fb
Merge branch 'master' into cert-cache
# Conflicts:
#	sigtrap_posix.go
2018-02-13 13:25:29 -07:00
Matthew Holt
08028714b5
tls: Synchronize renewals between Caddy instances sharing file storage
Also introduce caddy.OnProcessExit which is a list of functions that
run before exiting the process cleanly; these do not count as shutdown
callbacks, so they do not return errors and must execute quickly.
2018-02-13 13:23:09 -07:00
Matthew Holt
2de4950015 Merge branch 'master' of ssh://github.com/mholt/caddy 2018-02-13 09:30:48 -07:00
Matthew Holt
d29640699e
readme: Update logo image 2018-02-13 09:30:26 -07:00
Etienne Bruines
6a9aea04b1 fastcig: GET requests send along the body (#1975)
Fixes #1961

According to RFC 7231 and RFC 7230, there's
no reason a GET-Request can't have a body
(other than it possibly not being supported
by existing software). It's use is simply not
defined, and is left to the application.
2018-02-11 14:45:45 -07:00
Matthew Holt
592d199315
staticfiles: Prevent path-based open redirects
Not a huge issue, but has security implications if OAuth tokens leaked
2018-02-11 13:30:01 -07:00
Matthew Holt
fc2ff9155c
tls: Restructure and improve certificate management
- Expose the list of Caddy instances through caddy.Instances()

- Added arbitrary storage to caddy.Instance

- The cache of loaded certificates is no longer global; now scoped
  per-instance, meaning upon reload (like SIGUSR1) the old cert cache
  will be discarded entirely, whereas before, aggressively reloading
  config that added and removed lots of sites would cause unnecessary
  build-up in the cache over time.

- Key certificates in the cache by their SHA-256 hash instead of
  by their names. This means certificates will not be duplicated in
  memory (within each instance), making Caddy much more memory-efficient
  for large-scale deployments with thousands of sites sharing certs.

- Perform name-to-certificate lookups scoped per caddytls.Config instead
  of a single global lookup. This prevents certificates from stepping on
  each other when they overlap in their names.

- Do not allow TLS configurations keyed by the same hostname to be
  different; this now throws an error.

- Updated relevant tests, with a stark awareness that more tests are
  needed.

- Change the NewContext function signature to include an *Instance.

- Strongly recommend (basically require) use of caddytls.NewConfig()
  to create a new *caddytls.Config, to ensure pointers to the instance
  certificate cache are initialized properly.

- Update the TLS-SNI challenge solver (even though TLS-SNI is disabled
  currently on the CA side). Store temporary challenge cert in instance
  cache, but do so directly by the ACME challenge name, not the hash.
  Modified the getCertificate function to check the cache directly for
  a name match if one isn't found otherwise. This will allow any
  caddytls.Config to be able to help solve a TLS-SNI challenge, with one
  extra side-effect that might actually be kind of interesting (and
  useless): clients could send a certificate's hash as the SNI and
  Caddy would be able to serve that certificate for the handshake.

- Do not attempt to match a "default" (random) certificate when SNI
  is present but unrecognized; return no certificate so a TLS alert
  happens instead.

- Store an Instance in the list of instances even while the instance
  is still starting up (this allows access to the cert cache for
  performing renewals at startup, etc). Will be removed from list again
  if instance startup fails.

- Laid groundwork for ACMEv2 and Let's Encrypt wildcard support.

Server type plugins will need to be updated slightly to accommodate
minor adjustments to their API (like passing in an Instance). This
commit includes the changes for the HTTP server.

Certain Caddyfile configurations might error out with this change, if
they configured different TLS settings for the same hostname.

This change trades some complexity for other complexity, but ultimately
this new complexity is more correct and robust than earlier logic.

Fixes #1991
Fixes #1994
Fixes #1303
2018-02-04 00:58:27 -07:00
Toby Allen
a50f3a4cfe gitignore: Ignore .bat files (#2013) 2018-02-03 14:48:02 -07:00
magikstm
fd3fafa50c Disable PrivateDevices in systemd as it doesn't work for some devices (#1990) 2018-02-03 11:13:23 -07:00
Phillipp Engelke
e20779e405 Update README.md (#2004)
Adding the bash command for downloading the caddy.service file from the reposetory. Because it was easy to forget where you find it.
2018-02-02 23:53:40 -07:00
Tw
fc6d62286e make eventHooks thread safe (Go 1.9) (#2009)
Signed-off-by: Tw <tw19881113@gmail.com>
2018-02-02 23:52:53 -07:00
Matthew Holt
e2997ac974
request_id: Allow reusing ID from header (closes #2012) 2018-02-02 19:59:28 -07:00
Michael Schubert
50ab4fe11e caddy.service: fix typo, s/retrict/restrict/ (#2008) 2018-01-30 07:19:02 -07:00
Matthew Holt
106d62b067
sigtrap: Fix log messages, and ignore SIGHUP (#1993) 2018-01-26 22:24:11 -07:00
Miek Gieben
a76222f607 sigtrap: allow graceful shutdown for SIGTERM on posix (#1995)
* shutdown: allow graceful shutdown for SIGTERM on posix

The signal is already trapped; make it do the same thing as SIGQUIT to
be more inline with Unix/Linux shutdown expectations.

Fixes #1993

* Implement comment feedback ideas
2018-01-16 15:55:33 -07:00
Whitestrake
e9515425e0 use import to handle globbed values for -conf flag (#1973) 2018-01-16 11:37:49 -07:00
Heri Sim
c80c34ef45 proxy: Turn on KeepAlive in QuicConfig of RoundTripper (#1943)
* Turn on KeepAlive in QuicConfig of RoundTripper

* Update reverseproxy.go
2018-01-15 21:00:59 -07:00
Tw
1ba5512015 ResponseBuffer: add missing header writing (#1997)
Signed-off-by: Tw <tw19881113@gmail.com>
2018-01-15 18:32:19 -07:00
Tw
55a564df6d template: add extension filter test and simplify test code (#1996)
Signed-off-by: Tw <tw19881113@gmail.com>
2018-01-15 18:27:55 -07:00
Andreas Ulm
8a326d4dc1 implemented sourcing of default file for sysvinit (#1984)
* implemented source of default file for sysvinit

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>

* added documentation in README

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>

* fixed sourcing command for sh

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>

* implemented source of default file for sysvinit

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>

* added documentation in README

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>

* fixed sourcing command for sh

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>

* implemented DAEMONOPTS overwrite

Signed-off-by: root360-AndreasUlm <andreas.ulm@root360.de>
2018-01-15 18:22:53 -07:00
magikstm
d35719daed browse: Correct 'modified' date alignment (#1954)
* Correct browse modified date alignment

* New solution to adjust alignment
2018-01-15 18:18:25 -07:00
detaoin
c296d7e7e0 caddymain: fix setCPU silently ignoring small percent values (#1969)
* caddymain: fix setCPU silently ignoring small percent values

the percent value is resolved in a GOMAXPROCS relative number by simple
division, thus rounding down the non-integer quotient. If zero, the call
to runtime.GOMAXPROCS is silently ignored.

We decide here to exceptionally round up the CPU cap in case of percent
values that are too small.

* caddymain: gofmt -s
2018-01-15 18:17:27 -07:00
Sean Lane
fc1509eed4 Update README.md (change to ownership command) (#1970)
* Update README.md

I believe the owner and group of the `chown` command here are mixed up. As it was caused a permissions issue, with the service being unable to read the directory.

* Update README.md

* Update README.md

Revert changes back to the original suggested changes
2018-01-15 18:15:17 -07:00
Toby Allen
9619fe224c
add basicauth {user} to replacer (#1979) 2018-01-07 14:44:49 +00:00
Toby Allen
c0efec52d9
Allow Masking of IP address in Logfile. (#1930)
* First working mask

* IP Mask working with defaults and empty

* add tests for ipmask

* Store Mask as setup, some tidying, cleaner flow

* Prevent mask from running when directive not present

* use custom replacement to store masked ip
2017-12-23 10:52:11 +00:00
magikstm
a74320bf4c Add {user} placeholder to CommonLogFormat (#1953) 2017-12-17 09:13:41 +00:00
Craig Peterson
1125a236ea
Merge pull request #1921 from mholt/macros
Caddyfile snippets
2017-11-13 12:56:48 -05:00
Craig Peterson
8658e189e1
Merge branch 'master' into macros 2017-11-13 12:45:23 -05:00
Aaron Taylor
9a22cda15d httpserver: give each req context a Replacer that preserves custom values (#1937)
This allows custom replacements to be defined in a way that propagates
throughout all plugins.
2017-11-07 10:10:03 -07:00
insomniac
169ab3acda Check for nil listener before printing address (#1946)
* Checking that a server listener is not nil before printing verbose information

* Improved readability of a loop
2017-11-07 10:08:54 -07:00
Mohammad Gufran
5f39cbef94 caddytls: Extract locker into an interface (#1942) 2017-11-06 09:43:41 -07:00
Mohammad Gufran
63fd264043 proxy: Add SRV support for proxy upstream (#1915)
* Simplify parseUpstream function

* Add SRV support for proxy upstream
2017-11-05 23:01:10 -07:00
Toby Allen
345b312e00
Merge branch 'master' into macros 2017-11-05 21:03:44 +00:00
Tw
5cca9cc18e markdown: only update template when file changed (#1909)
Signed-off-by: Tw <tw19881113@gmail.com>
2017-11-04 17:36:59 +00:00
Toby Allen
9ebc11d775
Merge branch 'master' into macros 2017-11-04 11:10:27 +00:00
Kevin Stock
689591ef01 tls: Add option for backend to approve on-demand cert (#1939)
This adds the ask sub-directive to tls that defines the URL of a backend HTTP service to be queried during the TLS handshake to determine if an on-demand TLS certificate should be acquired for incoming hostnames. When the ask sub-directive is defined, Caddy will query the URL for permission to acquire a cert by making a HTTP GET request to the URL including the requested domain in the query string. If the backend service returns a 2xx response Caddy will acquire a cert. Any other response code (including 3xx redirects) are be considered a rejection and the certificate will not be acquired.
2017-11-03 23:01:30 -06:00
Sayem Chowdhury
2782553231 readme: Update build instructions (#1916)
* Update build instruction

This changes add proper an easy instruction for building.

* Update README.md
2017-11-02 06:11:18 -06:00
Craig Peterson
4ec5522a33 Merge branch 'macros' of github.com:mholt/caddy into macros 2017-10-31 23:56:35 -04:00
Craig Peterson
ad2956fd1d snippets now 2017-10-31 23:56:24 -04:00
frk
34a34c565d FreeBSD init: Remove unnecessary daemon -u option (#1924)
The rc.subr framework already takes care of substituting user. So, using
daemon's -u option is double user-substitution and fails if $caddy_user
is non-root.
2017-10-31 10:31:09 -06:00
Arthur Silva
74d4fd3c29 improve error checking (#1938) 2017-10-31 10:19:51 -06:00