0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
Commit graph

423 commits

Author SHA1 Message Date
Matthew Holt
61679b74f5 Merge branch 'remove-ntlm' 2020-04-07 11:41:49 -06:00
Matthew Holt
2c1b663156
reverseproxy: Remove NTLM transport; refactor and improve docs 2020-04-07 11:39:14 -06:00
Matthew Holt
8b2dbc52ec
core: Rename ParsedAddress -> NetworkAddress 2020-04-07 08:33:45 -06:00
Matthew Holt
657f0cab17
docs: Clarify "not" matcher structure (see #3233) 2020-04-06 18:44:12 -06:00
Francis Lavoie
7be747fbe9
caddyhttp: Add missing LB policy Caddyfile unmarshalers (#3230) 2020-04-06 13:08:42 -06:00
Francis Lavoie
5b355cbed0
caddyhttp: Strictly forbid unnecessary blocks on matchers (#3229) 2020-04-06 13:07:07 -06:00
Francis Lavoie
a3cfe437b1
caddyhttp: Support single-line not matcher (#3228)
* caddyhttp: Support single-line not matcher shortcut

* caddyhttp: Some tests, I guess
2020-04-06 13:05:49 -06:00
Matthew Holt
437d5095a6
templates: Use text/template; add experimental notice to docs
Using html/template.HTML like we were doing before caused nested include
to be HTML-escaped, which breaks sites. Now we do not escape any of the
output; template input is usually trusted, and if it's not, users should
employ escaping actions within their templates to keep it safe. The docs
already said this.
2020-04-06 12:51:53 -06:00
Matthew Holt
1e8af27329
fastcgi: Account for lack of split path configuration (fix #3221) 2020-04-03 10:25:25 -06:00
Matthew Holt
d322de6b42
gzip: Use klauspost/gzip, an optimized gzip implementation 2020-04-01 14:09:57 -06:00
Matthew Holt
ce3ca541d8
caddytls: Update cipher suite names and curve names
Now using IANA-compliant names and Go 1.14's CipherSuites() function so
we don't have to maintain our own mapping of currently-secure cipher
suites.
2020-04-01 14:09:29 -06:00
Matthew Holt
581f1defcb
caddyhttp: Print actual listener address in log message (closes #2992)
Needed if port is 0, thus chosen by OS
2020-04-01 12:23:07 -06:00
Matthew Holt
0d2a3511dc caddyhttp: Update host matcher docs about wildcards 2020-04-01 11:41:04 -06:00
Matt Holt
73643ea736
caddyhttp: 'not' matcher now accepts multiple matcher sets and OR's them (#3208)
See https://caddy.community/t/v2-matcher-or-in-not/7355/
2020-04-01 10:58:29 -06:00
Matthew Holt
809e72792c
rewrite: Fix for rewrites with URI placeholders (#3209)
If a placeholder in the path component injects a query string such as
the {http.request.uri} placeholder is wont to do, we need to separate it
out from the path.
2020-04-01 00:43:40 -06:00
Matthew Holt
ac65f690ae
caddyhttp: Rename MatchNegate type to MatchNot type
This is more congruent with its module name. A change that affects only
code, not configurations.
2020-03-30 11:53:19 -06:00
Matthew Holt
37aa516a6e
headers: Trim any trailing colon from field names as a courtesy 2020-03-30 11:52:11 -06:00
Matthew Holt
105acfa086
Keep type information with placeholders until replacements happen 2020-03-30 11:49:53 -06:00
Matthew Holt
178ba024fe
httpcaddyfile: Put root directive first, before redir and rewrite
See https://caddy.community/t/v2-match-any-path-but-files/7326/8?u=matt

If rewrites (or redirects, for that matter) match on file existence,
the file matcher would need to know the root of the site.

Making this change implies that root directives that depend on rewritten
URIs will not work as expected. However, I think this is very uncommon,
and am not sure I have ever seen that. Usually, dynamic roots are based
on host, not paths or query strings.

I suspect that rewrites based on file existence will be more common than
roots based on rewritten URIs, so I am moving root to be the first in
the list.

Users can always override this ordering with the 'order' global option.
2020-03-28 19:07:51 -06:00
Matthew Holt
e207240f9a
reverse_proxy: Upstream.String() method returns either LookupSRV or Dial
Either Dial or LookupSRV will be set, but if we rely on Dial always
being set, we could run into bugs.

Note: Health checks don't support SRV upstreams.
2020-03-27 14:29:01 -06:00
Robin Lambertz
397e04ebd9
caddyauth: Add Metadata field to caddyauth.User (#3174)
* caddyauth: Add Metadata field to caddyauth.User

* Apply gofmt

* Tidy it up a bit

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2020-03-27 11:10:51 -06:00
Matthew Holt
673d3d00f2
file_server: Fix dumb error check I must have written at 1am 2020-03-24 16:48:04 -06:00
Matthew Holt
2acb208e32
caddyhttp: Specify default access log for a server (fix #3185) 2020-03-24 13:21:18 -06:00
Matt Holt
e02117cb8a
reverse_proxy: Add support for SRV backends (#3180)
* reverse_proxy: Begin SRV lookup support (WIP)

* reverse_proxy: Finish adding support for SRV-based backends (#3179)
2020-03-24 10:53:53 -06:00
Matthew Holt
341d4fb805
Remove some non-essential plugins from this repo (#2780)
Brotli encoder, jsonc and json5 config adapters, and the unfinished
HTTP cache handler are removed.

They will be available in separate repos.
2020-03-24 10:37:47 -06:00
Matthew Holt
745cb0e9e6
fastcgi: Add debug log (#3178) 2020-03-24 08:34:15 -06:00
Matt Holt
2eede58b3a
fastcgi: Ensure root is always absolute (issue #3178) (#3182) 2020-03-23 21:12:54 -06:00
Matthew Holt
235357abc8
fastcgi: Fix PATH_INFO (issue #3178) 2020-03-23 18:29:16 -06:00
Matthew Holt
4c43bf8cc8
caddyhttp: Always provision ACME issuers (fix terms agree error) 2020-03-23 12:21:39 -06:00
Matthew Holt
f2ce81cc8b fastcgi: Support multiple path splitters (close #1564) 2020-03-22 07:48:34 -06:00
Matthew Holt
d692d503a3
tls/http: Fix auto-HTTPS logic w/rt default issuers (fixes #3164)
The comments in the code should explain the new logic thoroughly.
The basic problem for the issue was that we were overriding a catch-all
automation policy's explicitly-configured issuer with our own, for names
that we thought looked like public names. In other words, one could
configure an internal issuer for all names, but then our auto HTTPS
would create a new policy for public-looking names that uses the
default ACME issuer, because we assume public<==>ACME and
nonpublic<==>Internal, but that is not always the case. The new logic
still assumes nonpublic<==>Internal (on catch-all policies only), but
no longer assumes that public-looking names always use an ACME issuer.

Also fix a bug where HTTPPort and HTTPSPort from the HTTP app weren't
being carried through to ACME issuers properly. It required a bit of
refactoring.
2020-03-20 20:25:46 -06:00
Matthew Holt
903776238e
go.mod: Update some deps; add new Strings lib to CEL matcher 2020-03-20 08:53:40 -06:00
Paolo Barbolini
42a6628935
reverseproxy: Add Alt-Svc to Hop-by-hop headers list (#3159)
Adds `Alt-Svc` to the list of headers that get removed when proxying
to a backend.

This fixes the issue of having the contents of the Alt-Svc header
duplicated when proxying to another Caddy server.
2020-03-20 06:54:28 -06:00
Matt Holt
6a4d638c1e
caddyhttp: Implement CEL matcher (see #3051) (#3155)
* caddyhttp: Implement CEL matcher (see #3051)

CEL (Common Expression Language) is a very fast, flexible way to express
complex logic, useful for matching requests when the conditions are not
easy to express with JSON.

This matcher may be considered experimental even after the 2.0 release.

* Improve CEL module docs
2020-03-19 15:46:22 -06:00
Matt Holt
aa6c5fde07
httpcaddyfile: Unify strip_prefix, strip_suffix, uri_replace directives (#3157)
* rewrite: strip_prefix, strip_suffix, uri_replace -> uri (closes #3140)

* Add period, to satisfy @whitestrake :) and my own OCD

* Restore implied / prefix
2020-03-19 11:51:28 -06:00
Matthew Holt
406df22a16
templates: Enable Goldmark's footnote extension (closes #3136)
Also remove Table extension, since GFM (already enabled) apparently
enables strikethrough, table, linkify, and tasklist extensions.
https://github.com/yuin/goldmark#built-in-extensions
2020-03-18 23:38:37 -06:00
Matthew Holt
afb2ca27c1
caddyhttp: Minor improved Caddyfile support for some matchers
Simply allows the matcher to be specified multiple times in a set
which may be more convenient than one long line.
2020-03-18 23:36:25 -06:00
Matthew Holt
fc7340e11a
httpcaddyfile: Many tls-related improvements including on-demand support
Holy heck this was complicated
2020-03-17 21:00:45 -06:00
Matthew Holt
b62f8e0582
caddyhttp: Support path matcher of "*" without panic 2020-03-16 16:08:33 -06:00
Matthew Holt
e42514ad4a
caddyhttp: Clean up; move some code around 2020-03-15 21:28:42 -06:00
Matthew Holt
f596fd77bb
caddyhttp: Add support for listener wrapper modules
Wrapping listeners is useful for composing custom behavior related
to accepting, closing, reading/writing connections (etc) below the
application layer; for example, the PROXY protocol.
2020-03-15 21:26:17 -06:00
Matthew Holt
0433f9d075
caddytls: Clean up some code related to automation 2020-03-15 21:22:26 -06:00
Matthew Holt
8f8ecd2e2a
Add missing license texts 2020-03-15 21:18:00 -06:00
Matthew Holt
2ce3deb540
fileserver: Add --templates flag to file-server command 2020-03-14 23:31:52 -06:00
Matthew Holt
7a4548c582
Some hotfixes for beta 16 2020-03-13 19:14:49 -06:00
Matthew Holt
6cbd93736f
Minor tweaks 2020-03-13 13:04:10 -06:00
Matt Holt
5a19db5dc2
v2: Implement 'pki' app powered by Smallstep for localhost certificates (#3125)
* pki: Initial commit of PKI app (WIP) (see #2502 and #3021)

* pki: Ability to use root/intermediates, and sign with root

* pki: Fix benign misnamings left over from copy+paste

* pki: Only install root if not already trusted

* Make HTTPS port the default; all names use auto-HTTPS; bug fixes

* Fix build - what happened to our CI tests??

* Fix go.mod
2020-03-13 11:06:08 -06:00
Matt Holt
2762f8f058
caddyhttp: New algorithm for auto HTTP->HTTPS redirects (fix #3127) (#3128)
It's still not perfect but I think it should be more correct for
slightly more complex configs. Might still fall apart for complex
configs that use on-demand TLS or at a large scale (workarounds are
to just implement your own redirects, very easy to do anyway).
2020-03-09 15:18:19 -06:00
Mohammed Al Sahaf
fb5168d3b4
http_ntlm: fix panic due to unintialized embedded field (#3120) 2020-03-07 17:58:44 -07:00
Matthew Holt
217419f6d9
tls: Couple of quick fixes for 4d18587192 2020-03-07 11:47:55 -07:00
Matthew Holt
b216d285df
Merge branch 'certmagic-refactor' into v2 2020-03-06 23:26:13 -07:00
Matthew Holt
b8cba62643 Refactor for CertMagic v0.10; prepare for PKI app
This is a breaking change primarily in two areas:
 - Storage paths for certificates have changed
 - Slight changes to JSON config parameters

Huge improvements in this commit, to be detailed more in
the release notes.

The upcoming PKI app will be powered by Smallstep libraries.
2020-03-06 23:15:25 -07:00
Matthew Holt
c83d40ccd4
reverse_proxy, php_fastcgi: Fix upstream parsing regression (fix #3101) 2020-02-28 08:57:59 -07:00
Matthew Holt
e4ec08e977
Couple of minor docs tweaks 2020-02-27 21:08:21 -07:00
Matthew Holt
cef6e098bb Refactor ExtractMatcherSet() 2020-02-27 21:04:28 -07:00
Matthew Holt
260982b2df reverse_proxy: Allow use of URL to specify scheme
This makes it more convenient to configure quick proxies that use HTTPS
but also introduces a lot of logical complexity. We have to do a lot of
verification for consistency and errors.

Path and query string is not supported (i.e. no rewriting).

Scheme and port can be inferred from each other if HTTP(S)/80/443.
If omitted, defaults to HTTP.

Any explicit transport config must be consistent with the upstream
schemes, and the upstream schemes must all match too.

But, this change allows a config that used to require this:

    reverse_proxy example.com:443 {
        transport http {
            tls
        }
    }

to be reduced to this:

    reverse_proxy https://example.com

which is really nice syntactic sugar (and is reminiscent of Caddy 1).
2020-02-27 21:04:28 -07:00
Matthew Holt
0130b699df cmd/reverse_proxy: Add --change-host-header flag
"Transparent mode" is the default, just like the actual handler.
2020-02-27 21:04:28 -07:00
Success Go
ca5c679880
Fix typos (#3087)
* Fix typo

* Fix typo, thanks for Spell Checker under VS Code
2020-02-27 19:30:48 -07:00
Matthew Holt
e2d41ee761 Revert "reverse_proxy: Add 'transparent' Caddyfile subdirective (closes #2873)"
This reverts commit 86b785e51c.
2020-02-27 11:08:56 -07:00
Matthew Holt
86b785e51c
reverse_proxy: Add 'transparent' Caddyfile subdirective (closes #2873) 2020-02-27 10:20:13 -07:00
Success Go
f6ae092507
It might be HTTP->HTTPS in the comment (#3086) 2020-02-27 00:50:36 -05:00
Mark Sargent
2de0acc11f
Initial implementation of global default SNI option (#3047)
* add global default sni

* fixed grammar

* httpcaddyfile: Reduce some duplicated code

* Um, re-commit already-committed commit, I guess? (sigh)

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2020-02-26 16:01:47 -07:00
Cameron Moore
b0a491aec8
Expose TLS placeholders (#2982)
* caddytls: Add CipherSuiteName and ProtocolName functions

The cipher_suites.go file is derived from a commit to the Go master
branch that's slated for Go 1.14.  Once Go 1.14 is released, this file
can be removed.

* caddyhttp: Use commonLogEmptyValue in common_log replacer

* caddyhttp: Add TLS placeholders

* caddytls: update unsupportedProtocols

Don't export unsupportedProtocols and update its godoc to mention that
it's used for logging only.

* caddyhttp: simplify getRegTLSReplacement signature

getRegTLSReplacement should receive a string instead of a pointer.

* caddyhttp: Remove http.request.tls.client.cert replacer

The previous behavior of printing the raw certificate bytes was ported
from Caddy 1, but the usefulness of that approach is suspect.  Remove
the client cert replacer from v2 until a use case is presented.

* caddyhttp: Use tls.CipherSuiteName from Go 1.14

Remove ported version of CipherSuiteName in the process.
2020-02-25 19:22:50 -07:00
Matthew Holt
7cca291d62 reverse_proxy: Health checks: Don't cross the streams
Fixes https://caddy.community/t/v2-health-checks-are-going-to-the-wrong-upstream/7084?u=matt

... I think
2020-02-23 14:31:05 -07:00
Robin Lambertz
e3591009dc
caddyhttp: Add handler for unhandled errors in errorChain (#3063)
* Add handler for unhandled errors in errorChain

Currently, when an error chain is defined, the default error handler is
bypassed entirely - even if the error chain doesn't handle every error.
This results in pages returning a blank 200 OK page.

For instance, it's possible for an error chain to match on the error
status code and only handle a certain subtype of errors (like 403s). In
this case, we'd want any other errors to still go through the default
handler and return an empty page with the status code.

This PR changes the "suffix handler" passed to errorChain.Compile to
set the status code of the response to the error status code.

Fixes #3053

* Move the errorHandlerChain middleware to variable

* Style fix
2020-02-20 15:00:30 -07:00
Gilbert Gilb's
30c14084ab
caddyhttp: Fixes for header and header_regexp directives (#3061)
* Fix crash when specifying "*" to header directive.

Fixes #3060

* Look Host header in header and header_regexp.

Also, if more than one header is provided, header_regexp now looks for
extra headers values to reflect the behavior from header.

Fixes #3059

* Fix parsing of named header_regexp in Caddyfile.

See #3059
2020-02-20 10:55:47 -07:00
Matthew Holt
7f9cfcc0f2
http: Close HTTP/3 servers and listeners; upstream bug irreproducible
See https://github.com/lucas-clemente/quic-go/issues/2103
and https://github.com/caddyserver/caddy/pull/2727
2020-02-18 10:39:34 -07:00
Robin Lambertz
57c6f22684
basicauth: default hash to bcrypt (#3050)
The documentation specifies that the hash algorithm defaults to bcrypt.
However, the implementation returns an error in provision if no hash is
provided.

Fix this inconsistency by *actually* defaulting to bcrypt.
2020-02-17 12:19:59 -07:00
Matthew Holt
f42b138fb1
tls: Avoid duplication AutomationPolicies for large quantities of names
This should greatly reduce memory usage at scale. Part of an overall
effort between Caddy 2 and CertMagic to optimize for large numbers of
names.
2020-02-14 11:14:52 -07:00
Matthew Holt
2cc5d2227d Minor tweaks to docs/comments 2020-02-14 11:01:09 -07:00
Matthew Holt
15bf9c196c caddyfile: Refactor; NewFromNextSegment(); fix repeated matchers
Now multiple instances of the same matcher can be used within a named
matcher without overwriting previous ones.
2020-02-14 11:01:09 -07:00
Jeremy Lin
98bbc54fdc
browse: allow filter init via filter query param (#3027)
This allows creating links that display only a subset of files in a directory.
2020-02-08 12:36:37 -07:00
Mohammed Al Sahaf
9bdd6caa0b v2: Implement RegExp Vars Matcher (#2997)
* implement regexp var matcher

* use subtests pattern for tests

* be more consistent with naming: MatchVarRE -> MatchVarsRE, var_regexp -> vars_regexp
2020-02-08 12:26:31 -07:00
Matthew Holt
8b28c36d48
Remove Starlark, for now
This is temporary as we prepare for a stable v2 release. We don't want
to make promises we don't know we can keep, and the Starlark integration
deserves much more focused attention which resources and funding do not
currently permit. When the project is financially stable, I will be able
to revisit this properly and add flexible, robust Starlark scripting
support to Caddy 2.
2020-02-06 18:46:52 -07:00
Matthew Holt
5c7ca7d96e
http: Split 2-phase auto-HTTPS into 3 phases
This is necessary to avoid a race for sockets. Both the HTTP servers and
CertMagic solvers will try to bind the HTTP/HTTPS ports, but we need to
make sure that our HTTP servers bind first. This is kind of a new thing
now that management is async in Caddy 2.

Also update to CertMagic 0.9.2, which fixes some async use cases at
scale.
2020-02-05 17:34:28 -07:00
Francis Lavoie
ec56c25708
caddyhttp: Fix orig_uri placeholder docs (#3002)
Fixes #3001
2020-02-04 15:49:38 -07:00
Matthew Holt
9639fe7d28
header: caddyfile: Defer header operations for deletions or manually
See https://caddy.community/t/caddy-server-that-returns-only-ip-address-as-text/6928/6?u=matt

In most cases, we will want to apply header operations immediately,
rather than waiting until the response is written. The exceptions are
generally going to be if we are deleting a header field or if a field is
to be overwritten. We now automatically defer header ops if deleting a
header field, and allow the user to manually enable deferred mode with
the defer subdirective.
2020-02-04 11:05:32 -07:00
Matthew Holt
c6bddbfbe2
http: Fix vars matcher 2020-01-22 09:43:42 -07:00
Matthew Holt
0742530d3d
rewrite: Prepend "/" if missing from strip path prefix
Paths always begin with a slash, and omitting the leading slash could be
convenient to avoid confusion with a path matcher in the Caddyfile. I do
not think there would be any harm to implicitly add the leading slash.
2020-01-22 09:36:05 -07:00
Matthew Holt
6b6cd934d0
reverseproxy: Fix casing of RootCAPEMFiles 2020-01-22 09:35:03 -07:00
Matthew Holt
5b878d5bd3
reverseproxy: Accept integer values for flush_interval (fix #2996) 2020-01-22 09:34:16 -07:00
Matthew Holt
2105d59936
httpcaddyfile: Rename 'headers' directive to 'header' 2020-01-22 09:33:53 -07:00
Matthew Holt
d810637a9f
httpcaddyfile: Update directive docs; put root after rewrite 2020-01-22 09:32:38 -07:00
Zaq? Wiedmann
07ef4b0c7d
Merge pull request #2980 from moorereason/bugfix-ciphersuite-logging
v2: http: Fix ciphersuite logging
2020-01-18 19:37:50 -08:00
Mohammed Al Sahaf
2bfaf8e896 reverse_proxy: CB docs; rename type -> factor (#2986)
* v2: add documentation for circuit breaker config and "random selection" load balancing policy

* v2: rename circuit breaker config inline key from `type` to `breaker` to avoid json key clash between the `circuit_breaker` type and the `type` field of the generic circuit breaker Config struct used by circuit breaking implementations

* v2: restore the circuit breaker inline key to `type` and rename the name circuit breaker config field from `Type` to `Factor`
2020-01-18 18:42:56 -07:00
Matthew Holt
793a405810
caddyhttp: Improve docs, and Caddyfile for respond directive 2020-01-17 10:57:57 -07:00
Matthew Holt
e51e56a494
httpcaddyfile: Fix nested blocks; add handle directive; refactor
The fix that was initially put forth in #2971 was good, but only for
up to one layer of nesting. The real problem was that we forgot to
increment nesting when already inside a block if we saw another open
curly brace that opens another block (dispenser.go L157-158).

The new 'handle' directive allows HTTP Caddyfiles to be designed more
like nginx location blocks if the user prefers. Inside a handle block,
directives are still ordered just like they are outside of them, but
handler blocks at a given level of nesting are mutually exclusive.

This work benefitted from some refactoring and cleanup.
2020-01-16 17:08:52 -07:00
Cameron Moore
35174a8ba8 http: Fix ciphersuite logging 2020-01-16 15:44:49 -06:00
Matthew Holt
2466ed1484
httpcaddyfile: Group try_files routes together (#2891)
This ensures that only the first matching route is used.
2020-01-16 11:29:20 -07:00
Matthew Holt
07ad4655db
rewrite: Make URI modifications more transactional (#2891)
Before, modifying the path might have affected how a new query string
was built if the query string relied on the path. Now, we build each
component in isolation and only change the URI on the request later.

Also, prevent trailing & in query string.
2020-01-15 11:44:21 -07:00
Matthew Holt
271b5af148
http: Refactor automatic HTTPS (fixes #2972)
This splits automatic HTTPS into two phases. The first provisions the
route matchers and uses them to build the domain set and configure
auto HTTP->HTTPS redirects. This happens before the rest of the
provisioning does.

The second phase takes place at the beginning of the app start. It
attaches pointers to the tls app to each server, and begins certificate
management for the domains that were found in the first phase.
2020-01-13 16:16:20 -07:00
Matthew Holt
64f0173948
http: Fix subroutes, ensure that next handlers can still be called 2020-01-12 13:39:32 -07:00
Matthew Holt
fe5a531c58
http: Fix empty responses
Sigh... this is what I get for writing code when I'm tired and sick.

See 8be1f0ea66 (r36764627)
2020-01-12 13:34:55 -07:00
Matthew Holt
25dea2903e
http: A little more polish on rewrite handler and try_files directive 2020-01-11 13:47:42 -07:00
Matthew Holt
d876de61e5
rewrite: Fix query string logic 2020-01-11 11:40:03 -07:00
Matthew Holt
8be1f0ea66
http: Ensure primary routes always get compiled (fix #2972)
Including servers for HTTP->HTTPS redirects which do not get provisioned
like the rest.
2020-01-11 00:33:47 -07:00
Matthew Holt
2eda21ec6d
http: Remove {...query_string} placeholder, in favor of {...query}
I am not sure if the query_string one is necessary or useful yet. We
can always add it later if needed.
2020-01-10 17:02:11 -07:00
Matthew Holt
d418e319ab
rewrite: Rename parameters; implement custom query string parser
Our new parser also preserves original parameter order, rather than
re-encoding using the std lib (which sorts).

The renamed parameters are a breaking change but they're new enough
that I don't think anyone is using them.
2020-01-10 17:00:57 -07:00
Matthew Holt
994b9033e9
http: Don't use a Host matcher for HTTP->HTTPS redirects
In case on-demand TLS is enabled, in that case we don't know the only
names that have automatic HTTPS.

See https://caddy.community/t/v2-http-to-https-redirects-fail-for-on-demand-ssl-certs/6742?u=matt
2020-01-09 14:39:49 -07:00
Matthew Holt
590480513a
Update docs for couple of Caddyfile directives 2020-01-09 14:38:59 -07:00
Matt Holt
7527c01705
v2: Implement Caddyfile enhancements (breaking changes) (#2960)
* http: path matcher: exact match by default; substring matches (#2959)

This is a breaking change.

* caddyfile: Change "matcher" directive to "@matcher" syntax (#2959)

* cmd: Assume caddyfile adapter for config files named Caddyfile

* Sub-sort handlers by path matcher length (#2959)

Caddyfile-generated subroutes have handlers, which are sorted first by
directive order (this is unchanged), but within directives we now sort
by specificity of path matcher in descending order (longest path first,
assuming that longest path is most specific).

This only applies if there is only one matcher set, and the path
matcher in that set has only one path in it. Path matchers with two or
more paths are not sorted like this; and routes with more than one
matcher set are not sorted like this either, since specificity is
difficult or impossible to infer correctly.

This is a special case, but definitely a very common one, as a lot of
routing decisions are based on paths.

* caddyfile: New 'route' directive for appearance-order handling (#2959)

* caddyfile: Make rewrite directives mutually exclusive (#2959)

This applies only to rewrites in the top-level subroute created by the
HTTP caddyfile.
2020-01-09 14:00:32 -07:00
Matt Holt
a5ebec0041
http: Change routes to sequential matcher evaluation (#2967)
Previously, all matchers in a route would be evaluated before any
handlers were executed, and a composite route of the matching routes
would be created. This made rewrites especially tricky, since the only
way to defer later matchers' evaluation was to wrap them in a subroute,
or to invoke a "rehandle" which often caused bugs.

Instead, this new sequential design evaluates each route's matchers then
its handlers in lock-step; matcher-handlers-matcher-handlers...

If the first matching route consists of a rewrite, then the second route
will be evaluated against the rewritten request, rather than the original
one, and so on.

This should do away with any need for rehandling.

I've also taken this opportunity to avoid adding new values to the
request context in the handler chain, as this creates a copy of the
Request struct, which may possibly lead to bugs like it has in the past
(see PR #1542, PR #1481, and maybe issue #2463). We now add all the
expected context values in the top-level handler at the server, then
any new values can be added to the variable table via the VarsCtxKey
context key, or just the GetVar/SetVar functions. In particular, we are
using this facility to convey dial information in the reverse proxy.

Had to be careful in one place as the middleware compilation logic has
changed, and moved a bit. We no longer compile a middleware chain per-
request; instead, we can compile it at provision-time, and defer only the
evaluation of matchers to request-time, which should slightly improve
performance. Doing this, however, we take advantage of multiple function
closures, and we also changed the use of HandlerFunc (function pointer)
to Handler (interface)... this led to a situation where, if we aren't
careful, allows one request routed a certain way to permanently change
the "next" handler for all/most other requests! We avoid this by making
a copy of the interface value (which is a lightweight pointer copy) and
using exclusively that within our wrapped handlers. This way, the
original stack frame is preserved in a "read-only" fashion. The comments
in the code describe this phenomenon.

This may very well be a breaking change for some configurations, however
I do not expect it to impact many people. I will make it clear in the
release notes that this change has occurred.
2020-01-09 10:00:13 -07:00
Matthew Holt
8bae8f5f5a
http: Always set status code via response recorder
Fixes panic if no upstream handler wrote anything to the response
2020-01-08 18:37:41 -07:00
Zaq? Wiedmann
21f1f95e7b reverse_proxy: Add tls_trusted_ca_certs to Caddyfile (#2936)
Allows specifying ca certs with by filename in
`reverse_proxy.transport`.

Example
```
reverse_proxy /api api:443 {
    transport http {
        tls
        tls_trusted_ca_certs certs/rootCA.pem
    }
}
```
2020-01-07 12:07:42 -07:00
Matthew Holt
78e98c40d3
basicauth: Accept placeholders; move base64 decoding to provision
See https://caddy.community/t/v2-basicauth-bug/6738?u=matt
2020-01-07 08:50:18 -07:00
Matthew Holt
5c99267dd8
A few miscellaneous, minor fixes 2020-01-06 08:10:20 -07:00
Mohammed Al Sahaf
dff78d82ce v2: housekeeping: address minor lint complaints (#2957)
* v2: housekeeping: update tools

* v2: housekeeping: adhere to US locale in spelling

* v2: housekeeping: simplify code
2020-01-03 11:33:22 -07:00
Matthew Holt
788462bd4c
file-server command: Use safer defaults; http: improve host matcher docs 2019-12-31 16:57:54 -07:00
Matthew Holt
fdabac51a8
Improve docs, especially w.r.t. placeholders and template actions 2019-12-29 13:16:34 -07:00
Matthew Holt
95d944613b
Export Replacer and use concrete type instead of interface
The interface was only making things difficult; a concrete pointer is
probably best.
2019-12-29 13:12:52 -07:00
Matthew Holt
2b33d9a5e5
http: Enable TLS for servers listening only on HTTPS port
It seems silly to have to add a single, empty TLS connection policy to
a server to enable TLS when it's only listening on the HTTPS port. We
now do this for the user as part of automatic HTTPS (thus, it can be
disabled / overridden).

See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
2019-12-28 23:56:08 -07:00
Matthew Holt
5c8b502964
fastcgi: Set SERVER_SOFTWARE, _NAME, and _PORT properly (fixes #2952) 2019-12-28 16:35:29 -07:00
Matthew Holt
82bebfab8a
templates: Change functions, add front matter support, better markdown 2019-12-23 12:56:41 -07:00
Matthew Holt
be3849c267
Remove markdown module 2019-12-23 12:55:52 -07:00
Matthew Holt
95ed603de7
Improve godocs all around
These will be used in the new automated documentation system
2019-12-23 12:45:35 -07:00
Matthew Holt
724c728678
rewrite: Attempt query string fix (#2891) 2019-12-17 16:30:26 -07:00
Matthew Holt
21408212da
http: query and query_string placeholders should use RawQuery, probably 2019-12-17 16:29:37 -07:00
Matthew Holt
dae4913fe3
http: Patch path matcher to ignore dots and spaces (#2917)
(Try saying "patch path match" ten times fast)
2019-12-17 10:14:04 -07:00
Matthew Holt
b1a456cfe3
rewrite: strip_prefix, strip_suffix, and uri_replace dirs (closes #2906) 2019-12-12 15:46:13 -07:00
Matthew Holt
5e9d81b507
try_files, rewrite: allow query string in try_files (fix #2891)
Also some minor cleanup/improvements discovered along the way
2019-12-12 15:27:09 -07:00
Matthew Holt
09a8517065
rewrite: query string enh.; substring replace; add tests (see #2891) 2019-12-12 14:32:35 -07:00
Matthew Holt
87b6cf470b
Minor improvements; comments and shorter placeholders & module IDs 2019-12-12 14:31:20 -07:00
Matt Holt
3c90e370a4
v2: Module documentation; refactor LoadModule(); new caddy struct tags (#2924)
This commit goes a long way toward making automated documentation of
Caddy config and Caddy modules possible. It's a broad, sweeping change,
but mostly internal. It allows us to automatically generate docs for all
Caddy modules (including future third-party ones) and make them viewable
on a web page; it also doubles as godoc comments.

As such, this commit makes significant progress in migrating the docs
from our temporary wiki page toward our new website which is still under
construction.

With this change, all host modules will use ctx.LoadModule() and pass in
both the struct pointer and the field name as a string. This allows the
reflect package to read the struct tag from that field so that it can
get the necessary information like the module namespace and the inline
key.

This has the nice side-effect of unifying the code and documentation. It
also simplifies module loading, and handles several variations on field
types for raw module fields (i.e. variations on json.RawMessage, such as
arrays and maps).

I also renamed ModuleInfo.Name -> ModuleInfo.ID, to make it clear that
the ID is the "full name" which includes both the module namespace and
the name. This clarity is helpful when describing module hierarchy.

As of this change, Caddy modules are no longer an experimental design.
I think the architecture is good enough to go forward.
2019-12-10 13:36:46 -07:00
Matthew Holt
b07f6958ac
Use "IsUnixNetwork" function instead of repeating the logic 2019-12-06 12:00:04 -07:00
lu4p
68adfdc559 Fix misspellings (#2908) 2019-12-04 16:28:13 -07:00
Matthew Holt
52ae5f70d2 Merge branch 'v2' of ssh://github.com/caddyserver/caddy into v2 2019-11-30 17:53:38 -07:00
Matthew Holt
44f23a67bb
http: Don't listen 1 port beyond port range 2019-11-30 17:53:25 -07:00
Mark Sargent
8b7d6a9ee8 v2: fixes query matcher parsing (#2901)
* fixes query matcher parsing

* return correct argument error when parsing query matcher
2019-11-29 13:05:22 -07:00
Matthew Holt
7c7ef8d40e
http: Shorten regexp matcher placeholders; allow "=/" for simple matcher 2019-11-29 11:23:49 -07:00
Matthew Holt
14d3fd7d03
http: path matcher supports exact matching with = prefix 2019-11-28 21:11:45 -07:00
Matthew Holt
512b004332
http: header matcher supports fast prefix and suffix matching (#2888) 2019-11-27 11:52:31 -07:00
Matthew Holt
db4293cb5f
reverse_proxy: Add flush_interval to caddyfile syntax (#1460)
Also add godoc for Caddyfile syntax for file_server
2019-11-27 11:51:32 -07:00
Matthew Holt
8de1a76227
reverse_proxy: Fix invalid argument to Intn in RandomChoice selection 2019-11-18 14:22:55 -07:00
Matthew Holt
9fe54e1c60
file_server: Use HTTPS port when a qualifying domain is specified
Also little comment cleanups
2019-11-16 10:44:45 -07:00
Matthew Holt
b43e986a52
file_server: Optional pass_thru mode
If enabled, will call the next handler in the chain instead of returning
a 404.
2019-11-15 17:32:13 -07:00
Matthew Holt
1228dd7d93
reverse_proxy: Allow buffering of client requests
This is a bad idea, but some backends apparently require it. See
discussion in #176.
2019-11-15 17:15:33 -07:00
Matthew Holt
af26a03da1
http: Only enable access logs if configured 2019-11-15 17:01:07 -07:00
Matthew Holt
8025ad9107
cmd: Disable admin endpoint for file-server and reverse-proxy commands
This makes it easier to use multiple instances on the same machine
2019-11-15 15:52:19 -07:00
Matthew Holt
0ca109db4a
Minor cleanups 2019-11-15 12:47:38 -07:00
Matthew Holt
0fc97211ab
http: Make path matcher case-insensitive
Adds tests for both the path matcher and host matcher for case
insensitivity.

If case sensitivity is required for the path, a regexp matcher can
be used instead.

This is the v2 equivalent fix of PR #2882.
2019-11-15 12:47:06 -07:00
Mohammed Al Sahaf
93bc1b72e3 core: Use port ranges to avoid OOM with bad inputs (#2859)
* fix OOM issue caught by fuzzing

* use ParsedAddress as the struct name for the result of ParseNetworkAddress

* simplify code using the ParsedAddress type

* minor cleanups
2019-11-11 15:33:38 -07:00
Matthew Holt
a19da07b72
http: Add response headers to access logs 2019-11-11 14:02:01 -07:00
Matthew Holt
16782d9988
http: Use permanent redirects for HTTP->HTTPS 2019-11-11 14:01:42 -07:00
Matthew Holt
95615f5377
reverse_proxy: Fix NTLM auth detection
D'oh. Got mixed up in a refactoring.
2019-11-06 00:16:16 -07:00
Matthew Holt
8e515289cb
reverse_proxy: Add support for NTLM 2019-11-05 16:29:10 -07:00
Matthew Holt
6e95477224
http: Eliminate allocation in cloneURL; add RemoteAddr to origRequest 2019-11-05 16:28:33 -07:00
Matthew Holt
97d918df3e
reverse_proxy: Make HTTP versions configurable, don't set NextProtos 2019-11-05 16:27:51 -07:00
Matthew Holt
f5c6a8553c
Prepare for beta 9 tag 2019-11-04 13:43:39 -07:00
Matthew Holt
bf363f061d
reverse_proxy: Add UnmarshalCaddyfile for random_choose selection policy
Also allow caddy.Duration to be given integer values which are treated
like regular time.Duration values (nanoseconds).

Fixes #2856
2019-11-04 12:54:46 -07:00
Matthew Holt
cb25dd72ab
reverse_proxy: Add port to upstream address if only implied in scheme 2019-11-04 12:18:42 -07:00