mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-16 21:56:40 -05:00
57c5b921a4
* caddytls: Make on-demand 'ask' permission modular This makes the 'ask' endpoint a module, which means that developers can write custom plugins for granting permission for on-demand certificates. Kicking myself that we didn't do it this way at the beginning, but who coulda known... * Lint * Error on conflicting config * Fix bad merge --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>
491 lines
12 KiB
Go
491 lines
12 KiB
Go
// Copyright 2015 Matthew Holt and The Caddy Authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package httpcaddyfile
|
|
|
|
import (
|
|
"strconv"
|
|
|
|
"github.com/caddyserver/certmagic"
|
|
"github.com/mholt/acmez/acme"
|
|
|
|
"github.com/caddyserver/caddy/v2"
|
|
"github.com/caddyserver/caddy/v2/caddyconfig"
|
|
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
|
|
"github.com/caddyserver/caddy/v2/modules/caddytls"
|
|
)
|
|
|
|
func init() {
|
|
RegisterGlobalOption("debug", parseOptTrue)
|
|
RegisterGlobalOption("http_port", parseOptHTTPPort)
|
|
RegisterGlobalOption("https_port", parseOptHTTPSPort)
|
|
RegisterGlobalOption("default_bind", parseOptStringList)
|
|
RegisterGlobalOption("grace_period", parseOptDuration)
|
|
RegisterGlobalOption("shutdown_delay", parseOptDuration)
|
|
RegisterGlobalOption("default_sni", parseOptSingleString)
|
|
RegisterGlobalOption("fallback_sni", parseOptSingleString)
|
|
RegisterGlobalOption("order", parseOptOrder)
|
|
RegisterGlobalOption("storage", parseOptStorage)
|
|
RegisterGlobalOption("storage_clean_interval", parseOptDuration)
|
|
RegisterGlobalOption("renew_interval", parseOptDuration)
|
|
RegisterGlobalOption("ocsp_interval", parseOptDuration)
|
|
RegisterGlobalOption("acme_ca", parseOptSingleString)
|
|
RegisterGlobalOption("acme_ca_root", parseOptSingleString)
|
|
RegisterGlobalOption("acme_dns", parseOptACMEDNS)
|
|
RegisterGlobalOption("acme_eab", parseOptACMEEAB)
|
|
RegisterGlobalOption("cert_issuer", parseOptCertIssuer)
|
|
RegisterGlobalOption("skip_install_trust", parseOptTrue)
|
|
RegisterGlobalOption("email", parseOptSingleString)
|
|
RegisterGlobalOption("admin", parseOptAdmin)
|
|
RegisterGlobalOption("on_demand_tls", parseOptOnDemand)
|
|
RegisterGlobalOption("local_certs", parseOptTrue)
|
|
RegisterGlobalOption("key_type", parseOptSingleString)
|
|
RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
|
|
RegisterGlobalOption("servers", parseServerOptions)
|
|
RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
|
|
RegisterGlobalOption("log", parseLogOptions)
|
|
RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
|
|
RegisterGlobalOption("persist_config", parseOptPersistConfig)
|
|
}
|
|
|
|
func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
|
|
|
|
func parseOptHTTPPort(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
var httpPort int
|
|
var httpPortStr string
|
|
if !d.AllArgs(&httpPortStr) {
|
|
return 0, d.ArgErr()
|
|
}
|
|
var err error
|
|
httpPort, err = strconv.Atoi(httpPortStr)
|
|
if err != nil {
|
|
return 0, d.Errf("converting port '%s' to integer value: %v", httpPortStr, err)
|
|
}
|
|
return httpPort, nil
|
|
}
|
|
|
|
func parseOptHTTPSPort(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
var httpsPort int
|
|
var httpsPortStr string
|
|
if !d.AllArgs(&httpsPortStr) {
|
|
return 0, d.ArgErr()
|
|
}
|
|
var err error
|
|
httpsPort, err = strconv.Atoi(httpsPortStr)
|
|
if err != nil {
|
|
return 0, d.Errf("converting port '%s' to integer value: %v", httpsPortStr, err)
|
|
}
|
|
return httpsPort, nil
|
|
}
|
|
|
|
func parseOptOrder(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
|
|
// get directive name
|
|
if !d.Next() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
dirName := d.Val()
|
|
if _, ok := registeredDirectives[dirName]; !ok {
|
|
return nil, d.Errf("%s is not a registered directive", dirName)
|
|
}
|
|
|
|
// get positional token
|
|
if !d.Next() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
pos := d.Val()
|
|
|
|
newOrder := directiveOrder
|
|
|
|
// if directive exists, first remove it
|
|
for i, d := range newOrder {
|
|
if d == dirName {
|
|
newOrder = append(newOrder[:i], newOrder[i+1:]...)
|
|
break
|
|
}
|
|
}
|
|
|
|
// act on the positional
|
|
switch pos {
|
|
case "first":
|
|
newOrder = append([]string{dirName}, newOrder...)
|
|
if d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
directiveOrder = newOrder
|
|
return newOrder, nil
|
|
case "last":
|
|
newOrder = append(newOrder, dirName)
|
|
if d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
directiveOrder = newOrder
|
|
return newOrder, nil
|
|
case "before":
|
|
case "after":
|
|
default:
|
|
return nil, d.Errf("unknown positional '%s'", pos)
|
|
}
|
|
|
|
// get name of other directive
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
otherDir := d.Val()
|
|
if d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
|
|
// insert directive into proper position
|
|
for i, d := range newOrder {
|
|
if d == otherDir {
|
|
if pos == "before" {
|
|
newOrder = append(newOrder[:i], append([]string{dirName}, newOrder[i:]...)...)
|
|
} else if pos == "after" {
|
|
newOrder = append(newOrder[:i+1], append([]string{dirName}, newOrder[i+1:]...)...)
|
|
}
|
|
break
|
|
}
|
|
}
|
|
|
|
directiveOrder = newOrder
|
|
|
|
return newOrder, nil
|
|
}
|
|
|
|
func parseOptStorage(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
if !d.Next() { // consume option name
|
|
return nil, d.ArgErr()
|
|
}
|
|
if !d.Next() { // get storage module name
|
|
return nil, d.ArgErr()
|
|
}
|
|
modID := "caddy.storage." + d.Val()
|
|
unm, err := caddyfile.UnmarshalModule(d, modID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
storage, ok := unm.(caddy.StorageConverter)
|
|
if !ok {
|
|
return nil, d.Errf("module %s is not a caddy.StorageConverter", modID)
|
|
}
|
|
return storage, nil
|
|
}
|
|
|
|
func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
if !d.Next() { // consume option name
|
|
return nil, d.ArgErr()
|
|
}
|
|
if !d.Next() { // get duration value
|
|
return nil, d.ArgErr()
|
|
}
|
|
dur, err := caddy.ParseDuration(d.Val())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return caddy.Duration(dur), nil
|
|
}
|
|
|
|
func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
if !d.Next() { // consume option name
|
|
return nil, d.ArgErr()
|
|
}
|
|
if !d.Next() { // get DNS module name
|
|
return nil, d.ArgErr()
|
|
}
|
|
modID := "dns.providers." + d.Val()
|
|
unm, err := caddyfile.UnmarshalModule(d, modID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
prov, ok := unm.(certmagic.ACMEDNSProvider)
|
|
if !ok {
|
|
return nil, d.Errf("module %s (%T) is not a certmagic.ACMEDNSProvider", modID, unm)
|
|
}
|
|
return prov, nil
|
|
}
|
|
|
|
func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
eab := new(acme.EAB)
|
|
d.Next() // consume option name
|
|
if d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
for d.NextBlock(0) {
|
|
switch d.Val() {
|
|
case "key_id":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
eab.KeyID = d.Val()
|
|
|
|
case "mac_key":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
eab.MACKey = d.Val()
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized parameter '%s'", d.Val())
|
|
}
|
|
}
|
|
return eab, nil
|
|
}
|
|
|
|
func parseOptCertIssuer(d *caddyfile.Dispenser, existing any) (any, error) {
|
|
d.Next() // consume option name
|
|
|
|
var issuers []certmagic.Issuer
|
|
if existing != nil {
|
|
issuers = existing.([]certmagic.Issuer)
|
|
}
|
|
|
|
// get issuer module name
|
|
if !d.Next() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
modID := "tls.issuance." + d.Val()
|
|
unm, err := caddyfile.UnmarshalModule(d, modID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
iss, ok := unm.(certmagic.Issuer)
|
|
if !ok {
|
|
return nil, d.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
|
|
}
|
|
issuers = append(issuers, iss)
|
|
return issuers, nil
|
|
}
|
|
|
|
func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
if !d.Next() {
|
|
return "", d.ArgErr()
|
|
}
|
|
val := d.Val()
|
|
if d.Next() {
|
|
return "", d.ArgErr()
|
|
}
|
|
return val, nil
|
|
}
|
|
|
|
func parseOptStringList(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
val := d.RemainingArgs()
|
|
if len(val) == 0 {
|
|
return "", d.ArgErr()
|
|
}
|
|
return val, nil
|
|
}
|
|
|
|
func parseOptAdmin(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
|
|
adminCfg := new(caddy.AdminConfig)
|
|
if d.NextArg() {
|
|
listenAddress := d.Val()
|
|
if listenAddress == "off" {
|
|
adminCfg.Disabled = true
|
|
if d.Next() { // Do not accept any remaining options including block
|
|
return nil, d.Err("No more option is allowed after turning off admin config")
|
|
}
|
|
} else {
|
|
adminCfg.Listen = listenAddress
|
|
if d.NextArg() { // At most 1 arg is allowed
|
|
return nil, d.ArgErr()
|
|
}
|
|
}
|
|
}
|
|
for d.NextBlock(0) {
|
|
switch d.Val() {
|
|
case "enforce_origin":
|
|
adminCfg.EnforceOrigin = true
|
|
|
|
case "origins":
|
|
adminCfg.Origins = d.RemainingArgs()
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized parameter '%s'", d.Val())
|
|
}
|
|
}
|
|
if adminCfg.Listen == "" && !adminCfg.Disabled {
|
|
adminCfg.Listen = caddy.DefaultAdminListen
|
|
}
|
|
return adminCfg, nil
|
|
}
|
|
|
|
func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
if d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
|
|
var ond *caddytls.OnDemandConfig
|
|
|
|
for nesting := d.Nesting(); d.NextBlock(nesting); {
|
|
switch d.Val() {
|
|
case "ask":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
if ond == nil {
|
|
ond = new(caddytls.OnDemandConfig)
|
|
}
|
|
perm := caddytls.PermissionByHTTP{Endpoint: d.Val()}
|
|
ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", "http", nil)
|
|
|
|
case "interval":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
dur, err := caddy.ParseDuration(d.Val())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if ond == nil {
|
|
ond = new(caddytls.OnDemandConfig)
|
|
}
|
|
if ond.RateLimit == nil {
|
|
ond.RateLimit = new(caddytls.RateLimit)
|
|
}
|
|
ond.RateLimit.Interval = caddy.Duration(dur)
|
|
|
|
case "burst":
|
|
if !d.NextArg() {
|
|
return nil, d.ArgErr()
|
|
}
|
|
burst, err := strconv.Atoi(d.Val())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if ond == nil {
|
|
ond = new(caddytls.OnDemandConfig)
|
|
}
|
|
if ond.RateLimit == nil {
|
|
ond.RateLimit = new(caddytls.RateLimit)
|
|
}
|
|
ond.RateLimit.Burst = burst
|
|
|
|
default:
|
|
return nil, d.Errf("unrecognized parameter '%s'", d.Val())
|
|
}
|
|
}
|
|
if ond == nil {
|
|
return nil, d.Err("expected at least one config parameter for on_demand_tls")
|
|
}
|
|
return ond, nil
|
|
}
|
|
|
|
func parseOptPersistConfig(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
if !d.Next() {
|
|
return "", d.ArgErr()
|
|
}
|
|
val := d.Val()
|
|
if d.Next() {
|
|
return "", d.ArgErr()
|
|
}
|
|
if val != "off" {
|
|
return "", d.Errf("persist_config must be 'off'")
|
|
}
|
|
return val, nil
|
|
}
|
|
|
|
func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
if !d.Next() {
|
|
return "", d.ArgErr()
|
|
}
|
|
val := d.Val()
|
|
if d.Next() {
|
|
return "", d.ArgErr()
|
|
}
|
|
if val != "off" && val != "disable_redirects" && val != "disable_certs" && val != "ignore_loaded_certs" {
|
|
return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'")
|
|
}
|
|
return val, nil
|
|
}
|
|
|
|
func parseServerOptions(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
return unmarshalCaddyfileServerOptions(d)
|
|
}
|
|
|
|
func parseOCSPStaplingOptions(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next() // consume option name
|
|
var val string
|
|
if !d.AllArgs(&val) {
|
|
return nil, d.ArgErr()
|
|
}
|
|
if val != "off" {
|
|
return nil, d.Errf("invalid argument '%s'", val)
|
|
}
|
|
return certmagic.OCSPConfig{
|
|
DisableStapling: val == "off",
|
|
}, nil
|
|
}
|
|
|
|
// parseLogOptions parses the global log option. Syntax:
|
|
//
|
|
// log [name] {
|
|
// output <writer_module> ...
|
|
// format <encoder_module> ...
|
|
// level <level>
|
|
// include <namespaces...>
|
|
// exclude <namespaces...>
|
|
// }
|
|
//
|
|
// When the name argument is unspecified, this directive modifies the default
|
|
// logger.
|
|
func parseLogOptions(d *caddyfile.Dispenser, existingVal any) (any, error) {
|
|
currentNames := make(map[string]struct{})
|
|
if existingVal != nil {
|
|
innerVals, ok := existingVal.([]ConfigValue)
|
|
if !ok {
|
|
return nil, d.Errf("existing log values of unexpected type: %T", existingVal)
|
|
}
|
|
for _, rawVal := range innerVals {
|
|
val, ok := rawVal.Value.(namedCustomLog)
|
|
if !ok {
|
|
return nil, d.Errf("existing log value of unexpected type: %T", existingVal)
|
|
}
|
|
currentNames[val.name] = struct{}{}
|
|
}
|
|
}
|
|
|
|
var warnings []caddyconfig.Warning
|
|
// Call out the same parser that handles server-specific log configuration.
|
|
configValues, err := parseLogHelper(
|
|
Helper{
|
|
Dispenser: d,
|
|
warnings: &warnings,
|
|
},
|
|
currentNames,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(warnings) > 0 {
|
|
return nil, d.Errf("warnings found in parsing global log options: %+v", warnings)
|
|
}
|
|
|
|
return configValues, nil
|
|
}
|
|
|
|
func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) {
|
|
d.Next()
|
|
return caddytls.ParseCaddyfilePreferredChainsOptions(d)
|
|
}
|