mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-27 23:03:37 -05:00
8e75ae2495
If another ACME client is trying to solve a challenge for a name not being served by Caddy on the same machine where Caddy is running, the HTTP challenge will be consumed by Caddy rather than allowing the owner to use the Caddyfile to proxy the challenge. With this change, we only consume requests for HTTP challenges for hostnames that we recognize. Before doing the challenge, we add the name to a set, and when seeing if we should proxy the challenge, we first check the path of course to see if it is an HTTP challenge; if it is, we then check that set to see if the hostname is in the set. Only if it is, do we consume it. Otherwise, the request is treated like any other, allowing the owner to configure a proxy for such requests to another ACME client.
45 lines
1.1 KiB
Go
45 lines
1.1 KiB
Go
package caddytls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"log"
|
|
"net/http"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
"strings"
|
|
)
|
|
|
|
const challengeBasePath = "/.well-known/acme-challenge"
|
|
|
|
// HTTPChallengeHandler proxies challenge requests to ACME client if the
|
|
// request path starts with challengeBasePath. It returns true if it
|
|
// handled the request and no more needs to be done; it returns false
|
|
// if this call was a no-op and the request still needs handling.
|
|
func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, altPort string) bool {
|
|
if !strings.HasPrefix(r.URL.Path, challengeBasePath) {
|
|
return false
|
|
}
|
|
if !namesObtaining.Has(r.Host) {
|
|
return false
|
|
}
|
|
|
|
scheme := "http"
|
|
if r.TLS != nil {
|
|
scheme = "https"
|
|
}
|
|
|
|
upstream, err := url.Parse(scheme + "://localhost:" + altPort)
|
|
if err != nil {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
log.Printf("[ERROR] ACME proxy handler: %v", err)
|
|
return true
|
|
}
|
|
|
|
proxy := httputil.NewSingleHostReverseProxy(upstream)
|
|
proxy.Transport = &http.Transport{
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
}
|
|
proxy.ServeHTTP(w, r)
|
|
|
|
return true
|
|
}
|