mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-16 21:56:40 -05:00
f42b138fb1
This should greatly reduce memory usage at scale. Part of an overall effort between Caddy 2 and CertMagic to optimize for large numbers of names.
360 lines
12 KiB
Go
360 lines
12 KiB
Go
package caddyhttp
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"github.com/caddyserver/caddy/v2"
|
|
"github.com/caddyserver/caddy/v2/modules/caddytls"
|
|
"github.com/mholt/certmagic"
|
|
"go.uber.org/zap"
|
|
)
|
|
|
|
// AutoHTTPSConfig is used to disable automatic HTTPS
|
|
// or certain aspects of it for a specific server.
|
|
// HTTPS is enabled automatically and by default when
|
|
// qualifying hostnames are available from the config.
|
|
type AutoHTTPSConfig struct {
|
|
// If true, automatic HTTPS will be entirely disabled.
|
|
Disabled bool `json:"disable,omitempty"`
|
|
|
|
// If true, only automatic HTTP->HTTPS redirects will
|
|
// be disabled.
|
|
DisableRedir bool `json:"disable_redirects,omitempty"`
|
|
|
|
// Hosts/domain names listed here will not be included
|
|
// in automatic HTTPS (they will not have certificates
|
|
// loaded nor redirects applied).
|
|
Skip []string `json:"skip,omitempty"`
|
|
|
|
// Hosts/domain names listed here will still be enabled
|
|
// for automatic HTTPS (unless in the Skip list), except
|
|
// that certificates will not be provisioned and managed
|
|
// for these names.
|
|
SkipCerts []string `json:"skip_certificates,omitempty"`
|
|
|
|
// By default, automatic HTTPS will obtain and renew
|
|
// certificates for qualifying hostnames. However, if
|
|
// a certificate with a matching SAN is already loaded
|
|
// into the cache, certificate management will not be
|
|
// enabled. To force automated certificate management
|
|
// regardless of loaded certificates, set this to true.
|
|
IgnoreLoadedCerts bool `json:"ignore_loaded_certificates,omitempty"`
|
|
|
|
domainSet map[string]struct{}
|
|
}
|
|
|
|
// Skipped returns true if name is in skipSlice, which
|
|
// should be one of the Skip* fields on ahc.
|
|
func (ahc AutoHTTPSConfig) Skipped(name string, skipSlice []string) bool {
|
|
for _, n := range skipSlice {
|
|
if name == n {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|
|
|
|
// automaticHTTPSPhase1 provisions all route matchers, determines
|
|
// which domain names found in the routes qualify for automatic
|
|
// HTTPS, and sets up HTTP->HTTPS redirects. This phase must occur
|
|
// at the beginning of provisioning, because it may add routes and
|
|
// even servers to the app, which still need to be set up with the
|
|
// rest of them during provisioning.
|
|
func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) error {
|
|
// this map will store associations of HTTP listener
|
|
// addresses to the routes that do HTTP->HTTPS redirects
|
|
lnAddrRedirRoutes := make(map[string]Route)
|
|
|
|
for srvName, srv := range app.Servers {
|
|
// as a prerequisite, provision route matchers; this is
|
|
// required for all routes on all servers, and must be
|
|
// done before we attempt to do phase 1 of auto HTTPS,
|
|
// since we have to access the decoded host matchers the
|
|
// handlers will be provisioned later
|
|
if srv.Routes != nil {
|
|
err := srv.Routes.ProvisionMatchers(ctx)
|
|
if err != nil {
|
|
return fmt.Errorf("server %s: setting up route matchers: %v", srvName, err)
|
|
}
|
|
}
|
|
|
|
// prepare for automatic HTTPS
|
|
if srv.AutoHTTPS == nil {
|
|
srv.AutoHTTPS = new(AutoHTTPSConfig)
|
|
}
|
|
if srv.AutoHTTPS.Disabled {
|
|
continue
|
|
}
|
|
|
|
// skip if all listeners use the HTTP port
|
|
if !srv.listenersUseAnyPortOtherThan(app.httpPort()) {
|
|
app.logger.Info("server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server",
|
|
zap.String("server_name", srvName),
|
|
zap.Int("http_port", app.httpPort()),
|
|
)
|
|
srv.AutoHTTPS.Disabled = true
|
|
continue
|
|
}
|
|
|
|
defaultConnPolicies := caddytls.ConnectionPolicies{
|
|
&caddytls.ConnectionPolicy{ALPN: defaultALPN},
|
|
}
|
|
|
|
// if all listeners are on the HTTPS port, make sure
|
|
// there is at least one TLS connection policy; it
|
|
// should be obvious that they want to use TLS without
|
|
// needing to specify one empty policy to enable it
|
|
if srv.TLSConnPolicies == nil &&
|
|
!srv.listenersUseAnyPortOtherThan(app.httpsPort()) {
|
|
app.logger.Info("server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS",
|
|
zap.String("server_name", srvName),
|
|
zap.Int("https_port", app.httpsPort()),
|
|
)
|
|
srv.TLSConnPolicies = defaultConnPolicies
|
|
}
|
|
|
|
// find all qualifying domain names in this server
|
|
srv.AutoHTTPS.domainSet = make(map[string]struct{})
|
|
for routeIdx, route := range srv.Routes {
|
|
for matcherSetIdx, matcherSet := range route.MatcherSets {
|
|
for matcherIdx, m := range matcherSet {
|
|
if hm, ok := m.(*MatchHost); ok {
|
|
for hostMatcherIdx, d := range *hm {
|
|
var err error
|
|
d, err = repl.ReplaceOrErr(d, true, false)
|
|
if err != nil {
|
|
return fmt.Errorf("%s: route %d, matcher set %d, matcher %d, host matcher %d: %v",
|
|
srvName, routeIdx, matcherSetIdx, matcherIdx, hostMatcherIdx, err)
|
|
}
|
|
if certmagic.HostQualifies(d) &&
|
|
!srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.Skip) {
|
|
srv.AutoHTTPS.domainSet[d] = struct{}{}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// nothing more to do here if there are no
|
|
// domains that qualify for automatic HTTPS
|
|
if len(srv.AutoHTTPS.domainSet) == 0 {
|
|
continue
|
|
}
|
|
|
|
// tell the server to use TLS if it is not already doing so
|
|
if srv.TLSConnPolicies == nil {
|
|
srv.TLSConnPolicies = defaultConnPolicies
|
|
}
|
|
|
|
// nothing left to do if auto redirects are disabled
|
|
if srv.AutoHTTPS.DisableRedir {
|
|
continue
|
|
}
|
|
|
|
app.logger.Info("enabling automatic HTTP->HTTPS redirects",
|
|
zap.String("server_name", srvName),
|
|
)
|
|
|
|
// create HTTP->HTTPS redirects
|
|
for _, addr := range srv.Listen {
|
|
netw, host, port, err := caddy.SplitNetworkAddress(addr)
|
|
if err != nil {
|
|
return fmt.Errorf("%s: invalid listener address: %v", srvName, addr)
|
|
}
|
|
|
|
if parts := strings.SplitN(port, "-", 2); len(parts) == 2 {
|
|
port = parts[0]
|
|
}
|
|
redirTo := "https://{http.request.host}"
|
|
|
|
if port != strconv.Itoa(app.httpsPort()) {
|
|
redirTo += ":" + port
|
|
}
|
|
redirTo += "{http.request.uri}"
|
|
|
|
// build the plaintext HTTP variant of this address
|
|
httpRedirLnAddr := caddy.JoinNetworkAddress(netw, host, strconv.Itoa(app.httpPort()))
|
|
|
|
// build the matcher set for this redirect route
|
|
// (note that we happen to bypass Provision and
|
|
// Validate steps for these matcher modules)
|
|
matcherSet := MatcherSet{MatchProtocol("http")}
|
|
if len(srv.AutoHTTPS.Skip) > 0 {
|
|
matcherSet = append(matcherSet, MatchNegate{
|
|
Matchers: MatcherSet{MatchHost(srv.AutoHTTPS.Skip)},
|
|
})
|
|
}
|
|
|
|
// create the route that does the redirect and associate
|
|
// it with the listener address it will be served from
|
|
// (note that we happen to bypass any Provision or Validate
|
|
// steps on the handler modules created here)
|
|
lnAddrRedirRoutes[httpRedirLnAddr] = Route{
|
|
MatcherSets: []MatcherSet{matcherSet},
|
|
Handlers: []MiddlewareHandler{
|
|
StaticResponse{
|
|
StatusCode: WeakString(strconv.Itoa(http.StatusPermanentRedirect)),
|
|
Headers: http.Header{
|
|
"Location": []string{redirTo},
|
|
"Connection": []string{"close"},
|
|
},
|
|
Close: true,
|
|
},
|
|
},
|
|
}
|
|
}
|
|
}
|
|
|
|
// if there are HTTP->HTTPS redirects to add, do so now
|
|
if len(lnAddrRedirRoutes) == 0 {
|
|
return nil
|
|
}
|
|
|
|
var redirServerAddrs []string
|
|
var redirRoutes RouteList
|
|
|
|
// for each redirect listener, see if there's already a
|
|
// server configured to listen on that exact address; if so,
|
|
// simply add the redirect route to the end of its route
|
|
// list; otherwise, we'll create a new server for all the
|
|
// listener addresses that are unused and serve the
|
|
// remaining redirects from it
|
|
redirRoutesLoop:
|
|
for addr, redirRoute := range lnAddrRedirRoutes {
|
|
for srvName, srv := range app.Servers {
|
|
if srv.hasListenerAddress(addr) {
|
|
// user has configured a server for the same address
|
|
// that the redirect runs from; simply append our
|
|
// redirect route to the existing routes, with a
|
|
// caveat that their config might override ours
|
|
app.logger.Warn("server is listening on same interface as redirects, so automatic HTTP->HTTPS redirects might be overridden by your own configuration",
|
|
zap.String("server_name", srvName),
|
|
zap.String("interface", addr),
|
|
)
|
|
srv.Routes = append(srv.Routes, redirRoute)
|
|
continue redirRoutesLoop
|
|
}
|
|
}
|
|
// no server with this listener address exists;
|
|
// save this address and route for custom server
|
|
redirServerAddrs = append(redirServerAddrs, addr)
|
|
redirRoutes = append(redirRoutes, redirRoute)
|
|
}
|
|
|
|
// if there are routes remaining which do not belong
|
|
// in any existing server, make our own to serve the
|
|
// rest of the redirects
|
|
if len(redirServerAddrs) > 0 {
|
|
app.Servers["remaining_auto_https_redirects"] = &Server{
|
|
Listen: redirServerAddrs,
|
|
Routes: redirRoutes,
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// automaticHTTPSPhase2 attaches a TLS app pointer to each
|
|
// server. This phase must occur after provisioning, and
|
|
// at the beginning of the app start, before starting each
|
|
// of the servers.
|
|
func (app *App) automaticHTTPSPhase2() error {
|
|
tlsAppIface, err := app.ctx.App("tls")
|
|
if err != nil {
|
|
return fmt.Errorf("getting tls app: %v", err)
|
|
}
|
|
tlsApp := tlsAppIface.(*caddytls.TLS)
|
|
|
|
// set the tlsApp pointer before starting any
|
|
// challenges, since it is required to solve
|
|
// the ACME HTTP challenge
|
|
for _, srv := range app.Servers {
|
|
srv.tlsApp = tlsApp
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// automaticHTTPSPhase3 begins certificate management for
|
|
// all names in the qualifying domain set for each server.
|
|
// This phase must occur after provisioning and at the end
|
|
// of app start, after all the servers have been started.
|
|
// Doing this last ensures that there won't be any race
|
|
// for listeners on the HTTP or HTTPS ports when management
|
|
// is async (if CertMagic's solvers bind to those ports
|
|
// first, then our servers would fail to bind to them,
|
|
// which would be bad, since CertMagic's bindings are
|
|
// temporary and don't serve the user's sites!).
|
|
func (app *App) automaticHTTPSPhase3() error {
|
|
// begin managing certificates for enabled servers
|
|
for srvName, srv := range app.Servers {
|
|
if srv.AutoHTTPS == nil ||
|
|
srv.AutoHTTPS.Disabled ||
|
|
len(srv.AutoHTTPS.domainSet) == 0 {
|
|
continue
|
|
}
|
|
|
|
// marshal the domains into a slice
|
|
var domains, domainsForCerts []string
|
|
for d := range srv.AutoHTTPS.domainSet {
|
|
domains = append(domains, d)
|
|
if !srv.AutoHTTPS.Skipped(d, srv.AutoHTTPS.SkipCerts) {
|
|
// if a certificate for this name is already loaded,
|
|
// don't obtain another one for it, unless we are
|
|
// supposed to ignore loaded certificates
|
|
if !srv.AutoHTTPS.IgnoreLoadedCerts &&
|
|
len(srv.tlsApp.AllMatchingCertificates(d)) > 0 {
|
|
app.logger.Info("skipping automatic certificate management because one or more matching certificates are already loaded",
|
|
zap.String("domain", d),
|
|
zap.String("server_name", srvName),
|
|
)
|
|
continue
|
|
}
|
|
domainsForCerts = append(domainsForCerts, d)
|
|
}
|
|
}
|
|
|
|
// ensure that these certificates are managed properly;
|
|
// for example, it's implied that the HTTPPort should also
|
|
// be the port the HTTP challenge is solved on, and so
|
|
// for HTTPS port and TLS-ALPN challenge also - we need
|
|
// to tell the TLS app to manage these certs by honoring
|
|
// those port configurations
|
|
acmeManager := &caddytls.ACMEManagerMaker{
|
|
Challenges: &caddytls.ChallengesConfig{
|
|
HTTP: &caddytls.HTTPChallengeConfig{
|
|
AlternatePort: app.HTTPPort, // we specifically want the user-configured port, if any
|
|
},
|
|
TLSALPN: &caddytls.TLSALPNChallengeConfig{
|
|
AlternatePort: app.HTTPSPort, // we specifically want the user-configured port, if any
|
|
},
|
|
},
|
|
}
|
|
if srv.tlsApp.Automation == nil {
|
|
srv.tlsApp.Automation = new(caddytls.AutomationConfig)
|
|
}
|
|
srv.tlsApp.Automation.Policies = append(srv.tlsApp.Automation.Policies,
|
|
&caddytls.AutomationPolicy{
|
|
Hosts: domainsForCerts,
|
|
Management: acmeManager,
|
|
})
|
|
|
|
// manage their certificates
|
|
app.logger.Info("enabling automatic TLS certificate management",
|
|
zap.Strings("domains", domainsForCerts),
|
|
)
|
|
err := srv.tlsApp.Manage(domainsForCerts)
|
|
if err != nil {
|
|
return fmt.Errorf("%s: managing certificate for %s: %s", srvName, domains, err)
|
|
}
|
|
|
|
// no longer needed; allow GC to deallocate
|
|
srv.AutoHTTPS.domainSet = nil
|
|
}
|
|
|
|
return nil
|
|
}
|