From 174fa2ddb93f830370b05058d1ea51ad1512597d Mon Sep 17 00:00:00 2001
From: Matt Holt
Date: Sat, 28 Feb 2026 22:03:18 -0700
Subject: [PATCH] caddyhttp: Evaluate tls.client placeholders more accurately (fix #7530) (#7534)

---
 modules/caddyhttp/replacer.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/caddyhttp/replacer.go b/modules/caddyhttp/replacer.go
index 5d600c334..e7974a561 100644
--- a/modules/caddyhttp/replacer.go
+++ b/modules/caddyhttp/replacer.go
@@ -420,7 +420,16 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
 if strings.HasPrefix(field, "client.") {
 cert := getTLSPeerCert(req.TLS)
 if cert == nil {
- return nil, false
+ // Instead of returning (nil, false) here, we set it to a dummy
+ // value to fix #7530. This way, even if there is no client cert,
+ // evaluating placeholders with ReplaceKnown() will still remove
+ // the placeholder, which would be expected. It is not expected
+ // for the placeholder to sometimes get removed based on whether
+ // the client presented a cert. We also do not return true here
+ // because we probably should remain accurate about whether a
+ // placeholder is, in fact, known or not.
+ // (This allocation may be slightly inefficient.)
+ cert = new(x509.Certificate)
 }
 // subject alternate names (SANs)