Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-04-24 01:49:32 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

caddyhttp: prefer port 443 in auto-HTTPS and add tests (#7666)
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.26.0, macos-14, 0, 1.26, mac) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.26.0, windows-latest, True, 1.26, windows) (push) Waiting to run
Details
Lint / lint (macos-14, mac) (push) Waiting to run
Details
Lint / lint (windows-latest, windows) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy, ~1.26.0, ubuntu-latest, 0, 1.26, linux) (push) Failing after 1m17s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Has been skipped
Details
Cross-Build / build (~1.26.0, 1.26, aix) (push) Successful in 1m24s
Details
Cross-Build / build (~1.26.0, 1.26, darwin) (push) Successful in 1m27s
Details
Cross-Build / build (~1.26.0, 1.26, dragonfly) (push) Successful in 1m23s
Details
Cross-Build / build (~1.26.0, 1.26, freebsd) (push) Successful in 1m22s
Details
Cross-Build / build (~1.26.0, 1.26, illumos) (push) Successful in 1m21s
Details
Cross-Build / build (~1.26.0, 1.26, linux) (push) Successful in 1m22s
Details
Cross-Build / build (~1.26.0, 1.26, netbsd) (push) Successful in 1m22s
Details
Cross-Build / build (~1.26.0, 1.26, openbsd) (push) Successful in 1m27s
Details
Cross-Build / build (~1.26.0, 1.26, solaris) (push) Successful in 1m25s
Details
Cross-Build / build (~1.26.0, 1.26, windows) (push) Successful in 1m27s
Details
Lint / lint (ubuntu-latest, linux) (push) Successful in 1m59s
Details
Lint / govulncheck (push) Successful in 1m46s
Details
Lint / dependency-review (push) Failing after 24s
Details
OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 6m45s
Details

Browse Source
This commit is contained in:
Matt Holt 2026-04-23 01:29:03 -06:00 committed by GitHub
parent aed1af5976
commit 441d5eb062
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 97 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
caddytest/integration/autohttps_test.go
View File

@ -55,6 +55,28 @@ func TestAutoHTTPtoHTTPSRedirectsExplicitPortDifferentFromHTTPSPort(t *testing.T
tester.AssertRedirect("http://localhost:9080/", "https://localhost:1234/", http.StatusPermanentRedirect)
}
func TestAutoHTTPtoHTTPSRedirectsPreferHTTPSPortOverAlternatePort(t *testing.T) {
tester := caddytest.NewTester(t)
tester.InitServer(`
{
skip_install_trust
admin localhost:2999
http_port 9080
https_port 9443
local_certs
}
localhost {
respond "Canonical"
}
localhost:10443 {
respond "Alternate"
}
`, "caddyfile")
tester.AssertRedirect("http://localhost:9080/", "https://localhost/", http.StatusPermanentRedirect)
}
func TestAutoHTTPRedirectsWithHTTPListenerFirstInAddresses(t *testing.T) {
tester := caddytest.NewTester(t)
tester.InitServer(`

38
modules/caddyhttp/autohttps.go
View File

@ -258,18 +258,13 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
// an empty string to indicate a catch-all, which we have to
// treat special later
if len(serverDomainSet) == 0 {
redirDomains[""] = append(redirDomains[""], addr)
app.recordAutoHTTPSRedirectAddress(redirDomains, "", addr)
continue
}
// ...and associate it with each domain in this server
for d := range serverDomainSet {
// if this domain is used on more than one HTTPS-enabled
// port, we'll have to choose one, so prefer the HTTPS port
if _, ok := redirDomains[d]; !ok ||
addr.StartPort == uint(app.httpsPort()) {
redirDomains[d] = append(redirDomains[d], addr)
}
app.recordAutoHTTPSRedirectAddress(redirDomains, d, addr)
}
}
}
@ -517,6 +512,35 @@ redirServersLoop:
return nil
}
// recordAutoHTTPSRedirectAddress stores redirect destinations for one domain
// using a single winning port while keeping all bind addresses on that port.
//
// This is needed to avoid two opposite regressions in auto-HTTPS redirects:
// preserve all listener addresses when a site binds multiple addresses on the
// same HTTPS port, but do not mix in alternate HTTPS ports when the canonical
// app HTTPS port is also available.
func (app *App) recordAutoHTTPSRedirectAddress(redirDomains map[string][]caddy.NetworkAddress, domain string, addr caddy.NetworkAddress) {
existing := redirDomains[domain]
if len(existing) == 0 {
redirDomains[domain] = []caddy.NetworkAddress{addr}
return
}
existingPort := existing[0].StartPort
if addr.StartPort != existingPort {
if addr.StartPort == uint(app.httpsPort()) && existingPort != uint(app.httpsPort()) {
redirDomains[domain] = []caddy.NetworkAddress{addr}
}
return
}
if slices.Contains(existing, addr) {
return
}
redirDomains[domain] = append(existing, addr)
}
func (app *App) makeRedirRoute(redirToPort uint, matcherSet MatcherSet) Route {
redirTo := "https://{http.request.host}"

44
modules/caddyhttp/autohttps_test.go Normal file
View File

@ -0,0 +1,44 @@
package caddyhttp
import (
"testing"
"github.com/caddyserver/caddy/v2"
)
func TestRecordAutoHTTPSRedirectAddressPrefersHTTPSPort(t *testing.T) {
app := &App{HTTPSPort: 443}
redirDomains := make(map[string][]caddy.NetworkAddress)
app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", StartPort: 2345, EndPort: 2345})
app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", StartPort: 443, EndPort: 443})
app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", StartPort: 8443, EndPort: 8443})
got := redirDomains["example.com"]
if len(got) != 1 {
t.Fatalf("expected 1 redirect address, got %d: %#v", len(got), got)
}
if got[0].StartPort != 443 {
t.Fatalf("expected redirect to prefer HTTPS port 443, got %#v", got[0])
}
}
func TestRecordAutoHTTPSRedirectAddressKeepsAllBindAddressesOnWinningPort(t *testing.T) {
app := &App{HTTPSPort: 443}
redirDomains := make(map[string][]caddy.NetworkAddress)
app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", Host: "10.0.0.189", StartPort: 8443, EndPort: 8443})
app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", Host: "10.0.0.189", StartPort: 443, EndPort: 443})
app.recordAutoHTTPSRedirectAddress(redirDomains, "example.com", caddy.NetworkAddress{Network: "tcp", Host: "2603:c024:8002:9500:9eb:e5d3:3975:d056", StartPort: 443, EndPort: 443})
got := redirDomains["example.com"]
if len(got) != 2 {
t.Fatalf("expected 2 redirect addresses for both bind addresses on the winning port, got %d: %#v", len(got), got)
}
if got[0].StartPort != 443 || got[1].StartPort != 443 {
t.Fatalf("expected both redirect addresses to stay on HTTPS port 443, got %#v", got)
}
if got[0].Host != "10.0.0.189" || got[1].Host != "2603:c024:8002:9500:9eb:e5d3:3975:d056" {
t.Fatalf("expected both bind addresses to be preserved, got %#v", got)
}
}