mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-26 08:12:43 -04:00 
			
		
		
		
	Merge branch 'macros' of github.com:mholt/caddy into macros
This commit is contained in:
		
						commit
						5c9fc3a473
					
				| @ -100,10 +100,9 @@ func (p *parser) begin() error { | |||||||
| 		if p.definedMacros == nil { | 		if p.definedMacros == nil { | ||||||
| 			p.definedMacros = map[string][]Token{} | 			p.definedMacros = map[string][]Token{} | ||||||
| 		} | 		} | ||||||
| 		if p.definedMacros[name] != nil { | 		if _, found := p.definedMacros[name]; found { | ||||||
| 			p.Errf("redeclaration of previously declared macro %s", name) | 			return p.Errf("redeclaration of previously declared macro %s", name) | ||||||
| 		} | 		} | ||||||
| 
 |  | ||||||
| 		// consume all tokens til matched close brace | 		// consume all tokens til matched close brace | ||||||
| 		tokens, err := p.macroTokens() | 		tokens, err := p.macroTokens() | ||||||
| 		if err != nil { | 		if err != nil { | ||||||
|  | |||||||
| @ -128,8 +128,10 @@ func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error) { | |||||||
| 
 | 
 | ||||||
| // cacheUnmanagedCertificatePEMFile loads a certificate for host using certFile | // cacheUnmanagedCertificatePEMFile loads a certificate for host using certFile | ||||||
| // and keyFile, which must be in PEM format. It stores the certificate in | // and keyFile, which must be in PEM format. It stores the certificate in | ||||||
| // memory. The Managed and OnDemand flags of the certificate will be set to | // memory after evicting any other entries in the cache keyed by the names | ||||||
| // false. | // on this certificate. In other words, it replaces existing certificates keyed | ||||||
|  | // by the names on this certificate. The Managed and OnDemand flags of the | ||||||
|  | // certificate will be set to false. | ||||||
| // | // | ||||||
| // This function is safe for concurrent use. | // This function is safe for concurrent use. | ||||||
| func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error { | func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error { | ||||||
| @ -137,6 +139,16 @@ func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error { | |||||||
| 	if err != nil { | 	if err != nil { | ||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
|  | 
 | ||||||
|  | 	// since this is manually managed, this call might be part of a reload after | ||||||
|  | 	// the owner renewed a certificate; so clear cache of any previous cert first, | ||||||
|  | 	// otherwise the renewed certificate may never be loaded | ||||||
|  | 	certCacheMu.Lock() | ||||||
|  | 	for _, name := range cert.Names { | ||||||
|  | 		delete(certCache, name) | ||||||
|  | 	} | ||||||
|  | 	certCacheMu.Unlock() | ||||||
|  | 
 | ||||||
| 	cacheCertificate(cert) | 	cacheCertificate(cert) | ||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
|  | |||||||
| @ -151,6 +151,13 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error { | |||||||
| 	// the certificate. If the OCSP response was not loaded from | 	// the certificate. If the OCSP response was not loaded from | ||||||
| 	// storage, we persist it for next time. | 	// storage, we persist it for next time. | ||||||
| 	if ocspResp.Status == ocsp.Good { | 	if ocspResp.Status == ocsp.Good { | ||||||
|  | 		if ocspResp.NextUpdate.After(cert.NotAfter) { | ||||||
|  | 			// uh oh, this OCSP response expires AFTER the certificate does, that's kinda bogus. | ||||||
|  | 			// it was the reason a lot of Symantec-validated sites (not Caddy) went down | ||||||
|  | 			// in October 2017. https://twitter.com/mattiasgeniar/status/919432824708648961 | ||||||
|  | 			return fmt.Errorf("invalid: OCSP response for %v valid after certificate expiration (%s)", | ||||||
|  | 				cert.Names, cert.NotAfter.Sub(ocspResp.NextUpdate)) | ||||||
|  | 		} | ||||||
| 		cert.Certificate.OCSPStaple = ocspBytes | 		cert.Certificate.OCSPStaple = ocspBytes | ||||||
| 		cert.OCSP = ocspResp | 		cert.OCSP = ocspResp | ||||||
| 		if gotNewOCSP { | 		if gotNewOCSP { | ||||||
|  | |||||||
| @ -334,8 +334,15 @@ func DeleteOldStapleFiles() { | |||||||
| // meaning that it is not expedient to get an | // meaning that it is not expedient to get an | ||||||
| // updated response from the OCSP server. | // updated response from the OCSP server. | ||||||
| func freshOCSP(resp *ocsp.Response) bool { | func freshOCSP(resp *ocsp.Response) bool { | ||||||
|  | 	nextUpdate := resp.NextUpdate | ||||||
|  | 	// If there is an OCSP responder certificate, and it expires before the | ||||||
|  | 	// OCSP response, use its expiration date as the end of the OCSP | ||||||
|  | 	// response's validity period. | ||||||
|  | 	if resp.Certificate != nil && resp.Certificate.NotAfter.Before(nextUpdate) { | ||||||
|  | 		nextUpdate = resp.Certificate.NotAfter | ||||||
|  | 	} | ||||||
| 	// start checking OCSP staple about halfway through validity period for good measure | 	// start checking OCSP staple about halfway through validity period for good measure | ||||||
| 	refreshTime := resp.ThisUpdate.Add(resp.NextUpdate.Sub(resp.ThisUpdate) / 2) | 	refreshTime := resp.ThisUpdate.Add(nextUpdate.Sub(resp.ThisUpdate) / 2) | ||||||
| 	return time.Now().Before(refreshTime) | 	return time.Now().Before(refreshTime) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user