	caddytls: Allow on-demand w/o ask for internal-only
This commit is contained in:
		
							parent
							
								
									b97c76fb47
								
							
						
					
					
						commit
						a7af7c486e
					
				| @ -165,40 +165,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error { | ||||
| 		ap.storage = cmStorage | ||||
| 	} | ||||
| 
 | ||||
| 	// on-demand TLS | ||||
| 	var ond *certmagic.OnDemandConfig | ||||
| 	if ap.OnDemand { | ||||
| 		// ask endpoint is now required after a number of negligence cases causing abuse | ||||
| 		if tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "" { | ||||
| 			return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details") | ||||
| 		} | ||||
| 		ond = &certmagic.OnDemandConfig{ | ||||
| 			DecisionFunc: func(name string) error { | ||||
| 				if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil { | ||||
| 					// distinguish true errors from denials, because it's important to elevate actual errors | ||||
| 					if errors.Is(err, errAskDenied) { | ||||
| 						tlsApp.logger.Debug("certificate issuance denied", | ||||
| 							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask), | ||||
| 							zap.String("domain", name), | ||||
| 							zap.Error(err)) | ||||
| 					} else { | ||||
| 						tlsApp.logger.Error("request to 'ask' endpoint failed", | ||||
| 							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask), | ||||
| 							zap.String("domain", name), | ||||
| 							zap.Error(err)) | ||||
| 					} | ||||
| 					return err | ||||
| 				} | ||||
| 				// check the rate limiter last because | ||||
| 				// doing so makes a reservation | ||||
| 				if !onDemandRateLimiter.Allow() { | ||||
| 					return fmt.Errorf("on-demand rate limit exceeded") | ||||
| 				} | ||||
| 				return nil | ||||
| 			}, | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	// we don't store loaded modules directly in the certmagic config since | ||||
| 	// policy provisioning may happen more than once (during auto-HTTPS) and | ||||
| 	// loading a module clears its config bytes; thus, load the module and | ||||
| @ -255,6 +221,40 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error { | ||||
| 		storage = tlsApp.ctx.Storage() | ||||
| 	} | ||||
| 
 | ||||
| 	// on-demand TLS | ||||
| 	var ond *certmagic.OnDemandConfig | ||||
| 	if ap.OnDemand { | ||||
| 		// ask endpoint is now required after a number of negligence cases causing abuse | ||||
| 		if !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") { | ||||
| 			return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details") | ||||
| 		} | ||||
| 		ond = &certmagic.OnDemandConfig{ | ||||
| 			DecisionFunc: func(name string) error { | ||||
| 				if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil { | ||||
| 					// distinguish true errors from denials, because it's important to elevate actual errors | ||||
| 					if errors.Is(err, errAskDenied) { | ||||
| 						tlsApp.logger.Debug("certificate issuance denied", | ||||
| 							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask), | ||||
| 							zap.String("domain", name), | ||||
| 							zap.Error(err)) | ||||
| 					} else { | ||||
| 						tlsApp.logger.Error("request to 'ask' endpoint failed", | ||||
| 							zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask), | ||||
| 							zap.String("domain", name), | ||||
| 							zap.Error(err)) | ||||
| 					} | ||||
| 					return err | ||||
| 				} | ||||
| 				// check the rate limiter last because | ||||
| 				// doing so makes a reservation | ||||
| 				if !onDemandRateLimiter.Allow() { | ||||
| 					return fmt.Errorf("on-demand rate limit exceeded") | ||||
| 				} | ||||
| 				return nil | ||||
| 			}, | ||||
| 		} | ||||
| 	} | ||||
| 
 | ||||
| 	template := certmagic.Config{ | ||||
| 		MustStaple:         ap.MustStaple, | ||||
| 		RenewalWindowRatio: ap.RenewalWindowRatio, | ||||
| @ -286,6 +286,14 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error { | ||||
| 	return nil | ||||
| } | ||||
| 
 | ||||
| func (ap *AutomationPolicy) onlyInternalIssuer() bool { | ||||
| 	if len(ap.Issuers) != 1 { | ||||
| 		return false | ||||
| 	} | ||||
| 	_, ok := ap.Issuers[0].(*InternalIssuer) | ||||
| 	return ok | ||||
| } | ||||
| 
 | ||||
| // DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults. | ||||
| // This function is experimental and has no compatibility promises. | ||||
| func DefaultIssuers() []certmagic.Issuer { | ||||
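Review bot: The new `DecisionFunc` still dereferences `tlsApp.Automation.OnDemand.Ask` unconditionally in the `onDemandAskRequest` call (and in both log statements), but the relaxed check just above it now accepts `tlsApp.Automation == nil` or `tlsApp.Automation.OnDemand == nil` when the sole issuer is `*InternalIssuer`, so an internal-only policy with no `on_demand` block configured will hit a nil-pointer dereference on the first on-demand handshake, which is reachable from any client that presents an SNI; with an empty `Ask` it instead passes `""` to `onDemandAskRequest`, whose handling of an empty URL is outside this hunk. Either way the configuration this commit sets out to permit cannot actually issue a certificate as written. Guarding the ask call inside the closure fixes this while keeping the `onDemandRateLimiter.Allow()` check, which matters because for internal-only on-demand the rate limiter becomes the only remaining brake on unbounded certificate generation and storage writes. Note that `Provision` begins before this hunk, and `onlyInternalIssuer` relies on `ap.Issuers` already being populated at this point, which cannot be confirmed from the visible lines.
```go
		ond = &certmagic.OnDemandConfig{
			DecisionFunc: func(name string) error {
				// Provision only permits a missing 'ask' endpoint when the sole issuer is
				// internal; in that case skip the endpoint but keep the rate limiter below
				if tlsApp.Automation != nil && tlsApp.Automation.OnDemand != nil && tlsApp.Automation.OnDemand.Ask != "" {
					if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
						// … unchanged: distinguish denial from error, log, return err …
					}
				}
				// … unchanged: rate limiter check and return nil …
			},
		}
```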
|  | ||||