Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-05-24 02:02:26 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

reverseproxy: Use DialTLSContext if ServerName has placeholder (#6955)
Some checks failed
Tests / test (./cmd/caddy/caddy, ~1.24.1, ubuntu-latest, 0, 1.24, linux) (push) Failing after 1m56s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Has been skipped
Details
Cross-Build / build (~1.24.1, 1.24, aix) (push) Successful in 1m12s
Details
Cross-Build / build (~1.24.1, 1.24, darwin) (push) Successful in 1m11s
Details
Cross-Build / build (~1.24.1, 1.24, dragonfly) (push) Successful in 1m11s
Details
Cross-Build / build (~1.24.1, 1.24, freebsd) (push) Successful in 1m11s
Details
Cross-Build / build (~1.24.1, 1.24, illumos) (push) Successful in 1m11s
Details
Cross-Build / build (~1.24.1, 1.24, linux) (push) Successful in 1m17s
Details
Cross-Build / build (~1.24.1, 1.24, netbsd) (push) Successful in 1m12s
Details
Cross-Build / build (~1.24.1, 1.24, openbsd) (push) Successful in 1m12s
Details
Cross-Build / build (~1.24.1, 1.24, solaris) (push) Successful in 1m14s
Details
Cross-Build / build (~1.24.1, 1.24, windows) (push) Successful in 1m13s
Details
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m9s
Details
Lint / govulncheck (push) Successful in 1m30s
Details
Lint / lint (macos-14, mac) (push) Has been cancelled
Details
Lint / lint (windows-latest, windows) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy, ~1.24.1, macos-14, 0, 1.24, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.24.1, windows-latest, True, 1.24, windows) (push) Has been cancelled
Details

Browse Source 
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
This commit is contained in:
WeidiDeng 2025-04-28 23:14:09 +08:00 committed by GitHub
parent 54d03ced48
commit aa3d20be3e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 32 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
modules/caddyhttp/reverseproxy/httptransport.go
View File

@ -382,6 +382,36 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
if err != nil { if err != nil {
return nil, fmt.Errorf("making TLS client config: %v", err) return nil, fmt.Errorf("making TLS client config: %v", err)
} }
// servername has a placeholder, so we need to replace it
if strings.Contains(h.TLS.ServerName, "{") {
rt.DialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
// reuses the dialer from above to establish a plaintext connection
conn, err := dialContext(ctx, network, addr)
if err != nil {
return nil, err
}
// but add our own handshake logic
repl := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
tlsConfig := rt.TLSClientConfig.Clone()
tlsConfig.ServerName = repl.ReplaceAll(tlsConfig.ServerName, "")
tlsConn := tls.Client(conn, tlsConfig)
// complete the handshake before returning the connection
if rt.TLSHandshakeTimeout != 0 {
var cancel context.CancelFunc
ctx, cancel = context.WithTimeout(ctx, rt.TLSHandshakeTimeout)
defer cancel()
}
err = tlsConn.HandshakeContext(ctx)
if err != nil {
_ = tlsConn.Close()
return nil, err
}
return tlsConn, nil
}
}
} }
if h.KeepAlive != nil { if h.KeepAlive != nil {
@ -453,45 +483,9 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
return rt, nil return rt, nil
} }
// replaceTLSServername checks TLS servername to see if it needs replacing
// if it does need replacing, it creates a new cloned HTTPTransport object to avoid any races
// and does the replacing of the TLS servername on that and returns the new object
// if no replacement is necessary it returns the original
func (h *HTTPTransport) replaceTLSServername(repl *caddy.Replacer) *HTTPTransport {
// check whether we have TLS and need to replace the servername in the TLSClientConfig
if h.TLSEnabled() && strings.Contains(h.TLS.ServerName, "{") {
// make a new h, "copy" the parts we don't need to touch, add a new *tls.Config and replace servername
newtransport := &HTTPTransport{
Resolver: h.Resolver,
TLS: h.TLS,
KeepAlive: h.KeepAlive,
Compression: h.Compression,
MaxConnsPerHost: h.MaxConnsPerHost,
DialTimeout: h.DialTimeout,
FallbackDelay: h.FallbackDelay,
ResponseHeaderTimeout: h.ResponseHeaderTimeout,
ExpectContinueTimeout: h.ExpectContinueTimeout,
MaxResponseHeaderSize: h.MaxResponseHeaderSize,
WriteBufferSize: h.WriteBufferSize,
ReadBufferSize: h.ReadBufferSize,
Versions: h.Versions,
Transport: h.Transport.Clone(),
h2cTransport: h.h2cTransport,
}
newtransport.Transport.TLSClientConfig.ServerName = repl.ReplaceAll(newtransport.Transport.TLSClientConfig.ServerName, "")
return newtransport
}
return h
}
// RoundTrip implements http.RoundTripper. // RoundTrip implements http.RoundTripper.
func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) { func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
// Try to replace TLS servername if needed h.SetScheme(req)
repl := req.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
transport := h.replaceTLSServername(repl)
transport.SetScheme(req)
// use HTTP/3 if enabled (TODO: This is EXPERIMENTAL) // use HTTP/3 if enabled (TODO: This is EXPERIMENTAL)
if h.h3Transport != nil { if h.h3Transport != nil {
@ -507,7 +501,7 @@ func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
return h.h2cTransport.RoundTrip(req) return h.h2cTransport.RoundTrip(req)
} }
return transport.Transport.RoundTrip(req) return h.Transport.RoundTrip(req)
} }
// SetScheme ensures that the outbound request req // SetScheme ensures that the outbound request req