mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-25 07:49:19 -04:00 
			
		
		
		
	caddytls: Encrypted ClientHello (ECH) (#6862)
* caddytls: Initial commit of Encrypted ClientHello (ECH) * WIP Caddyfile * Fill out Caddyfile support * Enhance godoc comments * Augment, don't overwrite, HTTPS records * WIP * WIP: publication history * Fix republication logic * Apply global DNS module to ACME challenges This allows DNS challenges to be enabled without locally-configured DNS modules * Ignore false positive from prealloc linter * ci: Use only latest Go version (1.24 currently) We no longer support older Go versions, for security benefits. * Remove old commented code Static ECH keys for now * Implement SendAsRetry
This commit is contained in:
		
							parent
							
								
									eacd7720e9
								
							
						
					
					
						commit
						d7764dfdbb
					
				
							
								
								
									
										6
									
								
								.github/workflows/ci.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										6
									
								
								.github/workflows/ci.yml
									
									
									
									
										vendored
									
									
								
							| @ -23,17 +23,13 @@ jobs: | |||||||
|           - mac |           - mac | ||||||
|           - windows |           - windows | ||||||
|         go: |         go: | ||||||
|           - '1.23' |  | ||||||
|           - '1.24' |           - '1.24' | ||||||
| 
 | 
 | ||||||
|         include: |         include: | ||||||
|         # Set the minimum Go patch version for the given Go minor |         # Set the minimum Go patch version for the given Go minor | ||||||
|         # Usable via ${{ matrix.GO_SEMVER }} |         # Usable via ${{ matrix.GO_SEMVER }} | ||||||
|         - go: '1.23' |  | ||||||
|           GO_SEMVER: '~1.23.6' |  | ||||||
| 
 |  | ||||||
|         - go: '1.24' |         - go: '1.24' | ||||||
|           GO_SEMVER: '~1.24.0' |           GO_SEMVER: '~1.24.1' | ||||||
| 
 | 
 | ||||||
|         # Set some variables per OS, usable via ${{ matrix.VAR }} |         # Set some variables per OS, usable via ${{ matrix.VAR }} | ||||||
|         # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories) |         # OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories) | ||||||
|  | |||||||
							
								
								
									
										6
									
								
								.github/workflows/cross-build.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										6
									
								
								.github/workflows/cross-build.yml
									
									
									
									
										vendored
									
									
								
							| @ -27,17 +27,13 @@ jobs: | |||||||
|           - 'darwin' |           - 'darwin' | ||||||
|           - 'netbsd' |           - 'netbsd' | ||||||
|         go: |         go: | ||||||
|           - '1.23' |  | ||||||
|           - '1.24' |           - '1.24' | ||||||
| 
 | 
 | ||||||
|         include: |         include: | ||||||
|         # Set the minimum Go patch version for the given Go minor |         # Set the minimum Go patch version for the given Go minor | ||||||
|         # Usable via ${{ matrix.GO_SEMVER }} |         # Usable via ${{ matrix.GO_SEMVER }} | ||||||
|         - go: '1.23' |  | ||||||
|           GO_SEMVER: '~1.23.6' |  | ||||||
| 
 |  | ||||||
|         - go: '1.24' |         - go: '1.24' | ||||||
|           GO_SEMVER: '~1.24.0' |           GO_SEMVER: '~1.24.1' | ||||||
| 
 | 
 | ||||||
|     runs-on: ubuntu-latest |     runs-on: ubuntu-latest | ||||||
|     continue-on-error: true |     continue-on-error: true | ||||||
|  | |||||||
							
								
								
									
										2
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
								
							| @ -63,5 +63,5 @@ jobs: | |||||||
|       - name: govulncheck |       - name: govulncheck | ||||||
|         uses: golang/govulncheck-action@v1 |         uses: golang/govulncheck-action@v1 | ||||||
|         with: |         with: | ||||||
|           go-version-input: '~1.24.0' |           go-version-input: '~1.24.1' | ||||||
|           check-latest: true |           check-latest: true | ||||||
|  | |||||||
							
								
								
									
										2
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										2
									
								
								.github/workflows/release.yml
									
									
									
									
										vendored
									
									
								
							| @ -19,7 +19,7 @@ jobs: | |||||||
|         # Set the minimum Go patch version for the given Go minor |         # Set the minimum Go patch version for the given Go minor | ||||||
|         # Usable via ${{ matrix.GO_SEMVER }} |         # Usable via ${{ matrix.GO_SEMVER }} | ||||||
|         - go: '1.24' |         - go: '1.24' | ||||||
|           GO_SEMVER: '~1.24.0' |           GO_SEMVER: '~1.24.1' | ||||||
| 
 | 
 | ||||||
|     runs-on: ${{ matrix.os }} |     runs-on: ${{ matrix.os }} | ||||||
|     # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233 |     # https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233 | ||||||
|  | |||||||
| @ -99,7 +99,7 @@ func parseBind(h Helper) ([]ConfigValue, error) { | |||||||
| //	    ca                            <acme_ca_endpoint> | //	    ca                            <acme_ca_endpoint> | ||||||
| //	    ca_root                       <pem_file> | //	    ca_root                       <pem_file> | ||||||
| //	    key_type                      [ed25519|p256|p384|rsa2048|rsa4096] | //	    key_type                      [ed25519|p256|p384|rsa2048|rsa4096] | ||||||
| //	    dns                           <provider_name> [...] | //	    dns                           [<provider_name> [...]]    (required, though, if DNS is not configured as global option) | ||||||
| //	    propagation_delay             <duration> | //	    propagation_delay             <duration> | ||||||
| //	    propagation_timeout           <duration> | //	    propagation_timeout           <duration> | ||||||
| //	    resolvers                     <dns_servers...> | //	    resolvers                     <dns_servers...> | ||||||
| @ -312,10 +312,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) { | |||||||
| 			certManagers = append(certManagers, certManager) | 			certManagers = append(certManagers, certManager) | ||||||
| 
 | 
 | ||||||
| 		case "dns": | 		case "dns": | ||||||
| 			if !h.NextArg() { |  | ||||||
| 				return nil, h.ArgErr() |  | ||||||
| 			} |  | ||||||
| 			provName := h.Val() |  | ||||||
| 			if acmeIssuer == nil { | 			if acmeIssuer == nil { | ||||||
| 				acmeIssuer = new(caddytls.ACMEIssuer) | 				acmeIssuer = new(caddytls.ACMEIssuer) | ||||||
| 			} | 			} | ||||||
| @ -325,12 +321,19 @@ func parseTLS(h Helper) ([]ConfigValue, error) { | |||||||
| 			if acmeIssuer.Challenges.DNS == nil { | 			if acmeIssuer.Challenges.DNS == nil { | ||||||
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig) | 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig) | ||||||
| 			} | 			} | ||||||
| 			modID := "dns.providers." + provName | 			// DNS provider configuration optional, since it may be configured globally via the TLS app with global options | ||||||
| 			unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID) | 			if h.NextArg() { | ||||||
| 			if err != nil { | 				provName := h.Val() | ||||||
| 				return nil, err | 				modID := "dns.providers." + provName | ||||||
|  | 				unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID) | ||||||
|  | 				if err != nil { | ||||||
|  | 					return nil, err | ||||||
|  | 				} | ||||||
|  | 				acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings) | ||||||
|  | 			} else if h.Option("dns") == nil { | ||||||
|  | 				// if DNS is omitted locally, it needs to be configured globally | ||||||
|  | 				return nil, h.ArgErr() | ||||||
| 			} | 			} | ||||||
| 			acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings) |  | ||||||
| 
 | 
 | ||||||
| 		case "resolvers": | 		case "resolvers": | ||||||
| 			args := h.RemainingArgs() | 			args := h.RemainingArgs() | ||||||
|  | |||||||
| @ -1121,6 +1121,12 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti | |||||||
| 					return nil, fmt.Errorf("two policies with same match criteria have conflicting default SNI: %s vs. %s", | 					return nil, fmt.Errorf("two policies with same match criteria have conflicting default SNI: %s vs. %s", | ||||||
| 						cps[i].DefaultSNI, cps[j].DefaultSNI) | 						cps[i].DefaultSNI, cps[j].DefaultSNI) | ||||||
| 				} | 				} | ||||||
|  | 				if cps[i].FallbackSNI != "" && | ||||||
|  | 					cps[j].FallbackSNI != "" && | ||||||
|  | 					cps[i].FallbackSNI != cps[j].FallbackSNI { | ||||||
|  | 					return nil, fmt.Errorf("two policies with same match criteria have conflicting fallback SNI: %s vs. %s", | ||||||
|  | 						cps[i].FallbackSNI, cps[j].FallbackSNI) | ||||||
|  | 				} | ||||||
| 				if cps[i].ProtocolMin != "" && | 				if cps[i].ProtocolMin != "" && | ||||||
| 					cps[j].ProtocolMin != "" && | 					cps[j].ProtocolMin != "" && | ||||||
| 					cps[i].ProtocolMin != cps[j].ProtocolMin { | 					cps[i].ProtocolMin != cps[j].ProtocolMin { | ||||||
| @ -1161,6 +1167,9 @@ func consolidateConnPolicies(cps caddytls.ConnectionPolicies) (caddytls.Connecti | |||||||
| 				if cps[i].DefaultSNI == "" && cps[j].DefaultSNI != "" { | 				if cps[i].DefaultSNI == "" && cps[j].DefaultSNI != "" { | ||||||
| 					cps[i].DefaultSNI = cps[j].DefaultSNI | 					cps[i].DefaultSNI = cps[j].DefaultSNI | ||||||
| 				} | 				} | ||||||
|  | 				if cps[i].FallbackSNI == "" && cps[j].FallbackSNI != "" { | ||||||
|  | 					cps[i].FallbackSNI = cps[j].FallbackSNI | ||||||
|  | 				} | ||||||
| 				if cps[i].ProtocolMin == "" && cps[j].ProtocolMin != "" { | 				if cps[i].ProtocolMin == "" && cps[j].ProtocolMin != "" { | ||||||
| 					cps[i].ProtocolMin = cps[j].ProtocolMin | 					cps[i].ProtocolMin = cps[j].ProtocolMin | ||||||
| 				} | 				} | ||||||
|  | |||||||
| @ -19,6 +19,7 @@ import ( | |||||||
| 	"strconv" | 	"strconv" | ||||||
| 
 | 
 | ||||||
| 	"github.com/caddyserver/certmagic" | 	"github.com/caddyserver/certmagic" | ||||||
|  | 	"github.com/libdns/libdns" | ||||||
| 	"github.com/mholt/acmez/v3/acme" | 	"github.com/mholt/acmez/v3/acme" | ||||||
| 
 | 
 | ||||||
| 	"github.com/caddyserver/caddy/v2" | 	"github.com/caddyserver/caddy/v2" | ||||||
| @ -45,7 +46,7 @@ func init() { | |||||||
| 	RegisterGlobalOption("ocsp_interval", parseOptDuration) | 	RegisterGlobalOption("ocsp_interval", parseOptDuration) | ||||||
| 	RegisterGlobalOption("acme_ca", parseOptSingleString) | 	RegisterGlobalOption("acme_ca", parseOptSingleString) | ||||||
| 	RegisterGlobalOption("acme_ca_root", parseOptSingleString) | 	RegisterGlobalOption("acme_ca_root", parseOptSingleString) | ||||||
| 	RegisterGlobalOption("acme_dns", parseOptACMEDNS) | 	RegisterGlobalOption("acme_dns", parseOptDNS) | ||||||
| 	RegisterGlobalOption("acme_eab", parseOptACMEEAB) | 	RegisterGlobalOption("acme_eab", parseOptACMEEAB) | ||||||
| 	RegisterGlobalOption("cert_issuer", parseOptCertIssuer) | 	RegisterGlobalOption("cert_issuer", parseOptCertIssuer) | ||||||
| 	RegisterGlobalOption("skip_install_trust", parseOptTrue) | 	RegisterGlobalOption("skip_install_trust", parseOptTrue) | ||||||
| @ -62,6 +63,8 @@ func init() { | |||||||
| 	RegisterGlobalOption("log", parseLogOptions) | 	RegisterGlobalOption("log", parseLogOptions) | ||||||
| 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains) | 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains) | ||||||
| 	RegisterGlobalOption("persist_config", parseOptPersistConfig) | 	RegisterGlobalOption("persist_config", parseOptPersistConfig) | ||||||
|  | 	RegisterGlobalOption("dns", parseOptDNS) | ||||||
|  | 	RegisterGlobalOption("ech", parseOptECH) | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil } | func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil } | ||||||
| @ -238,25 +241,6 @@ func parseOptDuration(d *caddyfile.Dispenser, _ any) (any, error) { | |||||||
| 	return caddy.Duration(dur), nil | 	return caddy.Duration(dur), nil | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| func parseOptACMEDNS(d *caddyfile.Dispenser, _ any) (any, error) { |  | ||||||
| 	if !d.Next() { // consume option name |  | ||||||
| 		return nil, d.ArgErr() |  | ||||||
| 	} |  | ||||||
| 	if !d.Next() { // get DNS module name |  | ||||||
| 		return nil, d.ArgErr() |  | ||||||
| 	} |  | ||||||
| 	modID := "dns.providers." + d.Val() |  | ||||||
| 	unm, err := caddyfile.UnmarshalModule(d, modID) |  | ||||||
| 	if err != nil { |  | ||||||
| 		return nil, err |  | ||||||
| 	} |  | ||||||
| 	prov, ok := unm.(certmagic.DNSProvider) |  | ||||||
| 	if !ok { |  | ||||||
| 		return nil, d.Errf("module %s (%T) is not a certmagic.DNSProvider", modID, unm) |  | ||||||
| 	} |  | ||||||
| 	return prov, nil |  | ||||||
| } |  | ||||||
| 
 |  | ||||||
| func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) { | func parseOptACMEEAB(d *caddyfile.Dispenser, _ any) (any, error) { | ||||||
| 	eab := new(acme.EAB) | 	eab := new(acme.EAB) | ||||||
| 	d.Next() // consume option name | 	d.Next() // consume option name | ||||||
| @ -570,3 +554,68 @@ func parseOptPreferredChains(d *caddyfile.Dispenser, _ any) (any, error) { | |||||||
| 	d.Next() | 	d.Next() | ||||||
| 	return caddytls.ParseCaddyfilePreferredChainsOptions(d) | 	return caddytls.ParseCaddyfilePreferredChainsOptions(d) | ||||||
| } | } | ||||||
|  | 
 | ||||||
|  | func parseOptDNS(d *caddyfile.Dispenser, _ any) (any, error) { | ||||||
|  | 	d.Next() // consume option name | ||||||
|  | 
 | ||||||
|  | 	if !d.Next() { // get DNS module name | ||||||
|  | 		return nil, d.ArgErr() | ||||||
|  | 	} | ||||||
|  | 	modID := "dns.providers." + d.Val() | ||||||
|  | 	unm, err := caddyfile.UnmarshalModule(d, modID) | ||||||
|  | 	if err != nil { | ||||||
|  | 		return nil, err | ||||||
|  | 	} | ||||||
|  | 	switch unm.(type) { | ||||||
|  | 	case libdns.RecordGetter, | ||||||
|  | 		libdns.RecordSetter, | ||||||
|  | 		libdns.RecordAppender, | ||||||
|  | 		libdns.RecordDeleter: | ||||||
|  | 	default: | ||||||
|  | 		return nil, d.Errf("module %s (%T) is not a libdns provider", modID, unm) | ||||||
|  | 	} | ||||||
|  | 	return unm, nil | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | func parseOptECH(d *caddyfile.Dispenser, _ any) (any, error) { | ||||||
|  | 	d.Next() // consume option name | ||||||
|  | 
 | ||||||
|  | 	ech := new(caddytls.ECH) | ||||||
|  | 
 | ||||||
|  | 	publicNames := d.RemainingArgs() | ||||||
|  | 	for _, publicName := range publicNames { | ||||||
|  | 		ech.Configs = append(ech.Configs, caddytls.ECHConfiguration{ | ||||||
|  | 			OuterSNI: publicName, | ||||||
|  | 		}) | ||||||
|  | 	} | ||||||
|  | 	if len(ech.Configs) == 0 { | ||||||
|  | 		return nil, d.ArgErr() | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	for nesting := d.Nesting(); d.NextBlock(nesting); { | ||||||
|  | 		switch d.Val() { | ||||||
|  | 		case "dns": | ||||||
|  | 			if !d.Next() { | ||||||
|  | 				return nil, d.ArgErr() | ||||||
|  | 			} | ||||||
|  | 			providerName := d.Val() | ||||||
|  | 			modID := "dns.providers." + providerName | ||||||
|  | 			unm, err := caddyfile.UnmarshalModule(d, modID) | ||||||
|  | 			if err != nil { | ||||||
|  | 				return nil, err | ||||||
|  | 			} | ||||||
|  | 			ech.Publication = append(ech.Publication, &caddytls.ECHPublication{ | ||||||
|  | 				Configs: publicNames, | ||||||
|  | 				PublishersRaw: caddy.ModuleMap{ | ||||||
|  | 					"dns": caddyconfig.JSON(caddytls.ECHDNSPublisher{ | ||||||
|  | 						ProviderRaw: caddyconfig.JSONModuleObject(unm, "name", providerName, nil), | ||||||
|  | 					}, nil), | ||||||
|  | 				}, | ||||||
|  | 			}) | ||||||
|  | 		default: | ||||||
|  | 			return nil, d.Errf("ech: unrecognized subdirective '%s'", d.Val()) | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	return ech, nil | ||||||
|  | } | ||||||
|  | |||||||
| @ -359,6 +359,30 @@ func (st ServerType) buildTLSApp( | |||||||
| 		tlsApp.Automation.OnDemand = onDemand | 		tlsApp.Automation.OnDemand = onDemand | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	// set up "global" (to the TLS app) DNS provider config | ||||||
|  | 	if globalDNS, ok := options["dns"]; ok && globalDNS != nil { | ||||||
|  | 		tlsApp.DNSRaw = caddyconfig.JSONModuleObject(globalDNS, "name", globalDNS.(caddy.Module).CaddyModule().ID.Name(), nil) | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// set up ECH from Caddyfile options | ||||||
|  | 	if ech, ok := options["ech"].(*caddytls.ECH); ok { | ||||||
|  | 		tlsApp.EncryptedClientHello = ech | ||||||
|  | 
 | ||||||
|  | 		// outer server names will need certificates, so make sure they're included | ||||||
|  | 		// in an automation policy for them that applies any global options | ||||||
|  | 		ap, err := newBaseAutomationPolicy(options, warnings, true) | ||||||
|  | 		if err != nil { | ||||||
|  | 			return nil, warnings, err | ||||||
|  | 		} | ||||||
|  | 		for _, cfg := range ech.Configs { | ||||||
|  | 			ap.SubjectsRaw = append(ap.SubjectsRaw, cfg.OuterSNI) | ||||||
|  | 		} | ||||||
|  | 		if tlsApp.Automation == nil { | ||||||
|  | 			tlsApp.Automation = new(caddytls.AutomationConfig) | ||||||
|  | 		} | ||||||
|  | 		tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, ap) | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	// if the storage clean interval is a boolean, then it's "off" to disable cleaning | 	// if the storage clean interval is a boolean, then it's "off" to disable cleaning | ||||||
| 	if sc, ok := options["storage_check"].(string); ok && sc == "off" { | 	if sc, ok := options["storage_check"].(string); ok && sc == "off" { | ||||||
| 		tlsApp.DisableStorageCheck = true | 		tlsApp.DisableStorageCheck = true | ||||||
| @ -553,7 +577,8 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e | |||||||
| 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil { | 	if globalPreferredChains != nil && acmeIssuer.PreferredChains == nil { | ||||||
| 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference) | 		acmeIssuer.PreferredChains = globalPreferredChains.(*caddytls.ChainPreference) | ||||||
| 	} | 	} | ||||||
| 	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) { | 	// only configure alt HTTP and TLS-ALPN ports if the DNS challenge is not enabled (wouldn't hurt, but isn't necessary since the DNS challenge is exclusive of others) | ||||||
|  | 	if globalHTTPPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.HTTP == nil || acmeIssuer.Challenges.HTTP.AlternatePort == 0) { | ||||||
| 		if acmeIssuer.Challenges == nil { | 		if acmeIssuer.Challenges == nil { | ||||||
| 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig) | 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig) | ||||||
| 		} | 		} | ||||||
| @ -562,7 +587,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e | |||||||
| 		} | 		} | ||||||
| 		acmeIssuer.Challenges.HTTP.AlternatePort = globalHTTPPort.(int) | 		acmeIssuer.Challenges.HTTP.AlternatePort = globalHTTPPort.(int) | ||||||
| 	} | 	} | ||||||
| 	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) { | 	if globalHTTPSPort != nil && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.DNS == nil) && (acmeIssuer.Challenges == nil || acmeIssuer.Challenges.TLSALPN == nil || acmeIssuer.Challenges.TLSALPN.AlternatePort == 0) { | ||||||
| 		if acmeIssuer.Challenges == nil { | 		if acmeIssuer.Challenges == nil { | ||||||
| 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig) | 			acmeIssuer.Challenges = new(caddytls.ChallengesConfig) | ||||||
| 		} | 		} | ||||||
|  | |||||||
							
								
								
									
										12
									
								
								context.go
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								context.go
									
									
									
									
									
								
							| @ -385,6 +385,17 @@ func (ctx Context) LoadModuleByID(id string, rawMsg json.RawMessage) (any, error | |||||||
| 		return nil, fmt.Errorf("module value cannot be null") | 		return nil, fmt.Errorf("module value cannot be null") | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	// if this is an app module, keep a reference to it, | ||||||
|  | 	// since submodules may need to reference it during | ||||||
|  | 	// provisioning (even though the parent app module | ||||||
|  | 	// may not be fully provisioned yet; this is the case | ||||||
|  | 	// with the tls app's automation policies, which may | ||||||
|  | 	// refer to the tls app to check if a global DNS | ||||||
|  | 	// module has been configured for DNS challenges) | ||||||
|  | 	if appModule, ok := val.(App); ok { | ||||||
|  | 		ctx.cfg.apps[id] = appModule | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	ctx.ancestry = append(ctx.ancestry, val) | 	ctx.ancestry = append(ctx.ancestry, val) | ||||||
| 
 | 
 | ||||||
| 	if prov, ok := val.(Provisioner); ok { | 	if prov, ok := val.(Provisioner); ok { | ||||||
| @ -471,7 +482,6 @@ func (ctx Context) App(name string) (any, error) { | |||||||
| 	if appRaw != nil { | 	if appRaw != nil { | ||||||
| 		ctx.cfg.AppsRaw[name] = nil // allow GC to deallocate | 		ctx.cfg.AppsRaw[name] = nil // allow GC to deallocate | ||||||
| 	} | 	} | ||||||
| 	ctx.cfg.apps[name] = modVal.(App) |  | ||||||
| 	return modVal, nil | 	return modVal, nil | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | |||||||
							
								
								
									
										13
									
								
								go.mod
									
									
									
									
									
								
							
							
						
						
									
										13
									
								
								go.mod
									
									
									
									
									
								
							| @ -8,8 +8,9 @@ require ( | |||||||
| 	github.com/Masterminds/sprig/v3 v3.3.0 | 	github.com/Masterminds/sprig/v3 v3.3.0 | ||||||
| 	github.com/alecthomas/chroma/v2 v2.14.0 | 	github.com/alecthomas/chroma/v2 v2.14.0 | ||||||
| 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b | 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b | ||||||
| 	github.com/caddyserver/certmagic v0.21.7 | 	github.com/caddyserver/certmagic v0.21.8-0.20250220203412-a7894dd6992d | ||||||
| 	github.com/caddyserver/zerossl v0.1.3 | 	github.com/caddyserver/zerossl v0.1.3 | ||||||
|  | 	github.com/cloudflare/circl v1.3.3 | ||||||
| 	github.com/dustin/go-humanize v1.0.1 | 	github.com/dustin/go-humanize v1.0.1 | ||||||
| 	github.com/go-chi/chi/v5 v5.0.12 | 	github.com/go-chi/chi/v5 v5.0.12 | ||||||
| 	github.com/google/cel-go v0.21.0 | 	github.com/google/cel-go v0.21.0 | ||||||
| @ -36,11 +37,11 @@ require ( | |||||||
| 	go.uber.org/automaxprocs v1.6.0 | 	go.uber.org/automaxprocs v1.6.0 | ||||||
| 	go.uber.org/zap v1.27.0 | 	go.uber.org/zap v1.27.0 | ||||||
| 	go.uber.org/zap/exp v0.3.0 | 	go.uber.org/zap/exp v0.3.0 | ||||||
| 	golang.org/x/crypto v0.31.0 | 	golang.org/x/crypto v0.33.0 | ||||||
| 	golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 | 	golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 | ||||||
| 	golang.org/x/net v0.33.0 | 	golang.org/x/net v0.33.0 | ||||||
| 	golang.org/x/sync v0.10.0 | 	golang.org/x/sync v0.11.0 | ||||||
| 	golang.org/x/term v0.27.0 | 	golang.org/x/term v0.29.0 | ||||||
| 	golang.org/x/time v0.7.0 | 	golang.org/x/time v0.7.0 | ||||||
| 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 | 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 | ||||||
| 	gopkg.in/yaml.v3 v3.0.1 | 	gopkg.in/yaml.v3 v3.0.1 | ||||||
| @ -114,7 +115,7 @@ require ( | |||||||
| 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect | 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect | ||||||
| 	github.com/jackc/pgtype v1.14.0 // indirect | 	github.com/jackc/pgtype v1.14.0 // indirect | ||||||
| 	github.com/jackc/pgx/v4 v4.18.3 // indirect | 	github.com/jackc/pgx/v4 v4.18.3 // indirect | ||||||
| 	github.com/libdns/libdns v0.2.2 | 	github.com/libdns/libdns v0.2.3 | ||||||
| 	github.com/manifoldco/promptui v0.9.0 // indirect | 	github.com/manifoldco/promptui v0.9.0 // indirect | ||||||
| 	github.com/mattn/go-colorable v0.1.13 // indirect | 	github.com/mattn/go-colorable v0.1.13 // indirect | ||||||
| 	github.com/mattn/go-isatty v0.0.20 // indirect | 	github.com/mattn/go-isatty v0.0.20 // indirect | ||||||
| @ -148,7 +149,7 @@ require ( | |||||||
| 	go.uber.org/multierr v1.11.0 // indirect | 	go.uber.org/multierr v1.11.0 // indirect | ||||||
| 	golang.org/x/mod v0.18.0 // indirect | 	golang.org/x/mod v0.18.0 // indirect | ||||||
| 	golang.org/x/sys v0.30.0 | 	golang.org/x/sys v0.30.0 | ||||||
| 	golang.org/x/text v0.21.0 // indirect | 	golang.org/x/text v0.22.0 // indirect | ||||||
| 	golang.org/x/tools v0.22.0 // indirect | 	golang.org/x/tools v0.22.0 // indirect | ||||||
| 	google.golang.org/grpc v1.67.1 // indirect | 	google.golang.org/grpc v1.67.1 // indirect | ||||||
| 	google.golang.org/protobuf v1.35.1 // indirect | 	google.golang.org/protobuf v1.35.1 // indirect | ||||||
|  | |||||||
							
								
								
									
										26
									
								
								go.sum
									
									
									
									
									
								
							
							
						
						
									
										26
									
								
								go.sum
									
									
									
									
									
								
							| @ -91,8 +91,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= | |||||||
| github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= | github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= | ||||||
| github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= | github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= | ||||||
| github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= | github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= | ||||||
| github.com/caddyserver/certmagic v0.21.7 h1:66KJioPFJwttL43KYSWk7ErSmE6LfaJgCQuhm8Sg6fg= | github.com/caddyserver/certmagic v0.21.8-0.20250220203412-a7894dd6992d h1:9zdfQHH838+rS8pmJ73/RSjpbfHGAyxRX1E79F+1zso= | ||||||
| github.com/caddyserver/certmagic v0.21.7/go.mod h1:LCPG3WLxcnjVKl/xpjzM0gqh0knrKKKiO5WVttX2eEI= | github.com/caddyserver/certmagic v0.21.8-0.20250220203412-a7894dd6992d/go.mod h1:LCPG3WLxcnjVKl/xpjzM0gqh0knrKKKiO5WVttX2eEI= | ||||||
| github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA= | github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA= | ||||||
| github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4= | github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4= | ||||||
| github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= | github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= | ||||||
| @ -111,6 +111,8 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn | |||||||
| github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04= | github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04= | ||||||
| github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= | github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8= | ||||||
| github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= | github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= | ||||||
|  | github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= | ||||||
|  | github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= | ||||||
| github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I= | github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I= | ||||||
| github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= | github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= | ||||||
| github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= | github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= | ||||||
| @ -323,8 +325,8 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= | |||||||
| github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= | github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= | ||||||
| github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= | github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw= | ||||||
| github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= | github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= | ||||||
| github.com/libdns/libdns v0.2.2 h1:O6ws7bAfRPaBsgAYt8MDe2HcNBGC29hkZ9MX2eUSX3s= | github.com/libdns/libdns v0.2.3 h1:ba30K4ObwMGB/QTmqUxf3H4/GmUrCAIkMWejeGl12v8= | ||||||
| github.com/libdns/libdns v0.2.2/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ= | github.com/libdns/libdns v0.2.3/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfsZqLWQ= | ||||||
| github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI= | github.com/lunixbochs/vtclean v1.0.0/go.mod h1:pHhQNgMf3btfWnGBVipUOjRYhoOsdGqdm/+2c2E2WMI= | ||||||
| github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= | github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= | ||||||
| github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= | github.com/mailru/easyjson v0.0.0-20190312143242-1de009706dbe/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= | ||||||
| @ -596,8 +598,8 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y | |||||||
| golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | ||||||
| golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= | ||||||
| golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= | golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= | ||||||
| golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= | golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= | ||||||
| golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= | golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= | ||||||
| golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 h1:4cEcP5+OjGppY79LCQ5Go2B1Boix2x0v6pvA01P3FoA= | golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9 h1:4cEcP5+OjGppY79LCQ5Go2B1Boix2x0v6pvA01P3FoA= | ||||||
| golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= | golang.org/x/crypto/x509roots/fallback v0.0.0-20241104001025-71ed71b4faf9/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8= | ||||||
| golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= | golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= | ||||||
| @ -645,8 +647,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ | |||||||
| golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||||
| golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||||
| golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | ||||||
| golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= | golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w= | ||||||
| golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= | golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= | ||||||
| golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||||||
| golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||||||
| golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= | ||||||
| @ -683,8 +685,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX | |||||||
| golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= | golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= | ||||||
| golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= | golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= | ||||||
| golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= | golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= | ||||||
| golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= | golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= | ||||||
| golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= | golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= | ||||||
| golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||||||
| golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= | ||||||
| golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= | golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= | ||||||
| @ -695,8 +697,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= | |||||||
| golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= | golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= | ||||||
| golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= | golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= | ||||||
| golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= | golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= | ||||||
| golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= | golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= | ||||||
| golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= | golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= | ||||||
| golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= | golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= | ||||||
| golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= | golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= | ||||||
| golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ= | golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ= | ||||||
|  | |||||||
| @ -205,6 +205,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er | |||||||
| 		// for all the hostnames we found, filter them so we have | 		// for all the hostnames we found, filter them so we have | ||||||
| 		// a deduplicated list of names for which to obtain certs | 		// a deduplicated list of names for which to obtain certs | ||||||
| 		// (only if cert management not disabled for this server) | 		// (only if cert management not disabled for this server) | ||||||
|  | 		var echDomains []string | ||||||
| 		if srv.AutoHTTPS.DisableCerts { | 		if srv.AutoHTTPS.DisableCerts { | ||||||
| 			logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName)) | 			logger.Warn("skipping automated certificate management for server because it is disabled", zap.String("server_name", srvName)) | ||||||
| 		} else { | 		} else { | ||||||
| @ -231,10 +232,14 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er | |||||||
| 					} | 					} | ||||||
| 
 | 
 | ||||||
| 					uniqueDomainsForCerts[d] = struct{}{} | 					uniqueDomainsForCerts[d] = struct{}{} | ||||||
|  | 					echDomains = append(echDomains, d) | ||||||
| 				} | 				} | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 
 | 
 | ||||||
|  | 		// let the TLS server know we have some hostnames that could be protected behind ECH | ||||||
|  | 		app.tlsApp.RegisterServerNames(echDomains) | ||||||
|  | 
 | ||||||
| 		// tell the server to use TLS if it is not already doing so | 		// tell the server to use TLS if it is not already doing so | ||||||
| 		if srv.TLSConnPolicies == nil { | 		if srv.TLSConnPolicies == nil { | ||||||
| 			srv.TLSConnPolicies = caddytls.ConnectionPolicies{new(caddytls.ConnectionPolicy)} | 			srv.TLSConnPolicies = caddytls.ConnectionPolicies{new(caddytls.ConnectionPolicy)} | ||||||
|  | |||||||
| @ -146,15 +146,30 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error { | |||||||
| 		iss.AccountKey = accountKey | 		iss.AccountKey = accountKey | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	// DNS providers | 	// DNS challenge provider | ||||||
| 	if iss.Challenges != nil && iss.Challenges.DNS != nil && iss.Challenges.DNS.ProviderRaw != nil { | 	if iss.Challenges != nil && iss.Challenges.DNS != nil { | ||||||
| 		val, err := ctx.LoadModule(iss.Challenges.DNS, "ProviderRaw") | 		var prov certmagic.DNSProvider | ||||||
| 		if err != nil { | 		if iss.Challenges.DNS.ProviderRaw != nil { | ||||||
| 			return fmt.Errorf("loading DNS provider module: %v", err) | 			// a challenge provider has been locally configured - use it | ||||||
|  | 			val, err := ctx.LoadModule(iss.Challenges.DNS, "ProviderRaw") | ||||||
|  | 			if err != nil { | ||||||
|  | 				return fmt.Errorf("loading DNS provider module: %v", err) | ||||||
|  | 			} | ||||||
|  | 			prov = val.(certmagic.DNSProvider) | ||||||
|  | 		} else if tlsAppIface, err := ctx.AppIfConfigured("tls"); err == nil { | ||||||
|  | 			// no locally configured DNS challenge provider, but if there is | ||||||
|  | 			// a global DNS module configured with the TLS app, use that | ||||||
|  | 			tlsApp := tlsAppIface.(*TLS) | ||||||
|  | 			if tlsApp.dns != nil { | ||||||
|  | 				prov = tlsApp.dns.(certmagic.DNSProvider) | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 		if prov == nil { | ||||||
|  | 			return fmt.Errorf("DNS challenge enabled, but no DNS provider configured") | ||||||
| 		} | 		} | ||||||
| 		iss.Challenges.DNS.solver = &certmagic.DNS01Solver{ | 		iss.Challenges.DNS.solver = &certmagic.DNS01Solver{ | ||||||
| 			DNSManager: certmagic.DNSManager{ | 			DNSManager: certmagic.DNSManager{ | ||||||
| 				DNSProvider:        val.(certmagic.DNSProvider), | 				DNSProvider:        prov, | ||||||
| 				TTL:                time.Duration(iss.Challenges.DNS.TTL), | 				TTL:                time.Duration(iss.Challenges.DNS.TTL), | ||||||
| 				PropagationDelay:   time.Duration(iss.Challenges.DNS.PropagationDelay), | 				PropagationDelay:   time.Duration(iss.Challenges.DNS.PropagationDelay), | ||||||
| 				PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout), | 				PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout), | ||||||
|  | |||||||
| @ -93,7 +93,7 @@ func (cp ConnectionPolicies) Provision(ctx caddy.Context) error { | |||||||
| 
 | 
 | ||||||
| // TLSConfig returns a standard-lib-compatible TLS configuration which | // TLSConfig returns a standard-lib-compatible TLS configuration which | ||||||
| // selects the first matching policy based on the ClientHello. | // selects the first matching policy based on the ClientHello. | ||||||
| func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config { | func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config { | ||||||
| 	// using ServerName to match policies is extremely common, especially in configs | 	// using ServerName to match policies is extremely common, especially in configs | ||||||
| 	// with lots and lots of different policies; we can fast-track those by indexing | 	// with lots and lots of different policies; we can fast-track those by indexing | ||||||
| 	// them by SNI, so we don't have to iterate potentially thousands of policies | 	// them by SNI, so we don't have to iterate potentially thousands of policies | ||||||
| @ -104,6 +104,7 @@ func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config { | |||||||
| 			for _, m := range p.matchers { | 			for _, m := range p.matchers { | ||||||
| 				if sni, ok := m.(MatchServerName); ok { | 				if sni, ok := m.(MatchServerName); ok { | ||||||
| 					for _, sniName := range sni { | 					for _, sniName := range sni { | ||||||
|  | 						// index for fast lookups during handshakes | ||||||
| 						indexedBySNI[sniName] = append(indexedBySNI[sniName], p) | 						indexedBySNI[sniName] = append(indexedBySNI[sniName], p) | ||||||
| 					} | 					} | ||||||
| 				} | 				} | ||||||
| @ -111,32 +112,79 @@ func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config { | |||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	return &tls.Config{ | 	getConfigForClient := func(hello *tls.ClientHelloInfo) (*tls.Config, error) { | ||||||
| 		MinVersion: tls.VersionTLS12, | 		// filter policies by SNI first, if possible, to speed things up | ||||||
| 		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) { | 		// when there may be lots of policies | ||||||
| 			// filter policies by SNI first, if possible, to speed things up | 		possiblePolicies := cp | ||||||
| 			// when there may be lots of policies | 		if indexedPolicies, ok := indexedBySNI[hello.ServerName]; ok { | ||||||
| 			possiblePolicies := cp | 			possiblePolicies = indexedPolicies | ||||||
| 			if indexedPolicies, ok := indexedBySNI[hello.ServerName]; ok { | 		} | ||||||
| 				possiblePolicies = indexedPolicies |  | ||||||
| 			} |  | ||||||
| 
 | 
 | ||||||
| 		policyLoop: | 	policyLoop: | ||||||
| 			for _, pol := range possiblePolicies { | 		for _, pol := range possiblePolicies { | ||||||
| 				for _, matcher := range pol.matchers { | 			for _, matcher := range pol.matchers { | ||||||
| 					if !matcher.Match(hello) { | 				if !matcher.Match(hello) { | ||||||
| 						continue policyLoop | 					continue policyLoop | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			if pol.Drop { | ||||||
|  | 				return nil, fmt.Errorf("dropping connection") | ||||||
|  | 			} | ||||||
|  | 			return pol.TLSConfig, nil | ||||||
|  | 		} | ||||||
|  | 
 | ||||||
|  | 		return nil, fmt.Errorf("no server TLS configuration available for ClientHello: %+v", hello) | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	tlsCfg := &tls.Config{ | ||||||
|  | 		MinVersion:         tls.VersionTLS12, | ||||||
|  | 		GetConfigForClient: getConfigForClient, | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// enable ECH, if configured | ||||||
|  | 	if tlsAppIface, err := ctx.AppIfConfigured("tls"); err == nil { | ||||||
|  | 		tlsApp := tlsAppIface.(*TLS) | ||||||
|  | 
 | ||||||
|  | 		if tlsApp.EncryptedClientHello != nil && len(tlsApp.EncryptedClientHello.configs) > 0 { | ||||||
|  | 			// if no publication was configured, we apply ECH to all server names by default, | ||||||
|  | 			// but the TLS app needs to know what they are in this case, since they don't appear | ||||||
|  | 			// in its config (remember, TLS connection policies are used by *other* apps to | ||||||
|  | 			// run TLS servers) -- we skip names with placeholders | ||||||
|  | 			if tlsApp.EncryptedClientHello.Publication == nil { | ||||||
|  | 				var echNames []string | ||||||
|  | 				repl := caddy.NewReplacer() | ||||||
|  | 				for _, p := range cp { | ||||||
|  | 					for _, m := range p.matchers { | ||||||
|  | 						if sni, ok := m.(MatchServerName); ok { | ||||||
|  | 							for _, name := range sni { | ||||||
|  | 								finalName := strings.ToLower(repl.ReplaceAll(name, "")) | ||||||
|  | 								echNames = append(echNames, finalName) | ||||||
|  | 							} | ||||||
|  | 						} | ||||||
| 					} | 					} | ||||||
| 				} | 				} | ||||||
| 				if pol.Drop { | 				tlsApp.RegisterServerNames(echNames) | ||||||
| 					return nil, fmt.Errorf("dropping connection") |  | ||||||
| 				} |  | ||||||
| 				return pol.TLSConfig, nil |  | ||||||
| 			} | 			} | ||||||
| 
 | 
 | ||||||
| 			return nil, fmt.Errorf("no server TLS configuration available for ClientHello: %+v", hello) | 			// TODO: Ideally, ECH keys should be rotated. However, as of Go 1.24, the std lib implementation | ||||||
| 		}, | 			// does not support safely modifying the tls.Config's EncryptedClientHelloKeys field. | ||||||
|  | 			// So, we implement static ECH keys temporarily. See https://github.com/golang/go/issues/71920. | ||||||
|  | 			// Revisit this after Go 1.25 is released and implement key rotation. | ||||||
|  | 			var stdECHKeys []tls.EncryptedClientHelloKey | ||||||
|  | 			for _, echConfigs := range tlsApp.EncryptedClientHello.configs { | ||||||
|  | 				for _, c := range echConfigs { | ||||||
|  | 					stdECHKeys = append(stdECHKeys, tls.EncryptedClientHelloKey{ | ||||||
|  | 						Config:      c.configBin, | ||||||
|  | 						PrivateKey:  c.privKeyBin, | ||||||
|  | 						SendAsRetry: c.sendAsRetry, | ||||||
|  | 					}) | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 			tlsCfg.EncryptedClientHelloKeys = stdECHKeys | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
|  | 
 | ||||||
|  | 	return tlsCfg | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| // ConnectionPolicy specifies the logic for handling a TLS handshake. | // ConnectionPolicy specifies the logic for handling a TLS handshake. | ||||||
| @ -409,6 +457,7 @@ func (p ConnectionPolicy) SettingsEmpty() bool { | |||||||
| 		p.ProtocolMax == "" && | 		p.ProtocolMax == "" && | ||||||
| 		p.ClientAuthentication == nil && | 		p.ClientAuthentication == nil && | ||||||
| 		p.DefaultSNI == "" && | 		p.DefaultSNI == "" && | ||||||
|  | 		p.FallbackSNI == "" && | ||||||
| 		p.InsecureSecretsLog == "" | 		p.InsecureSecretsLog == "" | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | |||||||
							
								
								
									
										1074
									
								
								modules/caddytls/ech.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										1074
									
								
								modules/caddytls/ech.go
									
									
									
									
									
										Normal file
									
								
							
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
										129
									
								
								modules/caddytls/ech_test.go
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										129
									
								
								modules/caddytls/ech_test.go
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,129 @@ | |||||||
|  | package caddytls | ||||||
|  | 
 | ||||||
|  | import ( | ||||||
|  | 	"reflect" | ||||||
|  | 	"testing" | ||||||
|  | ) | ||||||
|  | 
 | ||||||
|  | func TestParseSvcParams(t *testing.T) { | ||||||
|  | 	for i, test := range []struct { | ||||||
|  | 		input     string | ||||||
|  | 		expect    svcParams | ||||||
|  | 		shouldErr bool | ||||||
|  | 	}{ | ||||||
|  | 		{ | ||||||
|  | 			input: `alpn="h2,h3" no-default-alpn ipv6hint=2001:db8::1 port=443`, | ||||||
|  | 			expect: svcParams{ | ||||||
|  | 				"alpn":            {"h2", "h3"}, | ||||||
|  | 				"no-default-alpn": {}, | ||||||
|  | 				"ipv6hint":        {"2001:db8::1"}, | ||||||
|  | 				"port":            {"443"}, | ||||||
|  | 			}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			input: `key=value quoted="some string" flag`, | ||||||
|  | 			expect: svcParams{ | ||||||
|  | 				"key":    {"value"}, | ||||||
|  | 				"quoted": {"some string"}, | ||||||
|  | 				"flag":   {}, | ||||||
|  | 			}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			input: `key="nested \"quoted\" value,foobar"`, | ||||||
|  | 			expect: svcParams{ | ||||||
|  | 				"key": {`nested "quoted" value`, "foobar"}, | ||||||
|  | 			}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			input: `alpn=h3,h2 tls-supported-groups=29,23 no-default-alpn ech="foobar"`, | ||||||
|  | 			expect: svcParams{ | ||||||
|  | 				"alpn":                 {"h3", "h2"}, | ||||||
|  | 				"tls-supported-groups": {"29", "23"}, | ||||||
|  | 				"no-default-alpn":      {}, | ||||||
|  | 				"ech":                  {"foobar"}, | ||||||
|  | 			}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			input: `escape=\097`, | ||||||
|  | 			expect: svcParams{ | ||||||
|  | 				"escape": {"a"}, | ||||||
|  | 			}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			input: `escapes=\097\098c`, | ||||||
|  | 			expect: svcParams{ | ||||||
|  | 				"escapes": {"abc"}, | ||||||
|  | 			}, | ||||||
|  | 		}, | ||||||
|  | 	} { | ||||||
|  | 		actual, err := parseSvcParams(test.input) | ||||||
|  | 		if err != nil && !test.shouldErr { | ||||||
|  | 			t.Errorf("Test %d: Expected no error, but got: %v (input=%q)", i, err, test.input) | ||||||
|  | 			continue | ||||||
|  | 		} else if err == nil && test.shouldErr { | ||||||
|  | 			t.Errorf("Test %d: Expected an error, but got no error (input=%q)", i, test.input) | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		if !reflect.DeepEqual(test.expect, actual) { | ||||||
|  | 			t.Errorf("Test %d: Expected %v, got %v (input=%q)", i, test.expect, actual, test.input) | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | func TestSvcParamsString(t *testing.T) { | ||||||
|  | 	// this test relies on the parser also working | ||||||
|  | 	// because we can't just compare string outputs | ||||||
|  | 	// since map iteration is unordered | ||||||
|  | 	for i, test := range []svcParams{ | ||||||
|  | 
 | ||||||
|  | 		{ | ||||||
|  | 			"alpn":            {"h2", "h3"}, | ||||||
|  | 			"no-default-alpn": {}, | ||||||
|  | 			"ipv6hint":        {"2001:db8::1"}, | ||||||
|  | 			"port":            {"443"}, | ||||||
|  | 		}, | ||||||
|  | 
 | ||||||
|  | 		{ | ||||||
|  | 			"key":    {"value"}, | ||||||
|  | 			"quoted": {"some string"}, | ||||||
|  | 			"flag":   {}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			"key": {`nested "quoted" value`, "foobar"}, | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			"alpn":                 {"h3", "h2"}, | ||||||
|  | 			"tls-supported-groups": {"29", "23"}, | ||||||
|  | 			"no-default-alpn":      {}, | ||||||
|  | 			"ech":                  {"foobar"}, | ||||||
|  | 		}, | ||||||
|  | 	} { | ||||||
|  | 		combined := test.String() | ||||||
|  | 		parsed, err := parseSvcParams(combined) | ||||||
|  | 		if err != nil { | ||||||
|  | 			t.Errorf("Test %d: Expected no error, but got: %v (input=%q)", i, err, test) | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		if len(parsed) != len(test) { | ||||||
|  | 			t.Errorf("Test %d: Expected %d keys, but got %d", i, len(test), len(parsed)) | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 		for key, expectedVals := range test { | ||||||
|  | 			if expected, actual := len(expectedVals), len(parsed[key]); expected != actual { | ||||||
|  | 				t.Errorf("Test %d: Expected key %s to have %d values, but had %d", i, key, expected, actual) | ||||||
|  | 				continue | ||||||
|  | 			} | ||||||
|  | 			for j, expected := range expectedVals { | ||||||
|  | 				if actual := parsed[key][j]; actual != expected { | ||||||
|  | 					t.Errorf("Test %d key %q value %d: Expected '%s' but got '%s'", i, key, j, expected, actual) | ||||||
|  | 					continue | ||||||
|  | 				} | ||||||
|  | 			} | ||||||
|  | 		} | ||||||
|  | 		if !reflect.DeepEqual(parsed, test) { | ||||||
|  | 			t.Errorf("Test %d: Expected %#v, got %#v", i, test, combined) | ||||||
|  | 			continue | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | } | ||||||
| @ -20,12 +20,15 @@ import ( | |||||||
| 	"encoding/json" | 	"encoding/json" | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"log" | 	"log" | ||||||
|  | 	"net" | ||||||
| 	"net/http" | 	"net/http" | ||||||
| 	"runtime/debug" | 	"runtime/debug" | ||||||
|  | 	"strings" | ||||||
| 	"sync" | 	"sync" | ||||||
| 	"time" | 	"time" | ||||||
| 
 | 
 | ||||||
| 	"github.com/caddyserver/certmagic" | 	"github.com/caddyserver/certmagic" | ||||||
|  | 	"github.com/libdns/libdns" | ||||||
| 	"go.uber.org/zap" | 	"go.uber.org/zap" | ||||||
| 	"go.uber.org/zap/zapcore" | 	"go.uber.org/zap/zapcore" | ||||||
| 
 | 
 | ||||||
| @ -79,6 +82,7 @@ type TLS struct { | |||||||
| 	// Disabling OCSP stapling puts clients at greater risk, reduces their | 	// Disabling OCSP stapling puts clients at greater risk, reduces their | ||||||
| 	// privacy, and usually lowers client performance. It is NOT recommended | 	// privacy, and usually lowers client performance. It is NOT recommended | ||||||
| 	// to disable this unless you are able to justify the costs. | 	// to disable this unless you are able to justify the costs. | ||||||
|  | 	// | ||||||
| 	// EXPERIMENTAL. Subject to change. | 	// EXPERIMENTAL. Subject to change. | ||||||
| 	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"` | 	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"` | ||||||
| 
 | 
 | ||||||
| @ -89,6 +93,7 @@ type TLS struct { | |||||||
| 	// | 	// | ||||||
| 	// Disabling these checks should only be done when the storage | 	// Disabling these checks should only be done when the storage | ||||||
| 	// can be trusted to have enough capacity and no other problems. | 	// can be trusted to have enough capacity and no other problems. | ||||||
|  | 	// | ||||||
| 	// EXPERIMENTAL. Subject to change. | 	// EXPERIMENTAL. Subject to change. | ||||||
| 	DisableStorageCheck bool `json:"disable_storage_check,omitempty"` | 	DisableStorageCheck bool `json:"disable_storage_check,omitempty"` | ||||||
| 
 | 
 | ||||||
| @ -100,9 +105,23 @@ type TLS struct { | |||||||
| 	// The instance.uuid file is used to identify the instance of Caddy | 	// The instance.uuid file is used to identify the instance of Caddy | ||||||
| 	// in a cluster. The last_clean.json file is used to store the last | 	// in a cluster. The last_clean.json file is used to store the last | ||||||
| 	// time the storage was cleaned. | 	// time the storage was cleaned. | ||||||
|  | 	// | ||||||
| 	// EXPERIMENTAL. Subject to change. | 	// EXPERIMENTAL. Subject to change. | ||||||
| 	DisableStorageClean bool `json:"disable_storage_clean,omitempty"` | 	DisableStorageClean bool `json:"disable_storage_clean,omitempty"` | ||||||
| 
 | 
 | ||||||
|  | 	// Enable Encrypted ClientHello (ECH). ECH protects the server name | ||||||
|  | 	// (SNI) and other sensitive parameters of a normally-plaintext TLS | ||||||
|  | 	// ClientHello during a handshake. | ||||||
|  | 	// | ||||||
|  | 	// EXPERIMENTAL: Subject to change. | ||||||
|  | 	EncryptedClientHello *ECH `json:"encrypted_client_hello,omitempty"` | ||||||
|  | 
 | ||||||
|  | 	// The default DNS provider module to use when a DNS module is needed. | ||||||
|  | 	// | ||||||
|  | 	// EXPERIMENTAL: Subject to change. | ||||||
|  | 	DNSRaw json.RawMessage `json:"dns,omitempty" caddy:"namespace=dns.providers inline_key=name"` | ||||||
|  | 	dns    any             // technically, it should be any/all of the libdns interfaces (RecordSetter, RecordAppender, etc.) | ||||||
|  | 
 | ||||||
| 	certificateLoaders []CertificateLoader | 	certificateLoaders []CertificateLoader | ||||||
| 	automateNames      []string | 	automateNames      []string | ||||||
| 	ctx                caddy.Context | 	ctx                caddy.Context | ||||||
| @ -111,6 +130,9 @@ type TLS struct { | |||||||
| 	logger             *zap.Logger | 	logger             *zap.Logger | ||||||
| 	events             *caddyevents.App | 	events             *caddyevents.App | ||||||
| 
 | 
 | ||||||
|  | 	serverNames   map[string]struct{} | ||||||
|  | 	serverNamesMu *sync.Mutex | ||||||
|  | 
 | ||||||
| 	// set of subjects with managed certificates, | 	// set of subjects with managed certificates, | ||||||
| 	// and hashes of manually-loaded certificates | 	// and hashes of manually-loaded certificates | ||||||
| 	// (managing's value is an optional issuer key, for distinction) | 	// (managing's value is an optional issuer key, for distinction) | ||||||
| @ -136,6 +158,40 @@ func (t *TLS) Provision(ctx caddy.Context) error { | |||||||
| 	t.logger = ctx.Logger() | 	t.logger = ctx.Logger() | ||||||
| 	repl := caddy.NewReplacer() | 	repl := caddy.NewReplacer() | ||||||
| 	t.managing, t.loaded = make(map[string]string), make(map[string]string) | 	t.managing, t.loaded = make(map[string]string), make(map[string]string) | ||||||
|  | 	t.serverNames = make(map[string]struct{}) | ||||||
|  | 	t.serverNamesMu = new(sync.Mutex) | ||||||
|  | 
 | ||||||
|  | 	// set up default DNS module, if any, and make sure it implements all the | ||||||
|  | 	// common libdns interfaces, since it could be used for a variety of things | ||||||
|  | 	// (do this before provisioning other modules, since they may rely on this) | ||||||
|  | 	if len(t.DNSRaw) > 0 { | ||||||
|  | 		dnsMod, err := ctx.LoadModule(t, "DNSRaw") | ||||||
|  | 		if err != nil { | ||||||
|  | 			return fmt.Errorf("loading overall DNS provider module: %v", err) | ||||||
|  | 		} | ||||||
|  | 		switch dnsMod.(type) { | ||||||
|  | 		case interface { | ||||||
|  | 			libdns.RecordAppender | ||||||
|  | 			libdns.RecordDeleter | ||||||
|  | 			libdns.RecordGetter | ||||||
|  | 			libdns.RecordSetter | ||||||
|  | 		}: | ||||||
|  | 		default: | ||||||
|  | 			return fmt.Errorf("DNS module does not implement the most common libdns interfaces: %T", dnsMod) | ||||||
|  | 		} | ||||||
|  | 		t.dns = dnsMod | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
|  | 	// ECH (Encrypted ClientHello) initialization | ||||||
|  | 	if t.EncryptedClientHello != nil { | ||||||
|  | 		t.EncryptedClientHello.configs = make(map[string][]echConfig) | ||||||
|  | 		outerNames, err := t.EncryptedClientHello.Provision(ctx) | ||||||
|  | 		if err != nil { | ||||||
|  | 			return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err) | ||||||
|  | 		} | ||||||
|  | 		// outer names should have certificates to reduce client brittleness | ||||||
|  | 		t.automateNames = append(t.automateNames, outerNames...) | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	// set up a new certificate cache; this (re)loads all certificates | 	// set up a new certificate cache; this (re)loads all certificates | ||||||
| 	cacheOpts := certmagic.CacheOptions{ | 	cacheOpts := certmagic.CacheOptions{ | ||||||
| @ -178,7 +234,7 @@ func (t *TLS) Provision(ctx caddy.Context) error { | |||||||
| 				for i, sub := range *automateNames { | 				for i, sub := range *automateNames { | ||||||
| 					subjects[i] = repl.ReplaceAll(sub, "") | 					subjects[i] = repl.ReplaceAll(sub, "") | ||||||
| 				} | 				} | ||||||
| 				t.automateNames = subjects | 				t.automateNames = append(t.automateNames, subjects...) | ||||||
| 			} else { | 			} else { | ||||||
| 				return fmt.Errorf("loading certificates with 'automate' requires array of strings, got: %T", modIface) | 				return fmt.Errorf("loading certificates with 'automate' requires array of strings, got: %T", modIface) | ||||||
| 			} | 			} | ||||||
| @ -339,6 +395,16 @@ func (t *TLS) Start() error { | |||||||
| 		return fmt.Errorf("automate: managing %v: %v", t.automateNames, err) | 		return fmt.Errorf("automate: managing %v: %v", t.automateNames, err) | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	// publish ECH configs in the background; does not need to block | ||||||
|  | 	// server startup, as it could take a while | ||||||
|  | 	if t.EncryptedClientHello != nil { | ||||||
|  | 		go func() { | ||||||
|  | 			if err := t.publishECHConfigs(); err != nil { | ||||||
|  | 				t.logger.Named("ech").Error("publication(s) failed", zap.Error(err)) | ||||||
|  | 			} | ||||||
|  | 		}() | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	if !t.DisableStorageClean { | 	if !t.DisableStorageClean { | ||||||
| 		// start the storage cleaner goroutine and ticker, | 		// start the storage cleaner goroutine and ticker, | ||||||
| 		// which cleans out expired certificates and more | 		// which cleans out expired certificates and more | ||||||
| @ -422,11 +488,16 @@ func (t *TLS) Cleanup() error { | |||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 	} else { | 	} else { | ||||||
| 		// no more TLS app running, so delete in-memory cert cache | 		// no more TLS app running, so delete in-memory cert cache, if it was created yet | ||||||
| 		certCache.Stop() | 		certCacheMu.RLock() | ||||||
| 		certCacheMu.Lock() | 		hasCache := certCache != nil | ||||||
| 		certCache = nil | 		certCacheMu.RUnlock() | ||||||
| 		certCacheMu.Unlock() | 		if hasCache { | ||||||
|  | 			certCache.Stop() | ||||||
|  | 			certCacheMu.Lock() | ||||||
|  | 			certCache = nil | ||||||
|  | 			certCacheMu.Unlock() | ||||||
|  | 		} | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
| 	return nil | 	return nil | ||||||
| @ -478,6 +549,29 @@ func (t *TLS) Manage(names []string) error { | |||||||
| 	return nil | 	return nil | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | // RegisterServerNames registers the provided DNS names with the TLS app. | ||||||
|  | // This is currently used to auto-publish Encrypted ClientHello (ECH) | ||||||
|  | // configurations, if enabled. Use of this function by apps using the TLS | ||||||
|  | // app removes the need for the user to redundantly specify domain names | ||||||
|  | // in their configuration. This function separates hostname and port | ||||||
|  | // (keeping only the hotsname) and filters IP addresses, which can't be | ||||||
|  | // used with ECH. | ||||||
|  | // | ||||||
|  | // EXPERIMENTAL: This function and its behavior are subject to change. | ||||||
|  | func (t *TLS) RegisterServerNames(dnsNames []string) { | ||||||
|  | 	t.serverNamesMu.Lock() | ||||||
|  | 	for _, name := range dnsNames { | ||||||
|  | 		host, _, err := net.SplitHostPort(name) | ||||||
|  | 		if err != nil { | ||||||
|  | 			host = name | ||||||
|  | 		} | ||||||
|  | 		if strings.TrimSpace(host) != "" && !certmagic.SubjectIsIP(host) { | ||||||
|  | 			t.serverNames[strings.ToLower(host)] = struct{}{} | ||||||
|  | 		} | ||||||
|  | 	} | ||||||
|  | 	t.serverNamesMu.Unlock() | ||||||
|  | } | ||||||
|  | 
 | ||||||
| // HandleHTTPChallenge ensures that the ACME HTTP challenge or ZeroSSL HTTP | // HandleHTTPChallenge ensures that the ACME HTTP challenge or ZeroSSL HTTP | ||||||
| // validation request is handled for the certificate named by r.Host, if it | // validation request is handled for the certificate named by r.Host, if it | ||||||
| // is an HTTP challenge request. It requires that the automation policy for | // is an HTTP challenge request. It requires that the automation policy for | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user