httpcaddyfile: Fix unexpectedly removed policy (#4128)

* httpcaddyfile: Fix unexpectedly removed policy When user set on_demand tls option in a catch-all (:443) policy, we expect other policies to not have the on_demand enabled See ex in tls_automation_policies_5.txt Btw, we can remove policies if they are **all** empty. * Update caddyconfig/httpcaddyfile/tlsapp.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2025-11-04 03:27:23 -05:00 · 2021-04-29 18:56:01 +02:00 · 2021-04-29 18:56:01 +02:00 · ff6ca577ec
commit ff6ca577ec
parent 9017557169
2 changed files with 69 additions and 3 deletions
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -480,15 +480,19 @@ func consolidateAutomationPolicies(aps []*caddytls.AutomationPolicy) []*caddytls
 		return len(aps[i].Subjects) > len(aps[j].Subjects)
 	})

-	// remove any empty policies (except subjects, of course)
+	emptyAPCount := 0
+	// compute the number of empty policies (disregarding subjects) - see #4128
 	emptyAP := new(caddytls.AutomationPolicy)
 	for i := 0; i < len(aps); i++ {
 		emptyAP.Subjects = aps[i].Subjects
 		if reflect.DeepEqual(aps[i], emptyAP) {
-			aps = append(aps[:i], aps[i+1:]...)
-			i--
+			emptyAPCount++
 		}
 	}
+	// If all policies are empty, we can return nil, as there is no need to set any policy
+	if emptyAPCount == len(aps) {
+		return nil
+	}

 	// remove or combine duplicate policies
 outer:
--- a/caddytest/integration/caddyfile_adapt/tls_automation_policies_5.txt
+++ b/caddytest/integration/caddyfile_adapt/tls_automation_policies_5.txt
@ -0,0 +1,62 @@
+a.example.com {
+}
+
+b.example.com {
+}
+
+:443 {
+	tls {
+		on_demand
+	}
+}
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"a.example.com"
+									]
+								}
+							],
+							"terminal": true
+						},
+						{
+							"match": [
+								{
+									"host": [
+										"b.example.com"
+									]
+								}
+							],
+							"terminal": true
+						}
+					]
+				}
+			}
+		},
+		"tls": {
+			"automation": {
+				"policies": [
+					{
+						"subjects": [
+							"a.example.com",
+							"b.example.com"
+						]
+					},
+					{
+						"on_demand": true
+					}
+				]
+			}
+		}
+	}
+}