Matt Holt
c8adb1b553
cmd: Better error handling when reloading ( #6601 )
...
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Lint / lint (macos-14, mac) (push) Waiting to run
Lint / lint (windows-latest, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 1m44s
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 28s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 1m29s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 1m29s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 1m30s
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 12m16s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 1m29s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 1m30s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 1m30s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 1m41s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 1m29s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 1m31s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 1m21s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 1m21s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 1m21s
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m12s
Lint / govulncheck (push) Successful in 1m34s
* caddyhttp: Limit auto-HTTPS error logs to 100 domains
* Improve error message and increase error size limit
2024-10-01 20:31:30 -06:00
Matt Holt
9b4acc2449
caddytls: Support new tls.context module ( #6369 )
...
* caddytls: Support new tls.context module
This allows modules to manipulate the context passed into CertMagic's GetCertificate function, which can be useful for tracing/metrics, or other
custom logic.
This is experimental and may resolve the request of a sponsor, so we'll see how it goes!
* Derpy derp
2024-10-01 17:18:17 -06:00
Mohammed Al Sahaf
1a345b4fa6
doc: remove docs of deprecated directives ( #6566 )
...
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 24s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 1m35s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 1m36s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 1m28s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 1m34s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 1m35s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 1m33s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 1m28s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 1m31s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 1m21s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 1m23s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 1m23s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 1m22s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m22s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m21s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m22s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 1m21s
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m0s
Lint / govulncheck (push) Successful in 1m20s
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-09-29 09:12:52 +00:00
Francis Lavoie
2faeac0a10
chore: Use slices package where possible ( #6585 )
...
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Lint / lint (macos-14, mac) (push) Waiting to run
Lint / lint (windows-latest, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 1m34s
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 1m25s
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 24s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 1m32s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 1m41s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 1m34s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 1m30s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 1m31s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 1m32s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 1m31s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 1m24s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 1m22s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 1m21s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 1m22s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 1m23s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m20s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m22s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m24s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 1m21s
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m12s
Lint / govulncheck (push) Successful in 1m20s
* chore: Use slices package where possible
* More, mostly using ContainsFunc
* Even more slice operations
2024-09-25 14:30:56 -06:00
Francis Lavoie
9dda8fbf84
caddytls: Give a better error message when given encrypted private keys ( #6591 )
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Lint / lint (macos-14, mac) (push) Waiting to run
Lint / lint (windows-latest, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 1m42s
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 1m32s
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 23s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 1m39s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 1m43s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 1m39s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 1m41s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 1m42s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 1m38s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 1m43s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 1m47s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 1m38s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 1m40s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 1m28s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 1m29s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 1m30s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 1m28s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 1m33s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 1m30s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m27s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m31s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m30s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 1m29s
Lint / lint (ubuntu-latest, linux) (push) Successful in 2m21s
Lint / govulncheck (push) Successful in 1m24s
2024-09-25 06:00:48 -06:00
Kévin Dunglas
f4bf4e0097
perf: use zap's Check() to prevent useless allocs ( #6560 )
...
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 40s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 2m55s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 3m1s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 3m1s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 3m1s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 3m1s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Failing after 13m23s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 2m40s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Failing after 11m51s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Failing after 11m47s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 2m29s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 2m39s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Failing after 13m27s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Failing after 13m27s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 2m41s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 2m54s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 2m40s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Failing after 14m19s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Failing after 14m10s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Failing after 14m2s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Failing after 11m58s
Lint / lint (ubuntu-latest, linux) (push) Failing after 3m44s
Lint / govulncheck (push) Successful in 2m18s
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
* perf: use zap's Check() to prevent useless allocs
* fix
* fix
* fix
* fix
* restore previous replacer behavior
* fix linter
2024-09-13 11:16:37 -06:00
vnxme
2d12fb7ac6
caddytls: Add sni_regexp matcher ( #6569 )
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m28s
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 28s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 2m59s
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 12m25s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 3m25s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Failing after 14m5s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Failing after 14m0s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Failing after 13m57s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Failing after 13m52s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Failing after 13m48s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 3m4s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 2m53s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 3m9s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 2m42s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 2m52s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 2m36s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 2m49s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 2m53s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 2m42s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 2m49s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 2m39s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 2m40s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 2m40s
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Has been cancelled
2024-09-11 20:51:59 -06:00
Bas Westerbaan
dcbf38d0b3
tls: use Go default kex for the moment that include PQC ( #6542 )
...
Tests / test (s390x on IBM Z) (push) Has been skipped
Tests / goreleaser-check (push) Successful in 32s
Cross-Build / build (~1.22.3, 1.22, aix) (push) Successful in 2m23s
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Successful in 2m13s
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Successful in 2m27s
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Successful in 2m12s
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Successful in 2m18s
Cross-Build / build (~1.22.3, 1.22, linux) (push) Successful in 2m6s
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Successful in 2m10s
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Successful in 2m3s
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Successful in 2m8s
Cross-Build / build (~1.22.3, 1.22, windows) (push) Successful in 2m6s
Cross-Build / build (~1.23.0, 1.23, aix) (push) Successful in 2m3s
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Successful in 1m52s
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Successful in 2m2s
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Successful in 1m59s
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Successful in 1m54s
Cross-Build / build (~1.23.0, 1.23, linux) (push) Successful in 2m8s
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Successful in 1m57s
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Successful in 1m53s
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Successful in 1m54s
Cross-Build / build (~1.23.0, 1.23, windows) (push) Successful in 2m2s
Lint / lint (ubuntu-latest, linux) (push) Failing after 2m53s
Lint / govulncheck (push) Successful in 1m54s
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Has been cancelled
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Has been cancelled
Lint / lint (macos-14, mac) (push) Has been cancelled
Lint / lint (windows-latest, windows) (push) Has been cancelled
By default Go 1.23 enables X25519Kyber768, a post-quantum key agreement
method that is enabled by default on Chrome. Go 1.23 does not expose
the CurveID, so we cannot add it by specifying it in CurvePreferences.
The reason is that X25519Kyber768 is a preliminary key agreement that
will be supplanted by X25519MLKEM768. For the moment there is value
in enabling it.
A consequence of this is that by default Caddy will enable support
for P-384 and P-521.
This PR also removes the special code to add support for X25519Kyber768
via the Cloudflare Go branch.
Cf #6540
2024-08-27 17:08:16 -06:00
vnxme
7cf8376e63
matchers: fix a regression in #6480 ( #6510 )
...
The context may have no replacer
2024-08-12 10:01:09 +03:00
vnxme
59cbb2c83a
caddytls,caddyhttp: Placeholders for some TLS and HTTP matchers ( #6480 )
...
Tests / test (./cmd/caddy/caddy, ~1.21.0, macos-14, 0, 1.21, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.21.0, ubuntu-latest, 0, 1.21, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.21.0, windows-latest, True, 1.21, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (s390x on IBM Z) (push) Waiting to run
Tests / goreleaser-check (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, aix) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, linux) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, windows) (push) Waiting to run
Lint / lint (macos-14, mac) (push) Waiting to run
Lint / lint (ubuntu-latest, linux) (push) Waiting to run
Lint / lint (windows-latest, windows) (push) Waiting to run
Lint / govulncheck (push) Waiting to run
* Runtime placeholders for caddytls matchers (1/3):
- remove IPs validation in UnmarshalCaddyfile
* Runtime placeholders for caddytls matchers (2/3):
- add placeholder replacement for IPs in Provision
* Runtime placeholders for caddytls matchers (3/3):
- add placeholder replacement for other strings
* Runtime placeholders for caddyhttp matchers (1/1):
- add placeholder replacement for IPs in Provision
* Runtime placeholders for caddyhttp/caddytls matchers:
- move PrivateRandesCIDR under internal
2024-08-07 11:02:23 -06:00
vnxme
3579815a6c
caddytls: Caddyfile support for TLS conn and cert sel policies ( #6462 )
...
* Caddyfile support for TLS custom certificate selection policy
* Caddyfile support for TLS connection policy
2024-07-24 11:01:06 -06:00
vnxme
61fe152c60
caddytls: Caddyfile support for TLS handshake matchers ( #6461 )
...
* Caddyfile support for TLS handshake matchers:
- caddytls.MatchLocalIP
- caddytls.MatchRemoteIP
- caddytls.MatchServerName
* Caddyfile support for TLS handshake matchers:
- fix imports order
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-07-24 09:26:09 -06:00
Andreas Kohn
e7ecc7ede2
Make it possible to configure the DisableStorageCheck setting for certmagic ( #6368 )
...
See discussion about this setting in https://github.com/caddyserver/certmagic/issues/201
2024-06-04 07:00:15 -06:00
Matthew Holt
01308b4bae
I'm so tired of typos
2024-06-01 20:43:35 -06:00
Matthew Holt
b7280e6949
caddytls: Implement certmagic.RenewalInfoGetter
...
Fixes ARI errors reported here:
https://caddy.community/t/error-in-logs-with-updating-ari-after-upgrading-to-caddy-v2-8-1/24320
2024-06-01 18:02:49 -06:00
Francis Lavoie
a6a45ff6c5
context: AppIfConfigured returns error; consider not-yet-provisioned modules ( #6292 )
...
* context: Add new `AppStrict()` method to avoid instantiating empty apps
* Rename AppStrict -> AppIfConfigured
---------
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-20 11:14:58 -06:00
Matthew Holt
73e094e1dd
Fix lint error about deprecated method in smallstep/certificates/authority
2024-05-20 10:56:25 -06:00
Will Norris
db3e19b7b5
caddytls: fix permission requirement with AutomationPolicy ( #6328 )
...
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid caddyfile:
https:// {
tls {
get_certificate tailscale
}
respond OK
}
This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.
The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.
An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagesRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.
Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.
Also fix an inverted boolean check on this value when setting
failClosed.
Updates #6060
Updates #6229
Updates #6327
Signed-off-by: Will Norris <will@tailscale.com>
2024-05-20 09:48:59 -06:00
Will Norris
1fc151faec
caddytls: remove ClientHelloSNICtxKey ( #6326 )
2024-05-18 22:47:46 -04:00
Will Norris
e66040a6f0
caddytls: set server name in context ( #6324 )
...
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.
Signed-off-by: Will Norris <will@tailscale.com>
2024-05-18 03:52:19 -06:00
Viktor Szépe
d7e3a1974b
Fix typos ( #6311 )
...
* Fix typos
* Revert
* Revert to "htlm"
* fix indentations
2024-05-10 08:08:54 -06:00
WeidiDeng
e60148ecc3
reverseproxy: Pointer to struct when loading modules; remove LazyCertPool ( #6307 )
...
* use pointer when loading modules
* change method to pointer type and remove LazyCertPool
* remove lazy pool test
* remove yet another lazy pool test
2024-05-08 19:13:37 -06:00
Matthew Holt
8d7ac18402
caddytls: Ability to drop connections ( close #6294 )
2024-05-06 19:59:42 -06:00
Matt Holt
d129ae6aec
caddytls: Evict internal certs from cache based on issuer ( #6266 )
...
* caddytls: Evict internal certs from cache based on issuer
During a config reload, we would keep certs in the cache fi they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.
This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.
* Make sure new TLS app manages configured certs
* Actually make it work
2024-04-30 16:15:54 -06:00
Mohammed Al Sahaf
87c7127c28
chore: add warn logs when using deprecated fields ( #6276 )
2024-04-27 15:51:00 -04:00
Mohammed Al Sahaf
c6eb186064
run golangci-lint run --fix --fast ( #6270 )
2024-04-24 15:17:23 -06:00
clauverjat
76c4cf5a56
caddytls: Option to configure certificate lifetime ( #6253 )
...
* Add option to configure certificate lifetime
* Bump CertMagic dep to latest master commit
* Apply suggestions and ran go mod tidy
* Update modules/caddytls/acmeissuer.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-24 14:35:14 -06:00
Mohammed Al Sahaf
d2668cdbb0
doc: add verifier in ClientAuthentication caddyfile marshaler doc ( #6263 )
2024-04-23 07:01:54 -06:00
Matthew Holt
6a02999054
caddytls: Add Caddyfile support for on-demand permission module ( close #6260 )
2024-04-22 15:47:09 -06:00
Aziz Rmadi
3609a4af75
caddytls: Remove shim code supporting deprecated lego-dns ( #6231 )
...
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-15 21:26:56 +00:00
Mohammed Al Sahaf
26748d06b4
connection policy: add local_ip matcher ( #6074 )
...
* connection policy: add `local_ip`
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-04-15 21:13:24 +03:00
Matt Holt
81413caea2
caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes ( #6229 )
...
* WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades
* caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME
* Fix go.mod
* caddytls: Fix automation related to managers (fix #6060 )
* Fix typo (appease linter)
* Fix HTTP validation with ZeroSSL API
2024-04-13 21:31:43 -04:00
Matthew Holt
dc9dd2e4b3
caddytls: Still provision permission module if ask is specified
...
Only needed for JSON configs, and only temporarily as the ask property is deprecated and will be removed.
2024-04-13 17:08:11 -06:00
reallylowest
e0bf179c1a
modules: fix some typo in conments ( #6206 )
...
Signed-off-by: reallylowest <sunjinping@outlook.com>
2024-03-30 02:45:42 +00:00
Aziz Rmadi
3ae07a73dc
caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable ( #6050 )
...
* Made trusted leaf certificates pluggable into the tls.client_auth.leaf
module
* Added leaf loaders modules: file, folder, pem aand storage
* Cleaned implementation of leaf cert loader modules
* Added tests for leaf certs file and folder loaders
* cmd: fix the output of the `Usage` section (#6138 )
* core: OnExit hooks (#6128 )
* core: OnExit callbacks
* core: Process-global OnExit callbacks
* ci: bump golangci/golangci-lint-action from 3 to 4 (#6141 )
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action ) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases )
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4 )
---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Added more leaf certificate loaders tests and cleaned up code
* Modified leaf cert loaders json field names and cleaned up storage loader comment
* Update modules/caddytls/leaffileloader.go
* Update LeafStorageLoader certificates field name
* Upgraded protobuf version
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-03-05 14:55:37 -07:00
Mohammed Al Sahaf
03f703a00e
caddytls: verifier: caddyfile: re-add Caddyfile support ( #6127 )
...
* caddytls: verifier: caddyfile: re-add Caddyfile support
* appease the linter
* caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`
2024-02-26 00:13:48 +03:00
Matt Holt
57c5b921a4
caddytls: Make on-demand 'ask' permission modular ( #6055 )
...
* caddytls: Make on-demand 'ask' permission modular
This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.
Kicking myself that we didn't do it this way at the beginning, but who coulda known...
* Lint
* Error on conflicting config
* Fix bad merge
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-30 16:11:29 -07:00
Yolan Romailler
2fe69a828f
chore: enabling a few more linters ( #5961 )
...
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-25 15:24:58 +00:00
Mohammed Al Sahaf
e965b111cd
tls: modularize trusted CA providers ( #5784 )
...
* tls: modularize client authentication trusted CA
* add `omitempty` to `CARaw`
* docs
* initial caddyfile support
* revert anything related to leaf cert validation
The certs are used differently than the CA pool flow
* complete caddyfile unmarshalling implementation
* Caddyfile syntax documentation
* enhance caddyfile parsing and documentation
Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* add client_auth caddyfile tests
* add caddyfile unmarshalling tests
* fix and add missed adapt tests
* fix rebase issue
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-01-25 11:44:41 +03:00
Francis Lavoie
750d0b8331
caddyfile: Normalize & flatten all unmarshalers ( #6037 )
2024-01-23 19:36:59 -05:00
Rithvik Vibhu
ed41c924cf
tls: add reuse_private_keys ( #6025 )
2024-01-09 16:00:31 -07:00
Matt Holt
4a09cf0dc0
caddytls: Sync distributed storage cleaning ( #5940 )
...
* caddytls: Log out remote addr to detect abuse
* caddytls: Sync distributed storage cleaning
* Handle errors
* Update certmagic to fix tiny bug
* Split off port when logging remote IP
* Upgrade CertMagic
2023-12-07 11:00:02 -07:00
Andreas Kohn
b24ae63ea6
caddytls: Context to DecisionFunc ( #5923 )
...
See https://github.com/caddyserver/certmagic/pull/255
2023-12-07 10:40:13 -07:00
Mohammed Al Sahaf
4173e2c77a
tls: accept placeholders in string values of certificate loaders ( #5963 )
...
* tls: loader: accept placeholders in string values
* appease the linter
2023-12-04 09:23:15 -07:00
Bas Westerbaan
289934f3d1
tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag ( #5852 )
...
… when compiled with cfgo (https://github.com/cloudflare/go ).
2023-10-11 13:45:37 -06:00
Matt Holt
b377208ede
chore: Appease gosec linter ( #5777 )
...
These happen to be harmless memory aliasing
but I guess the linter can't know that and we
can't really prove it in general.
2023-08-23 20:47:54 -06:00
Jacob Gadikian
d6f86cccf5
ci: use gci linter ( #5708 )
...
* use gofmput to format code
* use gci to format imports
* reconfigure gci
* linter autofixes
* rearrange imports a little
* export GOOS=windows golangci-lint run ./... --fix
2023-08-14 09:41:15 -06:00
Matthew Holt
080db93817
caddytls: Update docs for on-demand config
2023-08-09 11:15:01 -06:00
Jacob Gadikian
b32f265eca
ci: Use gofumpt to format code ( #5707 )
2023-08-07 19:40:31 +00:00
Matt Holt
0e2c7e1d35
caddytls: Reuse certificate cache through reloads ( #5623 )
...
* caddytls: Don't purge cert cache on config reload
* Update CertMagic
This actually avoids reloading managed certs from storage
when already in the cache, d'oh.
* Fix bug; re-implement HasCertificateForSubject
* Update go.mod: CertMagic tag
2023-07-11 19:10:58 +00:00
