1419 Commits

Author	SHA1	Message	Date
vnxme	3a48b03369	Move PrivateRangesCIDR() back: add a pass-through function (#6514)	2024-08-12 05:47:05 -04:00
vnxme	7cf8376e63	matchers: fix a regression in #6480 (#6510) ... The context may have no replacer	2024-08-12 10:01:09 +03:00
WeidiDeng	21af88fefc	reverseproxy: Disable keep alive for h2c requests (#6343)	2024-08-08 06:53:30 -06:00
vnxme	59cbb2c83a	caddytls,caddyhttp: Placeholders for some TLS and HTTP matchers (#6480) ... * Runtime placeholders for caddytls matchers (1/3): - remove IPs validation in UnmarshalCaddyfile * Runtime placeholders for caddytls matchers (2/3): - add placeholder replacement for IPs in Provision * Runtime placeholders for caddytls matchers (3/3): - add placeholder replacement for other strings * Runtime placeholders for caddyhttp matchers (1/1): - add placeholder replacement for IPs in Provision * Runtime placeholders for caddyhttp/caddytls matchers: - move PrivateRandesCIDR under internal	2024-08-07 11:02:23 -06:00
WeidiDeng	a8b0dfa8da	go.mod: update quic-go package (#6498)	2024-08-06 22:08:32 -06:00
lollipopkit🏳️‍⚧️	b198678174	browse: Customizable default sort options (#6468) ... * fileserver: add `sort` options * fix: test * fileserver: check options in `Provison` * fileserver: more obvious err alerts in sort options	2024-08-05 08:27:45 -06:00
Prakhar Awasthi	840094ac65	proxyprotocol: Update WrapListener to use ConnPolicyFunc for PROXY protocol (#6485) ... * proxyprotocol : Update WrapListener to use ConnPolicyFunc for PROXY protocol support * proxyprotocol : Updated dependency pires/go-proxyproto to pseudo latest version	2024-08-03 19:51:50 +03:00
WeidiDeng	976469ca0d	encode: flush already compressed data from the encoder (#6471)	2024-07-27 17:46:56 -06:00
vnxme	3579815a6c	caddytls: Caddyfile support for TLS conn and cert sel policies (#6462) ... * Caddyfile support for TLS custom certificate selection policy * Caddyfile support for TLS connection policy	2024-07-24 11:01:06 -06:00
vnxme	61fe152c60	caddytls: Caddyfile support for TLS handshake matchers (#6461) ... * Caddyfile support for TLS handshake matchers: - caddytls.MatchLocalIP - caddytls.MatchRemoteIP - caddytls.MatchServerName * Caddyfile support for TLS handshake matchers: - fix imports order Co-authored-by: Francis Lavoie <lavofr@gmail.com> --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-07-24 09:26:09 -06:00
Matthew Holt	806f5b1117	reverseproxy: Fix panic when using header-related flags (fix #6464)	2024-07-18 21:31:07 -06:00
schultzie	b2492f8567	reverseproxy: add health_upstream subdirective (#6451) ... * Add health_upstream Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com> * Add health_upstream to caddyfile parsing * Add Active Upstream case for health checks * Update ignore health port comment Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com> * Update Upstream json doc Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com> * Update modules/caddyhttp/reverseproxy/healthchecks.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Use error rather than log for health_port override Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com> * Add comment about port being ignore if using upstream Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com> --------- Signed-off-by: Dylan Schultz <9121234+dylanschultzie@users.noreply.github.com> Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-07-15 17:00:12 +00:00
Jesper Brix Rosenkilde	07c863637d	reverseproxy: Caddyfile support for health_method (#6454) ... * Add Caddyfile support of setting active health check request method * Add integration test for active health check request method	2024-07-12 17:01:58 -04:00
Jesper Brix Rosenkilde	dc2a5d5c52	reverseproxy: Configurable method for active health checks (#6453) ... * Add option to set which HTTP method to use for active health checks * Default Method to GET if not set	2024-07-11 09:24:13 -04:00
schultzie	4943a4fc52	reverseproxy: Add placeholder for networkAddr in active health check headers (#6450) ... Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-07-09 18:08:25 +00:00
Aziz Rmadi	630c62b313	fixed bug in resolving ip version in dynamic upstreams (#6448)	2024-07-09 03:06:30 -04:00
Francis Lavoie	9338741ca7	browse: Exclude symlink target size from total, show arrow on size (#6412) ... * fileserver: Exclude symlink target size from total, show arrow on size * Keep both totals * Linter doesn't like my spelling :( * Stop parallelizing tests for now * Update modules/caddyhttp/fileserver/browse.html * Minor renamings --------- Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>	2024-07-07 07:01:07 -06:00
Steffen Busch	88c7e53da5	browse: fix Content-Security-Policy warnings in Firefox (#6443) ... * Remove 'strict-dynamic' + block-all-mixed-content * CSP: remove 'unsafe-inline' from script-src	2024-07-07 06:56:47 -06:00
Steffen Busch	4ef360745d	browse: add Content-Security-Policy w/ nonce (#6425) ... * browse: add Content-Security-Policy w/ nonce * Add backward-compat values to script-src * Remove dummy "#" href from layout anchors	2024-07-06 10:46:08 -06:00
Francis Lavoie	7142d7c1e4	reverseproxy: Add placeholder for host in active health check headers (#6440)	2024-07-06 10:43:19 -06:00
Matt Holt	c3fb5f4d3f	caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying (#6427) ... * caddyhttp: Reject 0-RTT early data in IP matchers and set Early-Data header when proxying See RFC 8470: https://httpwg.org/specs/rfc8470.html Thanks to Michael Wedl (@MWedl) at the University of Applied Sciences St. Poelten for reporting this. * Don't return value for {remote} placeholder in early data * Add Caddyfile support	2024-07-05 10:46:20 -06:00
Kévin Dunglas	15d986e1c9	encode: Don't compress already-compressed fonts (#6432) ... * fix: don't compress already compressed fonts * fix: remove WOFF	2024-07-04 14:57:13 -06:00
klaxa	f350e001b6	reverseproxy: Only log host is up status on change (fixes #6415) (#6419)	2024-07-03 19:05:52 +00:00
Kévin Dunglas	0287009ee5	intercept: fix http.intercept.header.* placeholder (#6429)	2024-07-03 08:43:13 -06:00
Matthew Holt	f8861ca16b	reverseproxy: Wire up TLS options for H3 transport	2024-06-28 12:15:41 -06:00
Aziz Rmadi	c2ccf8690f	fileserver: Remove newline characters from precomputed etags (#6394) ... * Removed newline characters from precomputed etags * Update modules/caddyhttp/fileserver/staticfiles.go --------- Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2024-06-19 13:27:10 +00:00
Matthew Holt	99dcdf7e42	caddyhttp: Convert IDNs to ASCII when provisioning Host matcher	2024-06-18 14:44:05 -06:00
Jason Yuan	fab6375a8b	reverseproxy: add Max-Age option to sticky cookie (#6398) ... * reverseproxy: add Max-Age option to sticky cookie * Update selectionpolicies.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * Update selectionpolicies.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-06-15 07:50:31 -06:00
Ririsoft	8e0d3e1ec5	logging: set file mode when the file already exist (#6391) ... 101d3e7 introduced a configuration option to set the log file mode. This option was not taken into account if the file already exists, making users having to delete their logs to have new logs created with the right mode.	2024-06-12 15:17:46 -06:00
Omar Ramadan	d85cc2ec10	logging: Customizable zap cores (#6381)	2024-06-10 09:03:24 -06:00
Ririsoft	0bc27e5fb1	logging: fix file mode configuration parsing (#6383) ... Commit 101d3e7 introduced file mode setting, but was missing a JSON Marshaller so that CaddyFile can be converted to JSON safely.	2024-06-08 11:34:18 -06:00
Andreas Kohn	9be4f194e0	caddyhttp: Write header if needed in responseRecorder.WriteResponse (#6380)	2024-06-07 07:25:36 -06:00
Ririsoft	101d3e7407	logging: Customize log file permissions (#6314) ... Adding a "mode" option to overwrite the default logfile permissions. Default remains "0600" which is the one currently used by lumberjack.	2024-06-06 08:33:34 -06:00
Matthew Holt	3f1add6c9f	events: Getters for event info (close #6377)	2024-06-06 07:11:28 -06:00
Matt Holt	198f4385d2	caddyhttp: Add test cases to corpus (#6374) ... * caddyhttp: Add test case to corpus * One more test case * Clean up stray comment * More tests	2024-06-04 14:23:55 -06:00
Andreas Kohn	e7ecc7ede2	Make it possible to configure the DisableStorageCheck setting for certmagic (#6368) ... See discussion about this setting in https://github.com/caddyserver/certmagic/issues/201	2024-06-04 07:00:15 -06:00
Will Norris	f8a2c60297	caddyhttp: properly sanitize requests for root path (#6360) ... SanitizePathJoin protects against directory traversal attacks by checking for requests whose URL path look like they are trying to request something other than a local file, and returns the root directory in those cases. The method is also careful to ensure that requests which contain a trailing slash include a trailing slash in the returned value. However, for requests that contain only a slash (requests for the root path), the IsLocal check returns early before the matching trailing slash is re-added. This change updates SanitizePathJoin to only perform the filepath.IsLocal check if the cleaned request URL path is non-empty. --- This change also updates the existing SanitizePathJoin tests to use filepath.FromSlash rather than filepath.Join. This makes the expected value a little easier to read, but also has the advantage of not being processed by filepath.Clean like filepath.Join is. This means that the exact expect value will be compared, not the result of first cleaning it. Fixes #6352	2024-06-02 03:40:59 +00:00
Matthew Holt	01308b4bae	I'm so tired of typos	2024-06-01 20:43:35 -06:00
Matthew Holt	b7280e6949	caddytls: Implement certmagic.RenewalInfoGetter ... Fixes ARI errors reported here: https://caddy.community/t/error-in-logs-with-updating-ari-after-upgrading-to-caddy-v2-8-1/24320	2024-06-01 18:02:49 -06:00
Francis Lavoie	40c582ce82	caddyhttp: Fix merging consecutive client_ip or remote_ip matchers (#6350)	2024-05-30 07:32:17 -06:00
Ranveer Avhad	e6f46c8d78	acmeserver: Add sign_with_root for Caddyfile (#6345) ... * Added sign_with_root option available in the Caddyfile * Added tests for sign_with_root to validate the adapted JSON config	2024-05-27 20:06:54 -04:00
a	61917c3443	fix a typo (#6333)	2024-05-21 18:41:41 -04:00
Francis Lavoie	224316eaec	autohttps: Move log WARN to INFO, reduce confusion (#6185) ... * autohttps: Move log WARN to INFO, reduce confusion * Change implicit condition back to WARN --------- Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>	2024-05-20 13:14:39 -06:00
Matt Holt	5f6758dab5	reverseproxy: Support HTTP/3 transport to backend (#6312) ... Closes #5086	2024-05-20 13:06:43 -06:00
Francis Lavoie	a6a45ff6c5	context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292) ... * context: Add new `AppStrict()` method to avoid instantiating empty apps * Rename AppStrict -> AppIfConfigured --------- Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>	2024-05-20 11:14:58 -06:00
Matthew Holt	73e094e1dd	Fix lint error about deprecated method in smallstep/certificates/authority	2024-05-20 10:56:25 -06:00
Will Norris	db3e19b7b5	caddytls: fix permission requirement with AutomationPolicy (#6328) ... Certificate automation has permission modules that are designed to prevent inappropriate issuance of unbounded or wildcard certificates. When an explicit cert manager is used, no additional permission should be necessary. For example, this should be a valid caddyfile: https:// { tls { get_certificate tailscale } respond OK } This is accomplished when provisioning an AutomationPolicy by tracking whether there were explicit managers configured directly on the policy (in the ManagersRaw field). Only when a number of potentially unsafe conditions are present AND no explicit cert managers are configured is an error returned. The problem arises from the fact that ctx.LoadModule deletes the raw bytes after loading in order to save memory. The first time an AutomationPolicy is provisioned, the ManagersRaw field is populated, and everything is fine. An AutomationPolicy with no subjects is treated as a special "catch-all" policy. App.createAutomationPolicies ensures that this catch-all policy has an ACME issuer, and then calls its Provision method again because it may have changed. This second time Provision is called, ManagesRaw is no longer populated, and the permission check fails because it appears as though the policy has no explicit managers. Address this by storing a new boolean on AutomationPolicy recording whether it had explicit cert managers configured on it. Also fix an inverted boolean check on this value when setting failClosed. Updates #6060 Updates #6229 Updates #6327 Signed-off-by: Will Norris <will@tailscale.com>	2024-05-20 09:48:59 -06:00
Will Norris	1fc151faec	caddytls: remove ClientHelloSNICtxKey (#6326)	2024-05-18 22:47:46 -04:00
Matt Holt	9ba999141b	caddyhttp: Trace individual middleware handlers (#6313) ... * caddyhttp: Trace individual middleware handlers * Fix typo	2024-05-18 14:48:42 -06:00
deneb	f98f449f05	templates: Add pathEscape template function and use it in file browser (#6278) ... * use url.PathEscape in file-server browse template - add `pathEscape` to c.tpl.Funcs, using `url.PathEscape` - use `pathEscape` in browse.html in place of `replace` * document `pathEscape` * Remove unnecessary pipe of img src to `html`	2024-05-18 12:55:36 -06:00