caddy

mirror of https://github.com/caddyserver/caddy.git synced 2025-10-31 10:37:24 -04:00

Author	SHA1	Message	Date
Matt Holt	d129ae6aec	caddytls: Evict internal certs from cache based on issuer (#6266 ) * caddytls: Evict internal certs from cache based on issuer During a config reload, we would keep certs in the cache fi they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs. This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs. * Make sure new TLS app manages configured certs * Actually make it work	2024-04-30 16:15:54 -06:00
Mohammed Al Sahaf	87c7127c28	chore: add warn logs when using deprecated fields (#6276 )	2024-04-27 15:51:00 -04:00
Mohammed Al Sahaf	c6eb186064	run `golangci-lint run --fix --fast` (#6270 )	2024-04-24 15:17:23 -06:00
clauverjat	76c4cf5a56	caddytls: Option to configure certificate lifetime (#6253 ) * Add option to configure certificate lifetime * Bump CertMagic dep to latest master commit * Apply suggestions and ran go mod tidy * Update modules/caddytls/acmeissuer.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> --------- Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2024-04-24 14:35:14 -06:00
Mohammed Al Sahaf	d2668cdbb0	doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263 )	2024-04-23 07:01:54 -06:00
Matthew Holt	6a02999054	caddytls: Add Caddyfile support for on-demand permission module (close #6260 )	2024-04-22 15:47:09 -06:00
Aziz Rmadi	3609a4af75	caddytls: Remove shim code supporting deprecated lego-dns (#6231 ) Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2024-04-15 21:26:56 +00:00
Mohammed Al Sahaf	26748d06b4	connection policy: add `local_ip` matcher (#6074 ) * connection policy: add `local_ip` Co-authored-by: Matt Holt <mholt@users.noreply.github.com> --------- Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2024-04-15 21:13:24 +03:00
Matt Holt	81413caea2	caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229 ) * WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades * caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME * Fix go.mod * caddytls: Fix automation related to managers (fix #6060) * Fix typo (appease linter) * Fix HTTP validation with ZeroSSL API	2024-04-13 21:31:43 -04:00
Matthew Holt	dc9dd2e4b3	caddytls: Still provision permission module if ask is specified Only needed for JSON configs, and only temporarily as the ask property is deprecated and will be removed.	2024-04-13 17:08:11 -06:00
reallylowest	e0bf179c1a	modules: fix some typo in conments (#6206 ) Signed-off-by: reallylowest <sunjinping@outlook.com>	2024-03-30 02:45:42 +00:00
Aziz Rmadi	3ae07a73dc	caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050 ) * Made trusted leaf certificates pluggable into the tls.client_auth.leaf module * Added leaf loaders modules: file, folder, pem aand storage * Cleaned implementation of leaf cert loader modules * Added tests for leaf certs file and folder loaders * cmd: fix the output of the `Usage` section (#6138) * core: OnExit hooks (#6128) * core: OnExit callbacks * core: Process-global OnExit callbacks * ci: bump golangci/golangci-lint-action from 3 to 4 (#6141) Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Added more leaf certificate loaders tests and cleaned up code * Modified leaf cert loaders json field names and cleaned up storage loader comment * Update modules/caddytls/leaffileloader.go * Update LeafStorageLoader certificates field name * Upgraded protobuf version --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2024-03-05 14:55:37 -07:00
Mohammed Al Sahaf	03f703a00e	caddytls: verifier: caddyfile: re-add Caddyfile support (#6127 ) * caddytls: verifier: caddyfile: re-add Caddyfile support * appease the linter * caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`	2024-02-26 00:13:48 +03:00
Matt Holt	57c5b921a4	caddytls: Make on-demand 'ask' permission modular (#6055 ) * caddytls: Make on-demand 'ask' permission modular This makes the 'ask' endpoint a module, which means that developers can write custom plugins for granting permission for on-demand certificates. Kicking myself that we didn't do it this way at the beginning, but who coulda known... * Lint * Error on conflicting config * Fix bad merge --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-01-30 16:11:29 -07:00
Yolan Romailler	2fe69a828f	chore: enabling a few more linters (#5961 ) Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-01-25 15:24:58 +00:00
Mohammed Al Sahaf	e965b111cd	tls: modularize trusted CA providers (#5784 ) * tls: modularize client authentication trusted CA * add `omitempty` to `CARaw` * docs * initial caddyfile support * revert anything related to leaf cert validation The certs are used differently than the CA pool flow * complete caddyfile unmarshalling implementation * Caddyfile syntax documentation * enhance caddyfile parsing and documentation Apply suggestions from code review Co-authored-by: Francis Lavoie <lavofr@gmail.com> * add client_auth caddyfile tests * add caddyfile unmarshalling tests * fix and add missed adapt tests * fix rebase issue --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2024-01-25 11:44:41 +03:00
Francis Lavoie	750d0b8331	caddyfile: Normalize & flatten all unmarshalers (#6037 )	2024-01-23 19:36:59 -05:00
Rithvik Vibhu	ed41c924cf	tls: add reuse_private_keys (#6025 )	2024-01-09 16:00:31 -07:00
Matt Holt	4a09cf0dc0	caddytls: Sync distributed storage cleaning (#5940 ) * caddytls: Log out remote addr to detect abuse * caddytls: Sync distributed storage cleaning * Handle errors * Update certmagic to fix tiny bug * Split off port when logging remote IP * Upgrade CertMagic	2023-12-07 11:00:02 -07:00
Andreas Kohn	b24ae63ea6	caddytls: Context to DecisionFunc (#5923 ) See https://github.com/caddyserver/certmagic/pull/255	2023-12-07 10:40:13 -07:00
Mohammed Al Sahaf	4173e2c77a	tls: accept placeholders in string values of certificate loaders (#5963 ) * tls: loader: accept placeholders in string values * appease the linter	2023-12-04 09:23:15 -07:00
Bas Westerbaan	289934f3d1	tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852 ) … when compiled with cfgo (https://github.com/cloudflare/go).	2023-10-11 13:45:37 -06:00
Matt Holt	b377208ede	chore: Appease gosec linter (#5777 ) These happen to be harmless memory aliasing but I guess the linter can't know that and we can't really prove it in general.	2023-08-23 20:47:54 -06:00
Jacob Gadikian	d6f86cccf5	ci: use gci linter (#5708 ) * use gofmput to format code * use gci to format imports * reconfigure gci * linter autofixes * rearrange imports a little * export GOOS=windows golangci-lint run ./... --fix	2023-08-14 09:41:15 -06:00
Matthew Holt	080db93817	caddytls: Update docs for on-demand config	2023-08-09 11:15:01 -06:00
Jacob Gadikian	b32f265eca	ci: Use gofumpt to format code (#5707 )	2023-08-07 19:40:31 +00:00
Matt Holt	0e2c7e1d35	caddytls: Reuse certificate cache through reloads (#5623 ) * caddytls: Don't purge cert cache on config reload * Update CertMagic This actually avoids reloading managed certs from storage when already in the cache, d'oh. * Fix bug; re-implement HasCertificateForSubject * Update go.mod: CertMagic tag	2023-07-11 19:10:58 +00:00
Matthew Holt	4ba03c9d38	caddytls: Clarify some JSON config docs	2023-06-04 22:15:50 -06:00
Matt Holt	96919acc9d	caddyhttp: Refactor cert Managers (fix #5415 ) (#5533 )	2023-05-15 10:47:30 -06:00
Matt Holt	a02ecb0f88	caddytls: Check for nil ALPN; close #5470 (#5473 ) * Check for nil ALPN; close #5470 * Apply patch * Actually I want to try this	2023-05-13 07:09:20 -06:00
Matt Holt	faf0399e80	caddytls: Configurable fallback SNI (#5527 ) * Initial implementation of fallback_sni * Apply upstream patch	2023-05-10 14:29:29 -06:00
Francis Lavoie	e16a886814	caddytls: Eval replacer on automation policy subjects (#5459 ) Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.	2023-03-27 21:16:22 +00:00
Matt Holt	0cc49c053f	caddytls: Zero out throttle window first (#5443 ) * caddytls: Zero out throttle window first * Don't error for on-demand Fixes `b97c76fb47` --------- Co-authored-by: Francis Lavoie <lavofr@gmail.com>	2023-03-20 12:06:00 -06:00
Matthew Holt	a7af7c486e	caddytls: Allow on-demand w/o ask for internal-only	2023-03-14 10:29:27 -06:00
Matthew Holt	b97c76fb47	caddytls: Require 'ask' endpoint for on-demand TLS	2023-03-14 10:02:44 -06:00
Francis Lavoie	be53e432fc	caddytls: Relax the warning for on-demand (#5384 )	2023-02-22 11:41:01 -07:00
Matthew Holt	0a3efd1641	caddytls: Debug log for ask endpoint	2023-01-30 09:30:53 -07:00
Yannick Ihmels	55035d327a	caddytls: Add `dns_ttl` config, improve Caddyfile `tls` options (#5287 )	2023-01-06 14:44:00 -05:00
Matthew Holt	e43b6d8178	core: Variadic Context.Logger(); soft deprecation Ideally I'd just remove the parameter to caddy.Context.Logger(), but this would break most Caddy plugins. Instead, I'm making it variadic and marking it as partially deprecated. In the future, I might completely remove the parameter once most plugins have updated.	2022-09-16 16:55:36 -06:00
David Manouchehri	616418281b	caddyhttp: Support TLS key logging for debugging (#4808 ) * Add SSL key logging. * Resolve merge conflict with master * Add Caddyfile support; various fixes * Also commit go.mod and go.sum, oops * Appease linter * Minor tweaks * Add doc comment Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2022-09-16 14:05:37 -06:00
Matthew Holt	258071d857	caddytls: Debug log on implicit tailscale error (#5041 )	2022-09-16 09:42:05 -06:00
Matthew Holt	d35f618b10	caddytls: Error if placeholder is empty in 'ask' Fixes #5036	2022-09-13 08:59:03 -06:00
Francis Lavoie	d4d8bbcfc6	events: Implement event system (#4912 ) Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2022-08-31 15:01:30 -06:00
Matthew Holt	3aabbc49a2	caddytls: Log error if ask request fails Errors returned from the DecisionFunc (whether to get a cert on-demand) are used as a signal whether to allow a cert or not; any error will forbid cert issuance. We bubble up the error all the way to the caller, but that caller is the Go standard library which might gobble it up. Now we explicitly log connection errors so sysadmins can ensure their ask endpoints are working. Thanks to our sponsor AppCove for reporting this!	2022-08-23 22:28:15 -06:00
WilczyńskiT	c7772588bd	core: Change net.IP to netip.Addr; use netip.Prefix (#4966 ) Co-authored-by: Matt Holt <mholt@users.noreply.github.com>	2022-08-17 16:10:57 -06:00
Matt Holt	c79c08627d	caddyhttp: Enable HTTP/3 by default (#4707 )	2022-08-15 12:01:58 -06:00
Matthew Holt	b9618b8b98	Improve docs for ZeroSSL issuer	2022-08-08 12:50:06 -06:00
Francis Lavoie	141872ed80	chore: Bump up to Go 1.19, minimum 1.18 (#4925 )	2022-08-02 16:39:09 -04:00
Matthew Holt	1bdd451913	caddytls: Remove PreferServerCipherSuites It has been deprecated by Go	2022-07-28 14:50:51 -06:00
Matt Holt	412dcc07d3	caddytls: Reuse issuer between PreCheck and Issue (#4866 ) This enables EAB reuse for ZeroSSLIssuer (which is now supported by ZeroSSL).	2022-07-05 18:12:25 -06:00

1 2 3 4 5

245 Commits