Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-05-26 08:42:31 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Compare commits

merge into: Cutlery/caddy:host-match
Branches Tags
Cutlery/caddy:master Cutlery/caddy:reverseproxy-h3-sni-placeholder Cutlery/caddy:add-tests Cutlery/caddy:copilot/upgrade-go-jose-module Cutlery/caddy:proxy-stream-detached Cutlery/caddy:rewrite-modify-query Cutlery/caddy:dependabot/github_actions/actions-deps-690105a6b8 Cutlery/caddy:stripe Cutlery/caddy:test-proxy-unixsocket-ws Cutlery/caddy:concurrent-var-access Cutlery/caddy:fix-ech Cutlery/caddy:release_proposal-v2.11.0 Cutlery/caddy:host-match Cutlery/caddy:fix0port Cutlery/caddy:hurl-tests Cutlery/caddy:internal-tls Cutlery/caddy:pr-6417 Cutlery/caddy:wait-tls-clean Cutlery/caddy:net-wal Cutlery/caddy:custom-metrics-registry Cutlery/caddy:split-commands Cutlery/caddy:rp-low-level-tweak Cutlery/caddy:fastcgi-fix Cutlery/caddy:testing-updates Cutlery/caddy:produce-csr Cutlery/caddy:rwmutex-replacer Cutlery/caddy:acme-database Cutlery/caddy:document-interfaces Cutlery/caddy:2.7 Cutlery/caddy:stripe-debug Cutlery/caddy:config-adapter-fix Cutlery/caddy:proxy-success-ratio Cutlery/caddy:querymatcher Cutlery/caddy:virtualconns Cutlery/caddy:proxy-res-templates Cutlery/caddy:metrics-improvements Cutlery/caddy:strict Cutlery/caddy:proxy-upstream-ids Cutlery/caddy:fuzz-seed-corpus Cutlery/caddy:v1
Cutlery/caddy:v2.11.3 Cutlery/caddy:v2.11.2 Cutlery/caddy:v2.11.1 Cutlery/caddy:v2.11.0 Cutlery/caddy:v2.11.0-beta.2 Cutlery/caddy:v2.11.0-beta.1 Cutlery/caddy:v2.10.2 Cutlery/caddy:v2.10.1 Cutlery/caddy:v2.10.0 Cutlery/caddy:v2.10.0-beta.4 Cutlery/caddy:v2.10.0-beta.3 Cutlery/caddy:v2.10.0-beta.2 Cutlery/caddy:v2.10.0-beta.1 Cutlery/caddy:v2.9.1 Cutlery/caddy:v2.9.0 Cutlery/caddy:v2.9.0-beta.3 Cutlery/caddy:v2.9.0-beta.2 Cutlery/caddy:v2.9.0-beta.1 Cutlery/caddy:v2.8.4 Cutlery/caddy:v2.8.3 Cutlery/caddy:v2.8.2 Cutlery/caddy:v2.8.1 Cutlery/caddy:v2.8.0 Cutlery/caddy:v2.8.0-rc.1 Cutlery/caddy:v2.8.0-beta.2 Cutlery/caddy:v2.8.0-beta.1 Cutlery/caddy:v2.7.6 Cutlery/caddy:v2.7.5 Cutlery/caddy:v2.7.4 Cutlery/caddy:v2.7.3 Cutlery/caddy:v2.7.2 Cutlery/caddy:v2.7.1 Cutlery/caddy:v2.7.0 Cutlery/caddy:v2.7.0-beta.2 Cutlery/caddy:v2.7.0-beta.1 Cutlery/caddy:v2.6.4 Cutlery/caddy:v2.6.3 Cutlery/caddy:v2.6.2 Cutlery/caddy:v2.6.1 Cutlery/caddy:v2.6.0 Cutlery/caddy:v2.6.0-beta.5 Cutlery/caddy:v2.6.0-beta.4 Cutlery/caddy:v2.6.0-beta.3 Cutlery/caddy:v2.6.0-beta.2 Cutlery/caddy:v2.6.0-beta.1 Cutlery/caddy:v2.5.2 Cutlery/caddy:v2.5.1 Cutlery/caddy:v2.5.0 Cutlery/caddy:v2.5.0-rc.1 Cutlery/caddy:v2.5.0-beta.1 Cutlery/caddy:v2.4.6 Cutlery/caddy:v2.4.5 Cutlery/caddy:v2.4.4 Cutlery/caddy:v2.4.3 Cutlery/caddy:v2.4.2 Cutlery/caddy:v2.4.1 Cutlery/caddy:v2.4.0 Cutlery/caddy:v2.4.0-rc.1 Cutlery/caddy:v2.4.0-beta.2 Cutlery/caddy:v2.4.0-beta.1 Cutlery/caddy:v2.3.0 Cutlery/caddy:v2.3.0-rc.2 Cutlery/caddy:v2.2.3 Cutlery/caddy:v2.3.0-rc.1 Cutlery/caddy:v2.3.0-beta.1 Cutlery/caddy:v2.2.1 Cutlery/caddy:v2.2.0 Cutlery/caddy:v2.2.0-rc.3 Cutlery/caddy:v2.2.0-rc.2 Cutlery/caddy:v2.2.0-rc.1 Cutlery/caddy:v2.1.1 Cutlery/caddy:v2.1.0 Cutlery/caddy:v2.1.0-beta.2 Cutlery/caddy:v2.1.0-beta.1 Cutlery/caddy:v2.0.0 Cutlery/caddy:v2.0.0-rc.3 Cutlery/caddy:v2.0.0-rc.2 Cutlery/caddy:v2.0.0-rc.1 Cutlery/caddy:v2.0.0-beta.20 Cutlery/caddy:v2.0.0-beta.19 Cutlery/caddy:v2.0.0-beta.18 Cutlery/caddy:v2.0.0-beta.17 Cutlery/caddy:v2.0.0-beta.16 Cutlery/caddy:v1.0.5 Cutlery/caddy:v2.0.0-beta.15 Cutlery/caddy:v2.0.0-beta.14 Cutlery/caddy:v2.0.0-beta.13 Cutlery/caddy:v2.0.0-beta12 Cutlery/caddy:v2.0.0-beta11 Cutlery/caddy:v2.0.0-beta10 Cutlery/caddy:v1.0.4 Cutlery/caddy:v2.0.0-beta9 Cutlery/caddy:v2.0.0-beta8 Cutlery/caddy:v2.0.0-beta7 Cutlery/caddy:v2.0.0-beta6 Cutlery/caddy:v2.0.0-beta5 Cutlery/caddy:v2.0.0-beta4 Cutlery/caddy:v2.0.0-beta3 Cutlery/caddy:v2.0.0-beta2 Cutlery/caddy:v2.0.0-beta1 Cutlery/caddy:v1.0.3 Cutlery/caddy:v1.0.2 Cutlery/caddy:v1.0.1 Cutlery/caddy:v1.0.0 Cutlery/caddy:v1.0.0-beta2 Cutlery/caddy:v1.0.0-beta1 Cutlery/caddy:v0.11.5 Cutlery/caddy:v0.11.4 Cutlery/caddy:v0.11.3 Cutlery/caddy:v0.11.2 Cutlery/caddy:v0.11.1 Cutlery/caddy:v0.11.0 Cutlery/caddy:v0.10.14 Cutlery/caddy:v0.10.13 Cutlery/caddy:v0.10.12 Cutlery/caddy:v0.10.11 Cutlery/caddy:v0.10.10 Cutlery/caddy:v0.10.9 Cutlery/caddy:v0.10.8 Cutlery/caddy:v0.10.7 Cutlery/caddy:v0.10.6 Cutlery/caddy:v0.10.5 Cutlery/caddy:v0.10.4 Cutlery/caddy:v0.10.3 Cutlery/caddy:v0.10.2 Cutlery/caddy:v0.10.1 Cutlery/caddy:v0.10.0 Cutlery/caddy:v0.9.5 Cutlery/caddy:v0.9.4 Cutlery/caddy:v0.9.3 Cutlery/caddy:v0.9.2 Cutlery/caddy:v0.9.1 Cutlery/caddy:v0.9.0 Cutlery/caddy:v0.9-beta.2 Cutlery/caddy:v0.9-beta.1 Cutlery/caddy:v0.8.3 Cutlery/caddy:v0.8.2 Cutlery/caddy:v0.8.1 Cutlery/caddy:v0.8.0 Cutlery/caddy:v0.8-beta.4 Cutlery/caddy:v0.8-beta.3 Cutlery/caddy:v0.8-beta.2 Cutlery/caddy:v0.8-beta.1 Cutlery/caddy:v0.7.6 Cutlery/caddy:v0.7.5 Cutlery/caddy:v0.7.4 Cutlery/caddy:v0.7.3 Cutlery/caddy:v0.7.2 Cutlery/caddy:v0.7.1 Cutlery/caddy:v0.7.0 Cutlery/caddy:v0.6.0 Cutlery/caddy:v0.5.1 Cutlery/caddy:v0.5.0
..
pull from: Cutlery/caddy:hurl-tests
Branches Tags
Cutlery/caddy:reverseproxy-h3-sni-placeholder Cutlery/caddy:master Cutlery/caddy:add-tests Cutlery/caddy:copilot/upgrade-go-jose-module Cutlery/caddy:proxy-stream-detached Cutlery/caddy:rewrite-modify-query Cutlery/caddy:dependabot/github_actions/actions-deps-690105a6b8 Cutlery/caddy:stripe Cutlery/caddy:test-proxy-unixsocket-ws Cutlery/caddy:concurrent-var-access Cutlery/caddy:fix-ech Cutlery/caddy:release_proposal-v2.11.0 Cutlery/caddy:host-match Cutlery/caddy:fix0port Cutlery/caddy:hurl-tests Cutlery/caddy:internal-tls Cutlery/caddy:pr-6417 Cutlery/caddy:wait-tls-clean Cutlery/caddy:net-wal Cutlery/caddy:custom-metrics-registry Cutlery/caddy:split-commands Cutlery/caddy:rp-low-level-tweak Cutlery/caddy:fastcgi-fix Cutlery/caddy:testing-updates Cutlery/caddy:produce-csr Cutlery/caddy:rwmutex-replacer Cutlery/caddy:acme-database Cutlery/caddy:document-interfaces Cutlery/caddy:2.7 Cutlery/caddy:stripe-debug Cutlery/caddy:config-adapter-fix Cutlery/caddy:proxy-success-ratio Cutlery/caddy:querymatcher Cutlery/caddy:virtualconns Cutlery/caddy:proxy-res-templates Cutlery/caddy:metrics-improvements Cutlery/caddy:strict Cutlery/caddy:proxy-upstream-ids Cutlery/caddy:fuzz-seed-corpus Cutlery/caddy:v1
Cutlery/caddy:v2.11.3 Cutlery/caddy:v2.11.2 Cutlery/caddy:v2.11.1 Cutlery/caddy:v2.11.0 Cutlery/caddy:v2.11.0-beta.2 Cutlery/caddy:v2.11.0-beta.1 Cutlery/caddy:v2.10.2 Cutlery/caddy:v2.10.1 Cutlery/caddy:v2.10.0 Cutlery/caddy:v2.10.0-beta.4 Cutlery/caddy:v2.10.0-beta.3 Cutlery/caddy:v2.10.0-beta.2 Cutlery/caddy:v2.10.0-beta.1 Cutlery/caddy:v2.9.1 Cutlery/caddy:v2.9.0 Cutlery/caddy:v2.9.0-beta.3 Cutlery/caddy:v2.9.0-beta.2 Cutlery/caddy:v2.9.0-beta.1 Cutlery/caddy:v2.8.4 Cutlery/caddy:v2.8.3 Cutlery/caddy:v2.8.2 Cutlery/caddy:v2.8.1 Cutlery/caddy:v2.8.0 Cutlery/caddy:v2.8.0-rc.1 Cutlery/caddy:v2.8.0-beta.2 Cutlery/caddy:v2.8.0-beta.1 Cutlery/caddy:v2.7.6 Cutlery/caddy:v2.7.5 Cutlery/caddy:v2.7.4 Cutlery/caddy:v2.7.3 Cutlery/caddy:v2.7.2 Cutlery/caddy:v2.7.1 Cutlery/caddy:v2.7.0 Cutlery/caddy:v2.7.0-beta.2 Cutlery/caddy:v2.7.0-beta.1 Cutlery/caddy:v2.6.4 Cutlery/caddy:v2.6.3 Cutlery/caddy:v2.6.2 Cutlery/caddy:v2.6.1 Cutlery/caddy:v2.6.0 Cutlery/caddy:v2.6.0-beta.5 Cutlery/caddy:v2.6.0-beta.4 Cutlery/caddy:v2.6.0-beta.3 Cutlery/caddy:v2.6.0-beta.2 Cutlery/caddy:v2.6.0-beta.1 Cutlery/caddy:v2.5.2 Cutlery/caddy:v2.5.1 Cutlery/caddy:v2.5.0 Cutlery/caddy:v2.5.0-rc.1 Cutlery/caddy:v2.5.0-beta.1 Cutlery/caddy:v2.4.6 Cutlery/caddy:v2.4.5 Cutlery/caddy:v2.4.4 Cutlery/caddy:v2.4.3 Cutlery/caddy:v2.4.2 Cutlery/caddy:v2.4.1 Cutlery/caddy:v2.4.0 Cutlery/caddy:v2.4.0-rc.1 Cutlery/caddy:v2.4.0-beta.2 Cutlery/caddy:v2.4.0-beta.1 Cutlery/caddy:v2.3.0 Cutlery/caddy:v2.3.0-rc.2 Cutlery/caddy:v2.2.3 Cutlery/caddy:v2.3.0-rc.1 Cutlery/caddy:v2.3.0-beta.1 Cutlery/caddy:v2.2.1 Cutlery/caddy:v2.2.0 Cutlery/caddy:v2.2.0-rc.3 Cutlery/caddy:v2.2.0-rc.2 Cutlery/caddy:v2.2.0-rc.1 Cutlery/caddy:v2.1.1 Cutlery/caddy:v2.1.0 Cutlery/caddy:v2.1.0-beta.2 Cutlery/caddy:v2.1.0-beta.1 Cutlery/caddy:v2.0.0 Cutlery/caddy:v2.0.0-rc.3 Cutlery/caddy:v2.0.0-rc.2 Cutlery/caddy:v2.0.0-rc.1 Cutlery/caddy:v2.0.0-beta.20 Cutlery/caddy:v2.0.0-beta.19 Cutlery/caddy:v2.0.0-beta.18 Cutlery/caddy:v2.0.0-beta.17 Cutlery/caddy:v2.0.0-beta.16 Cutlery/caddy:v1.0.5 Cutlery/caddy:v2.0.0-beta.15 Cutlery/caddy:v2.0.0-beta.14 Cutlery/caddy:v2.0.0-beta.13 Cutlery/caddy:v2.0.0-beta12 Cutlery/caddy:v2.0.0-beta11 Cutlery/caddy:v2.0.0-beta10 Cutlery/caddy:v1.0.4 Cutlery/caddy:v2.0.0-beta9 Cutlery/caddy:v2.0.0-beta8 Cutlery/caddy:v2.0.0-beta7 Cutlery/caddy:v2.0.0-beta6 Cutlery/caddy:v2.0.0-beta5 Cutlery/caddy:v2.0.0-beta4 Cutlery/caddy:v2.0.0-beta3 Cutlery/caddy:v2.0.0-beta2 Cutlery/caddy:v2.0.0-beta1 Cutlery/caddy:v1.0.3 Cutlery/caddy:v1.0.2 Cutlery/caddy:v1.0.1 Cutlery/caddy:v1.0.0 Cutlery/caddy:v1.0.0-beta2 Cutlery/caddy:v1.0.0-beta1 Cutlery/caddy:v0.11.5 Cutlery/caddy:v0.11.4 Cutlery/caddy:v0.11.3 Cutlery/caddy:v0.11.2 Cutlery/caddy:v0.11.1 Cutlery/caddy:v0.11.0 Cutlery/caddy:v0.10.14 Cutlery/caddy:v0.10.13 Cutlery/caddy:v0.10.12 Cutlery/caddy:v0.10.11 Cutlery/caddy:v0.10.10 Cutlery/caddy:v0.10.9 Cutlery/caddy:v0.10.8 Cutlery/caddy:v0.10.7 Cutlery/caddy:v0.10.6 Cutlery/caddy:v0.10.5 Cutlery/caddy:v0.10.4 Cutlery/caddy:v0.10.3 Cutlery/caddy:v0.10.2 Cutlery/caddy:v0.10.1 Cutlery/caddy:v0.10.0 Cutlery/caddy:v0.9.5 Cutlery/caddy:v0.9.4 Cutlery/caddy:v0.9.3 Cutlery/caddy:v0.9.2 Cutlery/caddy:v0.9.1 Cutlery/caddy:v0.9.0 Cutlery/caddy:v0.9-beta.2 Cutlery/caddy:v0.9-beta.1 Cutlery/caddy:v0.8.3 Cutlery/caddy:v0.8.2 Cutlery/caddy:v0.8.1 Cutlery/caddy:v0.8.0 Cutlery/caddy:v0.8-beta.4 Cutlery/caddy:v0.8-beta.3 Cutlery/caddy:v0.8-beta.2 Cutlery/caddy:v0.8-beta.1 Cutlery/caddy:v0.7.6 Cutlery/caddy:v0.7.5 Cutlery/caddy:v0.7.4 Cutlery/caddy:v0.7.3 Cutlery/caddy:v0.7.2 Cutlery/caddy:v0.7.1 Cutlery/caddy:v0.7.0 Cutlery/caddy:v0.6.0 Cutlery/caddy:v0.5.1 Cutlery/caddy:v0.5.0

31 Commits
host-match .. hurl-tests

Author SHA1 Message Date
Mohammed Al Sahaf 01828e38bb Merge branch 'master' into hurl-tests 2025-11-12 02:05:15 +03:00
Mohammed Al Sahaf 59aa8588c9 add delay because CI hosts aren't fast enough 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-12 01:50:33 +03:00
Mohammed Al Sahaf a63a87e4ef ci upgrades 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-12 01:42:27 +03:00
Mohammed Al Sahaf 501f525d35 fix Tests workflow 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-12 01:39:32 +03:00
Mohammed Al Sahaf 47ef562bbd add route tests 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-12 01:37:04 +03:00
Mohammed Al Sahaf d87760adab add vars tests 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-12 01:33:09 +03:00
Mohammed Al Sahaf 1904c37234 add request_header cases 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-12 01:16:11 +03:00
Mohammed Al Sahaf cb72512d17 Merge branch 'master' into hurl-tests 2025-11-03 08:43:02 +03:00
Mohammed Al Sahaf 8d422f0d7f spec: uri handler 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-02 20:59:26 +03:00
Mohammed Al Sahaf 336d514797 spec: forward_auth handler 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-02 20:46:53 +03:00
Mohammed Al Sahaf 6d89bc3942 spec: error handler 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-11-02 20:42:20 +03:00
Mohammed Al Sahaf d186879da5 Merge branch 'master' into hurl-tests 2025-10-21 01:35:18 +03:00
Mohammed Al Sahaf 9f9f5ab4de pin deps 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2025-06-16 23:55:22 +03:00
Mohammed Al Sahaf 535e40c342 Merge branch 'master' into hurl-tests 2025-06-16 23:48:47 +03:00
Mohammed Al Sahaf 218b3b192b Merge branch 'master' into hurl-tests 2024-12-30 17:51:38 +03:00
Mohammed Al Sahaf df59b09cad Merge branch 'master' into hurl-tests 2024-12-29 12:42:12 +03:00
Mohammed Al Sahaf c718744483 Keep report to HTML only 2024-10-31 07:39:31 +00:00
Mohammed Al Sahaf e75fca007e include txt and html coverage profile 2024-10-31 07:30:50 +00:00
Mohammed Al Sahaf 25d94ffe2a generate coverage profile 2024-10-29 22:03:13 +00:00
Mohammed Al Sahaf 7ea59f0d49 remove of --cafile in hurl 2024-10-29 21:23:34 +00:00
Mohammed Al Sahaf ddc2ca3e10 use Caddy CA in hurl options 2024-10-29 21:19:04 +00:00
Mohammed Al Sahaf b34c13c5cf limit hurl jobs to 1 2024-10-29 21:10:09 +00:00
Mohammed Al Sahaf 18a15d84ef Merge branch 'master' into hurl-tests 2024-10-29 21:03:10 +00:00
Mohammed Al Sahaf 9ba7ea76a9 add test case for request_body handler 2024-10-29 20:53:52 +00:00
Mohammed Al Sahaf 01ae168f92 print curl and hurl versions
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 2m47s
Details
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m14s
Details
Tests / spec-test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m17s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Successful in 27s
Details
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Has been cancelled
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Has been cancelled
Details
2024-09-09 11:27:38 +00:00
Mohammed Al Sahaf 8d2ed344c1 update hurl to 5.0.1
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Details
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Failing after 3m33s
Details
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Failing after 2m52s
Details
Tests / spec-test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Successful in 2m59s
Details
Tests / test (s390x on IBM Z) (push) Has been skipped
Details
Tests / goreleaser-check (push) Successful in 28s
Details
2024-09-09 08:29:23 +00:00
Mohammed Al Sahaf 3bdc6c035a Merge branch 'master' into hurl-tests 2024-09-09 10:20:16 +03:00
Mohammed Al Sahaf c1cdc25b77 add file_server test 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2024-06-20 20:24:19 +03:00
Mohammed Al Sahaf 0ecb1ba262 add basic_auth test 
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
 2024-06-15 00:48:08 +03:00
Mohammed Al Sahaf eb6934f784 Merge branch 'master' into hurl-tests 2024-06-06 12:52:46 +03:00
Mohammed Al Sahaf 1b4bd3ee1b testing: use Hurl in CI to test Caddy against spec 2024-04-20 14:49:56 +03:00
121 changed files with 2380 additions and 4740 deletions
Expand all files Collapse all files
.github/SECURITY.md
+1 -3
View File
@@ -18,7 +18,7 @@ A security report must demonstrate a security bug in the source code from this r
Some security problems are the result of interplay between different components of the Web, rather than a vulnerability in the web server itself. Please only report vulnerabilities in the web server itself, as we cannot coerce the rest of the Web to be fixed (for example, we do not consider IP spoofing, BGP hijacks, or missing/misconfigured HTTP headers a vulnerability in the Caddy web server).
Vulnerabilities caused by misconfigurations are out of scope. Yes, it is entirely possible to craft and use a configuration that is unsafe, just like with every other web server; we recommend against doing that. Similarly, external misconfigurations are out of scope. For example, an open or forwarded port from a public network to a Caddy instance intended to serve only internal clients is not a vulnerability in Caddy.
Vulnerabilities caused by misconfigurations are out of scope. Yes, it is entirely possible to craft and use a configuration that is unsafe, just like with every other web server; we recommend against doing that.
We do not accept reports if the steps imply or require a compromised system or third-party software, as we cannot control those. We expect that users secure their own systems and keep all their software patched. For example, if untrusted users are able to upload/write/host arbitrary files in the web root directory, it is NOT a security bug in Caddy if those files get served to clients; however, it _would_ be a valid report if a bug in Caddy's source code unintentionally gave unauthorized users the ability to upload unsafe files or delete files without relying on an unpatched system or piece of software.
@@ -33,8 +33,6 @@ We get a lot of difficult reports that turn out to be invalid. Clear, obvious re
First please ensure your report falls within the accepted scope of security bugs (above).
**YOU MUST DISCLOSE THE USE OF LLMs ("AI") INVOLVED IN ANY WAY.** Whether you are using AI for discovery, as part of writing the report or its replies, and/or testing or validating proofs and changes, we require you to mention the extent of it. **FAILURE TO INCLUDE A DISCLOSURE MAY LEAD TO IMMEDIATE DISMISSAL OF YOUR REPORT AND POTENTIAL BLOCKLISTING.**
We'll need enough information to verify the bug and make a patch. To speed things up, please include:
- Most minimal possible config (without redactions!)
.github/workflows/auto-release-pr.yml
-221
View File
@@ -1,221 +0,0 @@
name: Release Proposal Approval Tracker
on:
pull_request_review:
types: [submitted, dismissed]
pull_request:
types: [labeled, unlabeled, synchronize, closed]
permissions:
contents: read
pull-requests: write
issues: write
jobs:
check-approvals:
name: Track Maintainer Approvals
runs-on: ubuntu-latest
# Only run on PRs with release-proposal label
if: contains(github.event.pull_request.labels.*.name, 'release-proposal') && github.event.pull_request.state == 'open'
steps:
- name: Check approvals and update PR
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
MAINTAINER_LOGINS: ${{ secrets.MAINTAINER_LOGINS }}
with:
script: |
const pr = context.payload.pull_request;
// Extract version from PR title (e.g., "Release Proposal: v1.2.3")
const versionMatch = pr.title.match(/Release Proposal:\s*(v[\d.]+(?:-[\w.]+)?)/);
const commitMatch = pr.body.match(/\*\*Target Commit:\*\*\s*`([a-f0-9]+)`/);
if (!versionMatch || !commitMatch) {
console.log('Could not extract version from title or commit from body');
return;
}
const version = versionMatch[1];
const targetCommit = commitMatch[1];
console.log(`Version: ${version}, Target Commit: ${targetCommit}`);
// Get all reviews
const reviews = await github.rest.pulls.listReviews({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pr.number
});
// Get list of maintainers
const maintainerLoginsRaw = process.env.MAINTAINER_LOGINS || '';
const maintainerLogins = maintainerLoginsRaw
.split(/[,;]/)
.map(login => login.trim())
.filter(login => login.length > 0);
console.log(`Maintainer logins: ${maintainerLogins.join(', ')}`);
// Get the latest review from each user
const latestReviewsByUser = {};
reviews.data.forEach(review => {
const username = review.user.login;
if (!latestReviewsByUser[username] || new Date(review.submitted_at) > new Date(latestReviewsByUser[username].submitted_at)) {
latestReviewsByUser[username] = review;
}
});
// Count approvals from maintainers
const maintainerApprovals = Object.entries(latestReviewsByUser)
.filter(([username, review]) =>
maintainerLogins.includes(username) &&
review.state === 'APPROVED'
)
.map(([username, review]) => username);
const approvalCount = maintainerApprovals.length;
console.log(`Found ${approvalCount} maintainer approvals from: ${maintainerApprovals.join(', ')}`);
// Get current labels
const currentLabels = pr.labels.map(label => label.name);
const hasApprovedLabel = currentLabels.includes('approved');
const hasAwaitingApprovalLabel = currentLabels.includes('awaiting-approval');
if (approvalCount >= 2 && !hasApprovedLabel) {
console.log('✅ Quorum reached! Updating PR...');
// Remove awaiting-approval label if present
if (hasAwaitingApprovalLabel) {
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
name: 'awaiting-approval'
}).catch(e => console.log('Label not found:', e.message));
}
// Add approved label
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
labels: ['approved']
});
// Add comment with tagging instructions
const approversList = maintainerApprovals.map(u => `@${u}`).join(', ');
const commentBody = [
'## ✅ Approval Quorum Reached',
'',
`This release proposal has been approved by ${approvalCount} maintainers: ${approversList}`,
'',
'### Tagging Instructions',
'',
'A maintainer should now create and push the signed tag:',
'',
'```bash',
`git checkout ${targetCommit}`,
`git tag -s ${version} -m "Release ${version}"`,
`git push origin ${version}`,
`git checkout -`,
'```',
'',
'The release workflow will automatically start when the tag is pushed.'
].join('\n');
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
body: commentBody
});
console.log('Posted tagging instructions');
} else if (approvalCount < 2 && hasApprovedLabel) {
console.log('⚠️ Approval count dropped below quorum, removing approved label');
// Remove approved label
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
name: 'approved'
}).catch(e => console.log('Label not found:', e.message));
// Add awaiting-approval label
if (!hasAwaitingApprovalLabel) {
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
labels: ['awaiting-approval']
});
}
} else {
console.log(`⏳ Waiting for more approvals (${approvalCount}/2 required)`);
}
handle-pr-closed:
name: Handle PR Closed Without Tag
runs-on: ubuntu-latest
if: |
contains(github.event.pull_request.labels.*.name, 'release-proposal') &&
github.event.action == 'closed' && !contains(github.event.pull_request.labels.*.name, 'released')
steps:
- name: Add cancelled label and comment
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const pr = context.payload.pull_request;
// Check if the release-in-progress label is present
const hasReleaseInProgress = pr.labels.some(label => label.name === 'release-in-progress');
if (hasReleaseInProgress) {
// PR was closed while release was in progress - this is unusual
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
body: '⚠️ **Warning:** This PR was closed while a release was in progress. This may indicate an error. Please verify the release status.'
});
} else {
// PR was closed before tag was created - this is normal cancellation
const versionMatch = pr.title.match(/Release Proposal:\s*(v[\d.]+(?:-[\w.]+)?)/);
const version = versionMatch ? versionMatch[1] : 'unknown';
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
body: `## 🚫 Release Proposal Cancelled\n\nThis release proposal for ${version} was closed without creating the tag.\n\nIf you want to proceed with this release later, you can create a new release proposal.`
});
}
// Add cancelled label
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
labels: ['cancelled']
});
// Remove other workflow labels if present
const labelsToRemove = ['awaiting-approval', 'approved', 'release-in-progress'];
for (const label of labelsToRemove) {
try {
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
name: label
});
} catch (e) {
console.log(`Label ${label} not found or already removed`);
}
}
console.log('Added cancelled label and cleaned up workflow labels');
.github/workflows/ci.yml
+110 -4
View File
@@ -31,13 +31,13 @@ jobs:
- mac
- windows
go:
- '1.26'
- '1.25'
include:
# Set the minimum Go patch version for the given Go minor
# Usable via ${{ matrix.GO_SEMVER }}
- go: '1.26'
GO_SEMVER: '~1.26.0'
- go: '1.25'
GO_SEMVER: '~1.25.0'
# Set some variables per OS, usable via ${{ matrix.VAR }}
# OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
@@ -63,6 +63,7 @@ jobs:
contents: read
pull-requests: read
actions: write # to allow uploading artifacts and cache
checks: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -152,6 +153,111 @@ jobs:
# echo "step_test ${{ steps.step_test.outputs.status }}\n"
# exit 1
spec-test:
permissions:
checks: write
pull-requests: write
strategy:
matrix:
os:
- linux
go:
- '1.25'
include:
# Set the minimum Go patch version for the given Go minor
# Usable via ${{ matrix.GO_SEMVER }}
- go: '1.25'
GO_SEMVER: '~1.25.0'
# Set some variables per OS, usable via ${{ matrix.VAR }}
# OS_LABEL: the VM label from GitHub Actions (see https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners#standard-github-hosted-runners-for-public-repositories)
# CADDY_BIN_PATH: the path to the compiled Caddy binary, for artifact publishing
# SUCCESS: the typical value for $? per OS (Windows/pwsh returns 'True')
- os: linux
OS_LABEL: ubuntu-latest
CADDY_BIN_PATH: ./cmd/caddy/caddy
SUCCESS: 0
runs-on: ${{ matrix.OS_LABEL }}
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: ${{ matrix.GO_SEMVER }}
check-latest: true
- name: Print Go version and environment
id: vars
shell: bash
run: |
printf "curl version: $(curl --version)\n"
printf "Using go at: $(which go)\n"
printf "Go version: $(go version)\n"
printf "\n\nGo environment:\n\n"
go env
printf "\n\nSystem environment:\n\n"
env
printf "Git version: $(git version)\n\n"
# Calculate the short SHA1 hash of the git commit
echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Get dependencies
run: |
go get -v -t ./...
# mkdir test-results
- name: Build Caddy
working-directory: ./cmd/caddy
env:
CGO_ENABLED: 0
run: |
go build -cover -tags nobadger,nopgx,nomysql -trimpath -ldflags="-w -s" -v
- name: Install Hurl
env:
HURL_VERSION: "7.0.0"
run: |
curl --location --remote-name https://github.com/Orange-OpenSource/hurl/releases/download/${HURL_VERSION}/hurl_${HURL_VERSION}_amd64.deb
sudo dpkg -i hurl_${HURL_VERSION}_amd64.deb
hurl --version
- name: Run Caddy
run: |
./cmd/caddy/caddy environ
mkdir coverdir
export GOCOVERDIR=./coverdir
./cmd/caddy/caddy start
sleep 5
- name: Run tests with Hurl
run: |
mkdir hurl-report
find . -name *.hurl -exec hurl --jobs 1 --variables-file caddytest/spec/hurl_vars.properties --very-verbose --verbose --test --report-junit hurl-report/junit.xml --color {} \;
- name: Publish Test Results
uses: EnricoMi/publish-unit-test-result-action@3a74b2957438d0b6e2e61d67b05318aa25c9e6c6 # v2.20.0
with:
files: |
hurl-report/junit.xml
- name: Generate Coverage Data
run: |
export GOCOVERDIR=./coverdir
./cmd/caddy/caddy stop
go tool covdata textfmt -i=coverdir -o hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.txt
go tool cover -html hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.txt -o hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.html
- name: Publish Coverage Profile
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
path: hurl-report/caddy_cover_${{ steps.vars.outputs.short_sha }}.html
compression-level: 0
s390x-test:
name: test (s390x on IBM Z)
permissions:
@@ -235,7 +341,7 @@ jobs:
- name: Install Go
uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: "~1.26"
go-version: "~1.25"
check-latest: true
- name: Install xcaddy
run: |
.github/workflows/cross-build.yml
+3 -3
View File
@@ -36,13 +36,13 @@ jobs:
- 'darwin'
- 'netbsd'
go:
- '1.26'
- '1.25'
include:
# Set the minimum Go patch version for the given Go minor
# Usable via ${{ matrix.GO_SEMVER }}
- go: '1.26'
GO_SEMVER: '~1.26.0'
- go: '1.25'
GO_SEMVER: '~1.25.0'
runs-on: ubuntu-latest
permissions:
.github/workflows/lint.yml
+2 -2
View File
@@ -52,7 +52,7 @@ jobs:
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
with:
go-version: '~1.26'
go-version: '~1.25'
check-latest: true
- name: golangci-lint
@@ -80,7 +80,7 @@ jobs:
- name: govulncheck
uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
with:
go-version-input: '~1.26.0'
go-version-input: '~1.25.0'
check-latest: true
dependency-review:
.github/workflows/release-proposal.yml
-249
View File
@@ -1,249 +0,0 @@
name: Release Proposal
# This workflow creates a release proposal as a PR that requires approval from maintainers
# Triggered manually by maintainers when ready to prepare a release
on:
workflow_dispatch:
inputs:
version:
description: 'Version to release (e.g., v2.8.0)'
required: true
type: string
commit_hash:
description: 'Commit hash to release from'
required: true
type: string
permissions:
contents: read
jobs:
create-proposal:
name: Create Release Proposal
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: Trim and validate inputs
id: inputs
run: |
# Trim whitespace from inputs
VERSION=$(echo "${{ inputs.version }}" | xargs)
COMMIT_HASH=$(echo "${{ inputs.commit_hash }}" | xargs)
echo "version=$VERSION" >> $GITHUB_OUTPUT
echo "commit_hash=$COMMIT_HASH" >> $GITHUB_OUTPUT
# Validate version format
if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
echo "Error: Version must follow semver format (e.g., v2.8.0 or v2.8.0-beta.1)"
exit 1
fi
# Validate commit hash format
if [[ ! "$COMMIT_HASH" =~ ^[a-f0-9]{7,40}$ ]]; then
echo "Error: Commit hash must be a valid SHA (7-40 characters)"
exit 1
fi
# Check if commit exists
if ! git cat-file -e "$COMMIT_HASH"; then
echo "Error: Commit $COMMIT_HASH does not exist"
exit 1
fi
- name: Check if tag already exists
run: |
if git rev-parse "${{ steps.inputs.outputs.version }}" >/dev/null 2>&1; then
echo "Error: Tag ${{ steps.inputs.outputs.version }} already exists"
exit 1
fi
- name: Check for existing proposal PR
id: check_existing
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const version = '${{ steps.inputs.outputs.version }}';
// Search for existing open PRs with release-proposal label that match this version
const openPRs = await github.rest.pulls.list({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open',
sort: 'updated',
direction: 'desc'
});
const existingOpenPR = openPRs.data.find(pr =>
pr.title.includes(version) &&
pr.labels.some(label => label.name === 'release-proposal')
);
if (existingOpenPR) {
const hasReleased = existingOpenPR.labels.some(label => label.name === 'released');
const hasReleaseInProgress = existingOpenPR.labels.some(label => label.name === 'release-in-progress');
if (hasReleased || hasReleaseInProgress) {
core.setFailed(`A release for ${version} is already in progress or completed: ${existingOpenPR.html_url}`);
} else {
core.setFailed(`An open release proposal already exists for ${version}: ${existingOpenPR.html_url}\n\nPlease use the existing PR or close it first.`);
}
return;
}
// Check for closed PRs with this version that were cancelled
const closedPRs = await github.rest.pulls.list({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'closed',
sort: 'updated',
direction: 'desc'
});
const cancelledPR = closedPRs.data.find(pr =>
pr.title.includes(version) &&
pr.labels.some(label => label.name === 'release-proposal') &&
pr.labels.some(label => label.name === 'cancelled')
);
if (cancelledPR) {
console.log(`Found previously cancelled proposal for ${version}: ${cancelledPR.html_url}`);
console.log('Creating new proposal to replace cancelled one...');
} else {
console.log(`No existing proposal found for ${version}, proceeding...`);
}
- name: Generate changelog and create branch
id: setup
run: |
VERSION="${{ steps.inputs.outputs.version }}"
COMMIT_HASH="${{ steps.inputs.outputs.commit_hash }}"
# Create a new branch for the release proposal
BRANCH_NAME="release_proposal-$VERSION"
git checkout -b "$BRANCH_NAME"
# Calculate how many commits behind HEAD
COMMITS_BEHIND=$(git rev-list --count ${COMMIT_HASH}..HEAD)
if [ "$COMMITS_BEHIND" -eq 0 ]; then
BEHIND_INFO="This is the latest commit (HEAD)"
else
BEHIND_INFO="This commit is **${COMMITS_BEHIND} commits behind HEAD**"
fi
echo "commits_behind=$COMMITS_BEHIND" >> $GITHUB_OUTPUT
echo "behind_info=$BEHIND_INFO" >> $GITHUB_OUTPUT
# Get the last tag
LAST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, generating full changelog"
COMMITS=$(git log --pretty=format:"- %s (%h)" --reverse "$COMMIT_HASH")
else
echo "Generating changelog since $LAST_TAG"
COMMITS=$(git log --pretty=format:"- %s (%h)" --reverse "${LAST_TAG}..$COMMIT_HASH")
fi
# Store changelog for PR body
CLEANSED_COMMITS=$(echo "$COMMITS" | sed 's/`/\\`/g')
echo "changelog<<EOF" >> $GITHUB_OUTPUT
echo "$CLEANSED_COMMITS" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
# Create empty commit for the PR
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git commit --allow-empty -m "Release proposal for $VERSION"
# Push the branch
git push origin "$BRANCH_NAME"
echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
- name: Create release proposal PR
id: create_pr
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const changelog = `${{ steps.setup.outputs.changelog }}`;
const pr = await github.rest.pulls.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `Release Proposal: ${{ steps.inputs.outputs.version }}`,
head: '${{ steps.setup.outputs.branch_name }}',
base: 'master',
body: `## Release Proposal: ${{ steps.inputs.outputs.version }}
**Target Commit:** \`${{ steps.inputs.outputs.commit_hash }}\`
**Requested by:** @${{ github.actor }}
**Commit Status:** ${{ steps.setup.outputs.behind_info }}
This PR proposes creating release tag \`${{ steps.inputs.outputs.version }}\` at commit \`${{ steps.inputs.outputs.commit_hash }}\`.
### Approval Process
This PR requires **approval from 2+ maintainers** before the tag can be created.
### What happens next?
1. Maintainers review this proposal
2. When 2+ maintainer approvals are received, an automated workflow will post tagging instructions
3. A maintainer manually creates and pushes the signed tag
4. The release workflow is triggered automatically by the tag push
5. Upon release completion, this PR is closed and the branch is deleted
### Changes Since Last Release
${changelog}
### Release Checklist
- [ ] All tests pass
- [ ] Security review completed
- [ ] Documentation updated
- [ ] Breaking changes documented
---
**Note:** Tag creation is manual and requires a signed tag from a maintainer.`,
draft: true
});
// Add labels
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.data.number,
labels: ['release-proposal', 'awaiting-approval']
});
console.log(`Created PR: ${pr.data.html_url}`);
return { number: pr.data.number, url: pr.data.html_url };
result-encoding: json
- name: Post summary
run: |
echo "## Release Proposal PR Created! 🚀" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Version: **${{ steps.inputs.outputs.version }}**" >> $GITHUB_STEP_SUMMARY
echo "Commit: **${{ steps.inputs.outputs.commit_hash }}**" >> $GITHUB_STEP_SUMMARY
echo "Status: ${{ steps.setup.outputs.behind_info }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "PR: ${{ fromJson(steps.create_pr.outputs.result).url }}" >> $GITHUB_STEP_SUMMARY
.github/workflows/release.yml
+13 -388
View File
@@ -13,334 +13,20 @@ permissions:
contents: read
jobs:
verify-tag:
name: Verify Tag Signature and Approvals
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
outputs:
verification_passed: ${{ steps.verify.outputs.passed }}
tag_version: ${{ steps.info.outputs.version }}
proposal_issue_number: ${{ steps.find_proposal.outputs.result && fromJson(steps.find_proposal.outputs.result).number || '' }}
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
# Force fetch upstream tags -- because 65 minutes
# tl;dr: actions/checkout@v3 runs this line:
# git -c protocol.version=2 fetch --no-tags --prune --progress --no-recurse-submodules --depth=1 origin +ebc278ec98bb24f2852b61fde2a9bf2e3d83818b:refs/tags/
# which makes its own local lightweight tag, losing all the annotations in the process. Our earlier script ran:
# git fetch --prune --unshallow
# which doesn't overwrite that tag because that would be destructive.
# Credit to @francislavoie for the investigation.
# https://github.com/actions/checkout/issues/290#issuecomment-680260080
- name: Force fetch upstream tags
run: git fetch --tags --force
- name: Get tag info
id: info
run: |
echo "version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
# https://github.community/t5/GitHub-Actions/How-to-get-just-the-tag-name/m-p/32167/highlight/true#M1027
- name: Print Go version and environment
id: vars
run: |
printf "Using go at: $(which go)\n"
printf "Go version: $(go version)\n"
printf "\n\nGo environment:\n\n"
go env
printf "\n\nSystem environment:\n\n"
env
echo "version_tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
echo "short_sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
# Add "pip install" CLI tools to PATH
echo ~/.local/bin >> $GITHUB_PATH
# Parse semver
TAG=${GITHUB_REF/refs\/tags\//}
SEMVER_RE='[^0-9]*\([0-9]*\)[.]\([0-9]*\)[.]\([0-9]*\)\([0-9A-Za-z\.-]*\)'
TAG_MAJOR=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\1#"`
TAG_MINOR=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\2#"`
TAG_PATCH=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\3#"`
TAG_SPECIAL=`echo ${TAG#v} | sed -e "s#$SEMVER_RE#\4#"`
echo "tag_major=${TAG_MAJOR}" >> $GITHUB_OUTPUT
echo "tag_minor=${TAG_MINOR}" >> $GITHUB_OUTPUT
echo "tag_patch=${TAG_PATCH}" >> $GITHUB_OUTPUT
echo "tag_special=${TAG_SPECIAL}" >> $GITHUB_OUTPUT
- name: Validate commits and tag signatures
id: verify
env:
signing_keys: ${{ secrets.SIGNING_KEYS }}
run: |
# Read the string into an array, splitting by IFS
IFS=";" read -ra keys_collection <<< "$signing_keys"
# ref: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#example-usage-of-the-runner-context
touch "${{ runner.temp }}/allowed_signers"
# Iterate and print the split elements
for item in "${keys_collection[@]}"; do
# trim leading whitespaces
item="${item##*( )}"
# trim trailing whitespaces
item="${item%%*( )}"
IFS=" " read -ra key_components <<< "$item"
# git wants it in format: email address, type, public key
# ssh has it in format: type, public key, email address
echo "${key_components[2]} namespaces=\"git\" ${key_components[0]} ${key_components[1]}" >> "${{ runner.temp }}/allowed_signers"
done
git config set --global gpg.ssh.allowedSignersFile "${{ runner.temp }}/allowed_signers"
echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
# Verify the tag is signed
if ! git verify-tag -v "${{ steps.vars.outputs.version_tag }}" 2>&1; then
echo "❌ Tag verification failed!"
echo "passed=false" >> $GITHUB_OUTPUT
git push --delete origin "${{ steps.vars.outputs.version_tag }}"
exit 1
fi
# Run it again to capture the output
git verify-tag -v "${{ steps.vars.outputs.version_tag }}" 2>&1 | tee /tmp/verify-output.txt;
# SSH verification output typically includes the key fingerprint
# Use GNU grep with Perl regex for cleaner extraction (Linux environment)
KEY_SHA256=$(grep -oP "SHA256:[\"']?\K[A-Za-z0-9+/=]+(?=[\"']?)" /tmp/verify-output.txt | head -1 || echo "")
if [ -z "$KEY_SHA256" ]; then
# Try alternative pattern with "key" prefix
KEY_SHA256=$(grep -oP "key SHA256:[\"']?\K[A-Za-z0-9+/=]+(?=[\"']?)" /tmp/verify-output.txt | head -1 || echo "")
fi
if [ -z "$KEY_SHA256" ]; then
# Fallback: extract any base64-like string (40+ chars)
KEY_SHA256=$(grep -oP '[A-Za-z0-9+/]{40,}=?' /tmp/verify-output.txt | head -1 || echo "")
fi
if [ -z "$KEY_SHA256" ]; then
echo "Somehow could not extract SSH key fingerprint from git verify-tag output"
echo "Cancelling flow and deleting tag"
echo "passed=false" >> $GITHUB_OUTPUT
git push --delete origin "${{ steps.vars.outputs.version_tag }}"
exit 1
fi
echo "✅ Tag verification succeeded!"
echo "passed=true" >> $GITHUB_OUTPUT
echo "key_id=$KEY_SHA256" >> $GITHUB_OUTPUT
- name: Find related release proposal
id: find_proposal
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const version = '${{ steps.vars.outputs.version_tag }}';
// Search for PRs with release-proposal label that match this version
const prs = await github.rest.pulls.list({
owner: context.repo.owner,
repo: context.repo.repo,
state: 'open', // Changed to 'all' to find both open and closed PRs
sort: 'updated',
direction: 'desc'
});
// Find the most recent PR for this version
const proposal = prs.data.find(pr =>
pr.title.includes(version) &&
pr.labels.some(label => label.name === 'release-proposal')
);
if (!proposal) {
console.log(`⚠️ No release proposal PR found for ${version}`);
console.log('This might be a hotfix or emergency release');
return { number: null, approved: true, approvals: 0, proposedCommit: null };
}
console.log(`Found proposal PR #${proposal.number} for version ${version}`);
// Extract commit hash from PR body
const commitMatch = proposal.body.match(/\*\*Target Commit:\*\*\s*`([a-f0-9]+)`/);
const proposedCommit = commitMatch ? commitMatch[1] : null;
if (proposedCommit) {
console.log(`Proposal was for commit: ${proposedCommit}`);
} else {
console.log('⚠️ No target commit hash found in PR body');
}
// Get PR reviews to extract approvers
let approvers = 'Validated by automation';
let approvalCount = 2; // Minimum required
try {
const reviews = await github.rest.pulls.listReviews({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: proposal.number
});
// Get latest review per user and filter for approvals
const latestReviewsByUser = {};
reviews.data.forEach(review => {
const username = review.user.login;
if (!latestReviewsByUser[username] || new Date(review.submitted_at) > new Date(latestReviewsByUser[username].submitted_at)) {
latestReviewsByUser[username] = review;
}
});
const approvalReviews = Object.values(latestReviewsByUser).filter(review =>
review.state === 'APPROVED'
);
if (approvalReviews.length > 0) {
approvers = approvalReviews.map(r => '@' + r.user.login).join(', ');
approvalCount = approvalReviews.length;
console.log(`Found ${approvalCount} approvals from: ${approvers}`);
}
} catch (error) {
console.log(`Could not fetch reviews: ${error.message}`);
}
return {
number: proposal.number,
approved: true,
approvals: approvalCount,
approvers: approvers,
proposedCommit: proposedCommit
};
result-encoding: json
- name: Verify proposal commit
run: |
APPROVALS='${{ steps.find_proposal.outputs.result }}'
# Parse JSON
PROPOSED_COMMIT=$(echo "$APPROVALS" | jq -r '.proposedCommit')
CURRENT_COMMIT="${{ steps.info.outputs.sha }}"
echo "Proposed commit: $PROPOSED_COMMIT"
echo "Current commit: $CURRENT_COMMIT"
# Check if commits match (if proposal had a target commit)
if [ "$PROPOSED_COMMIT" != "null" ] && [ -n "$PROPOSED_COMMIT" ]; then
# Normalize both commits to full SHA for comparison
PROPOSED_FULL=$(git rev-parse "$PROPOSED_COMMIT" 2>/dev/null || echo "")
CURRENT_FULL=$(git rev-parse "$CURRENT_COMMIT" 2>/dev/null || echo "")
if [ -z "$PROPOSED_FULL" ]; then
echo "⚠️ Could not resolve proposed commit: $PROPOSED_COMMIT"
elif [ "$PROPOSED_FULL" != "$CURRENT_FULL" ]; then
echo "❌ Commit mismatch!"
echo "The tag points to commit $CURRENT_FULL but the proposal was for $PROPOSED_FULL"
echo "This indicates an error in tag creation."
# Delete the tag remotely
git push --delete origin "${{ steps.vars.outputs.version_tag }}"
echo "Tag ${{steps.vars.outputs.version_tag}} has been deleted"
exit 1
else
echo "✅ Commit hash matches proposal"
fi
else
echo "⚠️ No target commit found in proposal (might be legacy release)"
fi
echo "✅ Tag verification completed"
- name: Update release proposal PR
if: fromJson(steps.find_proposal.outputs.result).number != null
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const result = ${{ steps.find_proposal.outputs.result }};
if (result.number) {
// Add in-progress label
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: result.number,
labels: ['release-in-progress']
});
// Remove approved label if present
try {
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: result.number,
name: 'approved'
});
} catch (e) {
console.log('Approved label not found:', e.message);
}
const commentBody = [
'## 🚀 Release Workflow Started',
'',
'- **Tag:** ${{ steps.info.outputs.version }}',
'- **Signed by key:** ${{ steps.verify.outputs.key_id }}',
'- **Commit:** ${{ steps.info.outputs.sha }}',
'- **Approved by:** ' + result.approvers,
'',
'Release workflow is now running. This PR will be updated when the release is published.'
].join('\n');
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: result.number,
body: commentBody
});
}
- name: Summary
run: |
APPROVALS='${{ steps.find_proposal.outputs.result }}'
PROPOSED_COMMIT=$(echo "$APPROVALS" | jq -r '.proposedCommit // "N/A"')
APPROVERS=$(echo "$APPROVALS" | jq -r '.approvers // "N/A"')
echo "## Tag Verification Summary 🔐" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- **Tag:** ${{ steps.info.outputs.version }}" >> $GITHUB_STEP_SUMMARY
echo "- **Commit:** ${{ steps.info.outputs.sha }}" >> $GITHUB_STEP_SUMMARY
echo "- **Proposed Commit:** $PROPOSED_COMMIT" >> $GITHUB_STEP_SUMMARY
echo "- **Signature:** ✅ Verified" >> $GITHUB_STEP_SUMMARY
echo "- **Signed by:** ${{ steps.verify.outputs.key_id }}" >> $GITHUB_STEP_SUMMARY
echo "- **Approvals:** ✅ Sufficient" >> $GITHUB_STEP_SUMMARY
echo "- **Approved by:** $APPROVERS" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Proceeding with release build..." >> $GITHUB_STEP_SUMMARY
release:
name: Release
needs: verify-tag
if: ${{ needs.verify-tag.outputs.verification_passed == 'true' }}
strategy:
matrix:
os:
- ubuntu-latest
go:
- '1.26'
- '1.25'
include:
# Set the minimum Go patch version for the given Go minor
# Usable via ${{ matrix.GO_SEMVER }}
- go: '1.26'
GO_SEMVER: '~1.26.0'
- go: '1.25'
GO_SEMVER: '~1.25.0'
runs-on: ${{ matrix.os }}
# https://github.com/sigstore/cosign/issues/1258#issuecomment-1002251233
@@ -350,8 +36,6 @@ jobs:
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps#permission-on-contents
# "Releases" is part of `contents`, so it needs the `write`
contents: write
issues: write
pull-requests: write
steps:
- name: Harden the runner (Audit all outbound calls)
@@ -414,6 +98,16 @@ jobs:
- name: Install Cloudsmith CLI
run: pip install --upgrade cloudsmith-cli
- name: Validate commits and tag signatures
run: |
# Import Matt Holt's key
curl 'https://github.com/mholt.gpg' | gpg --import
echo "Verifying the tag: ${{ steps.vars.outputs.version_tag }}"
# tags are only accepted if signed by Matt's key
git verify-tag "${{ steps.vars.outputs.version_tag }}" || exit 1
- name: Install Cosign
uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # main
- name: Cosign version
@@ -494,72 +188,3 @@ jobs:
echo "Pushing $filename to 'testing'"
cloudsmith push deb caddy/testing/any-distro/any-version $filename
done
- name: Update release proposal PR
if: needs.verify-tag.outputs.proposal_issue_number != ''
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const prNumber = parseInt('${{ needs.verify-tag.outputs.proposal_issue_number }}');
if (prNumber) {
// Get PR details to find the branch
const pr = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber
});
const branchName = pr.data.head.ref;
// Remove in-progress label
try {
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
name: 'release-in-progress'
});
} catch (e) {
console.log('Label not found:', e.message);
}
// Add released label
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
labels: ['released']
});
// Add final comment
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: prNumber,
body: '## ✅ Release Published\n\nThe release has been successfully published and is now available.'
});
// Close the PR if it's still open
if (pr.data.state === 'open') {
await github.rest.pulls.update({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: prNumber,
state: 'closed'
});
console.log(`Closed PR #${prNumber}`);
}
// Delete the branch
try {
await github.rest.git.deleteRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: `heads/${branchName}`
});
console.log(`Deleted branch: ${branchName}`);
} catch (e) {
console.log(`Could not delete branch ${branchName}: ${e.message}`);
}
}
README.md
+25 -48
View File
@@ -12,52 +12,24 @@
<hr>
<h3 align="center">Every site on HTTPS</h3>
<p align="center">Caddy is an extensible server platform that uses TLS by default.</p>
<p align="center">
<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a>
<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
<br>
<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>
<a href="https://caddy.community" title="Caddy Forum"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg" alt="Caddy Forum"></a>
<br>
<a href="https://sourcegraph.com/github.com/caddyserver/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/caddyserver/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
<a href="https://cloudsmith.io/~caddy/repos/"><img src="https://img.shields.io/badge/OSS%20hosting%20by-cloudsmith-blue?logo=cloudsmith" alt="Cloudsmith"></a>
</p>
<p align="center">
<a href="https://github.com/caddyserver/caddy/releases">Releases</a> ·
<a href="https://caddyserver.com/docs/">Documentation</a> ·
<a href="https://caddy.community">Get Help</a>
</p>
<p align="center">
<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a>
&nbsp;
<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a>
&nbsp;
<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a>
&nbsp;
<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a>
&nbsp;
<a href="https://caddy.community" title="Caddy Forum"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg" alt="Caddy Forum"></a>
<br>
<a href="https://sourcegraph.com/github.com/caddyserver/caddy?badge" title="Caddy on Sourcegraph"><img src="https://sourcegraph.com/github.com/caddyserver/caddy/-/badge.svg" alt="Caddy on Sourcegraph"></a>
&nbsp;
<a href="https://cloudsmith.io/~caddy/repos/"><img src="https://img.shields.io/badge/OSS%20hosting%20by-cloudsmith-blue?logo=cloudsmith" alt="Cloudsmith"></a>
</p>
<p align="center">
<b>Powered by</b>
<br>
<a href="https://github.com/caddyserver/certmagic">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/55066419/206946718-740b6371-3df3-4d72-a822-47e4c48af999.png">
<source media="(prefers-color-scheme: light)" srcset="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png">
<img src="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png" alt="CertMagic" width="250">
</picture>
</a>
</p>
<!-- Warp sponsorship requests this section -->
<div align="center" markdown="1">
<hr>
<sup>Special thanks to:</sup>
<br>
<a href="https://go.warp.dev/caddy">
<img alt="Warp sponsorship" width="400" src="https://github.com/user-attachments/assets/c8efffde-18c7-4af4-83ed-b1aba2dda394">
</a>
### [Warp, built for coding with multiple AI agents](https://go.warp.dev/caddy)
[Available for MacOS, Linux, & Windows](https://go.warp.dev/caddy)<br>
</div>
<hr>
### Menu
@@ -72,6 +44,18 @@
- [Getting help](#getting-help)
- [About](#about)
<p align="center">
<b>Powered by</b>
<br>
<a href="https://github.com/caddyserver/certmagic">
<picture>
<source media="(prefers-color-scheme: dark)" srcset="https://user-images.githubusercontent.com/55066419/206946718-740b6371-3df3-4d72-a822-47e4c48af999.png">
<source media="(prefers-color-scheme: light)" srcset="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png">
<img src="https://user-images.githubusercontent.com/1128849/49704830-49d37200-fbd5-11e8-8385-767e0cd033c3.png" alt="CertMagic" width="250">
</picture>
</a>
</p>
## [Features](https://caddyserver.com/features)
@@ -133,18 +117,11 @@ username ALL=(ALL:ALL) NOPASSWD: /usr/sbin/setcap
replacing `username` with your actual username. Please be careful and only do this if you know what you are doing! We are only qualified to document how to use Caddy, not Go tooling or your computer, and we are providing these instructions for convenience only; please learn how to use your own computer at your own risk and make any needful adjustments.
Then you can run the tests in all modules or a specific one:
```bash
$ go test ./...
$ go test ./modules/caddyhttp/tracing/
```
### With version information and/or plugins
Using [our builder tool, `xcaddy`](https://github.com/caddyserver/xcaddy)...
```bash
```
$ xcaddy build
```
@@ -220,6 +197,6 @@ Matthew Holt began developing Caddy in 2014 while studying computer science at B
- _Project on X: [@caddyserver](https://x.com/caddyserver)_
- _Author on X: [@mholt6](https://x.com/mholt6)_
Caddy is a project of [ZeroSSL](https://zerossl.com), an HID Global company.
Caddy is a project of [ZeroSSL](https://zerossl.com), a Stack Holdings company.
Debian package repository hosting is graciously provided by [Cloudsmith](https://cloudsmith.com). Cloudsmith is the only fully hosted, cloud-native, universal package management solution, that enables your organization to create, store and share packages in any format, to any place, with total confidence.
admin.go
+4 -51
View File
@@ -47,12 +47,6 @@ import (
"go.uber.org/zap/zapcore"
)
// testCertMagicStorageOverride is a package-level test hook. Tests may set
// this variable to provide a temporary certmagic.Storage so that cert
// management in tests does not hit the real default storage on disk.
// This must NOT be set in production code.
var testCertMagicStorageOverride certmagic.Storage
func init() {
// The hard-coded default `DefaultAdminListen` can be overridden
// by setting the `CADDY_ADMIN` environment variable.
@@ -639,19 +633,8 @@ func (ident *IdentityConfig) certmagicConfig(logger *zap.Logger, makeCache bool)
// certmagic config, although it'll be mostly useless for remote management
ident = new(IdentityConfig)
}
// Choose storage: prefer the package-level test override when present,
// otherwise use the configured DefaultStorage. Tests may set an override
// to divert storage into a temporary location. Otherwise, in production
// we use the DefaultStorage since we don't want to act as part of a
// cluster; this storage is for the server's local identity only.
var storage certmagic.Storage
if testCertMagicStorageOverride != nil {
storage = testCertMagicStorageOverride
} else {
storage = DefaultStorage
}
template := certmagic.Config{
Storage: storage,
Storage: DefaultStorage, // do not act as part of a cluster (this is for the server's local identity)
Logger: logger,
Issuers: ident.issuers,
}
@@ -824,38 +807,13 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
}
}
// common mitigations in browser contexts
if strings.Contains(r.Header.Get("Upgrade"), "websocket") {
// I've never been able demonstrate a vulnerability myself, but apparently
// WebSocket connections originating from browsers aren't subject to CORS
// restrictions, so we'll just be on the safe side
h.handleError(w, r, APIError{
HTTPStatus: http.StatusBadRequest,
Err: errors.New("websocket connections aren't allowed"),
Message: "WebSocket connections aren't allowed.",
})
h.handleError(w, r, fmt.Errorf("websocket connections aren't allowed"))
return
}
if strings.Contains(r.Header.Get("Sec-Fetch-Mode"), "no-cors") {
// turns out web pages can just disable the same-origin policy (!???!?)
// but at least browsers let us know that's the case, holy heck
h.handleError(w, r, APIError{
HTTPStatus: http.StatusBadRequest,
Err: errors.New("client attempted to make request by disabling same-origin policy using no-cors mode"),
Message: "Disabling same-origin restrictions is not allowed.",
})
return
}
if r.Header.Get("Origin") == "null" {
// bug in Firefox in certain cross-origin situations (yikes?)
// (not strictly a security vuln on its own, but it's red flaggy,
// since it seems to manifest in cross-origin contexts)
h.handleError(w, r, APIError{
HTTPStatus: http.StatusBadRequest,
Err: errors.New("invalid origin 'null'"),
Message: "Buggy browser is sending null Origin header.",
})
}
if h.enforceHost {
// DNS rebinding mitigation
@@ -866,9 +824,7 @@ func (h adminHandler) serveHTTP(w http.ResponseWriter, r *http.Request) {
}
}
_, hasOriginHeader := r.Header["Origin"]
_, hasSecHeader := r.Header["Sec-Fetch-Mode"]
if h.enforceOrigin || hasOriginHeader || hasSecHeader {
if h.enforceOrigin {
// cross-site mitigation
origin, err := h.checkOrigin(r)
if err != nil {
@@ -1154,10 +1110,7 @@ func unsyncedConfigAccess(method, path string, body []byte, out io.Writer) error
if len(body) > 0 {
err = json.Unmarshal(body, &val)
if err != nil {
if jsonErr, ok := err.(*json.SyntaxError); ok {
return fmt.Errorf("decoding request body: %w, at offset %d", jsonErr, jsonErr.Offset)
}
return fmt.Errorf("decoding request body: %w", err)
return fmt.Errorf("decoding request body: %v", err)
}
}
admin_test.go
+9 -40
View File
@@ -22,11 +22,9 @@ import (
"maps"
"net/http"
"net/http/httptest"
"os"
"reflect"
"sync"
"testing"
"time"
"github.com/caddyserver/certmagic"
"github.com/prometheus/client_golang/prometheus"
@@ -277,12 +275,13 @@ func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
},
}
// Build the admin handler directly (no listener active)
addr, err := ParseNetworkAddress("localhost:2019")
err := replaceLocalAdminServer(cfg, Context{})
if err != nil {
t.Fatalf("Failed to parse address: %v", err)
t.Fatalf("setting up admin server: %v", err)
}
handler := cfg.Admin.newAdminHandler(addr, false, Context{})
defer func() {
stopAdminServer(localAdminServer)
}()
tests := []struct {
name string
@@ -315,7 +314,7 @@ func TestAdminHandlerBuiltinRouteErrors(t *testing.T) {
req := httptest.NewRequest(test.method, fmt.Sprintf("http://localhost:2019%s", test.path), nil)
rr := httptest.NewRecorder()
handler.ServeHTTP(rr, req)
localAdminServer.Handler.ServeHTTP(rr, req)
if rr.Code != test.expectedStatus {
t.Errorf("expected status %d but got %d", test.expectedStatus, rr.Code)
@@ -800,24 +799,8 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRS0LmTwUT0iwP
...
-----END PRIVATE KEY-----`)
tmpDir, err := os.MkdirTemp("", "TestManageIdentity-")
if err != nil {
t.Fatal(err)
}
testStorage := certmagic.FileStorage{Path: tmpDir}
// Clean up the temp dir after the test finishes. Ensure any background
// certificate maintenance is stopped first to avoid RemoveAll races.
t.Cleanup(func() {
if identityCertCache != nil {
identityCertCache.Stop()
identityCertCache = nil
}
// Give goroutines a moment to exit and release file handles.
time.Sleep(50 * time.Millisecond)
_ = os.RemoveAll(tmpDir)
})
err = testStorage.Store(context.Background(), "localhost/localhost.crt", certPEM)
testStorage := certmagic.FileStorage{Path: t.TempDir()}
err := testStorage.Store(context.Background(), "localhost/localhost.crt", certPEM)
if err != nil {
t.Fatal(err)
}
@@ -879,7 +862,7 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRS0LmTwUT0iwP
},
},
},
storage: &testStorage,
storage: &certmagic.FileStorage{Path: "testdata"},
},
checkState: func(t *testing.T, cfg *Config) {
if len(cfg.Admin.Identity.issuers) != 1 {
@@ -917,13 +900,6 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRS0LmTwUT0iwP
identityCertCache.Stop()
identityCertCache = nil
}
// Ensure any cache started by manageIdentity is stopped at the end
defer func() {
if identityCertCache != nil {
identityCertCache.Stop()
identityCertCache = nil
}
}()
ctx := Context{
Context: context.Background(),
@@ -931,13 +907,6 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDRS0LmTwUT0iwP
moduleInstances: make(map[string][]Module),
}
// If this test provided a FileStorage, set the package-level
// testCertMagicStorageOverride so certmagicConfig will use it.
if test.cfg != nil && test.cfg.storage != nil {
testCertMagicStorageOverride = test.cfg.storage
defer func() { testCertMagicStorageOverride = nil }()
}
err := manageIdentity(ctx, test.cfg)
if test.wantErr {
caddy.go
+7 -7
View File
@@ -147,8 +147,8 @@ func Load(cfgJSON []byte, forceReload bool) error {
// the new value (if applicable; i.e. "DELETE" doesn't have an input).
// If the resulting config is the same as the previous, no reload will
// occur unless forceReload is true. If the config is unchanged and not
// forcefully reloaded, then errConfigUnchanged is returned. This function
// is safe for concurrent use.
// forcefully reloaded, then errConfigUnchanged This function is safe for
// concurrent use.
// The ifMatchHeader can optionally be given a string of the format:
//
// "<path> <hash>"
@@ -1092,7 +1092,7 @@ type Event struct {
}
// NewEvent creates a new event, but does not emit the event. To emit an
// event, call Emit() on the current instance of the caddyevents app instead.
// event, call Emit() on the current instance of the caddyevents app insteaad.
//
// EXPERIMENTAL: Subject to change.
func NewEvent(ctx Context, name string, data map[string]any) (Event, error) {
@@ -1250,10 +1250,10 @@ func getLastConfig() (file, adapter string, fn reloadFromSourceFunc) {
// lastConfigMatches returns true if the provided source file and/or adapter
// matches the recorded last-config. Matching rules (in priority order):
// 1. If srcAdapter is provided and differs from the recorded adapter, no match.
// 2. If srcFile exactly equals the recorded file, match.
// 3. If both sides can be made absolute and equal, match.
// 4. If basenames are equal, match.
// 1. If srcAdapter is provided and differs from the recorded adapter, no match.
// 2. If srcFile exactly equals the recorded file, match.
// 3. If both sides can be made absolute and equal, match.
// 4. If basenames are equal, match.
func lastConfigMatches(srcFile, srcAdapter string) bool {
lf, la, _ := getLastConfig()
caddyconfig/caddyfile/formatter.go
-10
View File
@@ -18,7 +18,6 @@ import (
"bytes"
"io"
"slices"
"strings"
"unicode"
)
@@ -210,15 +209,6 @@ func Format(input []byte) []byte {
}
}
if strings.Contains(quotes, "`") {
if ch == '`' && space && !beginningOfLine {
write(' ')
}
write(ch)
space = false
continue
}
if unicode.IsSpace(ch) {
space = true
heredocEscaped = false
caddyconfig/caddyfile/formatter_test.go
-11
View File
@@ -464,17 +464,6 @@ block2 {
}
`,
},
{
description: "issue #7425: multiline backticked string indentation",
input: `https://localhost:8953 {
respond ` + "`" + `Here are some random numbers:
{{randNumeric 16}}
Hope this helps.` + "`" + `
}`,
expect: "https://localhost:8953 {\n\trespond `Here are some random numbers:\n\n{{randNumeric 16}}\n\nHope this helps.`\n}",
},
} {
// the formatter should output a trailing newline,
// even if the tests aren't written to expect that
caddyconfig/caddyfile/parse.go
+1 -1
View File
@@ -761,7 +761,7 @@ type ServerBlock struct {
}
func (sb ServerBlock) GetKeysText() []string {
res := make([]string, 0, len(sb.Keys))
res := []string{}
for _, k := range sb.Keys {
res = append(res, k.Text)
}
caddyconfig/configadapters.go
+1 -5
View File
@@ -81,11 +81,7 @@ func JSONModuleObject(val any, fieldName, fieldVal string, warnings *[]Warning)
err = json.Unmarshal(enc, &tmp)
if err != nil {
if warnings != nil {
message := err.Error()
if jsonErr, ok := err.(*json.SyntaxError); ok {
message = fmt.Sprintf("%v, at offset %d", jsonErr.Error(), jsonErr.Offset)
}
*warnings = append(*warnings, Warning{Message: message})
*warnings = append(*warnings, Warning{Message: err.Error()})
}
return nil
}
caddyconfig/httpcaddyfile/builtins.go
-25
View File
@@ -113,7 +113,6 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// issuer <module_name> [...]
// get_certificate <module_name> [...]
// insecure_secrets_log <log_file>
// renewal_window_ratio <ratio>
// }
func parseTLS(h Helper) ([]ConfigValue, error) {
h.Next() // consume directive name
@@ -130,7 +129,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
var onDemand bool
var reusePrivateKeys bool
var forceAutomate bool
var renewalWindowRatio float64
// Track which DNS challenge options are set
var dnsOptionsSet []string
@@ -475,20 +473,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
cp.InsecureSecretsLog = h.Val()
case "renewal_window_ratio":
arg := h.RemainingArgs()
if len(arg) != 1 {
return nil, h.ArgErr()
}
ratio, err := strconv.ParseFloat(arg[0], 64)
if err != nil {
return nil, h.Errf("parsing renewal_window_ratio: %v", err)
}
if ratio <= 0 || ratio >= 1 {
return nil, h.Errf("renewal_window_ratio must be between 0 and 1 (exclusive)")
}
renewalWindowRatio = ratio
default:
return nil, h.Errf("unknown subdirective: %s", h.Val())
}
@@ -613,14 +597,6 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
})
}
// renewal window ratio
if renewalWindowRatio > 0 {
configVals = append(configVals, ConfigValue{
Class: "tls.renewal_window_ratio",
Value: renewalWindowRatio,
})
}
// if enabled, the names in the site addresses will be
// added to the automation policies
if forceAutomate {
@@ -954,7 +930,6 @@ func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue
// modifications to the parsing behavior.
parseAsGlobalOption := globalLogNames != nil
// nolint:prealloc
var configValues []ConfigValue
// Logic below expects that a name is always present when a
caddyconfig/httpcaddyfile/httptype.go
-14
View File
@@ -851,20 +851,6 @@ func (st *ServerType) serversFromPairings(
srv.ListenerWrappersRaw = append(srv.ListenerWrappersRaw, jsonListenerWrapper)
}
// Look for any config values that provide packet conn wrappers on the server block
for _, listenerConfig := range sblock.pile["packet_conn_wrapper"] {
packetConnWrapper, ok := listenerConfig.Value.(caddy.PacketConnWrapper)
if !ok {
return nil, fmt.Errorf("config for a packet conn wrapper did not provide a value that implements caddy.PacketConnWrapper")
}
jsonPacketConnWrapper := caddyconfig.JSONModuleObject(
packetConnWrapper,
"wrapper",
packetConnWrapper.(caddy.Module).CaddyModule().ID.Name(),
warnings)
srv.PacketConnWrappersRaw = append(srv.PacketConnWrappersRaw, jsonPacketConnWrapper)
}
// set up each handler directive, making sure to honor directive order
dirRoutes := sblock.pile["route"]
siteSubroute, err := buildSubroute(dirRoutes, groupCounter, true)
caddyconfig/httpcaddyfile/options.go
+2 -23
View File
@@ -65,7 +65,6 @@ func init() {
RegisterGlobalOption("persist_config", parseOptPersistConfig)
RegisterGlobalOption("dns", parseOptDNS)
RegisterGlobalOption("ech", parseOptECH)
RegisterGlobalOption("renewal_window_ratio", parseOptRenewalWindowRatio)
}
func parseOptTrue(d *caddyfile.Dispenser, _ any) (any, error) { return true, nil }
@@ -458,8 +457,9 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ any) (any, error) {
case "disable_redirects":
case "disable_certs":
case "ignore_loaded_certs":
case "prefer_wildcard":
default:
return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', or 'ignore_loaded_certs'")
return "", d.Errf("auto_https must be one of 'off', 'disable_redirects', 'disable_certs', 'ignore_loaded_certs', or 'prefer_wildcard'")
}
}
return val, nil
@@ -472,8 +472,6 @@ func unmarshalCaddyfileMetricsOptions(d *caddyfile.Dispenser) (any, error) {
switch d.Val() {
case "per_host":
metrics.PerHost = true
case "observe_catchall_hosts":
metrics.ObserveCatchallHosts = true
default:
return nil, d.Errf("unrecognized servers option '%s'", d.Val())
}
@@ -625,22 +623,3 @@ func parseOptECH(d *caddyfile.Dispenser, _ any) (any, error) {
return ech, nil
}
func parseOptRenewalWindowRatio(d *caddyfile.Dispenser, _ any) (any, error) {
d.Next() // consume option name
if !d.Next() {
return 0, d.ArgErr()
}
val := d.Val()
ratio, err := strconv.ParseFloat(val, 64)
if err != nil {
return 0, d.Errf("parsing renewal_window_ratio: %v", err)
}
if ratio <= 0 || ratio >= 1 {
return 0, d.Errf("renewal_window_ratio must be between 0 and 1 (exclusive)")
}
if d.Next() {
return 0, d.ArgErr()
}
return ratio, nil
}
caddyconfig/httpcaddyfile/pkiapp.go
+5 -28
View File
@@ -16,7 +16,6 @@ package httpcaddyfile
import (
"slices"
"strconv"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
@@ -28,16 +27,14 @@ func init() {
RegisterGlobalOption("pki", parsePKIApp)
}
// parsePKIApp parses the global pki option. Syntax:
// parsePKIApp parses the global log option. Syntax:
//
// pki {
// ca [<id>] {
// name <name>
// root_cn <name>
// intermediate_cn <name>
// intermediate_lifetime <duration>
// maintenance_interval <duration>
// renewal_window_ratio <ratio>
// name <name>
// root_cn <name>
// intermediate_cn <name>
// intermediate_lifetime <duration>
// root {
// cert <path>
// key <path>
@@ -102,26 +99,6 @@ func parsePKIApp(d *caddyfile.Dispenser, existingVal any) (any, error) {
}
pkiCa.IntermediateLifetime = caddy.Duration(dur)
case "maintenance_interval":
if !d.NextArg() {
return nil, d.ArgErr()
}
dur, err := caddy.ParseDuration(d.Val())
if err != nil {
return nil, err
}
pkiCa.MaintenanceInterval = caddy.Duration(dur)
case "renewal_window_ratio":
if !d.NextArg() {
return nil, d.ArgErr()
}
ratio, err := strconv.ParseFloat(d.Val(), 64)
if err != nil || ratio <= 0 || ratio > 1 {
return nil, d.Errf("renewal_window_ratio must be a number in (0, 1], got %s", d.Val())
}
pkiCa.RenewalWindowRatio = ratio
case "root":
if pkiCa.Root == nil {
pkiCa.Root = new(caddypki.KeyPair)
caddyconfig/httpcaddyfile/pkiapp_test.go
-86
View File
@@ -1,86 +0,0 @@
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package httpcaddyfile
import (
"encoding/json"
"testing"
"time"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
)
func TestParsePKIApp_maintenanceIntervalAndRenewalWindowRatio(t *testing.T) {
input := `{
pki {
ca local {
maintenance_interval 5m
renewal_window_ratio 0.15
}
}
}
:8080 {
}
`
adapter := caddyfile.Adapter{ServerType: ServerType{}}
out, _, err := adapter.Adapt([]byte(input), nil)
if err != nil {
t.Fatalf("Adapt failed: %v", err)
}
var cfg struct {
Apps struct {
PKI struct {
CertificateAuthorities map[string]struct {
MaintenanceInterval int64 `json:"maintenance_interval,omitempty"`
RenewalWindowRatio float64 `json:"renewal_window_ratio,omitempty"`
} `json:"certificate_authorities,omitempty"`
} `json:"pki,omitempty"`
} `json:"apps"`
}
if err := json.Unmarshal(out, &cfg); err != nil {
t.Fatalf("unmarshal config: %v", err)
}
ca, ok := cfg.Apps.PKI.CertificateAuthorities["local"]
if !ok {
t.Fatal("expected certificate_authorities.local to exist")
}
wantInterval := 5 * time.Minute.Nanoseconds()
if ca.MaintenanceInterval != wantInterval {
t.Errorf("maintenance_interval = %d, want %d (5m)", ca.MaintenanceInterval, wantInterval)
}
if ca.RenewalWindowRatio != 0.15 {
t.Errorf("renewal_window_ratio = %v, want 0.15", ca.RenewalWindowRatio)
}
}
func TestParsePKIApp_renewalWindowRatioInvalid(t *testing.T) {
input := `{
pki {
ca local {
renewal_window_ratio 1.5
}
}
}
:8080 {
}
`
adapter := caddyfile.Adapter{ServerType: ServerType{}}
_, _, err := adapter.Adapt([]byte(input), nil)
if err == nil {
t.Error("expected error for renewal_window_ratio > 1")
}
}
caddyconfig/httpcaddyfile/serveroptions.go
+20 -57
View File
@@ -36,30 +36,26 @@ type serverOptions struct {
ListenerAddress string
// These will all map 1:1 to the caddyhttp.Server struct
Name string
ListenerWrappersRaw []json.RawMessage
PacketConnWrappersRaw []json.RawMessage
ReadTimeout caddy.Duration
ReadHeaderTimeout caddy.Duration
WriteTimeout caddy.Duration
IdleTimeout caddy.Duration
KeepAliveInterval caddy.Duration
KeepAliveIdle caddy.Duration
KeepAliveCount int
MaxHeaderBytes int
EnableFullDuplex bool
Protocols []string
StrictSNIHost *bool
TrustedProxiesRaw json.RawMessage
TrustedProxiesStrict int
TrustedProxiesUnix bool
ClientIPHeaders []string
ShouldLogCredentials bool
Metrics *caddyhttp.Metrics
Trace bool // TODO: EXPERIMENTAL
// If set, overrides whether QUIC listeners allow 0-RTT (early data).
// If nil, the default behavior is used (currently allowed).
Allow0RTT *bool
Name string
ListenerWrappersRaw []json.RawMessage
ReadTimeout caddy.Duration
ReadHeaderTimeout caddy.Duration
WriteTimeout caddy.Duration
IdleTimeout caddy.Duration
KeepAliveInterval caddy.Duration
KeepAliveIdle caddy.Duration
KeepAliveCount int
MaxHeaderBytes int
EnableFullDuplex bool
Protocols []string
StrictSNIHost *bool
TrustedProxiesRaw json.RawMessage
TrustedProxiesStrict int
TrustedProxiesUnix bool
ClientIPHeaders []string
ShouldLogCredentials bool
Metrics *caddyhttp.Metrics
Trace bool // TODO: EXPERIMENTAL
}
func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
@@ -103,26 +99,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
serverOpts.ListenerWrappersRaw = append(serverOpts.ListenerWrappersRaw, jsonListenerWrapper)
}
case "packet_conn_wrappers":
for nesting := d.Nesting(); d.NextBlock(nesting); {
modID := "caddy.packetconns." + d.Val()
unm, err := caddyfile.UnmarshalModule(d, modID)
if err != nil {
return nil, err
}
packetConnWrapper, ok := unm.(caddy.PacketConnWrapper)
if !ok {
return nil, fmt.Errorf("module %s (%T) is not a packet conn wrapper", modID, unm)
}
jsonPacketConnWrapper := caddyconfig.JSONModuleObject(
packetConnWrapper,
"wrapper",
packetConnWrapper.(caddy.Module).CaddyModule().ID.Name(),
nil,
)
serverOpts.PacketConnWrappersRaw = append(serverOpts.PacketConnWrappersRaw, jsonPacketConnWrapper)
}
case "timeouts":
for nesting := d.Nesting(); d.NextBlock(nesting); {
switch d.Val() {
@@ -312,17 +288,6 @@ func unmarshalCaddyfileServerOptions(d *caddyfile.Dispenser) (any, error) {
}
serverOpts.Trace = true
case "0rtt":
// only supports "off" for now
if !d.NextArg() {
return nil, d.ArgErr()
}
if d.Val() != "off" {
return nil, d.Errf("unsupported 0rtt argument '%s' (only 'off' is supported)", d.Val())
}
boolVal := false
serverOpts.Allow0RTT = &boolVal
default:
return nil, d.Errf("unrecognized servers option '%s'", d.Val())
}
@@ -370,7 +335,6 @@ func applyServerOptions(
// set all the options
server.ListenerWrappersRaw = opts.ListenerWrappersRaw
server.PacketConnWrappersRaw = opts.PacketConnWrappersRaw
server.ReadTimeout = opts.ReadTimeout
server.ReadHeaderTimeout = opts.ReadHeaderTimeout
server.WriteTimeout = opts.WriteTimeout
@@ -387,7 +351,6 @@ func applyServerOptions(
server.TrustedProxiesStrict = opts.TrustedProxiesStrict
server.TrustedProxiesUnix = opts.TrustedProxiesUnix
server.Metrics = opts.Metrics
server.Allow0RTT = opts.Allow0RTT
if opts.ShouldLogCredentials {
if server.Logs == nil {
server.Logs = new(caddyhttp.ServerLogConfig)
caddyconfig/httpcaddyfile/tlsapp.go
+55 -14
View File
@@ -92,8 +92,26 @@ func (st ServerType) buildTLSApp(
tlsApp.Automation.Policies = append(tlsApp.Automation.Policies, catchAllAP)
}
var wildcardHosts []string // collect all hosts that have a wildcard in them, and aren't HTTP
forcedAutomatedNames := make(map[string]struct{}) // explicitly configured to be automated, even if covered by a wildcard
for _, p := range pairings {
var addresses []string
for _, addressWithProtocols := range p.addressesWithProtocols {
addresses = append(addresses, addressWithProtocols.address)
}
if !listenersUseAnyPortOtherThan(addresses, httpPort) {
continue
}
for _, sblock := range p.serverBlocks {
for _, addr := range sblock.parsedKeys {
if strings.HasPrefix(addr.Host, "*.") {
wildcardHosts = append(wildcardHosts, addr.Host[2:])
}
}
}
}
for _, p := range pairings {
// avoid setting up TLS automation policies for a server that is HTTP-only
var addresses []string
@@ -117,6 +135,12 @@ func (st ServerType) buildTLSApp(
return nil, warnings, err
}
// make a plain copy so we can compare whether we made any changes
apCopy, err := newBaseAutomationPolicy(options, warnings, true)
if err != nil {
return nil, warnings, err
}
sblockHosts := sblock.hostsFromKeys(false)
if len(sblockHosts) == 0 && catchAllAP != nil {
ap = catchAllAP
@@ -143,12 +167,6 @@ func (st ServerType) buildTLSApp(
ap.KeyType = keyTypeVals[0].Value.(string)
}
if renewalWindowRatioVals, ok := sblock.pile["tls.renewal_window_ratio"]; ok {
ap.RenewalWindowRatio = renewalWindowRatioVals[0].Value.(float64)
} else if globalRenewalWindowRatio, ok := options["renewal_window_ratio"]; ok {
ap.RenewalWindowRatio = globalRenewalWindowRatio.(float64)
}
// certificate issuers
if issuerVals, ok := sblock.pile["tls.cert_issuer"]; ok {
var issuers []certmagic.Issuer
@@ -235,6 +253,16 @@ func (st ServerType) buildTLSApp(
hostsNotHTTP := sblock.hostsFromKeysNotHTTP(httpPort)
sort.Strings(hostsNotHTTP) // solely for deterministic test results
// if the we prefer wildcards and the AP is unchanged,
// then we can skip this AP because it should be covered
// by an AP with a wildcard
if slices.Contains(autoHTTPS, "prefer_wildcard") {
if hostsCoveredByWildcard(hostsNotHTTP, wildcardHosts) &&
reflect.DeepEqual(ap, apCopy) {
continue
}
}
// associate our new automation policy with this server block's hosts
ap.SubjectsRaw = hostsNotHTTP
@@ -548,8 +576,9 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
if acmeIssuer.Challenges.DNS == nil {
acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
}
if globalACMEDNS != nil && acmeIssuer.Challenges.DNS.ProviderRaw == nil {
// Set a global DNS provider if `acme_dns` is set
// If global `dns` is set, do NOT set provider in issuer, just set empty dns config
if globalDNS == nil && acmeIssuer.Challenges.DNS.ProviderRaw == nil {
// Set a global DNS provider if `acme_dns` is set and `dns` is NOT set
acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(globalACMEDNS, "name", globalACMEDNS.(caddy.Module).CaddyModule().ID.Name(), nil)
}
}
@@ -612,8 +641,7 @@ func newBaseAutomationPolicy(
_, hasLocalCerts := options["local_certs"]
keyType, hasKeyType := options["key_type"]
ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
renewalWindowRatio, hasRenewalWindowRatio := options["renewal_window_ratio"]
hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling || hasRenewalWindowRatio
hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
globalACMECA := options["acme_ca"]
globalACMECARoot := options["acme_ca_root"]
@@ -660,10 +688,6 @@ func newBaseAutomationPolicy(
ap.OCSPOverrides = ocspConfig.ResponderOverrides
}
if hasRenewalWindowRatio {
ap.RenewalWindowRatio = renewalWindowRatio.(float64)
}
return ap, nil
}
@@ -825,3 +849,20 @@ func automationPolicyHasAllPublicNames(ap *caddytls.AutomationPolicy) bool {
func isTailscaleDomain(name string) bool {
return strings.HasSuffix(strings.ToLower(name), ".ts.net")
}
func hostsCoveredByWildcard(hosts []string, wildcards []string) bool {
if len(hosts) == 0 || len(wildcards) == 0 {
return false
}
for _, host := range hosts {
for _, wildcard := range wildcards {
if strings.HasPrefix(host, "*.") {
continue
}
if certmagic.MatchWildcard(host, "*."+wildcard) {
return true
}
}
}
return false
}
caddyconfig/httploader.go
+1 -1
View File
@@ -136,7 +136,7 @@ func (hl HTTPLoader) LoadConfig(ctx caddy.Context) ([]byte, error) {
}
func attemptHttpCall(client *http.Client, request *http.Request) (*http.Response, error) {
resp, err := client.Do(request) //nolint:gosec // no SSRF; comes from trusted config
resp, err := client.Do(request)
if err != nil {
return nil, fmt.Errorf("problem calling http loader url: %v", err)
} else if resp.StatusCode < 200 || resp.StatusCode > 499 {
caddyconfig/load.go
+1 -1
View File
@@ -106,7 +106,7 @@ func (adminLoad) handleLoad(w http.ResponseWriter, r *http.Request) error {
if err != nil {
caddy.Log().Named("admin.api.load").Error(err.Error())
}
_, _ = w.Write(respBody) //nolint:gosec // false positive: no XSS here
_, _ = w.Write(respBody)
}
body = result
}
caddytest/caddytest.go
+3 -25
View File
@@ -187,7 +187,7 @@ func (tc *Tester) initServer(rawConfig string, configType string) error {
req.Header.Add("Content-Type", "text/"+configType)
}
res, err := client.Do(req) //nolint:gosec // no SSRF because URL is hard-coded to localhost, and port comes from config
res, err := client.Do(req)
if err != nil {
tc.t.Errorf("unable to contact caddy server. %s", err)
return err
@@ -279,7 +279,7 @@ func validateTestPrerequisites(tc *Tester) error {
return err
}
tc.t.Cleanup(func() {
os.Remove(f.Name()) //nolint:gosec // false positive, filename comes from std lib, no path traversal
os.Remove(f.Name())
})
if _, err := fmt.Fprintf(f, initConfig, tc.config.AdminPort); err != nil {
return err
@@ -362,8 +362,6 @@ func CreateTestingTransport() *http.Transport {
// AssertLoadError will load a config and expect an error
func AssertLoadError(t *testing.T, rawConfig string, configType string, expectedError string) {
t.Helper()
tc := NewTester(t)
err := tc.initServer(rawConfig, configType)
@@ -374,8 +372,6 @@ func AssertLoadError(t *testing.T, rawConfig string, configType string, expected
// AssertRedirect makes a request and asserts the redirection happens
func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, expectedStatusCode int) *http.Response {
tc.t.Helper()
redirectPolicyFunc := func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
}
@@ -413,8 +409,6 @@ func (tc *Tester) AssertRedirect(requestURI string, expectedToLocation string, e
// CompareAdapt adapts a config and then compares it against an expected result
func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string, expectedResponse string) bool {
t.Helper()
cfgAdapter := caddyconfig.GetAdapter(adapterName)
if cfgAdapter == nil {
t.Logf("unrecognized config adapter '%s'", adapterName)
@@ -474,8 +468,6 @@ func CompareAdapt(t testing.TB, filename, rawConfig string, adapterName string,
// AssertAdapt adapts a config and then tests it against an expected result
func AssertAdapt(t testing.TB, rawConfig string, adapterName string, expectedResponse string) {
t.Helper()
ok := CompareAdapt(t, "Caddyfile", rawConfig, adapterName, expectedResponse)
if !ok {
t.Fail()
@@ -504,9 +496,7 @@ func applyHeaders(t testing.TB, req *http.Request, requestHeaders []string) {
// AssertResponseCode will execute the request and verify the status code, returns a response for additional assertions
func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int) *http.Response {
tc.t.Helper()
resp, err := tc.Client.Do(req) //nolint:gosec // no SSRFs demonstrated
resp, err := tc.Client.Do(req)
if err != nil {
tc.t.Fatalf("failed to call server %s", err)
}
@@ -520,8 +510,6 @@ func (tc *Tester) AssertResponseCode(req *http.Request, expectedStatusCode int)
// AssertResponse request a URI and assert the status code and the body contains a string
func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expectedBody string) (*http.Response, string) {
tc.t.Helper()
resp := tc.AssertResponseCode(req, expectedStatusCode)
defer resp.Body.Close()
@@ -543,8 +531,6 @@ func (tc *Tester) AssertResponse(req *http.Request, expectedStatusCode int, expe
// AssertGetResponse GET a URI and expect a statusCode and body text
func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
tc.t.Helper()
req, err := http.NewRequest("GET", requestURI, nil)
if err != nil {
tc.t.Fatalf("unable to create request %s", err)
@@ -555,8 +541,6 @@ func (tc *Tester) AssertGetResponse(requestURI string, expectedStatusCode int, e
// AssertDeleteResponse request a URI and expect a statusCode and body text
func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int, expectedBody string) (*http.Response, string) {
tc.t.Helper()
req, err := http.NewRequest("DELETE", requestURI, nil)
if err != nil {
tc.t.Fatalf("unable to create request %s", err)
@@ -567,8 +551,6 @@ func (tc *Tester) AssertDeleteResponse(requestURI string, expectedStatusCode int
// AssertPostResponseBody POST to a URI and assert the response code and body
func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
tc.t.Helper()
req, err := http.NewRequest("POST", requestURI, requestBody)
if err != nil {
tc.t.Errorf("failed to create request %s", err)
@@ -582,8 +564,6 @@ func (tc *Tester) AssertPostResponseBody(requestURI string, requestHeaders []str
// AssertPutResponseBody PUT to a URI and assert the response code and body
func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
tc.t.Helper()
req, err := http.NewRequest("PUT", requestURI, requestBody)
if err != nil {
tc.t.Errorf("failed to create request %s", err)
@@ -597,8 +577,6 @@ func (tc *Tester) AssertPutResponseBody(requestURI string, requestHeaders []stri
// AssertPatchResponseBody PATCH to a URI and assert the response code and body
func (tc *Tester) AssertPatchResponseBody(requestURI string, requestHeaders []string, requestBody *bytes.Buffer, expectedStatusCode int, expectedBody string) (*http.Response, string) {
tc.t.Helper()
req, err := http.NewRequest("PATCH", requestURI, requestBody)
if err != nil {
tc.t.Errorf("failed to create request %s", err)
caddytest/integration/acmeserver_test.go
+2 -2
View File
@@ -127,7 +127,7 @@ func TestACMEServerAllowPolicy(t *testing.T) {
_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"not-matching.localhost"})
if err == nil {
t.Errorf("obtaining certificate for 'not-matching.localhost' domain")
} else if !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
t.Logf("unexpected error: %v", err)
}
}
@@ -200,7 +200,7 @@ func TestACMEServerDenyPolicy(t *testing.T) {
_, err := client.ObtainCertificateForSANs(ctx, account, certPrivateKey, []string{"deny.localhost"})
if err == nil {
t.Errorf("obtaining certificate for 'deny.localhost' domain")
} else if !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
} else if err != nil && !strings.Contains(err.Error(), "urn:ietf:params:acme:error:rejectedIdentifier") {
t.Logf("unexpected error: %v", err)
}
}
caddytest/integration/caddyfile_adapt/global_server_options_single.caddyfiletest
+1 -3
View File
@@ -21,7 +21,6 @@
keepalive_interval 20s
keepalive_idle 20s
keepalive_count 10
0rtt off
}
}
@@ -91,8 +90,7 @@ foo.com {
"h2",
"h2c",
"h3"
],
"allow_0rtt": false
]
}
}
}
caddytest/integration/caddyfile_adapt/renewal_window_ratio_global.caddyfiletest
-41
View File
@@ -1,41 +0,0 @@
{
renewal_window_ratio 0.1666
}
example.com {
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"example.com"
]
}
],
"terminal": true
}
]
}
}
},
"tls": {
"automation": {
"policies": [
{
"renewal_window_ratio": 0.1666
}
]
}
}
}
}
caddytest/integration/caddyfile_adapt/renewal_window_ratio_tls_directive.caddyfiletest
-63
View File
@@ -1,63 +0,0 @@
{
renewal_window_ratio 0.1666
}
a.example.com {
tls {
renewal_window_ratio 0.25
}
}
b.example.com {
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"a.example.com"
]
}
],
"terminal": true
},
{
"match": [
{
"host": [
"b.example.com"
]
}
],
"terminal": true
}
]
}
}
},
"tls": {
"automation": {
"policies": [
{
"subjects": [
"a.example.com"
],
"renewal_window_ratio": 0.25
},
{
"renewal_window_ratio": 0.1666
}
]
}
}
}
}
caddytest/integration/caddyfile_adapt/tls_acme_dns_override_global_dns.caddyfiletest
-83
View File
@@ -1,83 +0,0 @@
{
dns mock foo
acme_dns mock bar
}
localhost {
tls {
resolvers 8.8.8.8 8.8.4.4
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"localhost"
]
}
],
"terminal": true
}
]
}
}
},
"tls": {
"automation": {
"policies": [
{
"subjects": [
"localhost"
],
"issuers": [
{
"challenges": {
"dns": {
"provider": {
"argument": "bar",
"name": "mock"
},
"resolvers": [
"8.8.8.8",
"8.8.4.4"
]
}
},
"module": "acme"
}
]
},
{
"issuers": [
{
"challenges": {
"dns": {
"provider": {
"argument": "bar",
"name": "mock"
}
}
},
"module": "acme"
}
]
}
]
},
"dns": {
"argument": "foo",
"name": "mock"
}
}
}
}
caddytest/integration/listener_test.go
+2 -2
View File
@@ -3,7 +3,7 @@ package integration
import (
"bytes"
"fmt"
"math/rand/v2"
"math/rand"
"net"
"net/http"
"strings"
@@ -54,7 +54,7 @@ func TestHTTPRedirectWrapperWithLargeUpload(t *testing.T) {
const uploadSize = (1024 * 1024) + 1 // 1 MB + 1 byte
// 1 more than an MB
body := make([]byte, uploadSize)
rand.NewChaCha8([32]byte{}).Read(body)
rand.New(rand.NewSource(0)).Read(body)
tester := setupListenerWrapperTest(t, func(writer http.ResponseWriter, request *http.Request) {
buf := new(bytes.Buffer)
caddytest/integration/pki_test.go
+2 -2
View File
@@ -53,7 +53,7 @@ func TestLeafCertLifetimeLessThanIntermediate(t *testing.T) {
}
}
}
`, "json", "should be less than intermediate certificate lifetime")
`, "json", "certificate lifetime (168h0m0s) should be less than intermediate certificate lifetime (168h0m0s)")
}
func TestIntermediateLifetimeLessThanRoot(t *testing.T) {
@@ -103,5 +103,5 @@ func TestIntermediateLifetimeLessThanRoot(t *testing.T) {
}
}
}
`, "json", "intermediate certificate lifetime must be less than actual root certificate lifetime")
`, "json", "intermediate certificate lifetime must be less than root certificate lifetime (86400h0m0s)")
}
caddytest/integration/reverseproxy_test.go
+9 -35
View File
@@ -8,6 +8,7 @@ import (
"runtime"
"strings"
"testing"
"time"
"github.com/caddyserver/caddy/v2/caddytest"
)
@@ -326,41 +327,6 @@ func TestReverseProxyWithPlaceholderTCPDialAddress(t *testing.T) {
}
func TestReverseProxyHealthCheck(t *testing.T) {
// Start lightweight backend servers so they're ready before Caddy's
// active health checker runs; this avoids a startup race where the
// health checker probes backends that haven't yet begun accepting
// connections and marks them unhealthy.
//
// This mirrors how health checks are typically used in practice (to a separate
// backend service) and avoids probing the same Caddy instance while it's still
// provisioning and not ready to accept connections.
// backend server that responds to proxied requests
helloSrv := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
_, _ = w.Write([]byte("Hello, World!"))
}),
}
ln0, err := net.Listen("tcp", "127.0.0.1:2020")
if err != nil {
t.Fatalf("failed to listen on 127.0.0.1:2020: %v", err)
}
go helloSrv.Serve(ln0)
t.Cleanup(func() { helloSrv.Close(); ln0.Close() })
// backend server that serves health checks
healthSrv := &http.Server{
Handler: http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
_, _ = w.Write([]byte("ok"))
}),
}
ln1, err := net.Listen("tcp", "127.0.0.1:2021")
if err != nil {
t.Fatalf("failed to listen on 127.0.0.1:2021: %v", err)
}
go healthSrv.Serve(ln1)
t.Cleanup(func() { healthSrv.Close(); ln1.Close() })
tester := caddytest.NewTester(t)
tester.InitServer(`
{
@@ -370,6 +336,12 @@ func TestReverseProxyHealthCheck(t *testing.T) {
https_port 9443
grace_period 1ns
}
http://localhost:2020 {
respond "Hello, World!"
}
http://localhost:2021 {
respond "ok"
}
http://localhost:9080 {
reverse_proxy {
to localhost:2020
@@ -383,6 +355,8 @@ func TestReverseProxyHealthCheck(t *testing.T) {
}
}
`, "caddyfile")
time.Sleep(100 * time.Millisecond) // TODO: for some reason this test seems particularly flaky, getting 503 when it should be 200, unless we wait
tester.AssertGetResponse("http://localhost:9080/", 200, "Hello, World!")
}
caddytest/spec/http/basicauth/spec.hurl
+38
View File
@@ -0,0 +1,38 @@
# Configure Caddy
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
debug
}
localhost {
log
basic_auth {
john $2a$14$x4HlYwA9Zeer4RkMEYbUzug9XxWmncneR.dcMs.UjalR95URnHg5.
}
respond "Hello, World!"
}
```
# requests without `Authorization` header are rejected with 401
GET https://localhost:9443
[Options]
insecure: true
HTTP 401
[Asserts]
header "WWW-Authenticate" == "Basic realm=\"restricted\""
# requests with `Authorization` header are accepted with 200
GET https://localhost:9443
[BasicAuth]
john:password
[Options]
insecure: true
HTTP 200
[Asserts]
`Hello, World!`
caddytest/spec/http/error/spec.hurl
+150
View File
@@ -0,0 +1,150 @@
# Configure Caddy with error directive
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
error /forbidden* "Access denied" 403
respond "OK"
}
```
# error directive triggers 403 for matching paths
GET https://localhost:9443/forbidden/resource
[Options]
insecure: true
HTTP 403
# error directive does not trigger for non-matching paths
GET https://localhost:9443/allowed
[Options]
insecure: true
HTTP 200
[Asserts]
body == "OK"
# Configure Caddy with error and handle_errors
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
error /admin* "Forbidden" 403
handle_errors {
respond "Custom error: {err.status_code} - {err.status_text}"
}
}
```
# error with handle_errors shows custom error page
GET https://localhost:9443/admin/panel
[Options]
insecure: true
HTTP 403
[Asserts]
body == "Custom error: 403 - Forbidden"
# Configure Caddy with conditional error
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
@admin path /admin*
error @admin 404
respond "Public content"
}
```
# error with named matcher triggers on match
GET https://localhost:9443/admin/users
[Options]
insecure: true
HTTP 404
# error with named matcher doesn't trigger on non-match
GET https://localhost:9443/public
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Public content"
# Configure Caddy with error for specific methods
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
@post method POST
error @post "Method not allowed" 405
respond "GET OK"
}
```
# error blocks POST requests
POST https://localhost:9443
[Options]
insecure: true
HTTP 405
# error allows GET requests
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "GET OK"
# Configure Caddy with dynamic error message
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
error /error* "Path {path} not found" 404
handle_errors {
respond "{err.message}"
}
}
```
# error message can use placeholders
GET https://localhost:9443/error/test
[Options]
insecure: true
HTTP 404
[Asserts]
body == "Path /error/test not found"
caddytest/spec/http/file_server/assets/indexed/index.html
+9
View File
@@ -0,0 +1,9 @@
<!DOCTYPE html>
<html>
<head>
<title>Index.html Title</title>
</head>
<body>
Index.html
</body>
</html>
caddytest/spec/http/file_server/assets/indexed/index.txt
+1
View File
@@ -0,0 +1 @@
index.txt
caddytest/spec/http/file_server/assets/unindexed/.gitkeep
View File
caddytest/spec/http/file_server/spec.hurl
+119
View File
@@ -0,0 +1,119 @@
# Configure Caddy with default configuration
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
debug
}
localhost {
root {{indexed_root}}
file_server
}
```
# requests without specific file receive index file per
# the default index list: index.html, index.txt
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
```
<!DOCTYPE html>
<html>
<head>
<title>Index.html Title</title>
</head>
<body>
Index.html
</body>
</html>```
# if index.txt is specifically requested, we expect index.txt
GET https://localhost:9443/index.txt
[Options]
insecure: true
HTTP 200
[Asserts]
body == "index.txt"
# requests for sub-folder followed by .. result in sanitized path
GET https://localhost:9443/non-existent/../index.txt
[Options]
insecure: true
HTTP 200
[Asserts]
body == "index.txt"
# results out of root folder are sanitized,
# and conform to default index list sequence.
GET https://localhost:9443/../
[Options]
insecure: true
HTTP 200
[Asserts]
```
<!DOCTYPE html>
<html>
<head>
<title>Index.html Title</title>
</head>
<body>
Index.html
</body>
</html>```
# Configure Caddy with custsom index "index.txt"
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
debug
}
localhost {
root {{indexed_root}}
file_server {
index index.txt
}
}
```
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "index.txt"
# Configure with a root not containing index files
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
debug
}
localhost {
root {{unindexed_root}}
file_server
}
```
GET https://localhost:9443
[Options]
insecure: true
HTTP 404
caddytest/spec/http/forward_auth/spec.hurl
+132
View File
@@ -0,0 +1,132 @@
# Configure Caddy with forward_auth directive
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
forward_auth localhost:9080 {
uri /auth
}
respond "Protected content"
}
http://localhost:9080 {
handle /auth {
respond 200
}
}
```
# forward_auth allows request when auth endpoint returns 2xx
GET https://localhost:9443
[Options]
delay: 500ms
insecure: true
HTTP 200
[Asserts]
body == "Protected content"
# Configure Caddy with forward_auth rejecting
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
forward_auth localhost:9080 {
uri /auth
}
respond "Protected content"
}
http://localhost:9080 {
handle /auth {
respond 401
}
}
```
# forward_auth blocks request when auth endpoint returns 4xx
GET https://localhost:9443
[Options]
delay: 500ms
insecure: true
HTTP 401
# Configure Caddy with forward_auth copying headers
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
forward_auth localhost:9080 {
uri /auth
copy_headers X-User-ID X-User-Email
}
respond "User: {header.X-User-ID}, Email: {header.X-User-Email}"
}
http://localhost:9080 {
handle /auth {
header X-User-ID "user123"
header X-User-Email "user@example.com"
respond 200
}
}
```
# forward_auth copies specified headers from auth response
GET https://localhost:9443
[Options]
delay: 500ms
insecure: true
HTTP 200
[Asserts]
body == "User: user123, Email: user@example.com"
# Configure Caddy with forward_auth and custom headers
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
forward_auth localhost:9080 {
uri /auth
header_up X-Original-URL {uri}
}
respond "OK"
}
http://localhost:9080 {
handle /auth {
respond "{header.X-Original-URL}"
}
}
```
# forward_auth can send custom headers to auth endpoint
GET https://localhost:9443/test/path
[Options]
delay: 500ms
insecure: true
HTTP 200
[Asserts]
body == "OK"
caddytest/spec/http/headers/spec.hurl
+22
View File
@@ -0,0 +1,22 @@
# Configure Caddy
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
debug
}
localhost {
header "X-Custom-Header" "Custom-Value"
}
```
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
header "X-Custom-Header" == "Custom-Value"
caddytest/spec/http/request_header/spec.hurl
+190
View File
@@ -0,0 +1,190 @@
# Configure Caddy with request_header directive
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
request_header X-Custom-Header "CustomValue"
respond "{header.X-Custom-Header}"
}
```
# request_header adds headers to request
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "CustomValue"
# Configure Caddy with request_header removing headers
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
request_header -User-Agent
respond "UA: {header.User-Agent}"
}
```
# request_header can remove headers
GET https://localhost:9443
User-Agent: TestAgent/1.0
[Options]
insecure: true
HTTP 200
[Asserts]
body == "UA: "
# Configure Caddy with request_header replacing headers
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
request_header Host "example.com"
respond "Host: {host}"
}
```
# request_header can replace Host header
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Host: example.com"
# Configure Caddy with request_header using placeholders
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
request_header X-Original-Path {path}
respond "Path: {header.X-Original-Path}"
}
```
# request_header can use placeholders
GET https://localhost:9443/test/path
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Path: /test/path"
# Configure Caddy with conditional request_header
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
@api path /api/*
request_header @api X-API "true"
respond "API: {header.X-API}"
}
```
# request_header applies conditionally based on matcher
GET https://localhost:9443/api/test
[Options]
insecure: true
HTTP 200
[Asserts]
body == "API: true"
# request_header doesn't apply when matcher doesn't match
GET https://localhost:9443/other
[Options]
insecure: true
HTTP 200
[Asserts]
body == "API: "
# Configure Caddy with multiple request_header operations
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
request_header X-First "1"
request_header X-Second "2"
request_header X-Third "3"
respond "{header.X-First},{header.X-Second},{header.X-Third}"
}
```
# multiple request_header directives are applied
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "1,2,3"
# Configure Caddy with request_header and reverse_proxy
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
debug
}
localhost {
request_header X-Custom-Header "Value"
reverse_proxy localhost:9450
}
http://localhost:9450 {
respond "{header.X-Custom-Header}"
}
```
# request_header adds header before reverse_proxy
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Value"
caddytest/spec/http/requestbody/spec.hurl
+36
View File
@@ -0,0 +1,36 @@
# Configure Caddy
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
log
request_body {
max_size 2B
}
reverse_proxy localhost:8000 # to fake body reading
handle_errors 4xx {
respond "OK"
}
}
http://localhost:8000 {
respond "Failed"
}
```
GET https://localhost:9443
[Options]
delay: 1s
insecure: true
```
Hello
```
HTTP 413
`OK`
# TODO: how to test{read,write}_timeout?
caddytest/spec/http/rewrite/spec.hurl
+66
View File
@@ -0,0 +1,66 @@
# Configure Caddy
POST http://localhost:2019/load
User-Agent: hurl/ci
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
rewrite /from /to
respond {uri}
}
```
# simple scenario: rewriting /from to /to produces expected result of seeing /to
GET https://localhost:9443/from
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/to"
# unmatched path is passed through unchanged
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/"
# having a query parameter does not trip the rewrite and retains the query
GET https://localhost:9443/from?query_param=value
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/to?query_param=value"
# Configure Caddy
POST http://localhost:2019/load
User-Agent: hurl/ci
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
rewrite /from /to?a=b
respond {uri}
}
```
# a rewrite with query parameters affects the parameters
GET https://localhost:9443/from?query_param=value
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/to?a=b"
caddytest/spec/http/route/spec.hurl
+171
View File
@@ -0,0 +1,171 @@
# Configure Caddy with route directive
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
route /api/* {
uri strip_prefix /api
respond "API: {uri}"
}
respond "Not API"
}
```
# route groups handlers and maintains order
GET https://localhost:9443/api/users
[Options]
insecure: true
HTTP 200
[Asserts]
body == "API: /users"
# route doesn't match non-matching paths
GET https://localhost:9443/other
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Not API"
# Configure Caddy with nested routes
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
route /api/* {
uri strip_prefix /api
route /v1/* {
uri strip_prefix /v1
respond "API v1: {uri}"
}
respond "API: {uri}"
}
}
```
# nested routes process sequentially
GET https://localhost:9443/api/v1/users
[Options]
insecure: true
HTTP 200
[Asserts]
body == "API v1: /users"
# outer route processes when inner doesn't match
GET https://localhost:9443/api/users
[Options]
insecure: true
HTTP 200
[Asserts]
body == "API: /users"
# Configure Caddy with route and terminal handlers
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
route {
header X-First "1"
respond "Response"
header X-Second "2"
}
}
```
# route stops at terminal handler (respond)
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
header "X-First" == "1"
header "X-Second" not exists
# Configure Caddy with route preserving handler order
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
route {
vars step1 "done"
vars step2 "done"
vars step3 "done"
respond "{vars.step1},{vars.step2},{vars.step3}"
}
}
```
# route preserves exact handler order
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "done,done,done"
# Configure Caddy with route and matchers
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
route {
@api path /api/*
vars @api type "api"
vars type "other"
respond "{vars.type}"
}
}
```
# route applies matchers in sequence
GET https://localhost:9443/api/test
[Options]
insecure: true
HTTP 200
[Asserts]
body == "other"
# route continues when matcher doesn't match
GET https://localhost:9443/test
[Options]
insecure: true
HTTP 200
[Asserts]
body == "other"
caddytest/spec/http/static_response/spec.hurl
+105
View File
@@ -0,0 +1,105 @@
# Configure Caddy
POST http://localhost:2019/load
User-Agent: hurl/ci
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
log
respond "Hello, World!"
}
```
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
`Hello, World!`
GET https://localhost:9443/foo
[Options]
insecure: true
HTTP 200
[Asserts]
`Hello, World!`
# Configure Caddy
POST http://localhost:2019/load
User-Agent: hurl/ci
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
respond "New text!"
}
```
GET https://localhost:9443
[Options]
insecure: true
HTTP/2 200
[Asserts]
`New text!`
GET https://localhost:9443/foo
[Options]
insecure: true
HTTP/2 200
[Asserts]
`New text!`
GET https://localhost:9443/foo
[Options]
insecure: true
HTTP/2 200
[Asserts]
body != "Hello, World!"
# Configure Caddy
# The body is a placeholder
POST http://localhost:2019/load
User-Agent: hurl/ci
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
log
respond {http.request.body}
}
```
# handler responds with the "application/json" if the response body is valid JSON
POST https://localhost:9443
[Options]
insecure: true
```json
{
"greeting": "Hello, world!"
}
```
HTTP/2 200
[Asserts]
header "Content-Type" == "application/json"
```json
{
"greeting": "Hello, world!"
}
```
caddytest/spec/http/uri/spec.hurl
+191
View File
@@ -0,0 +1,191 @@
# Configure Caddy with uri strip_prefix
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri strip_prefix /api
respond {uri}
}
```
# strip_prefix removes the prefix from the URI
GET https://localhost:9443/api/users
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/users"
# URI without prefix is unchanged
GET https://localhost:9443/users
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/users"
# Configure Caddy with uri strip_suffix
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri strip_suffix .php
respond {uri}
}
```
# strip_suffix removes the suffix from the URI
GET https://localhost:9443/index.php
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/index"
# URI without suffix is unchanged
GET https://localhost:9443/index.html
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/index.html"
# Configure Caddy with uri replace
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri replace old new
respond {uri}
}
```
# replace substitutes all occurrences
GET https://localhost:9443/old/path/old
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/new/path/new"
# Configure Caddy with uri path_regexp
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri path_regexp /([0-9]+) /$1/id
respond {uri}
}
```
# path_regexp replaces using regular expressions
GET https://localhost:9443/123
[Options]
insecure: true
HTTP 200
[Asserts]
body == "/123/id"
# Configure Caddy with uri query operations
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri query +foo bar
respond {query}
}
```
# query operations add parameters
GET https://localhost:9443/?existing=value
[Options]
insecure: true
HTTP 200
[Asserts]
body == "existing=value&foo=bar"
# Configure Caddy with uri query delete
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri query -sensitive
respond {query}
}
```
# query operations delete parameters
GET https://localhost:9443/?keep=this&sensitive=secret
[Options]
insecure: true
HTTP 200
[Asserts]
body == "keep=this"
# Configure Caddy with uri query rename
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
uri query old>new
respond {query}
}
```
# query operations rename parameters
GET https://localhost:9443/?old=value
[Options]
insecure: true
HTTP 200
[Asserts]
body == "new=value"
caddytest/spec/http/vars/spec.hurl
+125
View File
@@ -0,0 +1,125 @@
# Configure Caddy with vars directive
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
vars my_var "custom_value"
vars another_var "another_value"
respond "{vars.my_var} {vars.another_var}"
}
```
# Variables are accessible in placeholders
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "custom_value another_value"
# Configure Caddy with vars using placeholders
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
vars request_path {path}
vars request_method {method}
respond "Path: {vars.request_path}, Method: {vars.request_method}"
}
```
# Variables can be set from request placeholders
GET https://localhost:9443/test/path
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Path: /test/path, Method: GET"
# POST method is captured correctly
POST https://localhost:9443/another
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Path: /another, Method: POST"
# Configure Caddy with vars in route
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
route /api/* {
vars api_version "v1"
respond "API {vars.api_version}"
}
respond "Not API"
}
```
# Variables are scoped to their route
GET https://localhost:9443/api/users
[Options]
insecure: true
HTTP 200
[Asserts]
body == "API v1"
# Outside the route, variables are not set
GET https://localhost:9443/other
[Options]
insecure: true
HTTP 200
[Asserts]
body == "Not API"
# Configure Caddy with vars overwriting
POST http://localhost:2019/load
Content-Type: text/caddyfile
```
{
skip_install_trust
http_port 9080
https_port 9443
local_certs
}
localhost {
# without `route`, middlewares are sorted an unstable sort
route {
vars my_var "2"
vars my_var "1"
}
respond "{vars.my_var}"
}
```
# Later vars directives overwrite earlier ones
GET https://localhost:9443
[Options]
insecure: true
HTTP 200
[Asserts]
body == "1"
caddytest/spec/hurl_vars.properties
+2
View File
@@ -0,0 +1,2 @@
indexed_root=caddytest/spec/http/file_server/assets/indexed
unindexed_root=caddytest/spec/http/file_server/assets/unindexed
cmd/caddy/main.go
-2
View File
@@ -29,8 +29,6 @@
package main
import (
_ "time/tzdata"
caddycmd "github.com/caddyserver/caddy/v2/cmd"
// plug in Caddy modules here
cmd/commandfuncs.go
+14 -58
View File
@@ -74,7 +74,7 @@ func cmdStart(fl Flags) (int, error) {
// ensure it's the process we're expecting - we can be
// sure by giving it some random bytes and having it echo
// them back to us)
cmd := exec.Command(os.Args[0], "run", "--pingback", ln.Addr().String()) //nolint:gosec // no command injection that I can determine...
cmd := exec.Command(os.Args[0], "run", "--pingback", ln.Addr().String())
// we should be able to run caddy in relative paths
if errors.Is(cmd.Err, exec.ErrDot) {
cmd.Err = nil
@@ -411,65 +411,11 @@ func cmdBuildInfo(_ Flags) (int, error) {
return caddy.ExitCodeSuccess, nil
}
// jsonModuleInfo holds metadata about a Caddy module for JSON output.
type jsonModuleInfo struct {
ModuleName string `json:"module_name"`
ModuleType string `json:"module_type"`
Version string `json:"version,omitempty"`
PackageURL string `json:"package_url,omitempty"`
}
func cmdListModules(fl Flags) (int, error) {
packages := fl.Bool("packages")
versions := fl.Bool("versions")
skipStandard := fl.Bool("skip-standard")
jsonOutput := fl.Bool("json")
// Organize modules by whether they come with the standard distribution
standard, nonstandard, unknown, err := getModules()
if err != nil {
// If module info can't be fetched, just print the IDs and exit
for _, m := range caddy.Modules() {
fmt.Println(m)
}
return caddy.ExitCodeSuccess, nil
}
// Logic for JSON output
if jsonOutput {
output := []jsonModuleInfo{}
// addToOutput is a helper to convert internal module info to the JSON-serializable struct
addToOutput := func(list []moduleInfo, moduleType string) {
for _, mi := range list {
item := jsonModuleInfo{
ModuleName: mi.caddyModuleID,
ModuleType: moduleType, // Mapping the type here
}
if mi.goModule != nil {
item.Version = mi.goModule.Version
item.PackageURL = mi.goModule.Path
}
output = append(output, item)
}
}
// Pass the respective type for each category
if !skipStandard {
addToOutput(standard, "standard")
}
addToOutput(nonstandard, "non-standard")
addToOutput(unknown, "unknown")
jsonBytes, err := json.MarshalIndent(output, "", " ")
if err != nil {
return caddy.ExitCodeFailedQuit, err
}
fmt.Println(string(jsonBytes))
return caddy.ExitCodeSuccess, nil
}
// Logic for Text output (Fallback)
printModuleInfo := func(mi moduleInfo) {
fmt.Print(mi.caddyModuleID)
if versions && mi.goModule != nil {
@@ -487,6 +433,16 @@ func cmdListModules(fl Flags) (int, error) {
fmt.Println()
}
// organize modules by whether they come with the standard distribution
standard, nonstandard, unknown, err := getModules()
if err != nil {
// oh well, just print the module IDs and exit
for _, m := range caddy.Modules() {
fmt.Println(m)
}
return caddy.ExitCodeSuccess, nil
}
// Standard modules (always shipped with Caddy)
if !skipStandard {
if len(standard) > 0 {
@@ -505,8 +461,8 @@ func cmdListModules(fl Flags) (int, error) {
for _, mod := range nonstandard {
printModuleInfo(mod)
}
fmt.Printf("\n Non-standard modules: %d\n", len(nonstandard))
}
fmt.Printf("\n Non-standard modules: %d\n", len(nonstandard))
// Unknown modules (couldn't get Caddy module info)
if len(unknown) > 0 {
@@ -516,8 +472,8 @@ func cmdListModules(fl Flags) (int, error) {
for _, mod := range unknown {
printModuleInfo(mod)
}
fmt.Printf("\n Unknown modules: %d\n", len(unknown))
}
fmt.Printf("\n Unknown modules: %d\n", len(unknown))
return caddy.ExitCodeSuccess, nil
}
@@ -820,7 +776,7 @@ func AdminAPIRequest(adminAddr, method, uri string, headers http.Header, body io
},
}
resp, err := client.Do(req) //nolint:gosec // the only SSRF here would be self-sabatoge I think
resp, err := client.Do(req)
if err != nil {
return nil, fmt.Errorf("performing request: %v", err)
}
cmd/commands.go
+1 -2
View File
@@ -229,13 +229,12 @@ documentation: https://go.dev/doc/modules/version-numbers
RegisterCommand(Command{
Name: "list-modules",
Usage: "[--packages] [--versions] [--skip-standard] [--json]",
Usage: "[--packages] [--versions] [--skip-standard]",
Short: "Lists the installed Caddy modules",
CobraFunc: func(cmd *cobra.Command) {
cmd.Flags().BoolP("packages", "", false, "Print package paths")
cmd.Flags().BoolP("versions", "", false, "Print version information")
cmd.Flags().BoolP("skip-standard", "s", false, "Skip printing standard modules")
cmd.Flags().BoolP("json", "", false, "Print modules in JSON format")
cmd.RunE = WrapCommandFuncForCobra(cmdListModules)
},
})
cmd/main.go
+1 -4
View File
@@ -231,10 +231,7 @@ func loadConfigWithLogger(logger *zap.Logger, configFile, adapterName string) ([
// validate that the config is at least valid JSON
err = json.Unmarshal(config, new(any))
if err != nil {
if jsonErr, ok := err.(*json.SyntaxError); ok {
return nil, "", "", fmt.Errorf("config is not valid JSON: %w, at offset %d; did you mean to use a config adapter (the --adapter flag)?", err, jsonErr.Offset)
}
return nil, "", "", fmt.Errorf("config is not valid JSON: %w; did you mean to use a config adapter (the --adapter flag)?", err)
return nil, "", "", fmt.Errorf("config is not valid JSON: %v; did you mean to use a config adapter (the --adapter flag)?", err)
}
}
context.go
+7 -42
View File
@@ -21,14 +21,12 @@ import (
"log"
"log/slog"
"reflect"
"sync"
"github.com/caddyserver/certmagic"
"github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/collectors"
"go.uber.org/zap"
"go.uber.org/zap/exp/zapslog"
"go.uber.org/zap/zapcore"
"github.com/caddyserver/caddy/v2/internal/filesystems"
)
@@ -585,57 +583,24 @@ func (ctx Context) Logger(module ...Module) *zap.Logger {
return ctx.cfg.Logging.Logger(mod)
}
type slogHandlerFactory func(handler slog.Handler, core zapcore.Core, moduleID string) slog.Handler
var (
slogHandlerFactories []slogHandlerFactory
slogHandlerFactoriesMu sync.RWMutex
)
// RegisterSlogHandlerFactory allows modules to register custom log/slog.Handler,
// for instance, to add contextual data to the logs.
func RegisterSlogHandlerFactory(factory slogHandlerFactory) {
slogHandlerFactoriesMu.Lock()
slogHandlerFactories = append(slogHandlerFactories, factory)
slogHandlerFactoriesMu.Unlock()
}
// Slogger returns a slog logger that is intended for use by
// the most recent module associated with the context.
func (ctx Context) Slogger() *slog.Logger {
var (
handler slog.Handler
core zapcore.Core
moduleID string
)
if ctx.cfg == nil {
// often the case in tests; just use a dev logger
l, err := zap.NewDevelopment()
if err != nil {
panic("config missing, unable to create dev logger: " + err.Error())
}
core = l.Core()
handler = zapslog.NewHandler(core)
} else {
mod := ctx.Module()
if mod == nil {
core = Log().Core()
handler = zapslog.NewHandler(core)
} else {
moduleID = string(mod.CaddyModule().ID)
core = ctx.cfg.Logging.Logger(mod).Core()
handler = zapslog.NewHandler(core, zapslog.WithName(moduleID))
}
return slog.New(zapslog.NewHandler(l.Core()))
}
slogHandlerFactoriesMu.RLock()
for _, f := range slogHandlerFactories {
handler = f(handler, core, moduleID)
mod := ctx.Module()
if mod == nil {
return slog.New(zapslog.NewHandler(Log().Core()))
}
slogHandlerFactoriesMu.RUnlock()
return slog.New(handler)
return slog.New(zapslog.NewHandler(ctx.cfg.Logging.Logger(mod).Core(),
zapslog.WithName(string(mod.CaddyModule().ID)),
))
}
// Modules returns the lineage of modules that this context provisioned,
go.mod
+86 -86
View File
@@ -3,115 +3,113 @@ module github.com/caddyserver/caddy/v2
go 1.25
require (
github.com/BurntSushi/toml v1.6.0
github.com/BurntSushi/toml v1.5.0
github.com/DeRuina/timberjack v1.3.9
github.com/KimMachineGun/automemlimit v0.7.5
github.com/Masterminds/sprig/v3 v3.3.0
github.com/alecthomas/chroma/v2 v2.23.1
github.com/alecthomas/chroma/v2 v2.20.0
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
github.com/caddyserver/certmagic v0.25.1
github.com/caddyserver/zerossl v0.1.5
github.com/cloudflare/circl v1.6.3
github.com/caddyserver/certmagic v0.25.0
github.com/caddyserver/zerossl v0.1.3
github.com/cloudflare/circl v1.6.1
github.com/dustin/go-humanize v1.0.1
github.com/go-chi/chi/v5 v5.2.5
github.com/google/cel-go v0.27.0
github.com/go-chi/chi/v5 v5.2.3
github.com/google/cel-go v0.26.1
github.com/google/uuid v1.6.0
github.com/klauspost/compress v1.18.4
github.com/klauspost/compress v1.18.1
github.com/klauspost/cpuid/v2 v2.3.0
github.com/mholt/acmez/v3 v3.1.4
github.com/prometheus/client_golang v1.23.2
github.com/quic-go/quic-go v0.59.0
github.com/smallstep/certificates v0.30.0-rc2.0.20260211214201-20608299c29c
github.com/quic-go/quic-go v0.56.0
github.com/smallstep/certificates v0.28.4
github.com/smallstep/nosql v0.7.0
github.com/smallstep/truststore v0.13.0
github.com/spf13/cobra v1.10.2
github.com/spf13/cobra v1.10.1
github.com/spf13/pflag v1.0.10
github.com/stretchr/testify v1.11.1
github.com/tailscale/tscert v0.0.0-20251216020129-aea342f6d747
github.com/yuin/goldmark v1.7.16
github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53
github.com/yuin/goldmark v1.7.13
github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
go.opentelemetry.io/contrib/exporters/autoexport v0.65.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0
go.opentelemetry.io/contrib/propagators/autoprop v0.65.0
go.opentelemetry.io/otel v1.40.0
go.opentelemetry.io/otel/sdk v1.40.0
go.step.sm/crypto v0.76.0
go.opentelemetry.io/contrib/exporters/autoexport v0.63.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0
go.opentelemetry.io/contrib/propagators/autoprop v0.63.0
go.opentelemetry.io/otel v1.38.0
go.opentelemetry.io/otel/sdk v1.38.0
go.uber.org/automaxprocs v1.6.0
go.uber.org/zap v1.27.1
go.uber.org/zap v1.27.0
go.uber.org/zap/exp v0.3.0
golang.org/x/crypto v0.48.0
golang.org/x/crypto v0.43.0
golang.org/x/crypto/x509roots/fallback v0.0.0-20250927194341-2beaa59a3c99
golang.org/x/net v0.50.0
golang.org/x/sync v0.19.0
golang.org/x/term v0.40.0
golang.org/x/net v0.46.0
golang.org/x/sync v0.17.0
golang.org/x/term v0.36.0
golang.org/x/time v0.14.0
gopkg.in/yaml.v3 v3.0.1
)
require (
cel.dev/expr v0.25.1 // indirect
cloud.google.com/go/auth v0.18.1 // indirect
cel.dev/expr v0.24.0 // indirect
cloud.google.com/go/auth v0.17.0 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cloud.google.com/go/compute/metadata v0.9.0 // indirect
dario.cat/mergo v1.0.2 // indirect
filippo.io/bigmod v0.1.0 // indirect
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/ccoveille/go-safecast/v2 v2.0.0 // indirect
dario.cat/mergo v1.0.1 // indirect
github.com/Microsoft/go-winio v0.6.0 // indirect
github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
github.com/ccoveille/go-safecast v1.6.1 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/coreos/go-oidc/v3 v3.17.0 // indirect
github.com/coreos/go-oidc/v3 v3.14.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/fxamacker/cbor/v2 v2.8.0 // indirect
github.com/go-jose/go-jose/v3 v3.0.4 // indirect
github.com/go-jose/go-jose/v4 v4.1.3 // indirect
github.com/go-jose/go-jose/v4 v4.1.2 // indirect
github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 // indirect
github.com/google/go-tpm v0.9.8 // indirect
github.com/google/go-tpm v0.9.6 // indirect
github.com/google/go-tspi v0.3.0 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
github.com/googleapis/gax-go/v2 v2.17.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
github.com/googleapis/gax-go/v2 v2.15.0 // indirect
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 // indirect
github.com/jackc/pgx/v5 v5.6.0 // indirect
github.com/jackc/puddle/v2 v2.2.1 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/otlptranslator v1.0.0 // indirect
github.com/quic-go/qpack v0.6.0 // indirect
github.com/smallstep/cli-utils v0.12.2 // indirect
github.com/prometheus/otlptranslator v0.0.2 // indirect
github.com/quic-go/qpack v0.5.1 // indirect
github.com/smallstep/cli-utils v0.12.1 // indirect
github.com/smallstep/go-attestation v0.4.4-0.20241119153605-2306d5b464ca // indirect
github.com/smallstep/linkedca v0.25.0 // indirect
github.com/smallstep/linkedca v0.23.0 // indirect
github.com/smallstep/pkcs7 v0.2.1 // indirect
github.com/smallstep/scep v0.0.0-20250318231241-a25cabb69492 // indirect
github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
github.com/smallstep/scep v0.0.0-20240926084937-8cf1ca453101 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/zeebo/blake3 v0.2.4 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/bridges/prometheus v0.65.0 // indirect
go.opentelemetry.io/contrib/propagators/aws v1.40.0 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.40.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.40.0 // indirect
go.opentelemetry.io/contrib/propagators/ot v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.62.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.16.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.40.0 // indirect
go.opentelemetry.io/otel/log v0.16.0 // indirect
go.opentelemetry.io/otel/sdk/log v0.16.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.40.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 // indirect
go.opentelemetry.io/contrib/propagators/aws v1.38.0 // indirect
go.opentelemetry.io/contrib/propagators/b3 v1.38.0 // indirect
go.opentelemetry.io/contrib/propagators/jaeger v1.38.0 // indirect
go.opentelemetry.io/contrib/propagators/ot v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/prometheus v0.60.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 // indirect
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 // indirect
go.opentelemetry.io/otel/log v0.14.0 // indirect
go.opentelemetry.io/otel/sdk/log v0.14.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
go.yaml.in/yaml/v2 v2.4.3 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 // indirect
golang.org/x/oauth2 v0.34.0 // indirect
google.golang.org/api v0.265.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 // indirect
golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
golang.org/x/oauth2 v0.32.0 // indirect
google.golang.org/api v0.254.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 // indirect
)
@@ -119,7 +117,7 @@ require (
filippo.io/edwards25519 v1.1.0 // indirect
github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.3.1 // indirect
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/cespare/xxhash v1.1.0 // indirect
github.com/cespare/xxhash/v2 v2.3.0
@@ -142,37 +140,39 @@ require (
github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
github.com/libdns/libdns v1.1.1
github.com/manifoldco/promptui v0.9.0 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
github.com/miekg/dns v1.1.70 // indirect
github.com/miekg/dns v1.1.68 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-ps v1.0.0 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/pires/go-proxyproto v0.11.0
github.com/pires/go-proxyproto v0.8.1
github.com/pkg/errors v0.9.1 // indirect
github.com/prometheus/client_model v0.6.2
github.com/prometheus/common v0.67.5 // indirect
github.com/prometheus/procfs v0.19.2 // indirect
github.com/prometheus/common v0.67.1 // indirect
github.com/prometheus/procfs v0.17.0 // indirect
github.com/rs/xid v1.6.0 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
github.com/sirupsen/logrus v1.9.4 // indirect
github.com/slackhq/nebula v1.10.3 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/slackhq/nebula v1.9.7 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/stoewer/go-strcase v1.2.0 // indirect
github.com/urfave/cli v1.22.17 // indirect
go.etcd.io/bbolt v1.3.10 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 // indirect
go.opentelemetry.io/otel/metric v1.40.0 // indirect
go.opentelemetry.io/otel/trace v1.40.0
go.opentelemetry.io/proto/otlp v1.9.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 // indirect
go.opentelemetry.io/otel/metric v1.38.0 // indirect
go.opentelemetry.io/otel/trace v1.38.0
go.opentelemetry.io/proto/otlp v1.7.1 // indirect
go.step.sm/crypto v0.74.0
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/mod v0.33.0 // indirect
golang.org/x/sys v0.41.0
golang.org/x/text v0.34.0
golang.org/x/tools v0.42.0 // indirect
google.golang.org/grpc v1.78.0 // indirect
google.golang.org/protobuf v1.36.11 // indirect
golang.org/x/mod v0.29.0 // indirect
golang.org/x/sys v0.37.0
golang.org/x/text v0.30.0 // indirect
golang.org/x/tools v0.38.0 // indirect
google.golang.org/grpc v1.76.0 // indirect
google.golang.org/protobuf v1.36.10 // indirect
howett.net/plist v1.0.0 // indirect
)
go.sum
+227 -218
View File
@@ -1,94 +1,91 @@
cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
cloud.google.com/go/auth v0.18.1 h1:IwTEx92GFUo2pJ6Qea0EU3zYvKnTAeRCODxfA/G5UWs=
cloud.google.com/go/auth v0.18.1/go.mod h1:GfTYoS9G3CWpRA3Va9doKN9mjPGRS+v41jmZAhBzbrA=
cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
cloud.google.com/go v0.120.0 h1:wc6bgG9DHyKqF5/vQvX1CiZrtHnxJjBlKUyF9nP6meA=
cloud.google.com/go v0.120.0/go.mod h1:/beW32s8/pGRuj4IILWQNd4uuebeT4dkOhKmkfit64Q=
cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
cloud.google.com/go/iam v1.5.3 h1:+vMINPiDF2ognBJ97ABAYYwRgsaqxPbQDlMnbHMjolc=
cloud.google.com/go/iam v1.5.3/go.mod h1:MR3v9oLkZCTlaqljW6Eb2d3HGDGK5/bDv93jhfISFvU=
cloud.google.com/go/kms v1.25.0 h1:gVqvGGUmz0nYCmtoxWmdc1wli2L1apgP8U4fghPGSbQ=
cloud.google.com/go/kms v1.25.0/go.mod h1:XIdHkzfj0bUO3E+LvwPg+oc7s58/Ns8Nd8Sdtljihbk=
cloud.google.com/go/longrunning v0.8.0 h1:LiKK77J3bx5gDLi4SMViHixjD2ohlkwBi+mKA7EhfW8=
cloud.google.com/go/longrunning v0.8.0/go.mod h1:UmErU2Onzi+fKDg2gR7dusz11Pe26aknR4kHmJJqIfk=
dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
filippo.io/bigmod v0.1.0 h1:UNzDk7y9ADKST+axd9skUpBQeW7fG2KrTZyOE4uGQy8=
filippo.io/bigmod v0.1.0/go.mod h1:OjOXDNlClLblvXdwgFFOQFJEocLhhtai8vGLy0JCZlI=
cloud.google.com/go/iam v1.5.2 h1:qgFRAGEmd8z6dJ/qyEchAuL9jpswyODjA2lS+w234g8=
cloud.google.com/go/iam v1.5.2/go.mod h1:SE1vg0N81zQqLzQEwxL2WI6yhetBdbNQuTvIKCSkUHE=
cloud.google.com/go/kms v1.23.2 h1:4IYDQL5hG4L+HzJBhzejUySoUOheh3Lk5YT4PCyyW6k=
cloud.google.com/go/kms v1.23.2/go.mod h1:rZ5kK0I7Kn9W4erhYVoIRPtpizjunlrfU4fUkumUp8g=
cloud.google.com/go/longrunning v0.6.7 h1:IGtfDWHhQCgCjwQjV9iiLnUta9LBCo8R9QmAFsS/PrE=
cloud.google.com/go/longrunning v0.6.7/go.mod h1:EAFV3IZAKmM56TyiE6VAP3VoTzhZzySwI/YI1s/nRsY=
dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 h1:cTp8I5+VIoKjsnZuH8vjyaysT/ses3EvZeaV/1UkF2M=
github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/DeRuina/timberjack v1.3.9 h1:6UXZ1I7ExPGTX/1UNYawR58LlOJUHKBPiYC7WQ91eBo=
github.com/DeRuina/timberjack v1.3.9/go.mod h1:RLoeQrwrCGIEF8gO5nV5b/gMD0QIy7bzQhBUgpp1EqE=
github.com/KimMachineGun/automemlimit v0.7.5 h1:RkbaC0MwhjL1ZuBKunGDjE/ggwAX43DwZrJqVwyveTk=
github.com/KimMachineGun/automemlimit v0.7.5/go.mod h1:QZxpHaGOQoYvFhv/r4u3U0JTC2ZcOwbSr11UZF46UBM=
github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
github.com/OneOfOne/xxhash v1.2.2 h1:KMrpdQIwFcEqXDklaen+P1axHaj9BSKzvpUUfnHldSE=
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
github.com/alecthomas/chroma/v2 v2.23.1 h1:nv2AVZdTyClGbVQkIzlDm/rnhk1E9bU9nXwmZ/Vk/iY=
github.com/alecthomas/chroma/v2 v2.23.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
github.com/alecthomas/chroma/v2 v2.20.0 h1:sfIHpxPyR07/Oylvmcai3X/exDlE8+FA820NTz+9sGw=
github.com/alecthomas/chroma/v2 v2.20.0/go.mod h1:e7tViK0xh/Nf4BYHl00ycY6rV7b8iXBksI9E359yNmA=
github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
github.com/alecthomas/repr v0.5.1 h1:E3G4t2QbHTSNpPKBgMTln5KLkZHLOcU7r37J4pXBuIg=
github.com/alecthomas/repr v0.5.1/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b h1:uUXgbcPDK3KpW29o4iy7GtuappbWT0l5NaMo9H9pJDw=
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU=
github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0=
github.com/aws/aws-sdk-go-v2/config v1.32.7 h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY=
github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY=
github.com/aws/aws-sdk-go-v2/credentials v1.19.7 h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8=
github.com/aws/aws-sdk-go-v2/credentials v1.19.7/go.mod h1:qOZk8sPDrxhf+4Wf4oT2urYJrYt3RejHSzgAquYeppw=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 h1:xOLELNKGp2vsiteLsvLPwxC+mYmO6OZ8PYgiuPJzF8U=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17/go.mod h1:5M5CI3D12dNOtH3/mk6minaRwI2/37ifCURZISxA/IQ=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 h1:WWLqlh79iO48yLkj1v3ISRNiv+3KdQoZ6JWyfcsyQik=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17/go.mod h1:EhG22vHRrvF8oXSTYStZhJc1aUgKtnJe+aOiFEV90cM=
github.com/aws/aws-sdk-go-v2 v1.39.5 h1:e/SXuia3rkFtapghJROrydtQpfQaaUgd1cUvyO1mp2w=
github.com/aws/aws-sdk-go-v2 v1.39.5/go.mod h1:yWSxrnioGUZ4WVv9TgMrNUeLV3PFESn/v+6T/Su8gnM=
github.com/aws/aws-sdk-go-v2/config v1.31.16 h1:E4Tz+tJiPc7kGnXwIfCyUj6xHJNpENlY11oKpRTgsjc=
github.com/aws/aws-sdk-go-v2/config v1.31.16/go.mod h1:2S9hBElpCyGMifv14WxQ7EfPumgoeCPZUpuPX8VtW34=
github.com/aws/aws-sdk-go-v2/credentials v1.18.20 h1:KFndAnHd9NUuzikHjQ8D5CfFVO+bgELkmcGY8yAw98Q=
github.com/aws/aws-sdk-go-v2/credentials v1.18.20/go.mod h1:9mCi28a+fmBHSQ0UM79omkz6JtN+PEsvLrnG36uoUv0=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.12 h1:VO3FIM2TDbm0kqp6sFNR0PbioXJb/HzCDW6NtIZpIWE=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.12/go.mod h1:6C39gB8kg82tx3r72muZSrNhHia9rjGkX7ORaS2GKNE=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.12 h1:p/9flfXdoAnwJnuW9xHEAFY22R3A6skYkW19JFF9F+8=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.12/go.mod h1:ZTLHakoVCTtW8AaLGSwJ3LXqHD9uQKnOcv1TrpO6u2k=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.12 h1:2lTWFvRcnWFFLzHWmtddu5MTchc5Oj2OOey++99tPZ0=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.12/go.mod h1:hI92pK+ho8HVcWMHKHrK3Uml4pfG7wvL86FzO0LVtQQ=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 h1:RuNSMoozM8oXlgLG/n6WLaFGoea7/CddrCfIiSA+xdY=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17/go.mod h1:F2xxQ9TZz5gDWsclCtPQscGpP0VUOc8RqgFM3vDENmU=
github.com/aws/aws-sdk-go-v2/service/kms v1.49.5 h1:DKibav4XF66XSeaXcrn9GlWGHos6D/vJ4r7jsK7z5CE=
github.com/aws/aws-sdk-go-v2/service/kms v1.49.5/go.mod h1:1SdcmEGUEQE1mrU2sIgeHtcMSxHuybhPvuEPANzIDfI=
github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y=
github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13/go.mod h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo=
github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ=
github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk=
github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2 h1:xtuxji5CS0JknaXoACOunXOYOQzgfTvGAc9s2QdCJA4=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.2/go.mod h1:zxwi0DIR0rcRcgdbl7E2MSOvxDyyXGBlScvBkARFaLQ=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.12 h1:MM8imH7NZ0ovIVX7D2RxfMDv7Jt9OiUXkcQ+GqywA7M=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.12/go.mod h1:gf4OGwdNkbEsb7elw2Sy76odfhwNktWII3WgvQgQQ6w=
github.com/aws/aws-sdk-go-v2/service/kms v1.47.0 h1:A97YCVyGz19rRs3+dWf3GpMPflCswgETA9r6/Q0JNSY=
github.com/aws/aws-sdk-go-v2/service/kms v1.47.0/go.mod h1:ZJ1ghBt9gQM8JoNscUua1siIgao8w74o3kvdWUU6N/Q=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.0 h1:xHXvxst78wBpJFgDW07xllOx0IAzbryrSdM4nMVQ4Dw=
github.com/aws/aws-sdk-go-v2/service/sso v1.30.0/go.mod h1:/e8m+AO6HNPPqMyfKRtzZ9+mBF5/x1Wk8QiDva4m07I=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.4 h1:tBw2Qhf0kj4ZwtsVpDiVRU3zKLvjvjgIjHMKirxXg8M=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.4/go.mod h1:Deq4B7sRM6Awq/xyOBlxBdgW8/Z926KYNNaGMW2lrkA=
github.com/aws/aws-sdk-go-v2/service/sts v1.39.0 h1:C+BRMnasSYFcgDw8o9H5hzehKzXyAb9GY5v/8bP9DUY=
github.com/aws/aws-sdk-go-v2/service/sts v1.39.0/go.mod h1:4EjU+4mIx6+JqKQkruye+CaigV7alL3thVPfDd9VlMs=
github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M=
github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/caddyserver/certmagic v0.25.1 h1:4sIKKbOt5pg6+sL7tEwymE1x2bj6CHr80da1CRRIPbY=
github.com/caddyserver/certmagic v0.25.1/go.mod h1:VhyvndxtVton/Fo/wKhRoC46Rbw1fmjvQ3GjHYSQTEY=
github.com/caddyserver/zerossl v0.1.5 h1:dkvOjBAEEtY6LIGAHei7sw2UgqSD6TrWweXpV7lvEvE=
github.com/caddyserver/zerossl v0.1.5/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
github.com/ccoveille/go-safecast/v2 v2.0.0 h1:+5eyITXAUj3wMjad6cRVJKGnC7vDS55zk0INzJagub0=
github.com/ccoveille/go-safecast/v2 v2.0.0/go.mod h1:JIYA4CAR33blIDuE6fSwCp2sz1oOBahXnvmdBhOAABs=
github.com/caddyserver/certmagic v0.25.0 h1:VMleO/XA48gEWes5l+Fh6tRWo9bHkhwAEhx63i+F5ic=
github.com/caddyserver/certmagic v0.25.0/go.mod h1:m9yB7Mud24OQbPHOiipAoyKPn9pKHhpSJxXR1jydBxA=
github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+YTAyA=
github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
github.com/ccoveille/go-safecast v1.6.1 h1:Nb9WMDR8PqhnKCVs2sCB+OqhohwO5qaXtCviZkIff5Q=
github.com/ccoveille/go-safecast v1.6.1/go.mod h1:QqwNjxQ7DAqY0C721OIO9InMk9zCwcsO7tnRuHytad8=
github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
@@ -104,12 +101,12 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
@@ -143,14 +140,14 @@ github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHqu
github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
github.com/go-jose/go-jose/v3 v3.0.4 h1:Wp5HA7bLQcKnf6YYao/4kpRpVMp/yf6+pJKV8WFSaNY=
github.com/go-jose/go-jose/v3 v3.0.4/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -166,8 +163,8 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/cel-go v0.27.0 h1:e7ih85+4qVrBuqQWTW4FKSqZYokVuc3HnhH5keboFTo=
github.com/google/cel-go v0.27.0/go.mod h1:tTJ11FWqnhw5KKpnWpvW9CJC3Y9GK4EIS0WXnBbebzw=
github.com/google/cel-go v0.26.1 h1:iPbVVEdkhTX++hpe3lzSk7D3G3QSYqLGoHOcEio+UXQ=
github.com/google/cel-go v0.26.1/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
github.com/google/certificate-transparency-go v1.0.21/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745 h1:heyoXNxkRT155x4jTAiSv5BVSVkueifPUm+Q8LUXMRo=
github.com/google/certificate-transparency-go v1.1.8-0.20240110162603-74a5dd331745/go.mod h1:zN0wUQgV9LjwLZeFHnrAbQi8hzMVvEWePyk+MhPOk7k=
@@ -175,22 +172,24 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
github.com/google/go-tpm-tools v0.4.7 h1:J3ycC8umYxM9A4eF73EofRZu4BxY0jjQnUnkhIBbvws=
github.com/google/go-tpm-tools v0.4.7/go.mod h1:gSyXTZHe3fgbzb6WEGd90QucmsnT1SRdlye82gH8QjQ=
github.com/google/go-tpm v0.9.6 h1:Ku42PT4LmjDu1H5C5ISWLlpI1mj+Zq7sPGKoRw2XROA=
github.com/google/go-tpm v0.9.6/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
github.com/google/go-tpm-tools v0.4.6 h1:hwIwPG7w4z5eQEBq11gYw8YYr9xXLfBQ/0JsKyq5AJM=
github.com/google/go-tpm-tools v0.4.6/go.mod h1:MsVQbJnRhKDfWwf5zgr3cDGpj13P1uLAFF0wMEP/n5w=
github.com/google/go-tspi v0.3.0 h1:ADtq8RKfP+jrTyIWIZDIYcKOMecRqNJFOew2IT0Inus=
github.com/google/go-tspi v0.3.0/go.mod h1:xfMGI3G0PhxCdNVcYr1C4C+EizojDg/TXuX5by8CiHI=
github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/googleapis/enterprise-certificate-proxy v0.3.11 h1:vAe81Msw+8tKUxi2Dqh/NZMz7475yUvmRIkXr4oN2ao=
github.com/googleapis/enterprise-certificate-proxy v0.3.11/go.mod h1:RFV7MUdlb7AgEq2v7FmMCfeSMCllAzWxFgRdusoGks8=
github.com/googleapis/gax-go/v2 v2.17.0 h1:RksgfBpxqff0EZkDWYuz9q/uWsTVz+kf43LsZ1J6SMc=
github.com/googleapis/gax-go/v2 v2.17.0/go.mod h1:mzaqghpQp4JDh3HvADwrat+6M3MOIDp5YKHhb9PAgDY=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7 h1:X+2YciYSxvMQK0UZ7sg45ZVabVZBeBuvMkmuI2V3Fak=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.7/go.mod h1:lW34nIZuQ8UDPdkon5fmfp2l3+ZkQ2me/+oecHYLOII=
github.com/googleapis/enterprise-certificate-proxy v0.3.6 h1:GW/XbdyBFQ8Qe+YAmFU9uHLo7OnF5tL52HFAgMmyrf4=
github.com/googleapis/enterprise-certificate-proxy v0.3.6/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc h1:GN2Lv3MGO7AS6PrRoT6yV5+wkrOpcszoIsO4+4ds248=
github.com/grafana/regexp v0.0.0-20240518133315-a468a5bfb3bc/go.mod h1:+JKpmjMGhpgPL+rXZ5nsZieVzvarn86asRlBg4uNGnk=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 h1:8Tjv8EJ+pM1xP8mK6egEbD1OgnVTyacbefKhmbLhIhU=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2/go.mod h1:pkJQ2tZHJ0aFOVEEot6oZmaVEZcRme73eIFmhiVuRWs=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
@@ -209,8 +208,8 @@ github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk
github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
github.com/klauspost/compress v1.12.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co=
github.com/klauspost/compress v1.18.1/go.mod h1:ZQFFVG+MdnR0P+l6wpXgIL4NTtwiKIdBnrBd8Nrxr+0=
github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -228,16 +227,17 @@ github.com/libdns/libdns v1.1.1/go.mod h1:4Bj9+5CQiNMVGf87wjX4CY3HQJypUHRuLvlsfs
github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYthEiA=
github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/mholt/acmez/v3 v3.1.4 h1:DyzZe/RnAzT3rpZj/2Ii5xZpiEvvYk3cQEN/RmqxwFQ=
github.com/mholt/acmez/v3 v3.1.4/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
github.com/miekg/dns v1.1.70 h1:DZ4u2AV35VJxdD9Fo9fIWm119BsQL5cZU1cQ9s0LkqA=
github.com/miekg/dns v1.1.70/go.mod h1:+EuEPhdHOsfk6Wk5TT2CzssZdqkmFhf8r+aVyDEToIs=
github.com/miekg/dns v1.1.68 h1:jsSRkNozw7G/mnmXULynzMNIsgY2dHC8LO6U6Ij2JEA=
github.com/miekg/dns v1.1.68/go.mod h1:fujopn7TB3Pu3JM69XaawiU0wqjpL9/8xGop5UrTPps=
github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
@@ -253,8 +253,8 @@ github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58/go.mod h1:DXv8WO4yhM
github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
github.com/peterbourgon/diskv/v3 v3.0.1 h1:x06SQA46+PKIUftmEujdwSEpIx8kR+M9eLYsUxeYveU=
github.com/peterbourgon/diskv/v3 v3.0.1/go.mod h1:kJ5Ny7vLdARGU3WUuy6uzO6T0nb/2gWcT1JiBvRmb5o=
github.com/pires/go-proxyproto v0.11.0 h1:gUQpS85X/VJMdUsYyEgyn59uLJvGqPhJV5YvG68wXH4=
github.com/pires/go-proxyproto v0.11.0/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
github.com/pires/go-proxyproto v0.8.1 h1:9KEixbdJfhrbtjpz/ZwCdWDD2Xem0NZ38qMYaASJgp0=
github.com/pires/go-proxyproto v0.8.1/go.mod h1:ZKAAyp3cgy5Y5Mo4n9AlScrkCZwUy0g3Jf+slqQVcuU=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -266,18 +266,18 @@ github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h
github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
github.com/prometheus/otlptranslator v1.0.0 h1:s0LJW/iN9dkIH+EnhiD3BlkkP5QVIUVEoIwkU+A6qos=
github.com/prometheus/otlptranslator v1.0.0/go.mod h1:vRYWnXvI6aWGpsdY/mOT/cbeVRBlPWtBNDb7kGR3uKM=
github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
github.com/quic-go/quic-go v0.59.0 h1:OLJkp1Mlm/aS7dpKgTc6cnpynnD2Xg7C1pwL6vy/SAw=
github.com/quic-go/quic-go v0.59.0/go.mod h1:upnsH4Ju1YkqpLXC305eW3yDZ4NfnNbmQRCMWS58IKU=
github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
github.com/prometheus/common v0.67.1 h1:OTSON1P4DNxzTg4hmKCc37o4ZAZDv0cfXLkOt0oEowI=
github.com/prometheus/common v0.67.1/go.mod h1:RpmT9v35q2Y+lsieQsdOh5sXZ6ajUGC8NjZAmr8vb0Q=
github.com/prometheus/otlptranslator v0.0.2 h1:+1CdeLVrRQ6Psmhnobldo0kTp96Rj80DRXRd5OSnMEQ=
github.com/prometheus/otlptranslator v0.0.2/go.mod h1:P8AwMgdD7XEr6QRUJ2QWLpiAZTgTE2UYgjlu3svompI=
github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
github.com/quic-go/quic-go v0.56.0 h1:q/TW+OLismmXAehgFLczhCDTYB3bFmua4D9lsNBWxvY=
github.com/quic-go/quic-go v0.56.0/go.mod h1:9gx5KsFQtw2oZ6GZTyh+7YEvOxWCL9WZAepnHxgAo6c=
github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
@@ -289,26 +289,28 @@ github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp
github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
github.com/slackhq/nebula v1.10.3 h1:EstYj8ODEcv6T0R9X5BVq1zgWZnyU5gtPzk99QF1PMU=
github.com/slackhq/nebula v1.10.3/go.mod h1:IL5TUQm4x9IFx2kCKPYm1gP47pwd5b8QGnnBH2RHnvs=
github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
github.com/slackhq/nebula v1.9.7 h1:v5u46efIyYHGdfjFnozQbRRhMdaB9Ma1SSTcUcE2lfE=
github.com/slackhq/nebula v1.9.7/go.mod h1:1+4q4wd3dDAjO8rKCttSb9JIVbklQhuJiBp5I0lbIsQ=
github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY=
github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262/go.mod h1:MyOHs9Po2fbM1LHej6sBUT8ozbxmMOFG+E+rx/GSGuc=
github.com/smallstep/certificates v0.30.0-rc2.0.20260211214201-20608299c29c h1:XQpX0IPYUAoJ661YlgfOJmY48ZOhIbglw4E2gw9mcyc=
github.com/smallstep/certificates v0.30.0-rc2.0.20260211214201-20608299c29c/go.mod h1:75NRLmYJq6ZcCb8ApJc+W1eL4oMYwjeufMJDHpv4rx4=
github.com/smallstep/cli-utils v0.12.2 h1:lGzM9PJrH/qawbzMC/s2SvgLdJPKDWKwKzx9doCVO+k=
github.com/smallstep/cli-utils v0.12.2/go.mod h1:uCPqefO29goHLGqFnwk0i8W7XJu18X3WHQFRtOm/00Y=
github.com/smallstep/certificates v0.28.4 h1:JTU6/A5Xes6m+OsR6fw1RACSA362vJc9SOFVG7poBEw=
github.com/smallstep/certificates v0.28.4/go.mod h1:LUqo+7mKZE7FZldlTb0zhU4A0bq4G4+akieFMcTaWvA=
github.com/smallstep/cli-utils v0.12.1 h1:D9QvfbFqiKq3snGZ2xDcXEFrdFJ1mQfPHZMq/leerpE=
github.com/smallstep/cli-utils v0.12.1/go.mod h1:skV2Neg8qjiKPu2fphM89H9bIxNpKiiRTnX9Q6Lc+20=
github.com/smallstep/go-attestation v0.4.4-0.20241119153605-2306d5b464ca h1:VX8L0r8vybH0bPeaIxh4NQzafKQiqvlOn8pmOXbFLO4=
github.com/smallstep/go-attestation v0.4.4-0.20241119153605-2306d5b464ca/go.mod h1:vNAduivU014fubg6ewygkAvQC0IQVXqdc8vaGl/0er4=
github.com/smallstep/linkedca v0.25.0 h1:txT9QHGbCsJq0MhAghBq7qhurGY727tQuqUi+n4BVBo=
github.com/smallstep/linkedca v0.25.0/go.mod h1:Q3jVAauFKNlF86W5/RFtgQeyDKz98GL/KN3KG4mJOvc=
github.com/smallstep/linkedca v0.23.0 h1:5W/7EudlK1HcCIdZM68dJlZ7orqCCCyv6bm2l/0JmLU=
github.com/smallstep/linkedca v0.23.0/go.mod h1:7cyRM9soAYySg9ag65QwytcgGOM+4gOlkJ/YA58A9E8=
github.com/smallstep/nosql v0.7.0 h1:YiWC9ZAHcrLCrayfaF+QJUv16I2bZ7KdLC3RpJcnAnE=
github.com/smallstep/nosql v0.7.0/go.mod h1:H5VnKMCbeq9QA6SRY5iqPylfxLfYcLwvUff3onQ8+HU=
github.com/smallstep/pkcs7 v0.0.0-20240911091500-b1cae6277023/go.mod h1:CM5KrX7rxWgwDdMj9yef/pJB2OPgy/56z4IEx2UIbpc=
github.com/smallstep/pkcs7 v0.2.1 h1:6Kfzr/QizdIuB6LSv8y1LJdZ3aPSfTNhTLqAx9CTLfA=
github.com/smallstep/pkcs7 v0.2.1/go.mod h1:RcXHsMfL+BzH8tRhmrF1NkkpebKpq3JEM66cOFxanf0=
github.com/smallstep/scep v0.0.0-20250318231241-a25cabb69492 h1:k23+s51sgYix4Zgbvpmy+1ZgXLjr4ZTkBTqXmpnImwA=
github.com/smallstep/scep v0.0.0-20250318231241-a25cabb69492/go.mod h1:QQhwLqCS13nhv8L5ov7NgusowENUtXdEzdytjmJHdZQ=
github.com/smallstep/scep v0.0.0-20240926084937-8cf1ca453101 h1:LyZqn24/ZiVg8v9Hq07K6mx6RqPtpDeK+De5vf4QEY4=
github.com/smallstep/scep v0.0.0-20240926084937-8cf1ca453101/go.mod h1:EuKQjYGQwhUa1mgD21zxIgOgUYLsqikJmvxNscxpS/Y=
github.com/smallstep/truststore v0.13.0 h1:90if9htAOblavbMeWlqNLnO9bsjjgVv2hQeQJCi/py4=
github.com/smallstep/truststore v0.13.0/go.mod h1:3tmMp2aLKZ/OA/jnFUB0cYPcho402UG2knuJoPh4j7A=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
@@ -319,14 +321,16 @@ github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkU
github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
github.com/stoewer/go-strcase v1.2.0 h1:Z2iHWqGXH00XYgqDmNgQbIBxf3wrNq0F3feEy0ainaU=
github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -334,6 +338,7 @@ github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/
github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
@@ -341,10 +346,8 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
github.com/tailscale/tscert v0.0.0-20251216020129-aea342f6d747 h1:RnBbFMmodYzhC6adOjTbtUQXyzV8dcvKYbolzs6Qch0=
github.com/tailscale/tscert v0.0.0-20251216020129-aea342f6d747/go.mod h1:ejPAJui3kVK4u5TgMtqtXlWf5HnKh9fLy5kvpaeuas0=
github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53 h1:uxMgm0C+EjytfAqyfBG55ZONKQ7mvd7x4YYCWsf8QHQ=
github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
github.com/urfave/cli v1.22.17 h1:SYzXoiPfQjHBbkYxbew5prZHS1TOLT3ierW8SYLqtVQ=
github.com/urfave/cli v1.22.17/go.mod h1:b0ht0aqgH/6pBYzzxURyrM4xXNgsoT/n2ZzwQiEhNVo=
@@ -353,8 +356,8 @@ github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcY
github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc h1:+IAOyRda+RLrxa1WC7umKOZRsGq4QrFFMYApOeHzQwQ=
github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc/go.mod h1:ovIvrum6DQJA4QsJSovrkC4saKHQVs7TvcaeO8AIl5I=
github.com/zeebo/assert v1.1.0 h1:hU1L1vLTHsnO8x8c9KAR5GmM5QscxHg5RNU5z5qbUWY=
@@ -365,68 +368,68 @@ github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0=
go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ=
go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
go.opentelemetry.io/contrib/bridges/prometheus v0.65.0 h1:I/7S/yWobR3QHFLqHsJ8QOndoiFsj1VgHpQiq43KlUI=
go.opentelemetry.io/contrib/bridges/prometheus v0.65.0/go.mod h1:jPF6gn3y1E+nozCAEQj3c6NZ8KY+tvAgSVfvoOJUFac=
go.opentelemetry.io/contrib/exporters/autoexport v0.65.0 h1:2gApdml7SznX9szEKFjKjM4qGcGSvAybYLBY319XG3g=
go.opentelemetry.io/contrib/exporters/autoexport v0.65.0/go.mod h1:0QqAGlbHXhmPYACG3n5hNzO5DnEqqtg4VcK5pr22RI0=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/contrib/bridges/prometheus v0.63.0 h1:/Rij/t18Y7rUayNg7Id6rPrEnHgorxYabm2E6wUdPP4=
go.opentelemetry.io/contrib/bridges/prometheus v0.63.0/go.mod h1:AdyDPn6pkbkt2w01n3BubRVk7xAsCRq1Yg1mpfyA/0E=
go.opentelemetry.io/contrib/exporters/autoexport v0.63.0 h1:NLnZybb9KkfMXPwZhd5diBYJoVxiO9Qa06dacEA7ySY=
go.opentelemetry.io/contrib/exporters/autoexport v0.63.0/go.mod h1:OvRg7gm5WRSCtxzGSsrFHbDLToYlStHNZQ+iPNIyD6g=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0 h1:7iP2uCb7sGddAr30RRS6xjKy7AZ2JtTOPA3oolgVSw8=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.65.0/go.mod h1:c7hN3ddxs/z6q9xwvfLPk+UHlWRQyaeR1LdgfL/66l0=
go.opentelemetry.io/contrib/propagators/autoprop v0.65.0 h1:kTaCycF9Xkm8VBBvH0rJ4wFeRjtIV55Erk3uuVsIs5s=
go.opentelemetry.io/contrib/propagators/autoprop v0.65.0/go.mod h1:rooPzAbXfxMX9fsPJjmOBg2SN4RhFEV8D7cfGK+N3tE=
go.opentelemetry.io/contrib/propagators/aws v1.40.0 h1:4VIrh75jW4RTimUNx1DSk+6H9/nDr1FvmKoOVDh3K04=
go.opentelemetry.io/contrib/propagators/aws v1.40.0/go.mod h1:B0dCov9KNQGlut3T8wZZjDnLXEXdBroM7bFsHh/gRos=
go.opentelemetry.io/contrib/propagators/b3 v1.40.0 h1:xariChe8OOVF3rNlfzGFgQc61npQmXhzZj/i82mxMfg=
go.opentelemetry.io/contrib/propagators/b3 v1.40.0/go.mod h1:72WvbdxbOfXaELEQfonFfOL6osvcVjI7uJEE8C2nkrs=
go.opentelemetry.io/contrib/propagators/jaeger v1.40.0 h1:aXl9uobjJs5vquMLt9ZkI/3zIuz8XQ3TqOKSWx0/xdU=
go.opentelemetry.io/contrib/propagators/jaeger v1.40.0/go.mod h1:ioMePqe6k6c/ovXSkmkMr1mbN5qRBGJxNTVop7/2XO0=
go.opentelemetry.io/contrib/propagators/ot v1.40.0 h1:Lon8J5SPmWaL1Ko2TIlCNHJ42/J1b5XbJlgJaE/9m7I=
go.opentelemetry.io/contrib/propagators/ot v1.40.0/go.mod h1:dKWtJTlp1Yj+8Cneye5idO46eRPIbi23qVuJYKjNnvY=
go.opentelemetry.io/otel v1.40.0 h1:oA5YeOcpRTXq6NN7frwmwFR0Cn3RhTVZvXsP4duvCms=
go.opentelemetry.io/otel v1.40.0/go.mod h1:IMb+uXZUKkMXdPddhwAHm6UfOwJyh4ct1ybIlV14J0g=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0 h1:ZVg+kCXxd9LtAaQNKBxAvJ5NpMf7LpvEr4MIZqb0TMQ=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.16.0/go.mod h1:hh0tMeZ75CCXrHd9OXRYxTlCAdxcXioWHFIpYw2rZu8=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0 h1:djrxvDxAe44mJUrKataUbOhCKhR3F8QCyWucO16hTQs=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.16.0/go.mod h1:dt3nxpQEiSoKvfTVxp3TUg5fHPLhKtbcnN3Z1I1ePD0=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0 h1:NOyNnS19BF2SUDApbOKbDtWZ0IK7b8FJ2uAGdIWOGb0=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.40.0/go.mod h1:VL6EgVikRLcJa9ftukrHu/ZkkhFBSo1lzvdBC9CF1ss=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0 h1:9y5sHvAxWzft1WQ4BwqcvA+IFVUJ1Ya75mSAUnFEVwE=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.40.0/go.mod h1:eQqT90eR3X5Dbs1g9YSM30RavwLF725Ris5/XSXWvqE=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0 h1:QKdN8ly8zEMrByybbQgv8cWBcdAarwmIPZ6FThrWXJs=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.40.0/go.mod h1:bTdK1nhqF76qiPoCCdyFIV+N/sRHYXYCTQc+3VCi3MI=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0 h1:DvJDOPmSWQHWywQS6lKL+pb8s3gBLOZUtw4N+mavW1I=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.40.0/go.mod h1:EtekO9DEJb4/jRyN4v4Qjc2yA7AtfCBuz2FynRUWTXs=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0 h1:wVZXIWjQSeSmMoxF74LzAnpVQOAFDo3pPji9Y4SOFKc=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.40.0/go.mod h1:khvBS2IggMFNwZK/6lEeHg/W57h/IX6J4URh57fuI40=
go.opentelemetry.io/otel/exporters/prometheus v0.62.0 h1:krvC4JMfIOVdEuNPTtQ0ZjCiXrybhv+uOHMfHRmnvVo=
go.opentelemetry.io/otel/exporters/prometheus v0.62.0/go.mod h1:fgOE6FM/swEnsVQCqCnbOfRV4tOnWPg7bVeo4izBuhQ=
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.16.0 h1:ivlbaajBWJqhcCPniDqDJmRwj4lc6sRT+dCAVKNmxlQ=
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.16.0/go.mod h1:u/G56dEKDDwXNCVLsbSrllB2o8pbtFLUC4HpR66r2dc=
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0 h1:ZrPRak/kS4xI3AVXy8F7pipuDXmDsrO8Lg+yQjBLjw0=
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.40.0/go.mod h1:3y6kQCWztq6hyW8Z9YxQDDm0Je9AJoFar2G0yDcmhRk=
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.40.0 h1:MzfofMZN8ulNqobCmCAVbqVL5syHw+eB2qPRkCMA/fQ=
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.40.0/go.mod h1:E73G9UFtKRXrxhBsHtG00TB5WxX57lpsQzogDkqBTz8=
go.opentelemetry.io/otel/log v0.16.0 h1:DeuBPqCi6pQwtCK0pO4fvMB5eBq6sNxEnuTs88pjsN4=
go.opentelemetry.io/otel/log v0.16.0/go.mod h1:rWsmqNVTLIA8UnwYVOItjyEZDbKIkMxdQunsIhpUMes=
go.opentelemetry.io/otel/metric v1.40.0 h1:rcZe317KPftE2rstWIBitCdVp89A2HqjkxR3c11+p9g=
go.opentelemetry.io/otel/metric v1.40.0/go.mod h1:ib/crwQH7N3r5kfiBZQbwrTge743UDc7DTFVZrrXnqc=
go.opentelemetry.io/otel/sdk v1.40.0 h1:KHW/jUzgo6wsPh9At46+h4upjtccTmuZCFAc9OJ71f8=
go.opentelemetry.io/otel/sdk v1.40.0/go.mod h1:Ph7EFdYvxq72Y8Li9q8KebuYUr2KoeyHx0DRMKrYBUE=
go.opentelemetry.io/otel/sdk/log v0.16.0 h1:e/b4bdlQwC5fnGtG3dlXUrNOnP7c8YLVSpSfEBIkTnI=
go.opentelemetry.io/otel/sdk/log v0.16.0/go.mod h1:JKfP3T6ycy7QEuv3Hj8oKDy7KItrEkus8XJE6EoSzw4=
go.opentelemetry.io/otel/sdk/log/logtest v0.16.0 h1:/XVkpZ41rVRTP4DfMgYv1nEtNmf65XPPyAdqV90TMy4=
go.opentelemetry.io/otel/sdk/log/logtest v0.16.0/go.mod h1:iOOPgQr5MY9oac/F5W86mXdeyWZGleIx3uXO98X2R6Y=
go.opentelemetry.io/otel/sdk/metric v1.40.0 h1:mtmdVqgQkeRxHgRv4qhyJduP3fYJRMX4AtAlbuWdCYw=
go.opentelemetry.io/otel/sdk/metric v1.40.0/go.mod h1:4Z2bGMf0KSK3uRjlczMOeMhKU2rhUqdWNoKcYrtcBPg=
go.opentelemetry.io/otel/trace v1.40.0 h1:WA4etStDttCSYuhwvEa8OP8I5EWu24lkOzp+ZYblVjw=
go.opentelemetry.io/otel/trace v1.40.0/go.mod h1:zeAhriXecNGP/s2SEG3+Y8X9ujcJOTqQ5RgdEJcawiA=
go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A=
go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4=
go.step.sm/crypto v0.76.0 h1:K23BSaeoiY7Y5dvvijTeYC9EduDBetNwQYMBwMhi1aA=
go.step.sm/crypto v0.76.0/go.mod h1:PXYJdKkK8s+GHLwLguFaLxHNAFsFL3tL1vSBrYfey5k=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 h1:RbKq8BG0FI8OiXhBfcRtqqHcZcka+gU3cskNuf05R18=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0/go.mod h1:h06DGIukJOevXaj/xrNjhi/2098RZzcLTbc0jDAUbsg=
go.opentelemetry.io/contrib/propagators/autoprop v0.63.0 h1:S3+4UwR3Y1tUKklruMwOacAFInNvtuOexz4ZTmJNAyw=
go.opentelemetry.io/contrib/propagators/autoprop v0.63.0/go.mod h1:qpIuOggbbw2T9nKRaO1je/oTRKd4zslAcJonN8LYbTg=
go.opentelemetry.io/contrib/propagators/aws v1.38.0 h1:eRZ7asSbLc5dH7+TBzL6hFKb1dabz0IV51uUUwYRZts=
go.opentelemetry.io/contrib/propagators/aws v1.38.0/go.mod h1:wXqc9NTGcXapBExHBDVLEZlByu6quiQL8w7Tjgv8TCg=
go.opentelemetry.io/contrib/propagators/b3 v1.38.0 h1:uHsCCOSKl0kLrV2dLkFK+8Ywk9iKa/fptkytc6aFFEo=
go.opentelemetry.io/contrib/propagators/b3 v1.38.0/go.mod h1:wMRSZJZcY8ya9mApLLhwIMjqmApy2o/Ml+62lhvxyHU=
go.opentelemetry.io/contrib/propagators/jaeger v1.38.0 h1:nXGeLvT1QtCAhkASkP/ksjkTKZALIaQBIW+JSIw1KIc=
go.opentelemetry.io/contrib/propagators/jaeger v1.38.0/go.mod h1:oMvOXk78ZR3KEuPMBgp/ThAMDy9ku/eyUVztr+3G6Wo=
go.opentelemetry.io/contrib/propagators/ot v1.38.0 h1:k4gSyyohaDXI8F9BDXYC3uO2vr5sRNeQFMsN9Zn0EoI=
go.opentelemetry.io/contrib/propagators/ot v1.38.0/go.mod h1:2hDsuiHRO39SRUMhYGqmj64z/IuMRoxE4bBSFR82Lo8=
go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0 h1:OMqPldHt79PqWKOMYIAQs3CxAi7RLgPxwfFSwr4ZxtM=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.14.0/go.mod h1:1biG4qiqTxKiUCtoWDPpL3fB3KxVwCiGw81j3nKMuHE=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0 h1:QQqYw3lkrzwVsoEX0w//EhH/TCnpRdEenKBOOEIMjWc=
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.14.0/go.mod h1:gSVQcr17jk2ig4jqJ2DX30IdWH251JcNAecvrqTxH1s=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 h1:vl9obrcoWVKp/lwl8tRE33853I8Xru9HFbw/skNeLs8=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0/go.mod h1:GAXRxmLJcVM3u22IjTg74zWBrRCKq8BnOqUVLodpcpw=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 h1:Oe2z/BCg5q7k4iXC3cqJxKYg0ieRiOqF0cecFYdPTwk=
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0/go.mod h1:ZQM5lAJpOsKnYagGg/zV2krVqTtaVdYdDkhMoX6Oalg=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 h1:GqRJVj7UmLjCVyVJ3ZFLdPRmhDUp2zFmQe3RHIOsw24=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0/go.mod h1:ri3aaHSmCTVYu2AWv44YMauwAQc0aqI9gHKIcSbI1pU=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 h1:lwI4Dc5leUqENgGuQImwLo4WnuXFPetmPpkLi2IrX54=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0/go.mod h1:Kz/oCE7z5wuyhPxsXDuaPteSWqjSBD5YaSdbxZYGbGk=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 h1:aTL7F04bJHUlztTsNGJ2l+6he8c+y/b//eR0jjjemT4=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0/go.mod h1:kldtb7jDTeol0l3ewcmd8SDvx3EmIE7lyvqbasU3QC4=
go.opentelemetry.io/otel/exporters/prometheus v0.60.0 h1:cGtQxGvZbnrWdC2GyjZi0PDKVSLWP/Jocix3QWfXtbo=
go.opentelemetry.io/otel/exporters/prometheus v0.60.0/go.mod h1:hkd1EekxNo69PTV4OWFGZcKQiIqg0RfuWExcPKFvepk=
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0 h1:B/g+qde6Mkzxbry5ZZag0l7QrQBCtVm7lVjaLgmpje8=
go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.14.0/go.mod h1:mOJK8eMmgW6ocDJn6Bn11CcZ05gi3P8GylBXEkZtbgA=
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0 h1:wm/Q0GAAykXv83wzcKzGGqAnnfLFyFe7RslekZuv+VI=
go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.38.0/go.mod h1:ra3Pa40+oKjvYh+ZD3EdxFZZB0xdMfuileHAm4nNN7w=
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0 h1:kJxSDN4SgWWTjG/hPp3O7LCGLcHXFlvS2/FFOrwL+SE=
go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0/go.mod h1:mgIOzS7iZeKJdeB8/NYHrJ48fdGc71Llo5bJ1J4DWUE=
go.opentelemetry.io/otel/log v0.14.0 h1:2rzJ+pOAZ8qmZ3DDHg73NEKzSZkhkGIua9gXtxNGgrM=
go.opentelemetry.io/otel/log v0.14.0/go.mod h1:5jRG92fEAgx0SU/vFPxmJvhIuDU9E1SUnEQrMlJpOno=
go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
go.opentelemetry.io/otel/sdk/log v0.14.0 h1:JU/U3O7N6fsAXj0+CXz21Czg532dW2V4gG1HE/e8Zrg=
go.opentelemetry.io/otel/sdk/log v0.14.0/go.mod h1:imQvII+0ZylXfKU7/wtOND8Hn4OpT3YUoIgqJVksUkM=
go.opentelemetry.io/otel/sdk/log/logtest v0.14.0 h1:Ijbtz+JKXl8T2MngiwqBlPaHqc4YCaP/i13Qrow6gAM=
go.opentelemetry.io/otel/sdk/log/logtest v0.14.0/go.mod h1:dCU8aEL6q+L9cYTqcVOk8rM9Tp8WdnHOPLiBgp0SGOA=
go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
go.step.sm/crypto v0.74.0 h1:/APBEv45yYR4qQFg47HA8w1nesIGcxh44pGyQNw6JRA=
go.step.sm/crypto v0.74.0/go.mod h1:UoXqCAJjjRgzPte0Llaqen7O9P7XjPmgjgTHQGkKCDk=
go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -435,34 +438,33 @@ go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
go.uber.org/zap/exp v0.3.0 h1:6JYzdifzYkGmTdRR59oYH+Ng7k49H9qVpWwNSsGJj3U=
go.uber.org/zap/exp v0.3.0/go.mod h1:5I384qq7XGxYyByIhHm6jg5CHkGY0nsTfbDLgDDlgJQ=
go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
golang.org/x/crypto/x509roots/fallback v0.0.0-20250927194341-2beaa59a3c99 h1:CH0o4/bZX6KIUCjjgjmtNtfM/kXSkTYlzTOB9vZF45g=
golang.org/x/crypto/x509roots/fallback v0.0.0-20250927194341-2beaa59a3c99/go.mod h1:MEIPiCnxvQEjA4astfaKItNwEVZA5Ki+3+nyGbJ5N18=
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 h1:SbTAbRFnd5kjQXbczszQ0hdk3ctwYf3qBNH9jIsGclE=
golang.org/x/exp v0.0.0-20250813145105-42675adae3e6/go.mod h1:4QTo5u+SEIbbKW1RacMZq1YEfOBqeXa19JeshGi+zc4=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -471,37 +473,42 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
golang.org/x/oauth2 v0.32.0 h1:jsCblLleRMDrxMN29H3z/k1KliIvpLgCkE6R8FXXNgY=
golang.org/x/oauth2 v0.32.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190626221950-04f50cda93cb/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -510,9 +517,10 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -521,9 +529,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -532,25 +541,25 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
google.golang.org/api v0.265.0 h1:FZvfUdI8nfmuNrE34aOWFPmLC+qRBEiNm3JdivTvAAU=
google.golang.org/api v0.265.0/go.mod h1:uAvfEl3SLUj/7n6k+lJutcswVojHPp2Sp08jWCu8hLY=
google.golang.org/genproto v0.0.0-20260128011058-8636f8732409 h1:VQZ/yAbAtjkHgH80teYd2em3xtIkkHd7ZhqfH2N9CsM=
google.golang.org/genproto v0.0.0-20260128011058-8636f8732409/go.mod h1:rxKD3IEILWEu3P44seeNOAwZN4SaoKaQ/2eTg4mM6EM=
google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409 h1:merA0rdPeUV3YIIfHHcH4qBkiQAc1nfCKSI7lB4cV2M=
google.golang.org/genproto/googleapis/api v0.0.0-20260128011058-8636f8732409/go.mod h1:fl8J1IvUjCilwZzQowmw2b7HQB2eAuYBabMXzWurF+I=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409 h1:H86B94AW+VfJWDqFeEbBPhEtHzJwJfTbgE2lZa54ZAQ=
google.golang.org/genproto/googleapis/rpc v0.0.0-20260128011058-8636f8732409/go.mod h1:j9x/tPzZkyxcgEFkiKEEGxfvyumM01BEtsW8xzOahRQ=
google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc=
google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U=
google.golang.org/api v0.254.0 h1:jl3XrGj7lRjnlUvZAbAdhINTLbsg5dbjmR90+pTQvt4=
google.golang.org/api v0.254.0/go.mod h1:5BkSURm3D9kAqjGvBNgf0EcbX6Rnrf6UArKkwBzAyqQ=
google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 h1:BIRfGDEjiHRrk0QKZe3Xv2ieMhtgRGeLcZQ0mIVn4EY=
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5/go.mod h1:j3QtIyytwqGr1JUDtYXwtMXWPKsEa5LtzIFN1Wn5WvE=
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 h1:M1rk8KBnUsBDg1oPGHNCxG4vc1f49epmTO7xscSajMk=
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
google.golang.org/grpc v1.76.0 h1:UnVkv1+uMLYXoIz6o7chp59WfQUYA2ex/BXQ9rHZu7A=
google.golang.org/grpc v1.76.0/go.mod h1:Ju12QI8M6iQJtbcsV+awF5a4hfJMLi4X0JLo94ULZ6c=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1 h1:F29+wU6Ee6qgu9TddPgooOdaqsxTMunOoj8KA5yuS5A=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.5.1/go.mod h1:5KF+wpkbTSbGcR9zteSqZV6fqFOWBl4Yde8En8MryZA=
google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
listeners.go
+8 -32
View File
@@ -511,7 +511,7 @@ func JoinNetworkAddress(network, host, port string) string {
//
// NOTE: This API is EXPERIMENTAL and may be changed or removed.
// NOTE: user should close the returned listener twice, once to stop accepting new connections, the second time to free up the packet conn.
func (na NetworkAddress) ListenQUIC(ctx context.Context, portOffset uint, config net.ListenConfig, tlsConf *tls.Config, pcWrappers []PacketConnWrapper, allow0rttconf *bool) (http3.QUICListener, error) {
func (na NetworkAddress) ListenQUIC(ctx context.Context, portOffset uint, config net.ListenConfig, tlsConf *tls.Config) (http3.QUICListener, error) {
lnKey := listenerKey("quic"+na.Network, na.JoinHostPort(portOffset))
sharedEarlyListener, _, err := listenerPool.LoadOrNew(lnKey, func() (Destructor, error) {
@@ -523,19 +523,12 @@ func (na NetworkAddress) ListenQUIC(ctx context.Context, portOffset uint, config
ln := lnAny.(net.PacketConn)
h3ln := ln
if len(pcWrappers) == 0 {
for {
// retrieve the underlying socket, so quic-go can optimize.
if unwrapper, ok := h3ln.(interface{ Unwrap() net.PacketConn }); ok {
h3ln = unwrapper.Unwrap()
} else {
break
}
}
} else {
// wrap packet conn before QUIC
for _, pcWrapper := range pcWrappers {
h3ln = pcWrapper.WrapPacketConn(h3ln)
for {
// retrieve the underlying socket, so quic-go can optimize.
if unwrapper, ok := h3ln.(interface{ Unwrap() net.PacketConn }); ok {
h3ln = unwrapper.Unwrap()
} else {
break
}
}
@@ -550,14 +543,10 @@ func (na NetworkAddress) ListenQUIC(ctx context.Context, portOffset uint, config
Conn: h3ln,
VerifySourceAddress: func(addr net.Addr) bool { return !limiter.Allow() },
}
allow0rtt := true
if allow0rttconf != nil {
allow0rtt = *allow0rttconf
}
earlyLn, err := tr.ListenEarly(
http3.ConfigureTLSConfig(quicTlsConfig),
&quic.Config{
Allow0RTT: allow0rtt,
Allow0RTT: true,
Tracer: h3qlog.DefaultConnectionTracer,
},
)
@@ -786,19 +775,6 @@ type ListenerWrapper interface {
WrapListener(net.Listener) net.Listener
}
// PacketConnWrapper is a type that wraps a packet conn
// so it can modify the input packet conn methods.
// Modules that implement this interface are found
// in the caddy.packetconns namespace. Usually, to
// wrap a packet conn, you will define your own struct
// type that embeds the input packet conn, then
// implement your own methods that you want to wrap,
// calling the underlying packet conn methods where
// appropriate.
type PacketConnWrapper interface {
WrapPacketConn(net.PacketConn) net.PacketConn
}
// listenerPool stores and allows reuse of active listeners.
var listenerPool = NewUsagePool()
modules.go
+1 -5
View File
@@ -342,11 +342,7 @@ func ParseStructTag(tag string) (map[string]string, error) {
func StrictUnmarshalJSON(data []byte, v any) error {
dec := json.NewDecoder(bytes.NewReader(data))
dec.DisallowUnknownFields()
err := dec.Decode(v)
if jsonErr, ok := err.(*json.SyntaxError); ok {
return fmt.Errorf("%w, at offset %d", jsonErr, jsonErr.Offset)
}
return err
return dec.Decode(v)
}
var JSONRawMessageType = reflect.TypeFor[json.RawMessage]()
modules/caddyhttp/app.go
-16
View File
@@ -51,7 +51,6 @@ func init() {
// Placeholder | Description
// ------------|---------------
// `{http.request.body}` | The request body (⚠️ inefficient; use only for debugging)
// `{http.request.body_base64}` | The request body, base64-encoded (⚠️ for debugging)
// `{http.request.cookie.*}` | HTTP request cookie
// `{http.request.duration}` | Time up to now spent handling the request (after decoding headers from client)
// `{http.request.duration_ms}` | Same as 'duration', but in milliseconds.
@@ -83,7 +82,6 @@ func init() {
// `{http.request.tls.proto}` | The negotiated next protocol
// `{http.request.tls.proto_mutual}` | The negotiated next protocol was advertised by the server
// `{http.request.tls.server_name}` | The server name requested by the client, if any
// `{http.request.tls.ech}` | Whether ECH was offered by the client and accepted by the server
// `{http.request.tls.client.fingerprint}` | The SHA256 checksum of the client certificate
// `{http.request.tls.client.public_key}` | The public key of the client certificate.
// `{http.request.tls.client.public_key_sha256}` | The SHA256 checksum of the client's public key.
@@ -348,20 +346,6 @@ func (app *App) Provision(ctx caddy.Context) error {
srv.listenerWrappers = append([]caddy.ListenerWrapper{new(tlsPlaceholderWrapper)}, srv.listenerWrappers...)
}
}
// set up each packet conn modifier
if srv.PacketConnWrappersRaw != nil {
vals, err := ctx.LoadModule(srv, "PacketConnWrappersRaw")
if err != nil {
return fmt.Errorf("loading packet conn wrapper modules: %v", err)
}
// if any wrappers were configured, they come before the QUIC handshake;
// unlike TLS above, there is no QUIC placeholder
for _, val := range vals.([]any) {
srv.packetConnWrappers = append(srv.packetConnWrappers, val.(caddy.PacketConnWrapper))
}
}
// pre-compile the primary handler chain, and be sure to wrap it in our
// route handler so that important security checks are done, etc.
primaryRoute := emptyHandler
modules/caddyhttp/autohttps.go
+3 -23
View File
@@ -90,16 +90,7 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
// the log configuration for an HTTPS enabled server
var logCfg *ServerLogConfig
// Sort server names to ensure deterministic iteration.
// This prevents race conditions where the order of server processing
// could affect which server gets assigned the HTTP->HTTPS redirect listener.
srvNames := make([]string, 0, len(app.Servers))
for name := range app.Servers {
srvNames = append(srvNames, name)
}
slices.Sort(srvNames)
for _, srvName := range srvNames {
srv := app.Servers[srvName]
for srvName, srv := range app.Servers {
// as a prerequisite, provision route matchers; this is
// required for all routes on all servers, and must be
// done before we attempt to do phase 1 of auto HTTPS,
@@ -407,26 +398,15 @@ uniqueDomainsLoop:
return append(routes, app.makeRedirRoute(uint(app.httpsPort()), MatcherSet{MatchProtocol("http")}))
}
// Sort redirect addresses to ensure deterministic process
redirServerAddrsSorted := make([]string, 0, len(redirServers))
for addr := range redirServers {
redirServerAddrsSorted = append(redirServerAddrsSorted, addr)
}
slices.Sort(redirServerAddrsSorted)
redirServersLoop:
for _, redirServerAddr := range redirServerAddrsSorted {
routes := redirServers[redirServerAddr]
for redirServerAddr, routes := range redirServers {
// for each redirect listener, see if there's already a
// server configured to listen on that exact address; if so,
// insert the redirect route to the end of its route list
// after any other routes with host matchers; otherwise,
// we'll create a new server for all the listener addresses
// that are unused and serve the remaining redirects from it
// Use the sorted srvNames to consistently find the target server
for _, srvName := range srvNames {
srv := app.Servers[srvName]
for _, srv := range app.Servers {
// only look at servers which listen on an address which
// we want to add redirects to
if !srv.hasListenerAddress(redirServerAddr) {
modules/caddyhttp/caddyauth/basicauth.go
+3 -3
View File
@@ -19,7 +19,7 @@ import (
"encoding/hex"
"encoding/json"
"fmt"
weakrand "math/rand/v2"
weakrand "math/rand"
"net/http"
"strings"
"sync"
@@ -244,7 +244,7 @@ func (c *Cache) makeRoom() {
// strategy; generating random numbers is cheap and
// ensures a much better distribution.
//nolint:gosec
rnd := weakrand.IntN(len(c.cache))
rnd := weakrand.Intn(len(c.cache))
i := 0
for key := range c.cache {
if i == rnd {
@@ -287,7 +287,7 @@ type Account struct {
// The user's hashed password, in Modular Crypt Format (with `$` prefix)
// or base64-encoded.
Password string `json:"password"` //nolint:gosec // false positive, this is a hashed password
Password string `json:"password"`
password []byte
}
modules/caddyhttp/celmatcher.go
+4 -36
View File
@@ -412,12 +412,10 @@ func CELMatcherImpl(macroName, funcName string, matcherDataTypes []*cel.Type, fa
return nil, fmt.Errorf("unsupported matcher data type: %s, %s", matcherDataTypes[0], matcherDataTypes[1])
}
case 3:
// nolint:gosec // false positive, impossible to be out of bounds; see: https://github.com/securego/gosec/issues/1525
if matcherDataTypes[0] == cel.StringType && matcherDataTypes[1] == cel.StringType && matcherDataTypes[2] == cel.StringType {
macro = parser.NewGlobalMacro(macroName, 3, celMatcherStringListMacroExpander(funcName))
matcherDataTypes = []*cel.Type{cel.ListType(cel.StringType)}
} else {
// nolint:gosec // false positive, impossible to be out of bounds; see: https://github.com/securego/gosec/issues/1525
return nil, fmt.Errorf("unsupported matcher data type: %s, %s, %s", matcherDataTypes[0], matcherDataTypes[1], matcherDataTypes[2])
}
}
@@ -667,29 +665,12 @@ func celMatcherJSONMacroExpander(funcName string) parser.MacroExpander {
// map literals containing heterogeneous values, in this case string and list
// of string.
func CELValueToMapStrList(data ref.Val) (map[string][]string, error) {
// Prefer map[string]any, but newer cel-go versions may return map[any]any
mapStrType := reflect.TypeFor[map[string]any]()
mapStrRaw, err := data.ConvertToNative(mapStrType)
var mapStrIface map[string]any
if err != nil {
// Try map[any]any and convert keys to strings
mapAnyType := reflect.TypeFor[map[any]any]()
mapAnyRaw, err2 := data.ConvertToNative(mapAnyType)
if err2 != nil {
return nil, err
}
mapAnyIface := mapAnyRaw.(map[any]any)
mapStrIface = make(map[string]any, len(mapAnyIface))
for k, v := range mapAnyIface {
ks, ok := k.(string)
if !ok {
return nil, fmt.Errorf("unsupported map key type in header match: %T", k)
}
mapStrIface[ks] = v
}
} else {
mapStrIface = mapStrRaw.(map[string]any)
return nil, err
}
mapStrIface := mapStrRaw.(map[string]any)
mapStrListStr := make(map[string][]string, len(mapStrIface))
for k, v := range mapStrIface {
switch val := v.(type) {
@@ -704,26 +685,13 @@ func CELValueToMapStrList(data ref.Val) (map[string][]string, error) {
for i, elem := range val {
strVal, ok := elem.(types.String)
if !ok {
return nil, fmt.Errorf("unsupported value type in matcher input: %T", val)
return nil, fmt.Errorf("unsupported value type in header match: %T", val)
}
convVals[i] = string(strVal)
}
mapStrListStr[k] = convVals
case []any:
convVals := make([]string, len(val))
for i, elem := range val {
switch e := elem.(type) {
case string:
convVals[i] = e
case types.String:
convVals[i] = string(e)
default:
return nil, fmt.Errorf("unsupported element type in matcher input list: %T", elem)
}
}
mapStrListStr[k] = convVals
default:
return nil, fmt.Errorf("unsupported value type in matcher input: %T", val)
return nil, fmt.Errorf("unsupported value type in header match: %T", val)
}
}
return mapStrListStr, nil
modules/caddyhttp/encode/encode.go
+2 -10
View File
@@ -168,8 +168,8 @@ func (enc *Encode) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyh
// caches without knowing about our changes...
if etag := r.Header.Get("If-None-Match"); etag != "" && !strings.HasPrefix(etag, "W/") {
ourSuffix := "-" + encName + `"`
if before, ok := strings.CutSuffix(etag, ourSuffix); ok {
etag = before + `"`
if strings.HasSuffix(etag, ourSuffix) {
etag = strings.TrimSuffix(etag, ourSuffix) + `"`
r.Header.Set("If-None-Match", etag)
}
}
@@ -307,14 +307,6 @@ func (rw *responseWriter) FlushError() error {
return http.NewResponseController(rw.ResponseWriter).Flush()
}
// Flush calls FlushError() and simply discards any error. It is only implemented for backwards
// compatibility with legacy code that does not use FlushError; we know at least one sponsor
// needs this. It should not be relied upon as a stable part of the exported API, as it may be
// removed in the future.
func (rw *responseWriter) Flush() {
_ = rw.FlushError()
}
// Write writes to the response. If the response qualifies,
// it is encoded using the encoder, which is initialized
// if not done so already.
modules/caddyhttp/errors.go
+2 -2
View File
@@ -17,7 +17,7 @@ package caddyhttp
import (
"errors"
"fmt"
weakrand "math/rand/v2"
weakrand "math/rand"
"path"
"runtime"
"strings"
@@ -98,7 +98,7 @@ func randString(n int, sameCase bool) string {
b := make([]byte, n)
for i := range b {
//nolint:gosec
b[i] = dict[weakrand.IntN(len(dict))]
b[i] = dict[weakrand.Int63()%int64(len(dict))]
}
return string(b)
}
modules/caddyhttp/fileserver/browse.go
-1
View File
@@ -169,7 +169,6 @@ func (fsrv *FileServer) serveBrowse(fileSystem fs.FS, root, dirPath string, w ht
// Actual files
for _, item := range listing.Items {
//nolint:gosec // not sure how this could be XSS unless you lose control of the file system (like aren't sanitizing) and client ignores Content-Type of text/plain
if _, err := fmt.Fprintf(writer, "%s\t%s\t%s\n",
item.Name, item.HumanSize(), item.HumanModTime("January 2, 2006 at 15:04:05"),
); err != nil {
modules/caddyhttp/fileserver/matcher.go
+1 -1
View File
@@ -404,7 +404,7 @@ func (m MatchFile) selectFile(r *http.Request) (bool, error) {
}
// for each glob result, combine all the forms of the path
candidates := make([]matchCandidate, 0, len(globResults))
var candidates []matchCandidate
for _, result := range globResults {
candidates = append(candidates, matchCandidate{
fullpath: result,
modules/caddyhttp/fileserver/staticfiles.go
+2 -2
View File
@@ -20,7 +20,7 @@ import (
"fmt"
"io"
"io/fs"
weakrand "math/rand/v2"
weakrand "math/rand"
"mime"
"net/http"
"os"
@@ -601,7 +601,7 @@ func (fsrv *FileServer) openFile(fileSystem fs.FS, filename string, w http.Respo
// maybe the server is under load and ran out of file descriptors?
// have client wait arbitrary seconds to help prevent a stampede
//nolint:gosec
backoff := weakrand.IntN(maxBackoff-minBackoff) + minBackoff
backoff := weakrand.Intn(maxBackoff-minBackoff) + minBackoff
w.Header().Set("Retry-After", strconv.Itoa(backoff))
if c := fsrv.logger.Check(zapcore.DebugLevel, "retry after backoff"); c != nil {
c.Write(zap.String("filename", filename), zap.Int("backoff", backoff), zap.Error(err))
modules/caddyhttp/headers/caddyfile.go
+3 -1
View File
@@ -168,6 +168,8 @@ func parseReqHdrCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue,
}
h.Next() // consume the directive name again (matcher parsing resets)
configValues := []httpcaddyfile.ConfigValue{}
if !h.NextArg() {
return nil, h.ArgErr()
}
@@ -202,7 +204,7 @@ func parseReqHdrCaddyfile(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue,
return nil, h.Err(err.Error())
}
configValues := h.NewRoute(matcherSet, hdr)
configValues = append(configValues, h.NewRoute(matcherSet, hdr)...)
if h.NextArg() {
return nil, h.ArgErr()
modules/caddyhttp/headers/headers.go
+1 -4
View File
@@ -217,10 +217,7 @@ type RespHeaderOps struct {
}
// ApplyTo applies ops to hdr using repl.
func (ops *HeaderOps) ApplyTo(hdr http.Header, repl *caddy.Replacer) {
if ops == nil {
return
}
func (ops HeaderOps) ApplyTo(hdr http.Header, repl *caddy.Replacer) {
// before manipulating headers in other ways, check if there
// is configuration to delete all headers, and do that first
// because if a header is to be added, we don't want to delete
modules/caddyhttp/logging.go
+1 -78
View File
@@ -15,28 +15,18 @@
package caddyhttp
import (
"context"
"encoding/json"
"errors"
"log/slog"
"net"
"net/http"
"strings"
"sync"
"go.uber.org/zap"
"go.uber.org/zap/exp/zapslog"
"go.uber.org/zap/zapcore"
"github.com/caddyserver/caddy/v2"
)
func init() {
caddy.RegisterSlogHandlerFactory(func(handler slog.Handler, core zapcore.Core, moduleID string) slog.Handler {
return &extraFieldsSlogHandler{defaultHandler: handler, core: core, moduleID: moduleID}
})
}
// ServerLogConfig describes a server's logging configuration. If
// enabled without customization, all requests to this server are
// logged to the default logger; logger destinations may be
@@ -233,21 +223,17 @@ func errLogValues(err error) (status int, msg string, fields func() []zapcore.Fi
// ExtraLogFields is a list of extra fields to log with every request.
type ExtraLogFields struct {
fields []zapcore.Field
handlers sync.Map
fields []zapcore.Field
}
// Add adds a field to the list of extra fields to log.
func (e *ExtraLogFields) Add(field zap.Field) {
e.handlers.Clear()
e.fields = append(e.fields, field)
}
// Set sets a field in the list of extra fields to log.
// If the field already exists, it is replaced.
func (e *ExtraLogFields) Set(field zap.Field) {
e.handlers.Clear()
for i := range e.fields {
if e.fields[i].Key == field.Key {
e.fields[i] = field
@@ -257,29 +243,6 @@ func (e *ExtraLogFields) Set(field zap.Field) {
e.fields = append(e.fields, field)
}
func (e *ExtraLogFields) getSloggerHandler(handler *extraFieldsSlogHandler) (h slog.Handler) {
if existing, ok := e.handlers.Load(handler); ok {
return existing.(slog.Handler)
}
if handler.moduleID == "" {
h = zapslog.NewHandler(handler.core.With(e.fields))
} else {
h = zapslog.NewHandler(handler.core.With(e.fields), zapslog.WithName(handler.moduleID))
}
if handler.group != "" {
h = h.WithGroup(handler.group)
}
if handler.attrs != nil {
h = h.WithAttrs(handler.attrs)
}
e.handlers.Store(handler, h)
return h
}
const (
// Variable name used to indicate that this request
// should be omitted from the access logs
@@ -291,43 +254,3 @@ const (
// Variable name used to indicate the logger to be used
AccessLoggerNameVarKey string = "access_logger_names"
)
type extraFieldsSlogHandler struct {
defaultHandler slog.Handler
core zapcore.Core
moduleID string
group string
attrs []slog.Attr
}
func (e *extraFieldsSlogHandler) Enabled(ctx context.Context, level slog.Level) bool {
return e.defaultHandler.Enabled(ctx, level)
}
func (e *extraFieldsSlogHandler) Handle(ctx context.Context, record slog.Record) error {
if elf, ok := ctx.Value(ExtraLogFieldsCtxKey).(*ExtraLogFields); ok {
return elf.getSloggerHandler(e).Handle(ctx, record)
}
return e.defaultHandler.Handle(ctx, record)
}
func (e *extraFieldsSlogHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
return &extraFieldsSlogHandler{
e.defaultHandler.WithAttrs(attrs),
e.core,
e.moduleID,
e.group,
append(e.attrs, attrs...),
}
}
func (e *extraFieldsSlogHandler) WithGroup(name string) slog.Handler {
return &extraFieldsSlogHandler{
e.defaultHandler.WithGroup(name),
e.core,
e.moduleID,
name,
e.attrs,
}
}
modules/caddyhttp/logging/caddyfile.go
+1 -7
View File
@@ -15,8 +15,6 @@
package logging
import (
"strings"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -28,7 +26,7 @@ func init() {
// parseCaddyfile sets up the log_append handler from Caddyfile tokens. Syntax:
//
// log_append [<matcher>] [<]<key> <value>
// log_append [<matcher>] <key> <value>
func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error) {
handler := new(LogAppend)
err := handler.UnmarshalCaddyfile(h.Dispenser)
@@ -45,10 +43,6 @@ func (h *LogAppend) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
if !d.NextArg() {
return d.ArgErr()
}
if strings.HasPrefix(h.Key, "<") && len(h.Key) > 1 {
h.Early = true
h.Key = h.Key[1:]
}
h.Value = d.Val()
return nil
}
modules/caddyhttp/logging/logappend.go → modules/caddyhttp/logging/logadd.go
+5 -84
View File
@@ -15,8 +15,6 @@
package logging
import (
"bytes"
"encoding/base64"
"net/http"
"strings"
@@ -44,12 +42,6 @@ type LogAppend struct {
// map, the value of that key will be used. Otherwise
// the value will be used as-is as a constant string.
Value string `json:"value,omitempty"`
// Early, if true, adds the log field before calling
// the next handler in the chain. By default, the log
// field is added on the way back up the middleware chain,
// after all subsequent handlers have completed.
Early bool `json:"early,omitempty"`
}
// CaddyModule returns the Caddy module information.
@@ -61,63 +53,13 @@ func (LogAppend) CaddyModule() caddy.ModuleInfo {
}
func (h LogAppend) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
// Determine if we need to add the log field early.
// We do if the Early flag is set, or for convenience,
// if the value is a special placeholder for the request body.
needsEarly := h.Early || h.Value == placeholderRequestBody || h.Value == placeholderRequestBodyBase64
// Check if we need to buffer the response for special placeholders
needsResponseBody := h.Value == placeholderResponseBody || h.Value == placeholderResponseBodyBase64
if needsEarly && !needsResponseBody {
// Add the log field before calling the next handler
// (but not if we need the response body, which isn't available yet)
h.addLogField(r, nil)
}
var rec caddyhttp.ResponseRecorder
var buf *bytes.Buffer
if needsResponseBody {
// Wrap the response writer with a recorder to capture the response body
buf = new(bytes.Buffer)
rec = caddyhttp.NewResponseRecorder(w, buf, func(status int, header http.Header) bool {
// Always buffer the response when we need to log the body
return true
})
w = rec
}
// Run the next handler in the chain.
// Run the next handler in the chain first.
// If an error occurs, we still want to add
// any extra log fields that we can, so we
// hold onto the error and return it later.
handlerErr := next.ServeHTTP(w, r)
if needsResponseBody {
// Write the buffered response to the client
if rec.Buffered() {
h.addLogField(r, buf)
err := rec.WriteResponse()
if err != nil {
return err
}
}
return handlerErr
}
if !h.Early {
// Add the log field after the handler completes
h.addLogField(r, buf)
}
return handlerErr
}
// addLogField adds the log field to the request's extra log fields.
// If buf is not nil, it contains the buffered response body for special
// response body placeholders.
func (h LogAppend) addLogField(r *http.Request, buf *bytes.Buffer) {
// On the way back up the chain, add the extra log field
ctx := r.Context()
vars := ctx.Value(caddyhttp.VarsCtxKey).(map[string]any)
@@ -125,21 +67,7 @@ func (h LogAppend) addLogField(r *http.Request, buf *bytes.Buffer) {
extra := ctx.Value(caddyhttp.ExtraLogFieldsCtxKey).(*caddyhttp.ExtraLogFields)
var varValue any
// Handle special case placeholders for response body
if h.Value == placeholderResponseBody {
if buf != nil {
varValue = buf.String()
} else {
varValue = ""
}
} else if h.Value == placeholderResponseBodyBase64 {
if buf != nil {
varValue = base64.StdEncoding.EncodeToString(buf.Bytes())
} else {
varValue = ""
}
} else if strings.HasPrefix(h.Value, "{") &&
if strings.HasPrefix(h.Value, "{") &&
strings.HasSuffix(h.Value, "}") &&
strings.Count(h.Value, "{") == 1 {
// the value looks like a placeholder, so get its value
@@ -156,16 +84,9 @@ func (h LogAppend) addLogField(r *http.Request, buf *bytes.Buffer) {
// We use zap.Any because it will reflect
// to the correct type for us.
extra.Add(zap.Any(h.Key, varValue))
}
const (
// Special placeholder values that are handled by log_append
// rather than by the replacer.
placeholderRequestBody = "{http.request.body}"
placeholderRequestBodyBase64 = "{http.request.body_base64}"
placeholderResponseBody = "{http.response.body}"
placeholderResponseBodyBase64 = "{http.response.body_base64}"
)
return handlerErr
}
// Interface guards
var (
modules/caddyhttp/marshalers.go
-1
View File
@@ -110,7 +110,6 @@ func (t LoggableTLSConnState) MarshalLogObject(enc zapcore.ObjectEncoder) error
enc.AddUint16("cipher_suite", t.CipherSuite)
enc.AddString("proto", t.NegotiatedProtocol)
enc.AddString("server_name", t.ServerName)
enc.AddBool("ech", t.ECHAccepted)
if len(t.PeerCertificates) > 0 {
enc.AddString("client_common_name", t.PeerCertificates[0].Subject.CommonName)
enc.AddString("client_serial", t.PeerCertificates[0].SerialNumber.String())
modules/caddyhttp/matchers.go
+6 -4
View File
@@ -262,11 +262,13 @@ func (m MatchHost) Provision(_ caddy.Context) error {
if err != nil {
return fmt.Errorf("converting hostname '%s' to ASCII: %v", host, err)
}
if asciiHost != host {
m[i] = asciiHost
}
normalizedHost := strings.ToLower(asciiHost)
if firstI, ok := seen[normalizedHost]; ok {
return fmt.Errorf("host at index %d is repeated at index %d: %s", firstI, i, host)
}
m[i] = normalizedHost // normalize for all comparisons while matching
seen[normalizedHost] = i
}
@@ -317,7 +319,7 @@ func (m MatchHost) MatchWithError(r *http.Request) (bool, error) {
}
return m[i] >= reqHost
})
if pos < len(m) && strings.EqualFold(m[pos], reqHost) {
if pos < len(m) && m[pos] == reqHost {
return true, nil
}
}
@@ -630,8 +632,8 @@ func (MatchPath) matchPatternWithEscapeSequence(escapedPath, matchPath string) b
// we can now treat rawpath globs (%*) as regular globs (*)
matchPath = strings.ReplaceAll(matchPath, "%*", "*")
// ignore error here because we can't handle it anyway
matches, _ := path.Match(matchPath, strings.ToLower(sb.String()))
// ignore error here because we can't handle it anyway=
matches, _ := path.Match(matchPath, sb.String())
return matches
}
modules/caddyhttp/matchers_test.go
-5
View File
@@ -412,11 +412,6 @@ func TestPathMatcher(t *testing.T) {
input: "/foo%2fbar/baz",
expect: true,
},
{
match: MatchPath{"/admin%2fpanel"},
input: "/ADMIN%2fpanel",
expect: true,
},
} {
err := tc.match.Provision(caddy.Context{})
if err == nil && tc.provisionErr {
modules/caddyhttp/metrics.go
+3 -3
View File
@@ -25,7 +25,7 @@ import (
// "http": {
// "metrics": {
// "per_host": true,
// "observe_catchall_hosts": false
// "allow_catch_all_hosts": false
// },
// "servers": {
// "srv0": {
@@ -65,7 +65,7 @@ type Metrics struct {
//
// Set to true to allow all hosts to get individual metrics (NOT RECOMMENDED
// for production environments exposed to the internet).
ObserveCatchallHosts bool `json:"observe_catchall_hosts,omitempty"`
AllowCatchAllHosts bool `json:"allow_catch_all_hosts,omitempty"`
init sync.Once
httpMetrics *httpMetrics
@@ -200,7 +200,7 @@ func (m *Metrics) shouldAllowHostMetrics(host string, isHTTPS bool) bool {
}
// For catch-all requests (not in allowed hosts)
allowCatchAll := m.ObserveCatchallHosts || (isHTTPS && m.hasHTTPSServer)
allowCatchAll := m.AllowCatchAllHosts || (isHTTPS && m.hasHTTPSServer)
return allowCatchAll
}
modules/caddyhttp/metrics_test.go
+16 -16
View File
@@ -207,11 +207,11 @@ func TestMetricsInstrumentedHandler(t *testing.T) {
func TestMetricsInstrumentedHandlerPerHost(t *testing.T) {
ctx, _ := caddy.NewContext(caddy.Context{Context: context.Background()})
metrics := &Metrics{
PerHost: true,
ObserveCatchallHosts: true, // Allow all hosts for testing
init: sync.Once{},
httpMetrics: &httpMetrics{},
allowedHosts: make(map[string]struct{}),
PerHost: true,
AllowCatchAllHosts: true, // Allow all hosts for testing
init: sync.Once{},
httpMetrics: &httpMetrics{},
allowedHosts: make(map[string]struct{}),
}
handlerErr := errors.New("oh noes")
response := []byte("hello world!")
@@ -387,11 +387,11 @@ func TestMetricsCardinalityProtection(t *testing.T) {
// Test 1: Without AllowCatchAllHosts, arbitrary hosts should be mapped to "_other"
metrics := &Metrics{
PerHost: true,
ObserveCatchallHosts: false, // Default - should map unknown hosts to "_other"
init: sync.Once{},
httpMetrics: &httpMetrics{},
allowedHosts: make(map[string]struct{}),
PerHost: true,
AllowCatchAllHosts: false, // Default - should map unknown hosts to "_other"
init: sync.Once{},
httpMetrics: &httpMetrics{},
allowedHosts: make(map[string]struct{}),
}
// Add one allowed host
@@ -444,12 +444,12 @@ func TestMetricsHTTPSCatchAll(t *testing.T) {
// Test that HTTPS requests allow catch-all even when AllowCatchAllHosts is false
metrics := &Metrics{
PerHost: true,
ObserveCatchallHosts: false,
hasHTTPSServer: true, // Simulate having HTTPS servers
init: sync.Once{},
httpMetrics: &httpMetrics{},
allowedHosts: make(map[string]struct{}), // Empty - no explicitly allowed hosts
PerHost: true,
AllowCatchAllHosts: false,
hasHTTPSServer: true, // Simulate having HTTPS servers
init: sync.Once{},
httpMetrics: &httpMetrics{},
allowedHosts: make(map[string]struct{}), // Empty - no explicitly allowed hosts
}
mh := middlewareHandlerFunc(func(w http.ResponseWriter, r *http.Request, h Handler) error {
modules/caddyhttp/push/caddyfile.go
-1
View File
@@ -64,7 +64,6 @@ func parseCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error)
var err error
// include current token, which we treat as an argument here
// nolint:prealloc
args := []string{h.Val()}
args = append(args, h.RemainingArgs()...)
modules/caddyhttp/replacer.go
-17
View File
@@ -229,21 +229,6 @@ func addHTTPVarsToReplacer(repl *caddy.Replacer, req *http.Request, w http.Respo
req.Body = io.NopCloser(buf) // replace real body with buffered data
return buf.String(), true
case "http.request.body_base64":
if req.Body == nil {
return "", true
}
// normally net/http will close the body for us, but since we
// are replacing it with a fake one, we have to ensure we close
// the real body ourselves when we're done
defer req.Body.Close()
// read the request body into a buffer (can't pool because we
// don't know its lifetime and would have to make a copy anyway)
buf := new(bytes.Buffer)
_, _ = io.Copy(buf, req.Body) // can't handle error, so just ignore it
req.Body = io.NopCloser(buf) // replace real body with buffered data
return base64.StdEncoding.EncodeToString(buf.Bytes()), true
// original request, before any internal changes
case "http.request.orig_method":
or, _ := req.Context().Value(OriginalRequestCtxKey).(http.Request)
@@ -526,8 +511,6 @@ func getReqTLSReplacement(req *http.Request, key string) (any, bool) {
return true, true
case "server_name":
return req.TLS.ServerName, true
case "ech":
return req.TLS.ECHAccepted, true
}
return nil, false
}
modules/caddyhttp/reverseproxy/caddyfile.go
+2 -6
View File
@@ -888,11 +888,8 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
if commonScheme == "http" && te.TLSEnabled() {
return d.Errf("upstream address scheme is HTTP but transport is configured for HTTP+TLS (HTTPS)")
}
if h2ct, ok := transport.(H2CTransport); ok && commonScheme == "h2c" {
err := h2ct.EnableH2C()
if err != nil {
return err
}
if te, ok := transport.(*HTTPTransport); ok && commonScheme == "h2c" {
te.Versions = []string{"h2c", "2"}
}
} else if commonScheme == "https" {
return d.Errf("upstreams are configured for HTTPS but transport module does not support TLS: %T", transport)
@@ -1528,7 +1525,6 @@ func (u *SRVUpstreams) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.Errf("bad delay value '%s': %v", d.Val(), err)
}
u.FallbackDelay = caddy.Duration(dur)
case "grace_period":
if !d.NextArg() {
return d.ArgErr()
modules/caddyhttp/reverseproxy/fastcgi/client_test.go
+2 -2
View File
@@ -27,7 +27,7 @@ import (
"fmt"
"io"
"log"
"math/rand/v2"
"math/rand"
"net"
"net/http"
"net/http/fcgi"
@@ -197,7 +197,7 @@ func generateRandFile(size int) (p string, m string) {
h := md5.New()
for i := 0; i < size/16; i++ {
buf := make([]byte, 16)
binary.PutVarint(buf, rand.Int64())
binary.PutVarint(buf, rand.Int63())
if _, err := fo.Write(buf); err != nil {
log.Printf("[ERROR] failed to write buffer: %v\n", err)
}
modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go
+6 -103
View File
@@ -16,7 +16,6 @@ package fastcgi
import (
"crypto/tls"
"errors"
"fmt"
"net"
"net/http"
@@ -24,12 +23,9 @@ import (
"strconv"
"strings"
"time"
"unicode/utf8"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
"golang.org/x/text/language"
"golang.org/x/text/search"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -37,11 +33,7 @@ import (
"github.com/caddyserver/caddy/v2/modules/caddytls"
)
var (
ErrInvalidSplitPath = errors.New("split path contains non-ASCII characters")
noopLogger = zap.NewNop()
)
var noopLogger = zap.NewNop()
func init() {
caddy.RegisterModule(Transport{})
@@ -58,9 +50,6 @@ type Transport struct {
// actual resource (CGI script) name, and the second piece will be set to
// PATH_INFO for the CGI script to use.
//
// Split paths can only contain ASCII characters.
// Comparison is case-insensitive.
//
// Future enhancements should be careful to avoid CVE-2019-11043,
// which can be mitigated with use of a try_files-like behavior
// that 404s if the fastcgi path info is not found.
@@ -120,45 +109,9 @@ func (t *Transport) Provision(ctx caddy.Context) error {
t.DialTimeout = caddy.Duration(3 * time.Second)
}
var b strings.Builder
for i, split := range t.SplitPath {
b.Grow(len(split))
for j := 0; j < len(split); j++ {
c := split[j]
if c >= utf8.RuneSelf {
return ErrInvalidSplitPath
}
if 'A' <= c && c <= 'Z' {
b.WriteByte(c + 'a' - 'A')
} else {
b.WriteByte(c)
}
}
t.SplitPath[i] = b.String()
b.Reset()
}
return nil
}
// DefaultBufferSizes enables request buffering for fastcgi if not configured.
// This is because most fastcgi servers are php-fpm that require the content length to be set to read the body, golang
// std has fastcgi implementation that doesn't need this value to process the body, but we can safely assume that's
// not used.
// http3 requests have a negative content length for GET and HEAD requests, if that header is not sent.
// see: https://github.com/caddyserver/caddy/issues/6678#issuecomment-2472224182
// Though it appears even if CONTENT_LENGTH is invalid, php-fpm can handle just fine if the body is empty (no Stdin records sent).
// php-fpm will hang if there is any data in the body though, https://github.com/caddyserver/caddy/issues/5420#issuecomment-2415943516
// TODO: better default buffering for fastcgi requests without content length, in theory a value of 1 should be enough, make it bigger anyway
func (t Transport) DefaultBufferSizes() (int64, int64) {
return 4096, 0
}
// RoundTrip implements http.RoundTripper.
func (t Transport) RoundTrip(r *http.Request) (*http.Response, error) {
server := r.Context().Value(caddyhttp.ServerCtxKey).(*caddyhttp.Server)
@@ -418,15 +371,8 @@ func (t Transport) buildEnv(r *http.Request) (envVars, error) {
return env, nil
}
var splitSearchNonASCII = search.New(language.Und, search.IgnoreCase)
// splitPos returns the index where path should
// be split based on t.SplitPath.
//
// example: if splitPath is [".php"]
// "/path/to/script.php/some/path": ("/path/to/script.php", "/some/path")
//
// Adapted from FrankenPHP's code (copyright 2026 Kévin Dunglas, MIT license)
func (t Transport) splitPos(path string) int {
// TODO: from v1...
// if httpserver.CaseSensitivePath {
@@ -436,54 +382,12 @@ func (t Transport) splitPos(path string) int {
return 0
}
pathLen := len(path)
// We are sure that split strings are all ASCII-only and lower-case because of validation and normalization in Provision().
lowerPath := strings.ToLower(path)
for _, split := range t.SplitPath {
splitLen := len(split)
for i := 0; i < pathLen; i++ {
if path[i] >= utf8.RuneSelf {
if _, end := splitSearchNonASCII.IndexString(path, split); end > -1 {
return end
}
break
}
if i+splitLen > pathLen {
continue
}
match := true
for j := 0; j < splitLen; j++ {
c := path[i+j]
if c >= utf8.RuneSelf {
if _, end := splitSearchNonASCII.IndexString(path, split); end > -1 {
return end
}
break
}
if 'A' <= c && c <= 'Z' {
c += 'a' - 'A'
}
if c != split[j] {
match = false
break
}
}
if match {
return i + splitLen
}
if idx := strings.Index(lowerPath, strings.ToLower(split)); idx > -1 {
return idx + len(split)
}
}
return -1
}
@@ -523,7 +427,6 @@ var headerNameReplacer = strings.NewReplacer(" ", "_", "-", "_")
var (
_ zapcore.ObjectMarshaler = (*loggableEnv)(nil)
_ caddy.Provisioner = (*Transport)(nil)
_ http.RoundTripper = (*Transport)(nil)
_ reverseproxy.BufferedTransport = (*Transport)(nil)
_ caddy.Provisioner = (*Transport)(nil)
_ http.RoundTripper = (*Transport)(nil)
)
modules/caddyhttp/reverseproxy/fastcgi/fastcgi_test.go
-246
View File
@@ -1,246 +0,0 @@
package fastcgi
import (
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/caddyserver/caddy/v2"
)
func TestProvisionSplitPath(t *testing.T) {
tests := []struct {
name string
splitPath []string
wantErr error
wantSplitPath []string
}{
{
name: "valid lowercase split path",
splitPath: []string{".php"},
wantErr: nil,
wantSplitPath: []string{".php"},
},
{
name: "valid uppercase split path normalized",
splitPath: []string{".PHP"},
wantErr: nil,
wantSplitPath: []string{".php"},
},
{
name: "valid mixed case split path normalized",
splitPath: []string{".PhP", ".PHTML"},
wantErr: nil,
wantSplitPath: []string{".php", ".phtml"},
},
{
name: "empty split path",
splitPath: []string{},
wantErr: nil,
wantSplitPath: []string{},
},
{
name: "non-ASCII character in split path rejected",
splitPath: []string{".php", ".Ⱥphp"},
wantErr: ErrInvalidSplitPath,
},
{
name: "unicode character in split path rejected",
splitPath: []string{".phpⱥ"},
wantErr: ErrInvalidSplitPath,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
tr := Transport{SplitPath: tt.splitPath}
err := tr.Provision(caddy.Context{})
if tt.wantErr != nil {
require.ErrorIs(t, err, tt.wantErr)
return
}
require.NoError(t, err)
assert.Equal(t, tt.wantSplitPath, tr.SplitPath)
})
}
}
func TestSplitPos(t *testing.T) {
tests := []struct {
name string
path string
splitPath []string
wantPos int
}{
{
name: "simple php extension",
path: "/path/to/script.php",
splitPath: []string{".php"},
wantPos: 19,
},
{
name: "php extension with path info",
path: "/path/to/script.php/some/path",
splitPath: []string{".php"},
wantPos: 19,
},
{
name: "case insensitive match",
path: "/path/to/script.PHP",
splitPath: []string{".php"},
wantPos: 19,
},
{
name: "mixed case match",
path: "/path/to/script.PhP/info",
splitPath: []string{".php"},
wantPos: 19,
},
{
name: "no match",
path: "/path/to/script.txt",
splitPath: []string{".php"},
wantPos: -1,
},
{
name: "empty split path",
path: "/path/to/script.php",
splitPath: []string{},
wantPos: 0,
},
{
name: "multiple split paths first match",
path: "/path/to/script.php",
splitPath: []string{".php", ".phtml"},
wantPos: 19,
},
{
name: "multiple split paths second match",
path: "/path/to/script.phtml",
splitPath: []string{".php", ".phtml"},
wantPos: 21,
},
// Unicode case-folding tests (security fix for GHSA-g966-83w7-6w38)
// U+023A (Ⱥ) lowercases to U+2C65 (ⱥ), which has different UTF-8 byte length
// Ⱥ: 2 bytes (C8 BA), ⱥ: 3 bytes (E2 B1 A5)
{
name: "unicode path with case-folding length expansion",
path: "/ȺȺȺȺshell.php",
splitPath: []string{".php"},
wantPos: 18, // correct position in original string
},
{
name: "unicode path with extension after expansion chars",
path: "/ȺȺȺȺshell.php/path/info",
splitPath: []string{".php"},
wantPos: 18,
},
{
name: "unicode in filename with multiple php occurrences",
path: "/ȺȺȺȺshell.php.txt.php",
splitPath: []string{".php"},
wantPos: 18, // should match first .php, not be confused by byte offset shift
},
{
name: "unicode case insensitive extension",
path: "/ȺȺȺȺshell.PHP",
splitPath: []string{".php"},
wantPos: 18,
},
{
name: "unicode in middle of path",
path: "/path/Ⱥtest/script.php",
splitPath: []string{".php"},
wantPos: 23, // Ⱥ is 2 bytes, so path is 23 bytes total, .php ends at byte 23
},
{
name: "unicode only in directory not filename",
path: "/Ⱥ/script.php",
splitPath: []string{".php"},
wantPos: 14,
},
// Additional Unicode characters that expand when lowercased
// U+0130 (İ - Turkish capital I with dot) lowercases to U+0069 + U+0307
{
name: "turkish capital I with dot",
path: "/İtest.php",
splitPath: []string{".php"},
wantPos: 11,
},
// Ensure standard ASCII still works correctly
{
name: "ascii only path with case variation",
path: "/PATH/TO/SCRIPT.PHP/INFO",
splitPath: []string{".php"},
wantPos: 19,
},
{
name: "path at root",
path: "/index.php",
splitPath: []string{".php"},
wantPos: 10,
},
{
name: "extension in middle of filename",
path: "/test.php.bak",
splitPath: []string{".php"},
wantPos: 9,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotPos := Transport{SplitPath: tt.splitPath}.splitPos(tt.path)
assert.Equal(t, tt.wantPos, gotPos, "splitPos(%q, %v)", tt.path, tt.splitPath)
// Verify that the split produces valid substrings
if gotPos > 0 && gotPos <= len(tt.path) {
scriptName := tt.path[:gotPos]
pathInfo := tt.path[gotPos:]
// The script name should end with one of the split extensions (case-insensitive)
hasValidEnding := false
for _, split := range tt.splitPath {
if strings.HasSuffix(strings.ToLower(scriptName), split) {
hasValidEnding = true
break
}
}
assert.True(t, hasValidEnding, "script name %q should end with one of %v", scriptName, tt.splitPath)
// Original path should be reconstructable
assert.Equal(t, tt.path, scriptName+pathInfo, "path should be reconstructable from split parts")
}
})
}
}
// TestSplitPosUnicodeSecurityRegression specifically tests the vulnerability
// described in GHSA-g966-83w7-6w38 where Unicode case-folding caused
// incorrect SCRIPT_NAME/PATH_INFO splitting
func TestSplitPosUnicodeSecurityRegression(t *testing.T) {
// U+023A: Ⱥ (UTF-8: C8 BA). Lowercase is ⱥ (UTF-8: E2 B1 A5), longer in bytes.
path := "/ȺȺȺȺshell.php.txt.php"
split := []string{".php"}
pos := Transport{SplitPath: split}.splitPos(path)
// The vulnerable code would return 22 (computed on lowercased string)
// The correct code should return 18 (position in original string)
expectedPos := strings.Index(path, ".php") + len(".php")
assert.Equal(t, expectedPos, pos, "split position should match first .php in original string")
assert.Equal(t, 18, pos, "split position should be 18, not 22")
if pos > 0 && pos <= len(path) {
scriptName := path[:pos]
pathInfo := path[pos:]
assert.Equal(t, "/ȺȺȺȺshell.php", scriptName, "script name should be the path up to first .php")
assert.Equal(t, ".txt.php", pathInfo, "path info should be the remainder after first .php")
}
}
modules/caddyhttp/reverseproxy/headers_test.go
-127
View File
@@ -1,127 +0,0 @@
package reverseproxy
import (
"context"
"net/http/httptest"
"testing"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
)
func TestAddForwardedHeadersNonIP(t *testing.T) {
h := Handler{}
// Simulate a request with a non-IP remote address (e.g. SCION, abstract socket, or hostname)
req := httptest.NewRequest("GET", "/", nil)
req.RemoteAddr = "my-weird-network:12345"
// Mock the context variables required by Caddy.
// We need to inject the variable map manually since we aren't running the full server.
vars := map[string]interface{}{
caddyhttp.TrustedProxyVarKey: false,
}
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
req = req.WithContext(ctx)
// Execute the unexported function
err := h.addForwardedHeaders(req)
// Expectation: No error should be returned for non-IP addresses.
// The function should simply skip the trusted proxy check.
if err != nil {
t.Errorf("expected no error for non-IP address, got: %v", err)
}
}
func TestAddForwardedHeaders_UnixSocketTrusted(t *testing.T) {
h := Handler{}
req := httptest.NewRequest("GET", "http://example.com/", nil)
req.RemoteAddr = "@"
req.Header.Set("X-Forwarded-For", "1.2.3.4, 10.0.0.1")
req.Header.Set("X-Forwarded-Proto", "https")
req.Header.Set("X-Forwarded-Host", "original.example.com")
vars := map[string]interface{}{
caddyhttp.TrustedProxyVarKey: true,
caddyhttp.ClientIPVarKey: "1.2.3.4",
}
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
req = req.WithContext(ctx)
err := h.addForwardedHeaders(req)
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if got := req.Header.Get("X-Forwarded-For"); got != "1.2.3.4, 10.0.0.1" {
t.Errorf("X-Forwarded-For = %q, want %q", got, "1.2.3.4, 10.0.0.1")
}
if got := req.Header.Get("X-Forwarded-Proto"); got != "https" {
t.Errorf("X-Forwarded-Proto = %q, want %q", got, "https")
}
if got := req.Header.Get("X-Forwarded-Host"); got != "original.example.com" {
t.Errorf("X-Forwarded-Host = %q, want %q", got, "original.example.com")
}
}
func TestAddForwardedHeaders_UnixSocketUntrusted(t *testing.T) {
h := Handler{}
req := httptest.NewRequest("GET", "http://example.com/", nil)
req.RemoteAddr = "@"
req.Header.Set("X-Forwarded-For", "1.2.3.4")
req.Header.Set("X-Forwarded-Proto", "https")
req.Header.Set("X-Forwarded-Host", "spoofed.example.com")
vars := map[string]interface{}{
caddyhttp.TrustedProxyVarKey: false,
caddyhttp.ClientIPVarKey: "",
}
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
req = req.WithContext(ctx)
err := h.addForwardedHeaders(req)
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if got := req.Header.Get("X-Forwarded-For"); got != "" {
t.Errorf("X-Forwarded-For should be deleted, got %q", got)
}
if got := req.Header.Get("X-Forwarded-Proto"); got != "" {
t.Errorf("X-Forwarded-Proto should be deleted, got %q", got)
}
if got := req.Header.Get("X-Forwarded-Host"); got != "" {
t.Errorf("X-Forwarded-Host should be deleted, got %q", got)
}
}
func TestAddForwardedHeaders_UnixSocketTrustedNoExistingHeaders(t *testing.T) {
h := Handler{}
req := httptest.NewRequest("GET", "http://example.com/", nil)
req.RemoteAddr = "@"
vars := map[string]interface{}{
caddyhttp.TrustedProxyVarKey: true,
caddyhttp.ClientIPVarKey: "5.6.7.8",
}
ctx := context.WithValue(req.Context(), caddyhttp.VarsCtxKey, vars)
req = req.WithContext(ctx)
err := h.addForwardedHeaders(req)
if err != nil {
t.Fatalf("expected no error, got: %v", err)
}
if got := req.Header.Get("X-Forwarded-For"); got != "" {
t.Errorf("X-Forwarded-For should be empty when no prior XFF exists, got %q", got)
}
if got := req.Header.Get("X-Forwarded-Proto"); got != "http" {
t.Errorf("X-Forwarded-Proto = %q, want %q", got, "http")
}
if got := req.Header.Get("X-Forwarded-Host"); got != "example.com" {
t.Errorf("X-Forwarded-Host = %q, want %q", got, "example.com")
}
}
modules/caddyhttp/reverseproxy/healthchecks.go
+10 -4
View File
@@ -23,6 +23,7 @@ import (
"net/url"
"regexp"
"runtime/debug"
"slices"
"strconv"
"strings"
"time"
@@ -404,9 +405,14 @@ func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, networ
u.Host = net.JoinHostPort(host, port)
}
// override health check schemes if applicable
if hcsot, ok := h.Transport.(HealthCheckSchemeOverriderTransport); ok {
hcsot.OverrideHealthCheckScheme(u, port)
// this is kind of a hacky way to know if we should use HTTPS, but whatever
if tt, ok := h.Transport.(TLSTransport); ok && tt.TLSEnabled() {
u.Scheme = "https"
// if the port is in the except list, flip back to HTTP
if ht, ok := h.Transport.(*HTTPTransport); ok && slices.Contains(ht.TLS.ExceptPorts, port) {
u.Scheme = "http"
}
}
// if we have a provisioned uri, use that, otherwise use
@@ -500,7 +506,7 @@ func (h *Handler) doActiveHealthCheck(dialInfo DialInfo, hostAddr string, networ
}
// do the request, being careful to tame the response body
resp, err := h.HealthChecks.Active.httpClient.Do(req) //nolint:gosec // no SSRF
resp, err := h.HealthChecks.Active.httpClient.Do(req)
if err != nil {
if c := h.HealthChecks.Active.logger.Check(zapcore.InfoLevel, "HTTP request failed"); c != nil {
c.Write(
modules/caddyhttp/reverseproxy/httptransport.go
+6 -52
View File
@@ -21,7 +21,7 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
weakrand "math/rand/v2"
weakrand "math/rand"
"net"
"net/http"
"net/url"
@@ -40,7 +40,6 @@ import (
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
"github.com/caddyserver/caddy/v2/modules/caddyhttp/headers"
"github.com/caddyserver/caddy/v2/modules/caddytls"
"github.com/caddyserver/caddy/v2/modules/internal/network"
)
@@ -266,7 +265,7 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
PreferGo: true,
Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
//nolint:gosec
addr := h.Resolver.netAddrs[weakrand.IntN(len(h.Resolver.netAddrs))]
addr := h.Resolver.netAddrs[weakrand.Intn(len(h.Resolver.netAddrs))]
return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
},
}
@@ -515,28 +514,6 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
return rt, nil
}
// RequestHeaderOps implements TransportHeaderOpsProvider. It returns header
// operations for requests when the transport's configuration indicates they
// should be applied. In particular, when TLS is enabled for this transport,
// return an operation to set the Host header to the upstream host:port
// placeholder so HTTPS upstreams get the proper Host by default.
//
// Note: this is a provision-time hook; the Handler will call this during
// its Provision and cache the resulting HeaderOps. The HeaderOps are
// applied per-request (so placeholders are expanded at request time).
func (h *HTTPTransport) RequestHeaderOps() *headers.HeaderOps {
// If TLS is not configured for this transport, don't inject Host
// defaults. TLS being non-nil indicates HTTPS to the upstream.
if h.TLS == nil {
return nil
}
return &headers.HeaderOps{
Set: http.Header{
"Host": []string{"{http.reverse_proxy.upstream.hostport}"},
},
}
}
// RoundTrip implements http.RoundTripper.
func (h *HTTPTransport) RoundTrip(req *http.Request) (*http.Response, error) {
h.SetScheme(req)
@@ -587,26 +564,6 @@ func (h *HTTPTransport) EnableTLS(base *TLSConfig) error {
return nil
}
// EnableH2C enables H2C (HTTP/2 over Cleartext) on the transport.
func (h *HTTPTransport) EnableH2C() error {
h.Versions = []string{"h2c", "2"}
return nil
}
// OverrideHealthCheckScheme overrides the scheme of the given URL
// used for health checks.
func (h HTTPTransport) OverrideHealthCheckScheme(base *url.URL, port string) {
// if tls is enabled and the port isn't in the except list, use HTTPs
if h.TLSEnabled() && !slices.Contains(h.TLS.ExceptPorts, port) {
base.Scheme = "https"
}
}
// ProxyProtocolEnabled returns true if proxy protocol is enabled.
func (h HTTPTransport) ProxyProtocolEnabled() bool {
return h.ProxyProtocol != ""
}
// Cleanup implements caddy.CleanerUpper and closes any idle connections.
func (h HTTPTransport) Cleanup() error {
if h.Transport == nil {
@@ -863,11 +820,8 @@ func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
// Interface guards
var (
_ caddy.Provisioner = (*HTTPTransport)(nil)
_ http.RoundTripper = (*HTTPTransport)(nil)
_ caddy.CleanerUpper = (*HTTPTransport)(nil)
_ TLSTransport = (*HTTPTransport)(nil)
_ H2CTransport = (*HTTPTransport)(nil)
_ HealthCheckSchemeOverriderTransport = (*HTTPTransport)(nil)
_ ProxyProtocolTransport = (*HTTPTransport)(nil)
_ caddy.Provisioner = (*HTTPTransport)(nil)
_ http.RoundTripper = (*HTTPTransport)(nil)
_ caddy.CleanerUpper = (*HTTPTransport)(nil)
_ TLSTransport = (*HTTPTransport)(nil)
)
modules/caddyhttp/reverseproxy/httptransport_test.go
-21
View File
@@ -94,24 +94,3 @@ func TestHTTPTransportUnmarshalCaddyFileWithCaPools(t *testing.T) {
})
}
}
func TestHTTPTransport_RequestHeaderOps_TLS(t *testing.T) {
var ht HTTPTransport
// When TLS is nil, expect no header ops
if ops := ht.RequestHeaderOps(); ops != nil {
t.Fatalf("expected nil HeaderOps when TLS is nil, got: %#v", ops)
}
// When TLS is configured, expect a HeaderOps that sets Host
ht.TLS = &TLSConfig{}
ops := ht.RequestHeaderOps()
if ops == nil {
t.Fatal("expected non-nil HeaderOps when TLS is set")
}
if ops.Set == nil {
t.Fatalf("expected ops.Set to be non-nil, got nil")
}
if got := ops.Set.Get("Host"); got != "{http.reverse_proxy.upstream.hostport}" {
t.Fatalf("unexpected Host value; want placeholder, got: %s", got)
}
}
modules/caddyhttp/reverseproxy/reverseproxy.go
+52 -160
View File
@@ -192,13 +192,6 @@ type Handler struct {
CB CircuitBreaker `json:"-"`
DynamicUpstreams UpstreamSource `json:"-"`
// transportHeaderOps is a set of header operations provided
// by the transport at provision time, if the transport
// implements TransportHeaderOpsProvider. These ops are
// applied before any user-configured header ops so the
// user can override transport defaults.
transportHeaderOps *headers.HeaderOps
// Holds the parsed CIDR ranges from TrustedProxies
trustedProxies []netip.Prefix
@@ -250,16 +243,18 @@ func (h *Handler) Provision(ctx caddy.Context) error {
return fmt.Errorf("loading transport: %v", err)
}
h.Transport = mod.(http.RoundTripper)
// enable request buffering for fastcgi if not configured
// This is because most fastcgi servers are php-fpm that require the content length to be set to read the body, golang
// std has fastcgi implementation that doesn't need this value to process the body, but we can safely assume that's
// not used.
// http3 requests have a negative content length for GET and HEAD requests, if that header is not sent.
// see: https://github.com/caddyserver/caddy/issues/6678#issuecomment-2472224182
// Though it appears even if CONTENT_LENGTH is invalid, php-fpm can handle just fine if the body is empty (no Stdin records sent).
// php-fpm will hang if there is any data in the body though, https://github.com/caddyserver/caddy/issues/5420#issuecomment-2415943516
// set default buffer sizes if applicable
if bt, ok := h.Transport.(BufferedTransport); ok {
reqBuffers, respBuffers := bt.DefaultBufferSizes()
if h.RequestBuffers == 0 {
h.RequestBuffers = reqBuffers
}
if h.ResponseBuffers == 0 {
h.ResponseBuffers = respBuffers
}
// TODO: better default buffering for fastcgi requests without content length, in theory a value of 1 should be enough, make it bigger anyway
if module, ok := h.Transport.(caddy.Module); ok && module.CaddyModule().ID.Name() == "fastcgi" && h.RequestBuffers == 0 {
h.RequestBuffers = 4096
}
}
if h.LoadBalancing != nil && h.LoadBalancing.SelectionPolicyRaw != nil {
@@ -329,18 +324,6 @@ func (h *Handler) Provision(ctx caddy.Context) error {
h.Transport = t
}
// If the transport can provide header ops, cache them now so we don't
// have to compute them per-request. Provision the HeaderOps if present
// so any runtime artifacts (like precompiled regex) are prepared.
if tph, ok := h.Transport.(RequestHeaderOpsTransport); ok {
h.transportHeaderOps = tph.RequestHeaderOps()
if h.transportHeaderOps != nil {
if err := h.transportHeaderOps.Provision(ctx); err != nil {
return fmt.Errorf("provisioning transport header ops: %v", err)
}
}
}
// set up load balancing
if h.LoadBalancing == nil {
h.LoadBalancing = new(LoadBalancing)
@@ -456,20 +439,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
reqHost := clonedReq.Host
reqHeader := clonedReq.Header
// If the cloned request body was fully buffered, keep a reference to its
// buffer so we can reuse it across retries and return it to the pool
// once were done.
var bufferedReqBody *bytes.Buffer
if reqBodyBuf, ok := clonedReq.Body.(bodyReadCloser); ok && reqBodyBuf.body == nil && reqBodyBuf.buf != nil {
bufferedReqBody = reqBodyBuf.buf
reqBodyBuf.buf = nil
defer func() {
bufferedReqBody.Reset()
bufPool.Put(bufferedReqBody)
}()
}
start := time.Now()
defer func() {
// total proxying duration, including time spent on LB and retries
@@ -488,8 +457,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyht
// and reusable, so if a backend partially or fully reads the body but then
// produces an error, the request can be repeated to the next backend with
// the full body (retries should only happen for idempotent requests) (see #6259)
if bufferedReqBody != nil {
clonedReq.Body = io.NopCloser(bytes.NewReader(bufferedReqBody.Bytes()))
if reqBodyBuf, ok := r.Body.(bodyReadCloser); ok && reqBodyBuf.body == nil {
r.Body = io.NopCloser(bytes.NewReader(reqBodyBuf.buf.Bytes()))
}
var done bool
@@ -594,26 +563,14 @@ func (h *Handler) proxyLoopIteration(r *http.Request, origReq *http.Request, w h
repl.Set("http.reverse_proxy.upstream.fails", upstream.Host.Fails())
// mutate request headers according to this upstream;
// because we're in a retry loop, we have to copy headers
// (and the r.Host value) from the original so that each
// retry is identical to the first. If either transport or
// user ops exist, apply them in order (transport first,
// then user, so user's config wins).
var userOps *headers.HeaderOps
if h.Headers != nil {
userOps = h.Headers.Request
}
transportOps := h.transportHeaderOps
if transportOps != nil || userOps != nil {
// because we're in a retry loop, we have to copy
// headers (and the r.Host value) from the original
// so that each retry is identical to the first
if h.Headers != nil && h.Headers.Request != nil {
r.Header = make(http.Header)
copyHeader(r.Header, reqHeader)
r.Host = reqHost
if transportOps != nil {
transportOps.ApplyToRequest(r)
}
if userOps != nil {
userOps.ApplyToRequest(r)
}
h.Headers.Request.ApplyToRequest(r)
}
// proxy the request to that upstream
@@ -801,71 +758,48 @@ func (h Handler) prepareRequest(req *http.Request, repl *caddy.Replacer) (*http.
// the headers at all, then they will be added with the values
// that we can glean from the request.
func (h Handler) addForwardedHeaders(req *http.Request) error {
// Parse the remote IP, ignore the error as non-fatal,
// but the remote IP is required to continue, so we
// just return early. This should probably never happen
// though, unless some other module manipulated the request's
// remote address and used an invalid value.
clientIP, _, err := net.SplitHostPort(req.RemoteAddr)
if err != nil {
// Remove the `X-Forwarded-*` headers to avoid upstreams
// potentially trusting a header that came from the client
req.Header.Del("X-Forwarded-For")
req.Header.Del("X-Forwarded-Proto")
req.Header.Del("X-Forwarded-Host")
return nil
}
// Client IP may contain a zone if IPv6, so we need
// to pull that out before parsing the IP
clientIP, _, _ = strings.Cut(clientIP, "%")
ipAddr, err := netip.ParseAddr(clientIP)
if err != nil {
return fmt.Errorf("invalid IP address: '%s': %v", clientIP, err)
}
// Check if the client is a trusted proxy
trusted := caddyhttp.GetVar(req.Context(), caddyhttp.TrustedProxyVarKey).(bool)
var clientIP string
if req.RemoteAddr == "@" {
// For Unix socket connections, RemoteAddr is "@" which cannot
// be parsed as host:port. If untrusted, strip forwarded headers
// for security. If trusted, there is no peer IP to append to
// X-Forwarded-For, so clientIP stays empty.
if !trusted {
req.Header.Del("X-Forwarded-For")
req.Header.Del("X-Forwarded-Proto")
req.Header.Del("X-Forwarded-Host")
return nil
}
} else {
// Parse the remote IP, ignore the error as non-fatal,
// but the remote IP is required to continue, so we
// just return early. This should probably never happen
// though, unless some other module manipulated the request's
// remote address and used an invalid value.
var err error
clientIP, _, err = net.SplitHostPort(req.RemoteAddr)
if err != nil {
// Remove the `X-Forwarded-*` headers to avoid upstreams
// potentially trusting a header that came from the client
req.Header.Del("X-Forwarded-For")
req.Header.Del("X-Forwarded-Proto")
req.Header.Del("X-Forwarded-Host")
return nil
}
// Client IP may contain a zone if IPv6, so we need
// to pull that out before parsing the IP
clientIP, _, _ = strings.Cut(clientIP, "%")
ipAddr, err := netip.ParseAddr(clientIP)
// If ParseAddr fails (e.g. non-IP network like SCION), we cannot check
// if it is a trusted proxy by IP range. In this case, we ignore the
// error and treat the connection as untrusted (or retain existing status).
if err == nil {
for _, ipRange := range h.trustedProxies {
if ipRange.Contains(ipAddr) {
trusted = true
break
}
}
for _, ipRange := range h.trustedProxies {
if ipRange.Contains(ipAddr) {
trusted = true
break
}
}
// If we aren't the first proxy, and the proxy is trusted,
// retain prior X-Forwarded-For information as a comma+space
// separated list and fold multiple headers into one.
clientXFF := clientIP
prior, ok, omit := allHeaderValues(req.Header, "X-Forwarded-For")
if trusted && ok && prior != "" {
clientXFF = prior + ", " + clientXFF
}
if !omit {
if trusted && ok && prior != "" {
if clientIP != "" {
req.Header.Set("X-Forwarded-For", prior+", "+clientIP)
} else {
req.Header.Set("X-Forwarded-For", prior)
}
} else if clientIP != "" {
req.Header.Set("X-Forwarded-For", clientIP)
}
req.Header.Set("X-Forwarded-For", clientXFF)
}
// Set X-Forwarded-Proto; many backend apps expect this,
@@ -1276,7 +1210,7 @@ func (h *Handler) directRequest(req *http.Request, di DialInfo) {
}
// add client address to the host to let transport differentiate requests from different clients
if ppt, ok := h.Transport.(ProxyProtocolTransport); ok && ppt.ProxyProtocolEnabled() {
if ht, ok := h.Transport.(*HTTPTransport); ok && ht.ProxyProtocol != "" {
if proxyProtocolInfo, ok := caddyhttp.GetVar(req.Context(), proxyProtocolInfoVarKey).(ProxyProtocolInfo); ok {
reqHost = proxyProtocolInfo.AddrPort.String() + "->" + reqHost
}
@@ -1567,43 +1501,6 @@ type TLSTransport interface {
EnableTLS(base *TLSConfig) error
}
// H2CTransport is implemented by transports
// that are capable of using h2c.
type H2CTransport interface {
EnableH2C() error
}
// ProxyProtocolTransport is implemented by transports
// that are capable of using proxy protocol.
type ProxyProtocolTransport interface {
ProxyProtocolEnabled() bool
}
// HealthCheckSchemeOverriderTransport is implemented by transports
// that can override the scheme used for health checks.
type HealthCheckSchemeOverriderTransport interface {
OverrideHealthCheckScheme(base *url.URL, port string)
}
// BufferedTransport is implemented by transports
// that needs to buffer requests and/or responses.
type BufferedTransport interface {
// DefaultBufferSizes returns the default buffer sizes
// for requests and responses, respectively if buffering isn't enabled.
DefaultBufferSizes() (int64, int64)
}
// RequestHeaderOpsTransport may be implemented by a transport to provide
// header operations to apply to requests immediately before the RoundTrip.
// For example, overriding the default Host when TLS is enabled.
type RequestHeaderOpsTransport interface {
// RequestHeaderOps allows a transport to provide header operations
// to apply to the request. The transport is asked at provision time
// to return a HeaderOps (or nil) that will be applied before
// user-configured header ops.
RequestHeaderOps() *headers.HeaderOps
}
// roundtripSucceededError is an error type that is returned if the
// roundtrip succeeded, but an error occurred after-the-fact.
type roundtripSucceededError struct{ error }
@@ -1617,12 +1514,7 @@ type bodyReadCloser struct {
}
func (brc bodyReadCloser) Close() error {
// Inside this package this will be set to nil for fully-buffered
// requests due to the possibility of retrial.
if brc.buf != nil {
bufPool.Put(brc.buf)
}
// For fully-buffered bodies, body is nil, so Close is a no-op.
bufPool.Put(brc.buf)
if brc.body != nil {
return brc.body.Close()
}
modules/caddyhttp/reverseproxy/selectionpolicies.go
+6 -6
View File
@@ -20,7 +20,7 @@ import (
"encoding/hex"
"encoding/json"
"fmt"
weakrand "math/rand/v2"
weakrand "math/rand"
"net"
"net/http"
"strconv"
@@ -225,7 +225,7 @@ func (r RandomChoiceSelection) Select(pool UpstreamPool, _ *http.Request, _ http
if !upstream.Available() {
continue
}
j := weakrand.IntN(i + 1) //nolint:gosec
j := weakrand.Intn(i + 1) //nolint:gosec
if j < k {
choices[j] = upstream
}
@@ -274,7 +274,7 @@ func (LeastConnSelection) Select(pool UpstreamPool, _ *http.Request, _ http.Resp
// sample: https://en.wikipedia.org/wiki/Reservoir_sampling
if numReqs == leastReqs {
count++
if count == 1 || weakrand.IntN(count) == 0 { //nolint:gosec
if count == 1 || (weakrand.Int()%count) == 0 { //nolint:gosec
bestHost = host
}
}
@@ -617,7 +617,7 @@ type CookieHashSelection struct {
// The HTTP cookie name whose value is to be hashed and used for upstream selection.
Name string `json:"name,omitempty"`
// Secret to hash (Hmac256) chosen upstream in cookie
Secret string `json:"secret,omitempty"` //nolint:gosec // yes it's exported because it needs to encode to JSON
Secret string `json:"secret,omitempty"`
// The cookie's Max-Age before it expires. Default is no expiry.
MaxAge caddy.Duration `json:"max_age,omitempty"`
@@ -788,7 +788,7 @@ func selectRandomHost(pool []*Upstream) *Upstream {
// upstream will always be chosen if there is at
// least one available
count++
if weakrand.IntN(count) == 0 { //nolint:gosec
if (weakrand.Int() % count) == 0 { //nolint:gosec
randomHost = upstream
}
}
@@ -827,7 +827,7 @@ func leastRequests(upstreams []*Upstream) *Upstream {
if len(best) == 1 {
return best[0]
}
return best[weakrand.IntN(len(best))] //nolint:gosec
return best[weakrand.Intn(len(best))] //nolint:gosec
}
// hostByHashing returns an available host from pool based on a hashable string s.
modules/caddyhttp/reverseproxy/streaming.go
+3 -6
View File
@@ -24,7 +24,7 @@ import (
"errors"
"fmt"
"io"
weakrand "math/rand/v2"
weakrand "math/rand"
"mime"
"net/http"
"sync"
@@ -214,10 +214,7 @@ func (h *Handler) handleUpgradeResponse(logger *zap.Logger, wg *sync.WaitGroup,
timeoutc = timer.C
}
// when a stream timeout is encountered, no error will be read from errc
// a buffer size of 2 will allow both the read and write goroutines to send the error and exit
// see: https://github.com/caddyserver/caddy/issues/7418
errc := make(chan error, 2)
errc := make(chan error, 1)
wg.Add(2)
go spc.copyToBackend(errc)
go spc.copyFromBackend(errc)
@@ -529,7 +526,7 @@ func maskBytes(key [4]byte, pos int, b []byte) int {
// Create aligned word size key.
var k [wordSize]byte
for i := range k {
k[i] = key[(pos+i)&3] // nolint:gosec // false positive, impossible to be out of bounds; see: https://github.com/securego/gosec/issues/1525
k[i] = key[(pos+i)&3]
}
kw := *(*uintptr)(unsafe.Pointer(&k))
modules/caddyhttp/reverseproxy/upstreams.go
+3 -11
View File
@@ -4,7 +4,7 @@ import (
"context"
"encoding/json"
"fmt"
weakrand "math/rand/v2"
weakrand "math/rand"
"net"
"net/http"
"strconv"
@@ -70,11 +70,6 @@ type SRVUpstreams struct {
// A negative value disables this.
FallbackDelay caddy.Duration `json:"dial_fallback_delay,omitempty"`
// Specific network to dial when connecting to the upstream(s)
// provided by SRV records upstream. See Go's net package for
// accepted values. For example, to restrict to IPv4, use "tcp4".
DialNetwork string `json:"dial_network,omitempty"`
resolver *net.Resolver
logger *zap.Logger
@@ -107,7 +102,7 @@ func (su *SRVUpstreams) Provision(ctx caddy.Context) error {
PreferGo: true,
Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
//nolint:gosec
addr := su.Resolver.netAddrs[weakrand.IntN(len(su.Resolver.netAddrs))]
addr := su.Resolver.netAddrs[weakrand.Intn(len(su.Resolver.netAddrs))]
return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
},
}
@@ -182,9 +177,6 @@ func (su SRVUpstreams) GetUpstreams(r *http.Request) ([]*Upstream, error) {
)
}
addr := net.JoinHostPort(rec.Target, strconv.Itoa(int(rec.Port)))
if su.DialNetwork != "" {
addr = su.DialNetwork + "/" + addr
}
upstreams[i] = Upstream{Dial: addr}
}
@@ -330,7 +322,7 @@ func (au *AUpstreams) Provision(ctx caddy.Context) error {
PreferGo: true,
Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
//nolint:gosec
addr := au.Resolver.netAddrs[weakrand.IntN(len(au.Resolver.netAddrs))]
addr := au.Resolver.netAddrs[weakrand.Intn(len(au.Resolver.netAddrs))]
return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
},
}
modules/caddyhttp/rewrite/caddyfile.go
-1
View File
@@ -173,7 +173,6 @@ func parseCaddyfileURI(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, err
if hasArgs {
return nil, h.Err("Cannot specify uri query rewrites in both argument and block")
}
// nolint:prealloc
queryArgs := []string{h.Val()}
queryArgs = append(queryArgs, h.RemainingArgs()...)
err := applyQueryOps(h, rewr.Query, queryArgs)
modules/caddyhttp/routes.go
+7 -12
View File
@@ -18,7 +18,6 @@ import (
"encoding/json"
"fmt"
"net/http"
"strings"
"github.com/caddyserver/caddy/v2"
)
@@ -111,16 +110,14 @@ func (r Route) Empty() bool {
}
func (r Route) String() string {
var handlersRaw strings.Builder
handlersRaw.WriteByte('[')
handlersRaw := "["
for _, hr := range r.HandlersRaw {
handlersRaw.WriteByte(' ')
handlersRaw.WriteString(string(hr))
handlersRaw += " " + string(hr)
}
handlersRaw.WriteByte(']')
handlersRaw += "]"
return fmt.Sprintf(`{Group:"%s" MatcherSetsRaw:%s HandlersRaw:%s Terminal:%t}`,
r.Group, r.MatcherSetsRaw, handlersRaw.String(), r.Terminal)
r.Group, r.MatcherSetsRaw, handlersRaw, r.Terminal)
}
// Provision sets up both the matchers and handlers in the route.
@@ -443,15 +440,13 @@ func (ms *MatcherSets) FromInterface(matcherSets any) error {
// TODO: Is this used?
func (ms MatcherSets) String() string {
var result strings.Builder
result.WriteByte('[')
result := "["
for _, matcherSet := range ms {
for _, matcher := range matcherSet {
fmt.Fprintf(&result, " %#v", matcher)
result += fmt.Sprintf(" %#v", matcher)
}
}
result.WriteByte(']')
return result.String()
return result + " ]"
}
var routeGroupCtxKey = caddy.CtxKey("route_group")
modules/caddyhttp/server.go
+63 -103
View File
@@ -18,7 +18,6 @@ import (
"context"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"io"
"net"
@@ -56,10 +55,6 @@ type Server struct {
// of the base listener. They are applied in the given order.
ListenerWrappersRaw []json.RawMessage `json:"listener_wrappers,omitempty" caddy:"namespace=caddy.listeners inline_key=wrapper"`
// A list of packet conn wrapper modules, which can modify the behavior
// of the base packet conn. They are applied in the given order.
PacketConnWrappersRaw []json.RawMessage `json:"packet_conn_wrappers,omitempty" caddy:"namespace=caddy.packetconns inline_key=wrapper"`
// How long to allow a read from a client's upload. Setting this
// to a short, non-zero value can mitigate slowloris attacks, but
// may also affect legitimately slow clients.
@@ -253,16 +248,6 @@ type Server struct {
// A nil value or element indicates that Protocols will be used instead.
ListenProtocols [][]string `json:"listen_protocols,omitempty"`
// If set, overrides whether QUIC listeners allow 0-RTT (early data).
// If nil, the default behavior is used (currently allowed).
//
// One reason to disable 0-RTT is if a remote IP matcher is used,
// which introduces a dependency on the remote address being verified
// if routing happens before the TLS handshake completes. An HTTP 425
// response is written in that case, but some clients misbehave and
// don't perform a retry, so disabling 0-RTT can smooth it out.
Allow0RTT *bool `json:"allow_0rtt,omitempty"`
// If set, metrics observations will be enabled.
// This setting is EXPERIMENTAL and subject to change.
// DEPRECATED: Use the app-level `metrics` field.
@@ -273,8 +258,7 @@ type Server struct {
primaryHandlerChain Handler
errorHandlerChain Handler
listenerWrappers []caddy.ListenerWrapper
packetConnWrappers []caddy.PacketConnWrapper
listeners []net.Listener
listeners []net.Listener // stdlib http.Server will close these
quicListeners []http3.QUICListener // http3 now leave the quic.Listener management to us
tlsApp *caddytls.TLS
@@ -308,8 +292,6 @@ var (
// ServeHTTP is the entry point for all HTTP requests.
func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
start := time.Now()
// If there are listener wrappers that process tls connections but don't return a *tls.Conn, this field will be nil.
if r.TLS == nil {
if tlsConnStateFunc, ok := r.Context().Value(tlsConnectionStateFuncCtxKey).(func() *tls.ConnectionState); ok {
@@ -317,17 +299,6 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
}
// enable full-duplex for HTTP/1, ensuring the entire
// request body gets consumed before writing the response
if s.EnableFullDuplex && r.ProtoMajor == 1 {
if err := http.NewResponseController(w).EnableFullDuplex(); err != nil { //nolint:bodyclose
if c := s.logger.Check(zapcore.WarnLevel, "failed to enable full duplex"); c != nil {
c.Write(zap.Error(err))
}
}
}
// set the Server header
h := w.Header()
h["Server"] = serverHeader
@@ -340,14 +311,39 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
}
// prepare internals of the request for the handler pipeline
// reject very long methods; probably a mistake or an attack
if len(r.Method) > 32 {
if s.shouldLogRequest(r) {
if c := s.accessLogger.Check(zapcore.DebugLevel, "rejecting request with long method"); c != nil {
c.Write(
zap.String("method_trunc", r.Method[:32]),
zap.String("remote_addr", r.RemoteAddr),
)
}
}
w.WriteHeader(http.StatusMethodNotAllowed)
return
}
repl := caddy.NewReplacer()
r = PrepareRequest(r, repl, w, s)
// clone the request for logging purposes before it enters any handler chain;
// this is necessary to capture the original request in case it gets modified
// during handling (cloning the request and using .WithLazy is considerably
// faster than using .With, which will JSON-encode the request immediately)
// enable full-duplex for HTTP/1, ensuring the entire
// request body gets consumed before writing the response
if s.EnableFullDuplex && r.ProtoMajor == 1 {
if err := http.NewResponseController(w).EnableFullDuplex(); err != nil { //nolint:bodyclose
if c := s.logger.Check(zapcore.WarnLevel, "failed to enable full duplex"); c != nil {
c.Write(zap.Error(err))
}
}
}
// clone the request for logging purposes before
// it enters any handler chain; this is necessary
// to capture the original request in case it gets
// modified during handling
// cloning the request and using .WithLazy is considerably faster
// than using .With, which will JSON encode the request immediately
shouldLogCredentials := s.Logs != nil && s.Logs.ShouldLogCredentials
loggableReq := zap.Object("request", LoggableHTTPRequest{
Request: r.Clone(r.Context()),
@@ -375,33 +371,36 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
// capture the original version of the request
accLog := s.accessLogger.WithLazy(loggableReq)
accLog := s.accessLogger.With(loggableReq)
defer s.logRequest(accLog, r, wrec, &duration, repl, bodyReader, shouldLogCredentials)
}
// guarantee ACME HTTP challenges; handle them separately from any user-defined handlers
start := time.Now()
// guarantee ACME HTTP challenges; handle them
// separately from any user-defined handlers
if s.tlsApp.HandleHTTPChallenge(w, r) {
duration = time.Since(start)
return
}
err := s.serveHTTP(w, r)
// execute the primary handler chain
err := s.primaryHandlerChain.ServeHTTP(w, r)
duration = time.Since(start)
// if no errors, we're done!
if err == nil {
return
}
// restore original request before invoking error handler chain (issue #3717)
// NOTE: this does not restore original headers if modified (for efficiency)
origReq, ok := r.Context().Value(OriginalRequestCtxKey).(http.Request)
if ok {
r.Method = origReq.Method
r.RemoteAddr = origReq.RemoteAddr
r.RequestURI = origReq.RequestURI
cloneURL(origReq.URL, r.URL)
}
// TODO: this does not restore original headers, if modified (for efficiency)
origReq := r.Context().Value(OriginalRequestCtxKey).(http.Request)
r.Method = origReq.Method
r.RemoteAddr = origReq.RemoteAddr
r.RequestURI = origReq.RequestURI
cloneURL(origReq.URL, r.URL)
// prepare the error log
errLog = errLog.With(zap.Duration("duration", duration))
@@ -420,7 +419,8 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if s.Errors != nil && len(s.Errors.Routes) > 0 {
// execute user-defined error handling route
if err2 := s.errorHandlerChain.ServeHTTP(w, r); err2 == nil {
// user's error route handled the error response successfully, so now just log the error
// user's error route handled the error response
// successfully, so now just log the error
for _, logger := range errLoggers {
if c := logger.Check(zapcore.DebugLevel, errMsg); c != nil {
if fields == nil {
@@ -468,35 +468,6 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
}
func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) error {
// reject very long methods; probably a mistake or an attack
if len(r.Method) > 32 {
if s.shouldLogRequest(r) {
if c := s.accessLogger.Check(zapcore.DebugLevel, "rejecting request with long method"); c != nil {
c.Write(
zap.String("method_trunc", r.Method[:32]),
zap.String("remote_addr", r.RemoteAddr),
)
}
}
return HandlerError{StatusCode: http.StatusMethodNotAllowed}
}
// RFC 9112 section 3.2: "A server MUST respond with a 400 (Bad Request) status
// code to any HTTP/1.1 request message that lacks a Host header field and to any
// request message that contains more than one Host header field line or a Host
// header field with an invalid field value."
if r.Host == "" {
return HandlerError{
Err: errors.New("rfc9112 forbids empty Host"),
StatusCode: http.StatusBadRequest,
}
}
// execute the primary handler chain
return s.primaryHandlerChain.ServeHTTP(w, r)
}
// wrapPrimaryRoute wraps stack (a compiled middleware handler chain)
// in s.enforcementHandler which performs crucial security checks, etc.
func (s *Server) wrapPrimaryRoute(stack Handler) Handler {
@@ -580,21 +551,15 @@ func (s *Server) hasListenerAddress(fullAddr string) bool {
// The second issue seems very similar to a discussion here:
// https://github.com/nodejs/node/issues/9390
//
// However, binding to *different specific* interfaces
// (e.g. 127.0.0.2:80 and 127.0.0.3:80) IS allowed on Linux.
// The conflict only happens when mixing specific IPs with
// wildcards (0.0.0.0 or ::).
// Hosts match exactly (e.g. 127.0.0.2 == 127.0.0.2) -> Conflict.
hostMatch := thisAddrs.Host == laddrs.Host
// On Linux, specific IP vs Wildcard fails to bind.
// So if we are on Linux AND either host is empty (wildcard), we treat
// it as a match (conflict). But if both are specific and different
// (127.0.0.2 vs 127.0.0.3), this remains false (no conflict).
linuxWildcardConflict := runtime.GOOS == "linux" && (thisAddrs.Host == "" || laddrs.Host == "")
if (hostMatch || linuxWildcardConflict) &&
// This is very easy to reproduce by creating an HTTP server
// that listens to both addresses or just one with a host
// interface; or for a more confusing reproduction, try
// listening on "127.0.0.1:80" and ":443" and you'll see
// the error, if you take away the GOOS condition below.
//
// So, an address is equivalent if the port is in the port
// range, and if not on Linux, the host is the same... sigh.
if (runtime.GOOS == "linux" || thisAddrs.Host == laddrs.Host) &&
(laddrs.StartPort <= thisAddrs.EndPort) &&
(laddrs.StartPort >= thisAddrs.StartPort) {
return true
@@ -660,7 +625,7 @@ func (s *Server) serveHTTP3(addr caddy.NetworkAddress, tlsCfg *tls.Config) error
return fmt.Errorf("starting HTTP/3 QUIC listener: %v", err)
}
addr.Network = h3net
h3ln, err := addr.ListenQUIC(s.ctx, 0, net.ListenConfig{}, tlsCfg, s.packetConnWrappers, s.Allow0RTT)
h3ln, err := addr.ListenQUIC(s.ctx, 0, net.ListenConfig{}, tlsCfg)
if err != nil {
return fmt.Errorf("starting HTTP/3 QUIC listener: %v", err)
}
@@ -798,11 +763,9 @@ func (s *Server) shouldLogRequest(r *http.Request) bool {
hostWithoutPort = r.Host
}
for loggerName := range s.Logs.LoggerNames {
if certmagic.MatchWildcard(hostWithoutPort, loggerName) {
// this host is mapped to a particular logger name
return true
}
if _, ok := s.Logs.LoggerNames[hostWithoutPort]; ok {
// this host is mapped to a particular logger name
return true
}
for _, dh := range s.Logs.SkipHosts {
// logging for this particular host is disabled
@@ -830,10 +793,8 @@ func (s *Server) logRequest(
accLog *zap.Logger, r *http.Request, wrec ResponseRecorder, duration *time.Duration,
repl *caddy.Replacer, bodyReader *lengthReader, shouldLogCredentials bool,
) {
ctx := r.Context()
// this request may be flagged as omitted from the logs
if skip, ok := GetVar(ctx, LogSkipVar).(bool); ok && skip {
if skip, ok := GetVar(r.Context(), LogSkipVar).(bool); ok && skip {
return
}
@@ -851,7 +812,7 @@ func (s *Server) logRequest(
}
message := "handled request"
if nop, ok := GetVar(ctx, "unhandled").(bool); ok && nop {
if nop, ok := GetVar(r.Context(), "unhandled").(bool); ok && nop {
message = "NOP"
}
@@ -875,7 +836,7 @@ func (s *Server) logRequest(
reqBodyLength = bodyReader.Length
}
extra := ctx.Value(ExtraLogFieldsCtxKey).(*ExtraLogFields)
extra := r.Context().Value(ExtraLogFieldsCtxKey).(*ExtraLogFields)
fieldCount := 6
fields = make([]zapcore.Field, 0, fieldCount+len(extra.fields))
@@ -1040,7 +1001,6 @@ func isTrustedClientIP(ipAddr netip.Addr, trusted []netip.Prefix) bool {
// then the first value from those headers is used.
func trustedRealClientIP(r *http.Request, headers []string, clientIP string) string {
// Read all the values of the configured client IP headers, in order
// nolint:prealloc
var values []string
for _, field := range headers {
values = append(values, r.Header.Values(field)...)
modules/caddyhttp/staticresp.go
+2 -11
View File
@@ -246,7 +246,7 @@ func (s StaticResponse) ServeHTTP(w http.ResponseWriter, r *http.Request, next H
// write response body
if statusCode != http.StatusEarlyHints && body != "" {
fmt.Fprint(w, body) //nolint:gosec // no XSS unless you sabatoge your own config
fmt.Fprint(w, body)
}
// continue handling after Early Hints as they are not the final response
@@ -257,16 +257,7 @@ func (s StaticResponse) ServeHTTP(w http.ResponseWriter, r *http.Request, next H
return nil
}
func buildHTTPServer(
i int,
port uint,
addr string,
statusCode int,
hdr http.Header,
body string,
accessLog bool,
) (*Server, error) {
// nolint:prealloc
func buildHTTPServer(i int, port uint, addr string, statusCode int, hdr http.Header, body string, accessLog bool) (*Server, error) {
var handlers []json.RawMessage
// response body supports a basic template; evaluate it
modules/caddyhttp/templates/templates.go
+4 -22
View File
@@ -306,13 +306,6 @@ func init() {
// find the documentation on time layouts [in Go's docs](https://pkg.go.dev/time#pkg-constants).
// The default time layout is `RFC1123Z`, i.e. `Mon, 02 Jan 2006 15:04:05 -0700`.
//
// ```
// {{humanize "size" "2048000"}}
// {{placeholder "http.response.header.Content-Length" | humanize "size"}}
// {{humanize "time" "Fri, 05 May 2022 15:04:05 +0200"}}
// {{humanize "time:2006-Jan-02" "2022-May-05"}}
// ```
//
// ##### `pathEscape`
//
// Passes a string through `url.PathEscape`, replacing characters that have
@@ -325,22 +318,11 @@ func init() {
// {{pathEscape "50%_valid_filename?.jpg"}}
// ```
//
// ##### `maybe`
//
// Invokes a custom template function only if it is registered (plugged-in)
// in the `http.handlers.templates.functions.*` namespace.
//
// The first argument is the function name, and any subsequent arguments
// are forwarded to that function. If the named function is not available,
// the invocation is ignored and a log message is emitted.
//
// This is useful for templates that optionally use components which may
// not be present in every build or environment.
//
// NOTE: This function is EXPERIMENTAL and subject to change or removal.
//
// ```
// {{ maybe "myOptionalFunc" "arg1" 2 }}
// {{humanize "size" "2048000"}}
// {{placeholder "http.response.header.Content-Length" | humanize "size"}}
// {{humanize "time" "Fri, 05 May 2022 15:04:05 +0200"}}
// {{humanize "time:2006-Jan-02" "2022-May-05"}}
// ```
type Templates struct {
// The root path from which to load files. Required if template functions
modules/caddyhttp/tracing/module.go
+6 -31
View File
@@ -27,9 +27,6 @@ type Tracing struct {
// https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/trace/api.md#span
SpanName string `json:"span"`
// SpanAttributes are custom key-value pairs to be added to spans
SpanAttributes map[string]string `json:"span_attributes,omitempty"`
// otel implements opentelemetry related logic.
otel openTelemetryWrapper
@@ -49,7 +46,7 @@ func (ot *Tracing) Provision(ctx caddy.Context) error {
ot.logger = ctx.Logger()
var err error
ot.otel, err = newOpenTelemetryWrapper(ctx, ot.SpanName, ot.SpanAttributes)
ot.otel, err = newOpenTelemetryWrapper(ctx, ot.SpanName)
return err
}
@@ -72,10 +69,6 @@ func (ot *Tracing) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyh
//
// tracing {
// [span <span_name>]
// [span_attributes {
// attr1 value1
// attr2 value2
// }]
// }
func (ot *Tracing) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
setParameter := func(d *caddyfile.Dispenser, val *string) error {
@@ -101,30 +94,12 @@ func (ot *Tracing) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
}
for d.NextBlock(0) {
switch d.Val() {
case "span_attributes":
if ot.SpanAttributes == nil {
ot.SpanAttributes = make(map[string]string)
}
for d.NextBlock(1) {
key := d.Val()
if !d.NextArg() {
return d.ArgErr()
}
value := d.Val()
if d.NextArg() {
return d.ArgErr()
}
ot.SpanAttributes[key] = value
}
default:
if dst, ok := paramsMap[d.Val()]; ok {
if err := setParameter(d, dst); err != nil {
return err
}
} else {
return d.ArgErr()
if dst, ok := paramsMap[d.Val()]; ok {
if err := setParameter(d, dst); err != nil {
return err
}
} else {
return d.ArgErr()
}
}
return nil
modules/caddyhttp/tracing/module_test.go
+4 -220
View File
@@ -2,16 +2,12 @@ package tracing
import (
"context"
"encoding/json"
"errors"
"net/http"
"net/http/httptest"
"strings"
"testing"
"go.opentelemetry.io/otel/sdk/trace"
"go.opentelemetry.io/otel/sdk/trace/tracetest"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
@@ -19,26 +15,17 @@ import (
func TestTracing_UnmarshalCaddyfile(t *testing.T) {
tests := []struct {
name string
spanName string
spanAttributes map[string]string
d *caddyfile.Dispenser
wantErr bool
name string
spanName string
d *caddyfile.Dispenser
wantErr bool
}{
{
name: "Full config",
spanName: "my-span",
spanAttributes: map[string]string{
"attr1": "value1",
"attr2": "value2",
},
d: caddyfile.NewTestDispenser(`
tracing {
span my-span
span_attributes {
attr1 value1
attr2 value2
}
}`),
wantErr: false,
},
@@ -55,21 +42,6 @@ tracing {
name: "Empty config",
d: caddyfile.NewTestDispenser(`
tracing {
}`),
wantErr: false,
},
{
name: "Only span attributes",
spanAttributes: map[string]string{
"service.name": "my-service",
"service.version": "1.0.0",
},
d: caddyfile.NewTestDispenser(`
tracing {
span_attributes {
service.name my-service
service.version 1.0.0
}
}`),
wantErr: false,
},
@@ -84,20 +56,6 @@ tracing {
if ot.SpanName != tt.spanName {
t.Errorf("UnmarshalCaddyfile() SpanName = %v, want SpanName %v", ot.SpanName, tt.spanName)
}
if len(tt.spanAttributes) > 0 {
if ot.SpanAttributes == nil {
t.Errorf("UnmarshalCaddyfile() SpanAttributes is nil, expected %v", tt.spanAttributes)
} else {
for key, expectedValue := range tt.spanAttributes {
if actualValue, exists := ot.SpanAttributes[key]; !exists {
t.Errorf("UnmarshalCaddyfile() SpanAttributes missing key %v", key)
} else if actualValue != expectedValue {
t.Errorf("UnmarshalCaddyfile() SpanAttributes[%v] = %v, want %v", key, actualValue, expectedValue)
}
}
}
}
})
}
}
@@ -121,26 +79,6 @@ func TestTracing_UnmarshalCaddyfile_Error(t *testing.T) {
d: caddyfile.NewTestDispenser(`
tracing {
span
}`),
wantErr: true,
},
{
name: "Span attributes missing value",
d: caddyfile.NewTestDispenser(`
tracing {
span_attributes {
key
}
}`),
wantErr: true,
},
{
name: "Span attributes too many arguments",
d: caddyfile.NewTestDispenser(`
tracing {
span_attributes {
key value extra
}
}`),
wantErr: true,
},
@@ -243,160 +181,6 @@ func TestTracing_ServeHTTP_Next_Error(t *testing.T) {
}
}
func TestTracing_JSON_Configuration(t *testing.T) {
// Test that our struct correctly marshals to and from JSON
original := &Tracing{
SpanName: "test-span",
SpanAttributes: map[string]string{
"service.name": "test-service",
"service.version": "1.0.0",
"env": "test",
},
}
jsonData, err := json.Marshal(original)
if err != nil {
t.Fatalf("Failed to marshal to JSON: %v", err)
}
var unmarshaled Tracing
if err := json.Unmarshal(jsonData, &unmarshaled); err != nil {
t.Fatalf("Failed to unmarshal from JSON: %v", err)
}
if unmarshaled.SpanName != original.SpanName {
t.Errorf("Expected SpanName %s, got %s", original.SpanName, unmarshaled.SpanName)
}
if len(unmarshaled.SpanAttributes) != len(original.SpanAttributes) {
t.Errorf("Expected %d span attributes, got %d", len(original.SpanAttributes), len(unmarshaled.SpanAttributes))
}
for key, expectedValue := range original.SpanAttributes {
if actualValue, exists := unmarshaled.SpanAttributes[key]; !exists {
t.Errorf("Expected span attribute %s to exist", key)
} else if actualValue != expectedValue {
t.Errorf("Expected span attribute %s = %s, got %s", key, expectedValue, actualValue)
}
}
t.Logf("JSON representation: %s", string(jsonData))
}
func TestTracing_OpenTelemetry_Span_Attributes(t *testing.T) {
// Create an in-memory span recorder to capture actual span data
spanRecorder := tracetest.NewSpanRecorder()
provider := trace.NewTracerProvider(
trace.WithSpanProcessor(spanRecorder),
)
// Create our tracing module with span attributes that include placeholders
ot := &Tracing{
SpanName: "test-span",
SpanAttributes: map[string]string{
"static": "test-service",
"request-placeholder": "{http.request.method}",
"response-placeholder": "{http.response.header.X-Some-Header}",
"mixed": "prefix-{http.request.method}-{http.response.header.X-Some-Header}",
},
}
// Create a specific request to test against
req, _ := http.NewRequest("POST", "https://api.example.com/v1/users?id=123", nil)
req.Host = "api.example.com"
w := httptest.NewRecorder()
// Set up the replacer
repl := caddy.NewReplacer()
ctx := context.WithValue(req.Context(), caddy.ReplacerCtxKey, repl)
ctx = context.WithValue(ctx, caddyhttp.VarsCtxKey, make(map[string]any))
req = req.WithContext(ctx)
// Set up request placeholders
repl.Set("http.request.method", req.Method)
repl.Set("http.request.uri", req.URL.RequestURI())
// Handler to generate the response
var handler caddyhttp.HandlerFunc = func(writer http.ResponseWriter, request *http.Request) error {
writer.Header().Set("X-Some-Header", "some-value")
writer.WriteHeader(200)
// Make response headers available to replacer
repl.Set("http.response.header.X-Some-Header", writer.Header().Get("X-Some-Header"))
return nil
}
// Set up Caddy context
caddyCtx, cancel := caddy.NewContext(caddy.Context{Context: context.Background()})
defer cancel()
// Override the global tracer provider with our test provider
// This is a bit hacky but necessary to capture the actual spans
originalProvider := globalTracerProvider
globalTracerProvider = &tracerProvider{
tracerProvider: provider,
tracerProvidersCounter: 1, // Simulate one user
}
defer func() {
globalTracerProvider = originalProvider
}()
// Provision the tracing module
if err := ot.Provision(caddyCtx); err != nil {
t.Errorf("Provision error: %v", err)
t.FailNow()
}
// Execute the request
if err := ot.ServeHTTP(w, req, handler); err != nil {
t.Errorf("ServeHTTP error: %v", err)
}
// Get the recorded spans
spans := spanRecorder.Ended()
if len(spans) == 0 {
t.Fatal("Expected at least one span to be recorded")
}
// Find our span (should be the one with our test span name)
var testSpan trace.ReadOnlySpan
for _, span := range spans {
if span.Name() == "test-span" {
testSpan = span
break
}
}
if testSpan == nil {
t.Fatal("Could not find test span in recorded spans")
}
// Verify that the span attributes were set correctly with placeholder replacement
expectedAttributes := map[string]string{
"static": "test-service",
"request-placeholder": "POST",
"response-placeholder": "some-value",
"mixed": "prefix-POST-some-value",
}
actualAttributes := make(map[string]string)
for _, attr := range testSpan.Attributes() {
actualAttributes[string(attr.Key)] = attr.Value.AsString()
}
for key, expectedValue := range expectedAttributes {
if actualValue, exists := actualAttributes[key]; !exists {
t.Errorf("Expected span attribute %s to be set", key)
} else if actualValue != expectedValue {
t.Errorf("Expected span attribute %s = %s, got %s", key, expectedValue, actualValue)
}
}
t.Logf("Recorded span attributes: %+v", actualAttributes)
}
func createRequestWithContext(method string, url string) *http.Request {
r, _ := http.NewRequest(method, url, nil)
repl := caddy.NewReplacer()
modules/caddyhttp/tracing/tracer.go
+2 -20
View File
@@ -8,7 +8,6 @@ import (
"go.opentelemetry.io/contrib/exporters/autoexport"
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
"go.opentelemetry.io/contrib/propagators/autoprop"
"go.opentelemetry.io/otel/attribute"
"go.opentelemetry.io/otel/propagation"
"go.opentelemetry.io/otel/sdk/resource"
sdktrace "go.opentelemetry.io/otel/sdk/trace"
@@ -38,23 +37,20 @@ type openTelemetryWrapper struct {
handler http.Handler
spanName string
spanAttributes map[string]string
spanName string
}
// newOpenTelemetryWrapper is responsible for the openTelemetryWrapper initialization using provided configuration.
func newOpenTelemetryWrapper(
ctx context.Context,
spanName string,
spanAttributes map[string]string,
) (openTelemetryWrapper, error) {
if spanName == "" {
spanName = defaultSpanName
}
ot := openTelemetryWrapper{
spanName: spanName,
spanAttributes: spanAttributes,
spanName: spanName,
}
version, _ := caddy.Version()
@@ -103,22 +99,8 @@ func (ot *openTelemetryWrapper) serveHTTP(w http.ResponseWriter, r *http.Request
extra.Add(zap.String("spanID", spanID))
}
}
next := ctx.Value(nextCallCtxKey).(*nextCall)
next.err = next.next.ServeHTTP(w, r)
// Add custom span attributes to the current span
span := trace.SpanFromContext(ctx)
if span.IsRecording() && len(ot.spanAttributes) > 0 {
replacer := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
attributes := make([]attribute.KeyValue, 0, len(ot.spanAttributes))
for key, value := range ot.spanAttributes {
// Allow placeholder replacement in attribute values
replacedValue := replacer.ReplaceAll(value, "")
attributes = append(attributes, attribute.String(key, replacedValue))
}
span.SetAttributes(attributes...)
}
}
// ServeHTTP propagates call to the by wrapped by `otelhttp` next handler.
modules/caddyhttp/tracing/tracer_test.go
-1
View File
@@ -16,7 +16,6 @@ func TestOpenTelemetryWrapper_newOpenTelemetryWrapper(t *testing.T) {
if otw, err = newOpenTelemetryWrapper(ctx,
"",
nil,
); err != nil {
t.Errorf("newOpenTelemetryWrapper() error = %v", err)
t.FailNow()

Some files were not shown because too many files have changed in this diff Show More