mirror of
				https://github.com/caddyserver/caddy.git
				synced 2025-10-26 08:12:43 -04:00 
			
		
		
		
	
		
			Some checks failed
		
		
	
	Tests / test (./cmd/caddy/caddy, ~1.24.1, ubuntu-latest, 0, 1.24, linux) (push) Failing after 2m9s
				
			Tests / test (s390x on IBM Z) (push) Has been skipped
				
			Tests / goreleaser-check (push) Has been skipped
				
			Cross-Build / build (~1.24.1, 1.24, aix) (push) Successful in 1m23s
				
			Cross-Build / build (~1.24.1, 1.24, darwin) (push) Successful in 1m28s
				
			Cross-Build / build (~1.24.1, 1.24, dragonfly) (push) Successful in 1m22s
				
			Cross-Build / build (~1.24.1, 1.24, freebsd) (push) Successful in 1m15s
				
			Cross-Build / build (~1.24.1, 1.24, illumos) (push) Successful in 1m19s
				
			Cross-Build / build (~1.24.1, 1.24, linux) (push) Successful in 1m17s
				
			Cross-Build / build (~1.24.1, 1.24, netbsd) (push) Successful in 1m15s
				
			Cross-Build / build (~1.24.1, 1.24, openbsd) (push) Successful in 1m17s
				
			Cross-Build / build (~1.24.1, 1.24, solaris) (push) Successful in 1m17s
				
			Cross-Build / build (~1.24.1, 1.24, windows) (push) Successful in 1m20s
				
			Lint / lint (ubuntu-latest, linux) (push) Successful in 2m15s
				
			Lint / govulncheck (push) Successful in 1m34s
				
			Lint / dependency-review (push) Failing after 50s
				
			OpenSSF Scorecard supply-chain security / Scorecard analysis (push) Failing after 1m37s
				
			Tests / test (./cmd/caddy/caddy, ~1.24.1, macos-14, 0, 1.24, mac) (push) Has been cancelled
				
			Tests / test (./cmd/caddy/caddy.exe, ~1.24.1, windows-latest, True, 1.24, windows) (push) Has been cancelled
				
			Lint / lint (macos-14, mac) (push) Has been cancelled
				
			Lint / lint (windows-latest, windows) (push) Has been cancelled
				
			* httpcaddyfile: Validates TLS DNS challenge options Adds validation to the TLS Caddyfile adapter to ensure that when DNS challenge options (such as propagation_delay or dns_ttl) are specified, a DNS provider is also configured. Adds new integration tests to verify this validation logic, and implements a new mechanism for adapt tests to assert a config adapt error. * Add some more AI-generated tests asserting config errors * Parallel doesn't work here, we use global variables * Windows fix
		
			
				
	
	
		
			1206 lines
		
	
	
		
			34 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
			
		
		
	
	
			1206 lines
		
	
	
		
			34 KiB
		
	
	
	
		
			Go
		
	
	
	
	
	
| // Copyright 2015 Matthew Holt and The Caddy Authors
 | |
| //
 | |
| // Licensed under the Apache License, Version 2.0 (the "License");
 | |
| // you may not use this file except in compliance with the License.
 | |
| // You may obtain a copy of the License at
 | |
| //
 | |
| //     http://www.apache.org/licenses/LICENSE-2.0
 | |
| //
 | |
| // Unless required by applicable law or agreed to in writing, software
 | |
| // distributed under the License is distributed on an "AS IS" BASIS,
 | |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | |
| // See the License for the specific language governing permissions and
 | |
| // limitations under the License.
 | |
| 
 | |
| package httpcaddyfile
 | |
| 
 | |
| import (
 | |
| 	"encoding/json"
 | |
| 	"fmt"
 | |
| 	"html"
 | |
| 	"net/http"
 | |
| 	"reflect"
 | |
| 	"strconv"
 | |
| 	"strings"
 | |
| 	"time"
 | |
| 
 | |
| 	"github.com/caddyserver/certmagic"
 | |
| 	"github.com/mholt/acmez/v3/acme"
 | |
| 	"go.uber.org/zap/zapcore"
 | |
| 
 | |
| 	"github.com/caddyserver/caddy/v2"
 | |
| 	"github.com/caddyserver/caddy/v2/caddyconfig"
 | |
| 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 | |
| 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 | |
| 	"github.com/caddyserver/caddy/v2/modules/caddytls"
 | |
| )
 | |
| 
 | |
| func init() {
 | |
| 	RegisterDirective("bind", parseBind)
 | |
| 	RegisterDirective("tls", parseTLS)
 | |
| 	RegisterHandlerDirective("fs", parseFilesystem)
 | |
| 	RegisterDirective("root", parseRoot)
 | |
| 	RegisterHandlerDirective("vars", parseVars)
 | |
| 	RegisterHandlerDirective("redir", parseRedir)
 | |
| 	RegisterHandlerDirective("respond", parseRespond)
 | |
| 	RegisterHandlerDirective("abort", parseAbort)
 | |
| 	RegisterHandlerDirective("error", parseError)
 | |
| 	RegisterHandlerDirective("route", parseRoute)
 | |
| 	RegisterHandlerDirective("handle", parseHandle)
 | |
| 	RegisterDirective("handle_errors", parseHandleErrors)
 | |
| 	RegisterHandlerDirective("invoke", parseInvoke)
 | |
| 	RegisterDirective("log", parseLog)
 | |
| 	RegisterHandlerDirective("skip_log", parseLogSkip)
 | |
| 	RegisterHandlerDirective("log_skip", parseLogSkip)
 | |
| 	RegisterHandlerDirective("log_name", parseLogName)
 | |
| }
 | |
| 
 | |
| // parseBind parses the bind directive. Syntax:
 | |
| //
 | |
| //		bind <addresses...> [{
 | |
| //	   protocols [h1|h2|h2c|h3] [...]
 | |
| //	 }]
 | |
| func parseBind(h Helper) ([]ConfigValue, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 	var addresses, protocols []string
 | |
| 	addresses = h.RemainingArgs()
 | |
| 
 | |
| 	for h.NextBlock(0) {
 | |
| 		switch h.Val() {
 | |
| 		case "protocols":
 | |
| 			protocols = h.RemainingArgs()
 | |
| 			if len(protocols) == 0 {
 | |
| 				return nil, h.Errf("protocols requires one or more arguments")
 | |
| 			}
 | |
| 		default:
 | |
| 			return nil, h.Errf("unknown subdirective: %s", h.Val())
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return []ConfigValue{{Class: "bind", Value: addressesWithProtocols{
 | |
| 		addresses: addresses,
 | |
| 		protocols: protocols,
 | |
| 	}}}, nil
 | |
| }
 | |
| 
 | |
| // parseTLS parses the tls directive. Syntax:
 | |
| //
 | |
| //	tls [<email>|internal|force_automate]|[<cert_file> <key_file>] {
 | |
| //	    protocols <min> [<max>]
 | |
| //	    ciphers   <cipher_suites...>
 | |
| //	    curves    <curves...>
 | |
| //	    client_auth {
 | |
| //	        mode                   [request|require|verify_if_given|require_and_verify]
 | |
| //	        trust_pool			   <module_name> [...]
 | |
| //	        trusted_leaf_cert      <base64_der>
 | |
| //	        trusted_leaf_cert_file <filename>
 | |
| //	    }
 | |
| //	    alpn                          <values...>
 | |
| //	    load                          <paths...>
 | |
| //	    ca                            <acme_ca_endpoint>
 | |
| //	    ca_root                       <pem_file>
 | |
| //	    key_type                      [ed25519|p256|p384|rsa2048|rsa4096]
 | |
| //	    dns                           [<provider_name> [...]]    (required, though, if DNS is not configured as global option)
 | |
| //	    propagation_delay             <duration>
 | |
| //	    propagation_timeout           <duration>
 | |
| //	    resolvers                     <dns_servers...>
 | |
| //	    dns_ttl                       <duration>
 | |
| //	    dns_challenge_override_domain <domain>
 | |
| //	    on_demand
 | |
| //	    reuse_private_keys
 | |
| //	    force_automate
 | |
| //	    eab                           <key_id> <mac_key>
 | |
| //	    issuer                        <module_name> [...]
 | |
| //	    get_certificate               <module_name> [...]
 | |
| //	    insecure_secrets_log          <log_file>
 | |
| //	}
 | |
| func parseTLS(h Helper) ([]ConfigValue, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 
 | |
| 	cp := new(caddytls.ConnectionPolicy)
 | |
| 	var fileLoader caddytls.FileLoader
 | |
| 	var folderLoader caddytls.FolderLoader
 | |
| 	var certSelector caddytls.CustomCertSelectionPolicy
 | |
| 	var acmeIssuer *caddytls.ACMEIssuer
 | |
| 	var keyType string
 | |
| 	var internalIssuer *caddytls.InternalIssuer
 | |
| 	var issuers []certmagic.Issuer
 | |
| 	var certManagers []certmagic.Manager
 | |
| 	var onDemand bool
 | |
| 	var reusePrivateKeys bool
 | |
| 	var forceAutomate bool
 | |
| 
 | |
| 	// Track which DNS challenge options are set
 | |
| 	var dnsOptionsSet []string
 | |
| 
 | |
| 	firstLine := h.RemainingArgs()
 | |
| 	switch len(firstLine) {
 | |
| 	case 0:
 | |
| 	case 1:
 | |
| 		if firstLine[0] == "internal" {
 | |
| 			internalIssuer = new(caddytls.InternalIssuer)
 | |
| 		} else if firstLine[0] == "force_automate" {
 | |
| 			forceAutomate = true
 | |
| 		} else if !strings.Contains(firstLine[0], "@") {
 | |
| 			return nil, h.Err("single argument must either be 'internal', 'force_automate', or an email address")
 | |
| 		} else {
 | |
| 			acmeIssuer = &caddytls.ACMEIssuer{
 | |
| 				Email: firstLine[0],
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 	case 2:
 | |
| 		// file certificate loader
 | |
| 		certFilename := firstLine[0]
 | |
| 		keyFilename := firstLine[1]
 | |
| 
 | |
| 		// tag this certificate so if multiple certs match, specifically
 | |
| 		// this one that the user has provided will be used, see #2588:
 | |
| 		// https://github.com/caddyserver/caddy/issues/2588 ... but we
 | |
| 		// must be careful about how we do this; being careless will
 | |
| 		// lead to failed handshakes
 | |
| 		//
 | |
| 		// we need to remember which cert files we've seen, since we
 | |
| 		// must load each cert only once; otherwise, they each get a
 | |
| 		// different tag... since a cert loaded twice has the same
 | |
| 		// bytes, it will overwrite the first one in the cache, and
 | |
| 		// only the last cert (and its tag) will survive, so any conn
 | |
| 		// policy that is looking for any tag other than the last one
 | |
| 		// to be loaded won't find it, and TLS handshakes will fail
 | |
| 		// (see end of issue #3004)
 | |
| 		//
 | |
| 		// tlsCertTags maps certificate filenames to their tag.
 | |
| 		// This is used to remember which tag is used for each
 | |
| 		// certificate files, since we need to avoid loading
 | |
| 		// the same certificate files more than once, overwriting
 | |
| 		// previous tags
 | |
| 		tlsCertTags, ok := h.State["tlsCertTags"].(map[string]string)
 | |
| 		if !ok {
 | |
| 			tlsCertTags = make(map[string]string)
 | |
| 			h.State["tlsCertTags"] = tlsCertTags
 | |
| 		}
 | |
| 
 | |
| 		tag, ok := tlsCertTags[certFilename]
 | |
| 		if !ok {
 | |
| 			// haven't seen this cert file yet, let's give it a tag
 | |
| 			// and add a loader for it
 | |
| 			tag = fmt.Sprintf("cert%d", len(tlsCertTags))
 | |
| 			fileLoader = append(fileLoader, caddytls.CertKeyFilePair{
 | |
| 				Certificate: certFilename,
 | |
| 				Key:         keyFilename,
 | |
| 				Tags:        []string{tag},
 | |
| 			})
 | |
| 			// remember this for next time we see this cert file
 | |
| 			tlsCertTags[certFilename] = tag
 | |
| 		}
 | |
| 		certSelector.AnyTag = append(certSelector.AnyTag, tag)
 | |
| 
 | |
| 	default:
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 
 | |
| 	var hasBlock bool
 | |
| 	for h.NextBlock(0) {
 | |
| 		hasBlock = true
 | |
| 
 | |
| 		switch h.Val() {
 | |
| 		case "protocols":
 | |
| 			args := h.RemainingArgs()
 | |
| 			if len(args) == 0 {
 | |
| 				return nil, h.Errf("protocols requires one or two arguments")
 | |
| 			}
 | |
| 			if len(args) > 0 {
 | |
| 				if _, ok := caddytls.SupportedProtocols[args[0]]; !ok {
 | |
| 					return nil, h.Errf("wrong protocol name or protocol not supported: '%s'", args[0])
 | |
| 				}
 | |
| 				cp.ProtocolMin = args[0]
 | |
| 			}
 | |
| 			if len(args) > 1 {
 | |
| 				if _, ok := caddytls.SupportedProtocols[args[1]]; !ok {
 | |
| 					return nil, h.Errf("wrong protocol name or protocol not supported: '%s'", args[1])
 | |
| 				}
 | |
| 				cp.ProtocolMax = args[1]
 | |
| 			}
 | |
| 
 | |
| 		case "ciphers":
 | |
| 			for h.NextArg() {
 | |
| 				if !caddytls.CipherSuiteNameSupported(h.Val()) {
 | |
| 					return nil, h.Errf("wrong cipher suite name or cipher suite not supported: '%s'", h.Val())
 | |
| 				}
 | |
| 				cp.CipherSuites = append(cp.CipherSuites, h.Val())
 | |
| 			}
 | |
| 
 | |
| 		case "curves":
 | |
| 			for h.NextArg() {
 | |
| 				if _, ok := caddytls.SupportedCurves[h.Val()]; !ok {
 | |
| 					return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val())
 | |
| 				}
 | |
| 				cp.Curves = append(cp.Curves, h.Val())
 | |
| 			}
 | |
| 
 | |
| 		case "client_auth":
 | |
| 			cp.ClientAuthentication = &caddytls.ClientAuthentication{}
 | |
| 			if err := cp.ClientAuthentication.UnmarshalCaddyfile(h.NewFromNextSegment()); err != nil {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 		case "alpn":
 | |
| 			args := h.RemainingArgs()
 | |
| 			if len(args) == 0 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			cp.ALPN = args
 | |
| 
 | |
| 		case "load":
 | |
| 			folderLoader = append(folderLoader, h.RemainingArgs()...)
 | |
| 
 | |
| 		case "ca":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			acmeIssuer.CA = arg[0]
 | |
| 
 | |
| 		case "key_type":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			keyType = arg[0]
 | |
| 
 | |
| 		case "eab":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 2 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			acmeIssuer.ExternalAccount = &acme.EAB{
 | |
| 				KeyID:  arg[0],
 | |
| 				MACKey: arg[1],
 | |
| 			}
 | |
| 
 | |
| 		case "issuer":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			modName := h.Val()
 | |
| 			modID := "tls.issuance." + modName
 | |
| 			unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
 | |
| 			if err != nil {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 			issuer, ok := unm.(certmagic.Issuer)
 | |
| 			if !ok {
 | |
| 				return nil, h.Errf("module %s (%T) is not a certmagic.Issuer", modID, unm)
 | |
| 			}
 | |
| 			issuers = append(issuers, issuer)
 | |
| 
 | |
| 		case "get_certificate":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			modName := h.Val()
 | |
| 			modID := "tls.get_certificate." + modName
 | |
| 			unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
 | |
| 			if err != nil {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 			certManager, ok := unm.(certmagic.Manager)
 | |
| 			if !ok {
 | |
| 				return nil, h.Errf("module %s (%T) is not a certmagic.CertificateManager", modID, unm)
 | |
| 			}
 | |
| 			certManagers = append(certManagers, certManager)
 | |
| 
 | |
| 		case "dns":
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges == nil {
 | |
| 				acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges.DNS == nil {
 | |
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 | |
| 			}
 | |
| 			// DNS provider configuration optional, since it may be configured globally via the TLS app with global options
 | |
| 			if h.NextArg() {
 | |
| 				provName := h.Val()
 | |
| 				modID := "dns.providers." + provName
 | |
| 				unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
 | |
| 				if err != nil {
 | |
| 					return nil, err
 | |
| 				}
 | |
| 				acmeIssuer.Challenges.DNS.ProviderRaw = caddyconfig.JSONModuleObject(unm, "name", provName, h.warnings)
 | |
| 			} else if h.Option("dns") == nil {
 | |
| 				// if DNS is omitted locally, it needs to be configured globally
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 
 | |
| 		case "resolvers":
 | |
| 			args := h.RemainingArgs()
 | |
| 			if len(args) == 0 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges == nil {
 | |
| 				acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges.DNS == nil {
 | |
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 | |
| 			}
 | |
| 			dnsOptionsSet = append(dnsOptionsSet, "resolvers")
 | |
| 			acmeIssuer.Challenges.DNS.Resolvers = args
 | |
| 
 | |
| 		case "propagation_delay":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			delayStr := arg[0]
 | |
| 			delay, err := caddy.ParseDuration(delayStr)
 | |
| 			if err != nil {
 | |
| 				return nil, h.Errf("invalid propagation_delay duration %s: %v", delayStr, err)
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges == nil {
 | |
| 				acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges.DNS == nil {
 | |
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 | |
| 			}
 | |
| 			dnsOptionsSet = append(dnsOptionsSet, "propagation_delay")
 | |
| 			acmeIssuer.Challenges.DNS.PropagationDelay = caddy.Duration(delay)
 | |
| 
 | |
| 		case "propagation_timeout":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			timeoutStr := arg[0]
 | |
| 			var timeout time.Duration
 | |
| 			if timeoutStr == "-1" {
 | |
| 				timeout = time.Duration(-1)
 | |
| 			} else {
 | |
| 				var err error
 | |
| 				timeout, err = caddy.ParseDuration(timeoutStr)
 | |
| 				if err != nil {
 | |
| 					return nil, h.Errf("invalid propagation_timeout duration %s: %v", timeoutStr, err)
 | |
| 				}
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges == nil {
 | |
| 				acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges.DNS == nil {
 | |
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 | |
| 			}
 | |
| 			dnsOptionsSet = append(dnsOptionsSet, "propagation_timeout")
 | |
| 			acmeIssuer.Challenges.DNS.PropagationTimeout = caddy.Duration(timeout)
 | |
| 
 | |
| 		case "dns_ttl":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			ttlStr := arg[0]
 | |
| 			ttl, err := caddy.ParseDuration(ttlStr)
 | |
| 			if err != nil {
 | |
| 				return nil, h.Errf("invalid dns_ttl duration %s: %v", ttlStr, err)
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges == nil {
 | |
| 				acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges.DNS == nil {
 | |
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 | |
| 			}
 | |
| 			dnsOptionsSet = append(dnsOptionsSet, "dns_ttl")
 | |
| 			acmeIssuer.Challenges.DNS.TTL = caddy.Duration(ttl)
 | |
| 
 | |
| 		case "dns_challenge_override_domain":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges == nil {
 | |
| 				acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
 | |
| 			}
 | |
| 			if acmeIssuer.Challenges.DNS == nil {
 | |
| 				acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
 | |
| 			}
 | |
| 			dnsOptionsSet = append(dnsOptionsSet, "dns_challenge_override_domain")
 | |
| 			acmeIssuer.Challenges.DNS.OverrideDomain = arg[0]
 | |
| 
 | |
| 		case "ca_root":
 | |
| 			arg := h.RemainingArgs()
 | |
| 			if len(arg) != 1 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			if acmeIssuer == nil {
 | |
| 				acmeIssuer = new(caddytls.ACMEIssuer)
 | |
| 			}
 | |
| 			acmeIssuer.TrustedRootsPEMFiles = append(acmeIssuer.TrustedRootsPEMFiles, arg[0])
 | |
| 
 | |
| 		case "on_demand":
 | |
| 			if h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			onDemand = true
 | |
| 
 | |
| 		case "reuse_private_keys":
 | |
| 			if h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			reusePrivateKeys = true
 | |
| 
 | |
| 		case "insecure_secrets_log":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			cp.InsecureSecretsLog = h.Val()
 | |
| 
 | |
| 		default:
 | |
| 			return nil, h.Errf("unknown subdirective: %s", h.Val())
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// Validate DNS challenge config: any DNS challenge option except "dns" requires a DNS provider
 | |
| 	if acmeIssuer != nil && acmeIssuer.Challenges != nil && acmeIssuer.Challenges.DNS != nil {
 | |
| 		dnsCfg := acmeIssuer.Challenges.DNS
 | |
| 		providerSet := dnsCfg.ProviderRaw != nil || h.Option("dns") != nil
 | |
| 		if len(dnsOptionsSet) > 0 && !providerSet {
 | |
| 			return nil, h.Errf(
 | |
| 				"setting DNS challenge options [%s] requires a DNS provider (set with the 'dns' subdirective or 'acme_dns' global option)",
 | |
| 				strings.Join(dnsOptionsSet, ", "),
 | |
| 			)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// a naked tls directive is not allowed
 | |
| 	if len(firstLine) == 0 && !hasBlock {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 
 | |
| 	// begin building the final config values
 | |
| 	configVals := []ConfigValue{}
 | |
| 
 | |
| 	// certificate loaders
 | |
| 	if len(fileLoader) > 0 {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.cert_loader",
 | |
| 			Value: fileLoader,
 | |
| 		})
 | |
| 	}
 | |
| 	if len(folderLoader) > 0 {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.cert_loader",
 | |
| 			Value: folderLoader,
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	// some tls subdirectives are shortcuts that implicitly configure issuers, and the
 | |
| 	// user can also configure issuers explicitly using the issuer subdirective; the
 | |
| 	// logic to support both would likely be complex, or at least unintuitive
 | |
| 	if len(issuers) > 0 && (acmeIssuer != nil || internalIssuer != nil) {
 | |
| 		return nil, h.Err("cannot mix issuer subdirective (explicit issuers) with other issuer-specific subdirectives (implicit issuers)")
 | |
| 	}
 | |
| 	if acmeIssuer != nil && internalIssuer != nil {
 | |
| 		return nil, h.Err("cannot create both ACME and internal certificate issuers")
 | |
| 	}
 | |
| 
 | |
| 	// now we should either have: explicitly-created issuers, or an implicitly-created
 | |
| 	// ACME or internal issuer, or no issuers at all
 | |
| 	switch {
 | |
| 	case len(issuers) > 0:
 | |
| 		for _, issuer := range issuers {
 | |
| 			configVals = append(configVals, ConfigValue{
 | |
| 				Class: "tls.cert_issuer",
 | |
| 				Value: issuer,
 | |
| 			})
 | |
| 		}
 | |
| 
 | |
| 	case acmeIssuer != nil:
 | |
| 		// implicit ACME issuers (from various subdirectives) - use defaults; there might be more than one
 | |
| 		defaultIssuers := caddytls.DefaultIssuers(acmeIssuer.Email)
 | |
| 
 | |
| 		// if an ACME CA endpoint was set, the user expects to use that specific one,
 | |
| 		// not any others that may be defaults, so replace all defaults with that ACME CA
 | |
| 		if acmeIssuer.CA != "" {
 | |
| 			defaultIssuers = []certmagic.Issuer{acmeIssuer}
 | |
| 		}
 | |
| 
 | |
| 		for _, issuer := range defaultIssuers {
 | |
| 			// apply settings from the implicitly-configured ACMEIssuer to any
 | |
| 			// default ACMEIssuers, but preserve each default issuer's CA endpoint,
 | |
| 			// because, for example, if you configure the DNS challenge, it should
 | |
| 			// apply to any of the default ACMEIssuers, but you don't want to trample
 | |
| 			// out their unique CA endpoints
 | |
| 			if iss, ok := issuer.(*caddytls.ACMEIssuer); ok && iss != nil {
 | |
| 				acmeCopy := *acmeIssuer
 | |
| 				acmeCopy.CA = iss.CA
 | |
| 				issuer = &acmeCopy
 | |
| 			}
 | |
| 			configVals = append(configVals, ConfigValue{
 | |
| 				Class: "tls.cert_issuer",
 | |
| 				Value: issuer,
 | |
| 			})
 | |
| 		}
 | |
| 
 | |
| 	case internalIssuer != nil:
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.cert_issuer",
 | |
| 			Value: internalIssuer,
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	// certificate key type
 | |
| 	if keyType != "" {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.key_type",
 | |
| 			Value: keyType,
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	// on-demand TLS
 | |
| 	if onDemand {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.on_demand",
 | |
| 			Value: true,
 | |
| 		})
 | |
| 	}
 | |
| 	for _, certManager := range certManagers {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.cert_manager",
 | |
| 			Value: certManager,
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	// reuse private keys TLS
 | |
| 	if reusePrivateKeys {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.reuse_private_keys",
 | |
| 			Value: true,
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	// if enabled, the names in the site addresses will be
 | |
| 	// added to the automation policies
 | |
| 	if forceAutomate {
 | |
| 		configVals = append(configVals, ConfigValue{
 | |
| 			Class: "tls.force_automate",
 | |
| 			Value: true,
 | |
| 		})
 | |
| 	}
 | |
| 
 | |
| 	// custom certificate selection
 | |
| 	if len(certSelector.AnyTag) > 0 {
 | |
| 		cp.CertSelection = &certSelector
 | |
| 	}
 | |
| 
 | |
| 	// connection policy -- always add one, to ensure that TLS
 | |
| 	// is enabled, because this directive was used (this is
 | |
| 	// needed, for instance, when a site block has a key of
 | |
| 	// just ":5000" - i.e. no hostname, and only on-demand TLS
 | |
| 	// is enabled)
 | |
| 	configVals = append(configVals, ConfigValue{
 | |
| 		Class: "tls.connection_policy",
 | |
| 		Value: cp,
 | |
| 	})
 | |
| 
 | |
| 	return configVals, nil
 | |
| }
 | |
| 
 | |
| // parseRoot parses the root directive. Syntax:
 | |
| //
 | |
| //	root [<matcher>] <path>
 | |
| func parseRoot(h Helper) ([]ConfigValue, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 
 | |
| 	// count the tokens to determine what to do
 | |
| 	argsCount := h.CountRemainingArgs()
 | |
| 	if argsCount == 0 {
 | |
| 		return nil, h.Errf("too few arguments; must have at least a root path")
 | |
| 	}
 | |
| 	if argsCount > 2 {
 | |
| 		return nil, h.Errf("too many arguments; should only be a matcher and a path")
 | |
| 	}
 | |
| 
 | |
| 	// with only one arg, assume it's a root path with no matcher token
 | |
| 	if argsCount == 1 {
 | |
| 		if !h.NextArg() {
 | |
| 			return nil, h.ArgErr()
 | |
| 		}
 | |
| 		return h.NewRoute(nil, caddyhttp.VarsMiddleware{"root": h.Val()}), nil
 | |
| 	}
 | |
| 
 | |
| 	// parse the matcher token into a matcher set
 | |
| 	userMatcherSet, err := h.ExtractMatcherSet()
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	h.Next() // consume directive name again, matcher parsing does a reset
 | |
| 
 | |
| 	// advance to the root path
 | |
| 	if !h.NextArg() {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 	// make the route with the matcher
 | |
| 	return h.NewRoute(userMatcherSet, caddyhttp.VarsMiddleware{"root": h.Val()}), nil
 | |
| }
 | |
| 
 | |
| // parseFilesystem parses the fs directive. Syntax:
 | |
| //
 | |
| //	fs <filesystem>
 | |
| func parseFilesystem(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 	if !h.NextArg() {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 	if h.NextArg() {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 	return caddyhttp.VarsMiddleware{"fs": h.Val()}, nil
 | |
| }
 | |
| 
 | |
| // parseVars parses the vars directive. See its UnmarshalCaddyfile method for syntax.
 | |
| func parseVars(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	v := new(caddyhttp.VarsMiddleware)
 | |
| 	err := v.UnmarshalCaddyfile(h.Dispenser)
 | |
| 	return v, err
 | |
| }
 | |
| 
 | |
| // parseRedir parses the redir directive. Syntax:
 | |
| //
 | |
| //	redir [<matcher>] <to> [<code>]
 | |
| //
 | |
| // <code> can be "permanent" for 301, "temporary" for 302 (default),
 | |
| // a placeholder, or any number in the 3xx range or 401. The special
 | |
| // code "html" can be used to redirect only browser clients (will
 | |
| // respond with HTTP 200 and no Location header; redirect is performed
 | |
| // with JS and a meta tag).
 | |
| func parseRedir(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 	if !h.NextArg() {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 	to := h.Val()
 | |
| 
 | |
| 	var code string
 | |
| 	if h.NextArg() {
 | |
| 		code = h.Val()
 | |
| 	}
 | |
| 
 | |
| 	var body string
 | |
| 	var hdr http.Header
 | |
| 	switch code {
 | |
| 	case "permanent":
 | |
| 		code = "301"
 | |
| 
 | |
| 	case "temporary", "":
 | |
| 		code = "302"
 | |
| 
 | |
| 	case "html":
 | |
| 		// Script tag comes first since that will better imitate a redirect in the browser's
 | |
| 		// history, but the meta tag is a fallback for most non-JS clients.
 | |
| 		const metaRedir = `<!DOCTYPE html>
 | |
| <html>
 | |
| 	<head>
 | |
| 		<title>Redirecting...</title>
 | |
| 		<script>window.location.replace("%s");</script>
 | |
| 		<meta http-equiv="refresh" content="0; URL='%s'">
 | |
| 	</head>
 | |
| 	<body>Redirecting to <a href="%s">%s</a>...</body>
 | |
| </html>
 | |
| `
 | |
| 		safeTo := html.EscapeString(to)
 | |
| 		body = fmt.Sprintf(metaRedir, safeTo, safeTo, safeTo, safeTo)
 | |
| 		hdr = http.Header{"Content-Type": []string{"text/html; charset=utf-8"}}
 | |
| 		code = "200" // don't redirect non-browser clients
 | |
| 
 | |
| 	default:
 | |
| 		// Allow placeholders for the code
 | |
| 		if strings.HasPrefix(code, "{") {
 | |
| 			break
 | |
| 		}
 | |
| 		// Try to validate as an integer otherwise
 | |
| 		codeInt, err := strconv.Atoi(code)
 | |
| 		if err != nil {
 | |
| 			return nil, h.Errf("Not a supported redir code type or not valid integer: '%s'", code)
 | |
| 		}
 | |
| 		// Sometimes, a 401 with Location header is desirable because
 | |
| 		// requests made with XHR will "eat" the 3xx redirect; so if
 | |
| 		// the intent was to redirect to an auth page, a 3xx won't
 | |
| 		// work. Responding with 401 allows JS code to read the
 | |
| 		// Location header and do a window.location redirect manually.
 | |
| 		// see https://stackoverflow.com/a/2573589/846934
 | |
| 		// see https://github.com/oauth2-proxy/oauth2-proxy/issues/1522
 | |
| 		if codeInt < 300 || (codeInt > 399 && codeInt != 401) {
 | |
| 			return nil, h.Errf("Redir code not in the 3xx range or 401: '%v'", codeInt)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	// don't redirect non-browser clients
 | |
| 	if code != "200" {
 | |
| 		hdr = http.Header{"Location": []string{to}}
 | |
| 	}
 | |
| 
 | |
| 	return caddyhttp.StaticResponse{
 | |
| 		StatusCode: caddyhttp.WeakString(code),
 | |
| 		Headers:    hdr,
 | |
| 		Body:       body,
 | |
| 	}, nil
 | |
| }
 | |
| 
 | |
| // parseRespond parses the respond directive.
 | |
| func parseRespond(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	sr := new(caddyhttp.StaticResponse)
 | |
| 	err := sr.UnmarshalCaddyfile(h.Dispenser)
 | |
| 	return sr, err
 | |
| }
 | |
| 
 | |
| // parseAbort parses the abort directive.
 | |
| func parseAbort(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	h.Next() // consume directive
 | |
| 	for h.Next() || h.NextBlock(0) {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 	return &caddyhttp.StaticResponse{Abort: true}, nil
 | |
| }
 | |
| 
 | |
| // parseError parses the error directive.
 | |
| func parseError(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	se := new(caddyhttp.StaticError)
 | |
| 	err := se.UnmarshalCaddyfile(h.Dispenser)
 | |
| 	return se, err
 | |
| }
 | |
| 
 | |
| // parseRoute parses the route directive.
 | |
| func parseRoute(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	allResults, err := parseSegmentAsConfig(h)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 
 | |
| 	for _, result := range allResults {
 | |
| 		switch result.Value.(type) {
 | |
| 		case caddyhttp.Route, caddyhttp.Subroute:
 | |
| 		default:
 | |
| 			return nil, h.Errf("%s directive returned something other than an HTTP route or subroute: %#v (only handler directives can be used in routes)", result.directive, result.Value)
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	return buildSubroute(allResults, h.groupCounter, false)
 | |
| }
 | |
| 
 | |
| func parseHandle(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	return ParseSegmentAsSubroute(h)
 | |
| }
 | |
| 
 | |
| func parseHandleErrors(h Helper) ([]ConfigValue, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 
 | |
| 	expression := ""
 | |
| 	args := h.RemainingArgs()
 | |
| 	if len(args) > 0 {
 | |
| 		codes := []string{}
 | |
| 		for _, val := range args {
 | |
| 			if len(val) != 3 {
 | |
| 				return nil, h.Errf("bad status value '%s'", val)
 | |
| 			}
 | |
| 			if strings.HasSuffix(val, "xx") {
 | |
| 				val = val[:1]
 | |
| 				_, err := strconv.Atoi(val)
 | |
| 				if err != nil {
 | |
| 					return nil, h.Errf("bad status value '%s': %v", val, err)
 | |
| 				}
 | |
| 				if expression != "" {
 | |
| 					expression += " || "
 | |
| 				}
 | |
| 				expression += fmt.Sprintf("{http.error.status_code} >= %s00 && {http.error.status_code} <= %s99", val, val)
 | |
| 				continue
 | |
| 			}
 | |
| 			_, err := strconv.Atoi(val)
 | |
| 			if err != nil {
 | |
| 				return nil, h.Errf("bad status value '%s': %v", val, err)
 | |
| 			}
 | |
| 			codes = append(codes, val)
 | |
| 		}
 | |
| 		if len(codes) > 0 {
 | |
| 			if expression != "" {
 | |
| 				expression += " || "
 | |
| 			}
 | |
| 			expression += "{http.error.status_code} in [" + strings.Join(codes, ", ") + "]"
 | |
| 		}
 | |
| 		// Reset cursor position to get ready for ParseSegmentAsSubroute
 | |
| 		h.Reset()
 | |
| 		h.Next()
 | |
| 		h.RemainingArgs()
 | |
| 		h.Prev()
 | |
| 	} else {
 | |
| 		// If no arguments present reset the cursor position to get ready for ParseSegmentAsSubroute
 | |
| 		h.Prev()
 | |
| 	}
 | |
| 
 | |
| 	handler, err := ParseSegmentAsSubroute(h)
 | |
| 	if err != nil {
 | |
| 		return nil, err
 | |
| 	}
 | |
| 	subroute, ok := handler.(*caddyhttp.Subroute)
 | |
| 	if !ok {
 | |
| 		return nil, h.Errf("segment was not parsed as a subroute")
 | |
| 	}
 | |
| 
 | |
| 	// wrap the subroutes
 | |
| 	wrappingRoute := caddyhttp.Route{
 | |
| 		HandlersRaw: []json.RawMessage{caddyconfig.JSONModuleObject(subroute, "handler", "subroute", nil)},
 | |
| 	}
 | |
| 	subroute = &caddyhttp.Subroute{
 | |
| 		Routes: []caddyhttp.Route{wrappingRoute},
 | |
| 	}
 | |
| 	if expression != "" {
 | |
| 		statusMatcher := caddy.ModuleMap{
 | |
| 			"expression": h.JSON(caddyhttp.MatchExpression{Expr: expression}),
 | |
| 		}
 | |
| 		subroute.Routes[0].MatcherSetsRaw = []caddy.ModuleMap{statusMatcher}
 | |
| 	}
 | |
| 	return []ConfigValue{
 | |
| 		{
 | |
| 			Class: "error_route",
 | |
| 			Value: subroute,
 | |
| 		},
 | |
| 	}, nil
 | |
| }
 | |
| 
 | |
| // parseInvoke parses the invoke directive.
 | |
| func parseInvoke(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	h.Next() // consume directive
 | |
| 	if !h.NextArg() {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 	for h.Next() || h.NextBlock(0) {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 
 | |
| 	// remember that we're invoking this name
 | |
| 	// to populate the server with these named routes
 | |
| 	if h.State[namedRouteKey] == nil {
 | |
| 		h.State[namedRouteKey] = map[string]struct{}{}
 | |
| 	}
 | |
| 	h.State[namedRouteKey].(map[string]struct{})[h.Val()] = struct{}{}
 | |
| 
 | |
| 	// return the handler
 | |
| 	return &caddyhttp.Invoke{Name: h.Val()}, nil
 | |
| }
 | |
| 
 | |
| // parseLog parses the log directive. Syntax:
 | |
| //
 | |
| //	log <logger_name> {
 | |
| //	    hostnames <hostnames...>
 | |
| //	    output <writer_module> ...
 | |
| //	    core   <core_module> ...
 | |
| //	    format <encoder_module> ...
 | |
| //	    level  <level>
 | |
| //	}
 | |
| func parseLog(h Helper) ([]ConfigValue, error) {
 | |
| 	return parseLogHelper(h, nil)
 | |
| }
 | |
| 
 | |
| // parseLogHelper is used both for the parseLog directive within Server Blocks,
 | |
| // as well as the global "log" option for configuring loggers at the global
 | |
| // level. The parseAsGlobalOption parameter is used to distinguish any differing logic
 | |
| // between the two.
 | |
| func parseLogHelper(h Helper, globalLogNames map[string]struct{}) ([]ConfigValue, error) {
 | |
| 	h.Next() // consume option name
 | |
| 
 | |
| 	// When the globalLogNames parameter is passed in, we make
 | |
| 	// modifications to the parsing behavior.
 | |
| 	parseAsGlobalOption := globalLogNames != nil
 | |
| 
 | |
| 	var configValues []ConfigValue
 | |
| 
 | |
| 	// Logic below expects that a name is always present when a
 | |
| 	// global option is being parsed; or an optional override
 | |
| 	// is supported for access logs.
 | |
| 	var logName string
 | |
| 
 | |
| 	if parseAsGlobalOption {
 | |
| 		if h.NextArg() {
 | |
| 			logName = h.Val()
 | |
| 
 | |
| 			// Only a single argument is supported.
 | |
| 			if h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 		} else {
 | |
| 			// If there is no log name specified, we
 | |
| 			// reference the default logger. See the
 | |
| 			// setupNewDefault function in the logging
 | |
| 			// package for where this is configured.
 | |
| 			logName = caddy.DefaultLoggerName
 | |
| 		}
 | |
| 
 | |
| 		// Verify this name is unused.
 | |
| 		_, used := globalLogNames[logName]
 | |
| 		if used {
 | |
| 			return nil, h.Err("duplicate global log option for: " + logName)
 | |
| 		}
 | |
| 		globalLogNames[logName] = struct{}{}
 | |
| 	} else {
 | |
| 		// An optional override of the logger name can be provided;
 | |
| 		// otherwise a default will be used, like "log0", "log1", etc.
 | |
| 		if h.NextArg() {
 | |
| 			logName = h.Val()
 | |
| 
 | |
| 			// Only a single argument is supported.
 | |
| 			if h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	cl := new(caddy.CustomLog)
 | |
| 
 | |
| 	// allow overriding the current site block's hostnames for this logger;
 | |
| 	// this is useful for setting up loggers per subdomain in a site block
 | |
| 	// with a wildcard domain
 | |
| 	customHostnames := []string{}
 | |
| 	noHostname := false
 | |
| 	for h.NextBlock(0) {
 | |
| 		switch h.Val() {
 | |
| 		case "hostnames":
 | |
| 			if parseAsGlobalOption {
 | |
| 				return nil, h.Err("hostnames is not allowed in the log global options")
 | |
| 			}
 | |
| 			args := h.RemainingArgs()
 | |
| 			if len(args) == 0 {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			customHostnames = append(customHostnames, args...)
 | |
| 
 | |
| 		case "output":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			moduleName := h.Val()
 | |
| 
 | |
| 			// can't use the usual caddyfile.Unmarshaler flow with the
 | |
| 			// standard writers because they are in the caddy package
 | |
| 			// (because they are the default) and implementing that
 | |
| 			// interface there would unfortunately create circular import
 | |
| 			var wo caddy.WriterOpener
 | |
| 			switch moduleName {
 | |
| 			case "stdout":
 | |
| 				wo = caddy.StdoutWriter{}
 | |
| 			case "stderr":
 | |
| 				wo = caddy.StderrWriter{}
 | |
| 			case "discard":
 | |
| 				wo = caddy.DiscardWriter{}
 | |
| 			default:
 | |
| 				modID := "caddy.logging.writers." + moduleName
 | |
| 				unm, err := caddyfile.UnmarshalModule(h.Dispenser, modID)
 | |
| 				if err != nil {
 | |
| 					return nil, err
 | |
| 				}
 | |
| 				var ok bool
 | |
| 				wo, ok = unm.(caddy.WriterOpener)
 | |
| 				if !ok {
 | |
| 					return nil, h.Errf("module %s (%T) is not a WriterOpener", modID, unm)
 | |
| 				}
 | |
| 			}
 | |
| 			cl.WriterRaw = caddyconfig.JSONModuleObject(wo, "output", moduleName, h.warnings)
 | |
| 
 | |
| 		case "sampling":
 | |
| 			d := h.Dispenser.NewFromNextSegment()
 | |
| 			for d.NextArg() {
 | |
| 				// consume any tokens on the same line, if any.
 | |
| 			}
 | |
| 
 | |
| 			sampling := &caddy.LogSampling{}
 | |
| 			for nesting := d.Nesting(); d.NextBlock(nesting); {
 | |
| 				subdir := d.Val()
 | |
| 				switch subdir {
 | |
| 				case "interval":
 | |
| 					if !d.NextArg() {
 | |
| 						return nil, d.ArgErr()
 | |
| 					}
 | |
| 					interval, err := time.ParseDuration(d.Val() + "ns")
 | |
| 					if err != nil {
 | |
| 						return nil, d.Errf("failed to parse interval: %v", err)
 | |
| 					}
 | |
| 					sampling.Interval = interval
 | |
| 				case "first":
 | |
| 					if !d.NextArg() {
 | |
| 						return nil, d.ArgErr()
 | |
| 					}
 | |
| 					first, err := strconv.Atoi(d.Val())
 | |
| 					if err != nil {
 | |
| 						return nil, d.Errf("failed to parse first: %v", err)
 | |
| 					}
 | |
| 					sampling.First = first
 | |
| 				case "thereafter":
 | |
| 					if !d.NextArg() {
 | |
| 						return nil, d.ArgErr()
 | |
| 					}
 | |
| 					thereafter, err := strconv.Atoi(d.Val())
 | |
| 					if err != nil {
 | |
| 						return nil, d.Errf("failed to parse thereafter: %v", err)
 | |
| 					}
 | |
| 					sampling.Thereafter = thereafter
 | |
| 				default:
 | |
| 					return nil, d.Errf("unrecognized subdirective: %s", subdir)
 | |
| 				}
 | |
| 			}
 | |
| 
 | |
| 			cl.Sampling = sampling
 | |
| 
 | |
| 		case "core":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			moduleName := h.Val()
 | |
| 			moduleID := "caddy.logging.cores." + moduleName
 | |
| 			unm, err := caddyfile.UnmarshalModule(h.Dispenser, moduleID)
 | |
| 			if err != nil {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 			core, ok := unm.(zapcore.Core)
 | |
| 			if !ok {
 | |
| 				return nil, h.Errf("module %s (%T) is not a zapcore.Core", moduleID, unm)
 | |
| 			}
 | |
| 			cl.CoreRaw = caddyconfig.JSONModuleObject(core, "module", moduleName, h.warnings)
 | |
| 
 | |
| 		case "format":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			moduleName := h.Val()
 | |
| 			moduleID := "caddy.logging.encoders." + moduleName
 | |
| 			unm, err := caddyfile.UnmarshalModule(h.Dispenser, moduleID)
 | |
| 			if err != nil {
 | |
| 				return nil, err
 | |
| 			}
 | |
| 			enc, ok := unm.(zapcore.Encoder)
 | |
| 			if !ok {
 | |
| 				return nil, h.Errf("module %s (%T) is not a zapcore.Encoder", moduleID, unm)
 | |
| 			}
 | |
| 			cl.EncoderRaw = caddyconfig.JSONModuleObject(enc, "format", moduleName, h.warnings)
 | |
| 
 | |
| 		case "level":
 | |
| 			if !h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			cl.Level = h.Val()
 | |
| 			if h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 
 | |
| 		case "include":
 | |
| 			if !parseAsGlobalOption {
 | |
| 				return nil, h.Err("include is not allowed in the log directive")
 | |
| 			}
 | |
| 			for h.NextArg() {
 | |
| 				cl.Include = append(cl.Include, h.Val())
 | |
| 			}
 | |
| 
 | |
| 		case "exclude":
 | |
| 			if !parseAsGlobalOption {
 | |
| 				return nil, h.Err("exclude is not allowed in the log directive")
 | |
| 			}
 | |
| 			for h.NextArg() {
 | |
| 				cl.Exclude = append(cl.Exclude, h.Val())
 | |
| 			}
 | |
| 
 | |
| 		case "no_hostname":
 | |
| 			if h.NextArg() {
 | |
| 				return nil, h.ArgErr()
 | |
| 			}
 | |
| 			noHostname = true
 | |
| 
 | |
| 		default:
 | |
| 			return nil, h.Errf("unrecognized subdirective: %s", h.Val())
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	var val namedCustomLog
 | |
| 	val.hostnames = customHostnames
 | |
| 	val.noHostname = noHostname
 | |
| 	isEmptyConfig := reflect.DeepEqual(cl, new(caddy.CustomLog))
 | |
| 
 | |
| 	// Skip handling of empty logging configs
 | |
| 
 | |
| 	if parseAsGlobalOption {
 | |
| 		// Use indicated name for global log options
 | |
| 		val.name = logName
 | |
| 	} else {
 | |
| 		if logName != "" {
 | |
| 			val.name = logName
 | |
| 		} else if !isEmptyConfig {
 | |
| 			// Construct a log name for server log streams
 | |
| 			logCounter, ok := h.State["logCounter"].(int)
 | |
| 			if !ok {
 | |
| 				logCounter = 0
 | |
| 			}
 | |
| 			val.name = fmt.Sprintf("log%d", logCounter)
 | |
| 			logCounter++
 | |
| 			h.State["logCounter"] = logCounter
 | |
| 		}
 | |
| 		if val.name != "" {
 | |
| 			cl.Include = []string{"http.log.access." + val.name}
 | |
| 		}
 | |
| 	}
 | |
| 	if !isEmptyConfig {
 | |
| 		val.log = cl
 | |
| 	}
 | |
| 	configValues = append(configValues, ConfigValue{
 | |
| 		Class: "custom_log",
 | |
| 		Value: val,
 | |
| 	})
 | |
| 	return configValues, nil
 | |
| }
 | |
| 
 | |
| // parseLogSkip parses the log_skip directive. Syntax:
 | |
| //
 | |
| //	log_skip [<matcher>]
 | |
| func parseLogSkip(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 
 | |
| 	// "skip_log" is deprecated, replaced by "log_skip"
 | |
| 	if h.Val() == "skip_log" {
 | |
| 		caddy.Log().Named("config.adapter.caddyfile").Warn("the 'skip_log' directive is deprecated, please use 'log_skip' instead!")
 | |
| 	}
 | |
| 
 | |
| 	if h.NextArg() {
 | |
| 		return nil, h.ArgErr()
 | |
| 	}
 | |
| 
 | |
| 	if h.NextBlock(0) {
 | |
| 		return nil, h.Err("log_skip directive does not accept blocks")
 | |
| 	}
 | |
| 
 | |
| 	return caddyhttp.VarsMiddleware{"log_skip": true}, nil
 | |
| }
 | |
| 
 | |
| // parseLogName parses the log_name directive. Syntax:
 | |
| //
 | |
| //	log_name <names...>
 | |
| func parseLogName(h Helper) (caddyhttp.MiddlewareHandler, error) {
 | |
| 	h.Next() // consume directive name
 | |
| 	return caddyhttp.VarsMiddleware{
 | |
| 		caddyhttp.AccessLoggerNameVarKey: h.RemainingArgs(),
 | |
| 	}, nil
 | |
| }
 |