caddytls: Don't initialize default internal issuer unless necessary

Otherwise, a password prompt can occur unnecessarily.
This commit is contained in:
Matthew Holt 2020-04-09 13:09:48 -06:00
parent 6e4132eb89
commit 85f5f47f31
No known key found for this signature in database
GPG Key ID: 2A349DD577D586A5
3 changed files with 37 additions and 29 deletions


@ -339,7 +339,7 @@ uniqueDomainsLoop:
} }
redirTo += "{http.request.uri}" redirTo += "{http.request.uri}"
routes = append(routes, Route{ routes = append(routes, Route{
MatcherSets: []MatcherSet{MatcherSet{MatchProtocol("http")}}, MatcherSets: []MatcherSet{{MatchProtocol("http")}},
Handlers: []MiddlewareHandler{ Handlers: []MiddlewareHandler{
StaticResponse{ StaticResponse{
StatusCode: WeakString(strconv.Itoa(http.StatusPermanentRedirect)), StatusCode: WeakString(strconv.Itoa(http.StatusPermanentRedirect)),


@ -54,7 +54,7 @@ type AutomationConfig struct {
RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"` RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
defaultPublicAutomationPolicy *AutomationPolicy defaultPublicAutomationPolicy *AutomationPolicy
defaultInternalAutomationPolicy *AutomationPolicy defaultInternalAutomationPolicy *AutomationPolicy // only initialized if necessary
} }
// AutomationPolicy designates the policy for automating the // AutomationPolicy designates the policy for automating the


@ -89,29 +89,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
} }
t.certCache = certmagic.NewCache(cacheOpts) t.certCache = certmagic.NewCache(cacheOpts)
// automation/management policies
if t.Automation == nil {
t.Automation = new(AutomationConfig)
}
t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
err := t.Automation.defaultPublicAutomationPolicy.Provision(t)
if err != nil {
return fmt.Errorf("provisioning default public automation policy: %v", err)
}
t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
IssuerRaw: json.RawMessage(`{"module":"internal"}`),
}
err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
if err != nil {
return fmt.Errorf("provisioning default internal automation policy: %v", err)
}
for i, ap := range t.Automation.Policies {
err := ap.Provision(t)
if err != nil {
return fmt.Errorf("provisioning automation policy %d: %v", i, err)
}
}
// certificate loaders // certificate loaders
val, err := ctx.LoadModule(t, "CertificatesRaw") val, err := ctx.LoadModule(t, "CertificatesRaw")
if err != nil { if err != nil {
@ -119,9 +96,8 @@ func (t *TLS) Provision(ctx caddy.Context) error {
} }
for modName, modIface := range val.(map[string]interface{}) { for modName, modIface := range val.(map[string]interface{}) {
if modName == "automate" { if modName == "automate" {
// special case; these will be loaded in later // special case; these will be loaded in later using our automation facilities,
// using our automation facilities, which we // which we want to avoid doing during provisioning
// want to avoid during provisioning
if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil { if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil {
t.automateNames = []string(*automateNames) t.automateNames = []string(*automateNames)
} else { } else {
@ -132,6 +108,38 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader)) t.certificateLoaders = append(t.certificateLoaders, modIface.(CertificateLoader))
} }
// automation/management policies
if t.Automation == nil {
t.Automation = new(AutomationConfig)
}
t.Automation.defaultPublicAutomationPolicy = new(AutomationPolicy)
err = t.Automation.defaultPublicAutomationPolicy.Provision(t)
if err != nil {
return fmt.Errorf("provisioning default public automation policy: %v", err)
}
for _, n := range t.automateNames {
// if any names specified by the "automate" loader do not qualify for a public
// certificate, we should initialize a default internal automation policy
// (but we don't want to do this unnecessarily, since it may prompt for password!)
if certmagic.SubjectQualifiesForPublicCert(n) {
continue
}
t.Automation.defaultInternalAutomationPolicy = &AutomationPolicy{
IssuerRaw: json.RawMessage(`{"module":"internal"}`),
}
err = t.Automation.defaultInternalAutomationPolicy.Provision(t)
if err != nil {
return fmt.Errorf("provisioning default internal automation policy: %v", err)
}
break
}
for i, ap := range t.Automation.Policies {
err := ap.Provision(t)
if err != nil {
return fmt.Errorf("provisioning automation policy %d: %v", i, err)
}
}
// session ticket ephemeral keys (STEK) service and provider // session ticket ephemeral keys (STEK) service and provider
if t.SessionTickets != nil { if t.SessionTickets != nil {
err := t.SessionTickets.provision(ctx) err := t.SessionTickets.provision(ctx)
@ -340,7 +348,7 @@ func (t *TLS) getAutomationPolicyForName(name string) *AutomationPolicy {
} }
} }
} }
if certmagic.SubjectQualifiesForPublicCert(name) { if certmagic.SubjectQualifiesForPublicCert(name) || t.Automation.defaultInternalAutomationPolicy == nil {
return t.Automation.defaultPublicAutomationPolicy return t.Automation.defaultPublicAutomationPolicy
} }
return t.Automation.defaultInternalAutomationPolicy return t.Automation.defaultInternalAutomationPolicy
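Review bot: The new fallback on the `if` line in getAutomationPolicyForName routes every name that does not qualify for a public certificate to defaultPublicAutomationPolicy whenever the internal policy was never provisioned, so a non-public name that reaches this function through any path other than the "automate" loader (Provision only inspects t.automateNames when deciding whether to create the internal issuer) would now be handed to the public issuer and presumably fail at the CA rather than receive an internal cert. Whether such a path exists cannot be confirmed from this hunk, since the start of getAutomationPolicyForName and its callers are outside it, but the coupling between the two hunks deserves a comment at the fallback, e.g. `// the internal issuer is only provisioned when an "automate" name needs it; otherwise fall back to the public policy`, so that a later change to Provision's check keeps both in sync. The move of the automation block below the certificate-loader loop in the first hunk is load-bearing as well, because t.automateNames is only filled inside that loop; a one-line comment such as `// must run after certificate loaders so t.automateNames is populated` next to `// automation/management policies` would keep it from being reordered back.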