caddytls: Require 'ask' endpoint for on-demand TLS
This commit is contained in:
parent
6cc3cbbc69
commit
b97c76fb47
@ -168,23 +168,27 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
|
||||||
// on-demand TLS
|
// on-demand TLS
|
||||||
var ond *certmagic.OnDemandConfig
|
var ond *certmagic.OnDemandConfig
|
||||||
if ap.OnDemand {
|
if ap.OnDemand {
|
||||||
|
// ask endpoint is now required after a number of negligence cases causing abuse
|
||||||
|
if tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "" {
|
||||||
|
return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
|
||||||
|
}
|
||||||
ond = &certmagic.OnDemandConfig{
|
ond = &certmagic.OnDemandConfig{
|
||||||
DecisionFunc: func(name string) error {
|
DecisionFunc: func(name string) error {
|
||||||
// if an "ask" endpoint was defined, consult it first
|
|
||||||
if tlsApp.Automation != nil &&
|
|
||||||
tlsApp.Automation.OnDemand != nil &&
|
|
||||||
tlsApp.Automation.OnDemand.Ask != "" {
|
|
||||||
if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
|
if err := onDemandAskRequest(tlsApp.logger, tlsApp.Automation.OnDemand.Ask, name); err != nil {
|
||||||
// distinguish true errors from denials, because it's important to log actual errors
|
// distinguish true errors from denials, because it's important to elevate actual errors
|
||||||
if !errors.Is(err, errAskDenied) {
|
if errors.Is(err, errAskDenied) {
|
||||||
|
tlsApp.logger.Debug("certificate issuance denied",
|
||||||
|
zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
|
||||||
|
zap.String("domain", name),
|
||||||
|
zap.Error(err))
|
||||||
|
} else {
|
||||||
tlsApp.logger.Error("request to 'ask' endpoint failed",
|
tlsApp.logger.Error("request to 'ask' endpoint failed",
|
||||||
zap.Error(err),
|
zap.String("ask_endpoint", tlsApp.Automation.OnDemand.Ask),
|
||||||
zap.String("endpoint", tlsApp.Automation.OnDemand.Ask),
|
zap.String("domain", name),
|
||||||
zap.String("domain", name))
|
zap.Error(err))
|
||||||
}
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
|
||||||
// check the rate limiter last because
|
// check the rate limiter last because
|
||||||
// doing so makes a reservation
|
// doing so makes a reservation
|
||||||
if !onDemandRateLimiter.Allow() {
|
if !onDemandRateLimiter.Allow() {
|
||||||
|
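Review bot: The new guard at the top of the `if ap.OnDemand` block only rejects an empty `ask` value, so a malformed or non-http(s) URL still passes Provision and first surfaces at handshake time as a per-name Error log, where it cannot be told apart from an endpoint outage (unless onDemandAskRequest validates it, which this hunk does not show). Since the endpoint is now mandatory, it is worth failing fast at provision time: `if u, err := url.Parse(tlsApp.Automation.OnDemand.Ask); err != nil || (u.Scheme != "http" && u.Scheme != "https") { return fmt.Errorf("invalid 'ask' endpoint %q: must be an http or https URL", tlsApp.Automation.OnDemand.Ask) }` (net/url would need to be in the import block if it is not already). A smaller point: denials are now logged only at Debug, so a stream of rejections for unknown names — the probing the 'ask' endpoint exists to stop — is invisible at the default level; Info, or a counter, would give operators that signal. Provision continues past the end of the hunk.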
@ -404,7 +408,7 @@ type OnDemandConfig struct {
|
||||||
// issuance of certificates from handshakes.
|
// issuance of certificates from handshakes.
|
||||||
RateLimit *RateLimit `json:"rate_limit,omitempty"`
|
RateLimit *RateLimit `json:"rate_limit,omitempty"`
|
||||||
|
|
||||||
// If Caddy needs to obtain or renew a certificate
|
// REQUIRED. If Caddy needs to obtain/renew a certificate
|
||||||
// during a TLS handshake, it will perform a quick
|
// during a TLS handshake, it will perform a quick
|
||||||
// HTTP request to this URL to check if it should be
|
// HTTP request to this URL to check if it should be
|
||||||
// allowed to try to get a certificate for the name
|
// allowed to try to get a certificate for the name
|
||||||
|
|
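Review bot: The new `REQUIRED.` prefix on the Ask doc comment slightly overstates the rule: the check that enforces it sits in AutomationPolicy.Provision and only fires for a policy with on_demand enabled, so an OnDemandConfig that carries only rate_limit appears to remain valid. Since this comment is what surfaces in the config documentation, it should say when the field is required and what happens without it, e.g. `// REQUIRED when any automation policy enables on-demand TLS; Caddy refuses to provision such a policy without it.`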