caddytls: dns_challenge_override_domain for challenge delegation (#4596)
* Add an override_domain option to allow DNS challenge delegation. A CNAME can be used to delegate answering the challenge to another DNS zone. One usage is to reduce the exposure of the DNS credential [1]. Based on the discussion in caddy/certmagic#160, we are adding an option to allow the user to explicitly specify the domain to delegate to, instead of following the CNAME chain. This needs caddy/certmagic#160. * rename override_domain to dns_challenge_override_domain * Update CertMagic; fix spelling Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
This commit is contained in:
parent
c8f2834b51
commit
d9b1d46325
@ -362,6 +362,22 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
}
acmeIssuer.Challenges.DNS.Resolvers = args
acmeIssuer.Challenges.DNS.Resolvers = args
case "dns_challenge_override_domain":
arg := h.RemainingArgs()
if len(arg) != 1 {
return nil, h.ArgErr()
}
if acmeIssuer == nil {
acmeIssuer = new(caddytls.ACMEIssuer)
}
if acmeIssuer.Challenges == nil {
acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
}
if acmeIssuer.Challenges.DNS == nil {
acmeIssuer.Challenges.DNS = new(caddytls.DNSChallengeConfig)
}
acmeIssuer.Challenges.DNS.OverrideDomain = arg[0]
case "ca_root":
case "ca_root":
arg := h.RemainingArgs()
arg := h.RemainingArgs()
if len(arg) != 1 {
if len(arg) != 1 {
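Review bot: The new `dns_challenge_override_domain` case in parseTLS stores `arg[0]` verbatim after checking only the argument count, so an empty string or a value that is not a hostname is accepted at adapt time and only fails later at issuance; a check such as `if arg[0] == "" { return nil, h.Errf("dns_challenge_override_domain requires a hostname") }` would surface the mistake where the operator can see it. The three nested nil-initializations for acmeIssuer, Challenges and DNS appear to repeat the ladder used by the preceding `resolvers` case; a small helper that returns the ensured `*caddytls.DNSChallengeConfig` would remove the duplication, and the same observation applies to the UnmarshalCaddyfile hunk in the caddytls file below. parseTLS starts and ends outside this hunk.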
2
go.mod
2
go.mod
@ -8,7 +8,7 @@ require (
github.com/Masterminds/sprig/v3 v3.2.2
github.com/Masterminds/sprig/v3 v3.2.2
github.com/alecthomas/chroma v0.10.0
github.com/alecthomas/chroma v0.10.0
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
github.com/caddyserver/certmagic v0.15.4-0.20220217213750-797d29bcf32f
github.com/caddyserver/certmagic v0.15.4
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
github.com/fsnotify/fsnotify v1.5.1 // indirect
github.com/fsnotify/fsnotify v1.5.1 // indirect
github.com/go-chi/chi v4.1.2+incompatible
github.com/go-chi/chi v4.1.2+incompatible
4
go.sum
4
go.sum
@ -189,8 +189,8 @@ github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw=
github.com/caarlos0/ctrlc v1.0.0/go.mod h1:CdXpj4rmq0q/1Eb44M9zi2nKB0QraNKuRGYGrrHhcQw=
github.com/caddyserver/certmagic v0.15.4-0.20220217213750-797d29bcf32f h1:sdjilRh0dxXpofiwDSFU7itmxuXetKB6xWd+lNRVq9s=
github.com/caddyserver/certmagic v0.15.4 h1:kz//9+Z/xw197jtIBxxUDub8pQi9gcYvhXk5Ouw2EkM=
github.com/caddyserver/certmagic v0.15.4-0.20220217213750-797d29bcf32f/go.mod h1:qhkAOthf72ufAcp3Y5jF2RaGE96oip3UbEQRIzwe3/8=
github.com/caddyserver/certmagic v0.15.4/go.mod h1:qhkAOthf72ufAcp3Y5jF2RaGE96oip3UbEQRIzwe3/8=
github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo=
github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo=
github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
@ -144,6 +144,7 @@ func (iss *ACMEIssuer) Provision(ctx caddy.Context) error {
TTL: time.Duration(iss.Challenges.DNS.TTL),
TTL: time.Duration(iss.Challenges.DNS.TTL),
PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout),
PropagationTimeout: time.Duration(iss.Challenges.DNS.PropagationTimeout),
Resolvers: iss.Challenges.DNS.Resolvers,
Resolvers: iss.Challenges.DNS.Resolvers,
OverrideDomain: iss.Challenges.DNS.OverrideDomain,
}
}
}
}
}
}
@ -417,6 +418,19 @@ func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
return d.ArgErr()
return d.ArgErr()
}
}
case "dns_challenge_override_domain":
arg := d.RemainingArgs()
if len(arg) != 1 {
return d.ArgErr()
}
if iss.Challenges == nil {
iss.Challenges = new(ChallengesConfig)
}
if iss.Challenges.DNS == nil {
iss.Challenges.DNS = new(DNSChallengeConfig)
}
iss.Challenges.DNS.OverrideDomain = arg[0]
case "preferred_chains":
case "preferred_chains":
chainPref, err := ParseCaddyfilePreferredChainsOptions(d)
chainPref, err := ParseCaddyfilePreferredChainsOptions(d)
if err != nil {
if err != nil {
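Review bot: The `dns_challenge_override_domain` case added to UnmarshalCaddyfile and the one in the httpcaddyfile parseTLS hunk implement the same option independently, and the Provision hunk above copies `iss.Challenges.DNS.OverrideDomain` into the solver config without touching it, so any validation or normalization of the value has to be applied in both unmarshal paths or it will differ between the Caddyfile and the JSON config. A short comment on the Provision line, such as `// a single override domain per issuer; the solver uses it for every name's challenge record`, would make the scope of the setting clear, if that is indeed how the CertMagic solver treats it. Both the Provision and UnmarshalCaddyfile methods begin and end outside their hunks.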
@ -370,6 +370,11 @@ type DNSChallengeConfig struct {
// Often necessary to configure when using split-horizon DNS.
// Often necessary to configure when using split-horizon DNS.
Resolvers []string `json:"resolvers,omitempty"`
Resolvers []string `json:"resolvers,omitempty"`
// Override the domain to use for the DNS challenge. This
// is to delegate the challenge to a different domain,
// e.g. one that updates faster or one with a provider API.
OverrideDomain string `json:"override_domain,omitempty"`
solver acmez.Solver
solver acmez.Solver
}
}
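Review bot: The new OverrideDomain comment says what the field does but not what the operator must set up for it to work or why it is useful; the commit message gives both, namely a CNAME from the name's challenge record into the override zone so the DNS credentials only need write access to that zone. Consider extending the comment with `// The challenge record of each name is expected to be a CNAME into this domain, so the DNS provider credentials only need access to that zone. The value applies to every name handled by this issuer.`, with the last sentence kept only if that matches the solver's behavior. The DNSChallengeConfig declaration begins outside this hunk.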