From e66040a6f0b384d9cebd38a78f746f08f4cb22c1 Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Sat, 18 May 2024 02:52:19 -0700
Subject: [PATCH] caddytls: set server name in context (#6324)

Set the requested server name in a context value for CertGetter implementations to use. Pass ctx to tscert.GetCertificateWithContext.

Signed-off-by: Will Norris
---
 go.mod                           | 2 +-
 go.sum                           | 4 ++--
 modules/caddytls/certmanagers.go | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index afe01682..c12eb128 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
-	github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046
+	github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933
 	github.com/yuin/goldmark v1.7.1
 	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1
diff --git a/go.sum b/go.sum
index 87c01bd2..84b0f157 100644
--- a/go.sum
+++ b/go.sum
@@ -410,8 +410,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046 h1:8rUlviSVOEe7TMk7W0gIPrW8MqEzYfZHpsNWSf8s2vg=
-github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
+github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933 h1:pV0H+XIvFoP7pl1MRtyPXh5hqoxB5I7snOtTHgrn6HU=
+github.com/tailscale/tscert v0.0.0-20240517230440-bbccfbf48933/go.mod h1:kNGUQ3VESx3VZwRwA9MSCUegIl6+saPL8Noq82ozCaU=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/urfave/cli v1.22.14 h1:ebbhrRiGK2i4naQJr+1Xj92HXZCrK7MsyTS/ob3HnAk=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
diff --git a/modules/caddytls/certmanagers.go b/modules/caddytls/certmanagers.go
index b2e2eb07..b383a03f 100644
--- a/modules/caddytls/certmanagers.go
+++ b/modules/caddytls/certmanagers.go
@@ -22,6 +22,9 @@ func init() {
 	caddy.RegisterModule(HTTPCertGetter{})
 }
 
+// For referencing the requested SNI server name.
+const ClientHelloSNICtxKey caddy.CtxKey = "client_hello_sni"
+
 // Tailscale is a module that can get certificates from the local Tailscale process.
 type Tailscale struct {
 	logger *zap.Logger
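Review bot: The comment above the new exported constant `ClientHelloSNICtxKey` does not begin with the identifier, so godoc and the usual linters will not treat it as the constant's doc comment, and it says neither who sets the value nor that the value originates from the client. A comment such as `// ClientHelloSNICtxKey is the context key under which Tailscale.GetCertificate stores the server name from the TLS ClientHello; the value is client-controlled and readers should validate it before using it in lookups, paths or log output.` would cover both. The commit message describes the key as being for CertGetter implementations in general, but on this page only the Tailscale getter sets it; HTTPCertGetter's GetCertificate is not part of the patch, so whether it is meant to set the key as well is unclear from here.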
@@ -41,6 +44,7 @@ func (ts *Tailscale) Provision(ctx caddy.Context) error {
 }
 
 func (ts Tailscale) GetCertificate(ctx context.Context, hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	ctx = context.WithValue(ctx, ClientHelloSNICtxKey, hello.ServerName)
 	canGetCert, err := ts.canHazCertificate(ctx, hello)
 	if err == nil && !canGetCert {
 		return nil, nil // pass-thru: Tailscale can't offer a cert for this name
@@ -48,7 +52,7 @@ func (ts Tailscale) GetCertificate(ctx context.Context, hello *tls.ClientHelloIn
 	if err != nil {
 		ts.logger.Warn("could not get status; will try to get certificate anyway", zap.Error(err))
 	}
-	return tscert.GetCertificate(hello)
+	return tscert.GetCertificateWithContext(ctx, hello)
 }
 
 // canHazCertificate returns true if Tailscale reports it can get a certificate for the given ClientHello.
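Review bot: `hello.ServerName` on the added line in the first hunk is copied from the client's ClientHello without any check and is empty when the client sent no SNI, so anything that later reads `ClientHelloSNICtxKey` from ctx receives an untrusted, possibly empty string and cannot tell "no SNI" apart from "key never set". If an empty value is of no use downstream, store it only when present, `if hello.ServerName != "" { ctx = context.WithValue(ctx, ClientHelloSNICtxKey, hello.ServerName) }`, and in any case the key's documentation should say the value is client-controlled. In the second hunk, switching to `tscert.GetCertificateWithContext(ctx, hello)` presumably also lets the lookup honour the caller's cancellation, which the old `tscert.GetCertificate(hello)` could not; a short comment noting that ctx now carries both the deadline and the SNI value would help the next reader. GetCertificate's lines between the two hunks are not shown.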