Commit Graph

2043 Commits

Author SHA1 Message Date
Kévin Dunglas 0287009ee5
intercept: fix http.intercept.header.* placeholder (#6429) 2024-07-03 08:43:13 -06:00
Matthew Holt f8861ca16b
reverseproxy: Wire up TLS options for H3 transport 2024-06-28 12:15:41 -06:00
Aziz Rmadi c2ccf8690f
fileserver: Remove newline characters from precomputed etags (#6394)
* Removed newline characters from precomputed etags

* Update modules/caddyhttp/fileserver/staticfiles.go

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2024-06-19 13:27:10 +00:00
Matthew Holt 99dcdf7e42 caddyhttp: Convert IDNs to ASCII when provisioning Host matcher 2024-06-18 14:44:05 -06:00
Jason Yuan fab6375a8b
reverseproxy: add Max-Age option to sticky cookie (#6398)
* reverseproxy: add Max-Age option to sticky cookie

* Update selectionpolicies.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Update selectionpolicies.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-06-15 07:50:31 -06:00
a aca4002fd8
caddyfile: Pass blocks to `import` for snippets (#6130)
* a

* a

* a

* a

* a

* a
2024-06-14 11:27:51 -06:00
Ririsoft 8e0d3e1ec5
logging: set file mode when the file already exist (#6391)
101d3e7 introduced a configuration option to set the log file mode.
This option was not taken into account if the file already exists,
making users having to delete their logs to have new logs created
with the right mode.
2024-06-12 15:17:46 -06:00
Omar Ramadan d85cc2ec10
logging: Customizable zap cores (#6381) 2024-06-10 09:03:24 -06:00
Will Norris 04fb9fe87f
go.mod: update tscert package (#6384)
The latest tscert allows callers to provide a custom http.Transport for
calling Tailscale's local API.

Updates tailscale/caddy-tailscale#66
2024-06-10 07:28:30 -06:00
Ririsoft 0bc27e5fb1
logging: fix file mode configuration parsing (#6383)
Commit 101d3e7 introduced file mode setting,
but was missing a JSON Marshaller so that
CaddyFile can be converted to JSON safely.
2024-06-08 11:34:18 -06:00
Andreas Kohn 9be4f194e0
caddyhttp: Write header if needed in responseRecorder.WriteResponse (#6380) 2024-06-07 07:25:36 -06:00
Andreas Kohn a10117f8bd
core: Split `run` into a public `ProvisionContext` and a private method (#6378)
* Split `run` into a public `BuildContext` and a private part

`BuildContext` can be used to set up a caddy context from a config, but not start any listeners
or active components: The returned context has the configured apps provisioned, but otherwise is
inert.

This is EXPERIMENTAL: Minimally it's missing documentation and the example for how this can be
used to run unit tests.

* Use the config from the context

The config passed into `BuildContext` can be nil, in which case `BuildContext` will just make one
up that works. In either case that will end up in the finished context.

* Rename `BuildContext` to `ProvisionContext` to better match the function

* Hide the `replaceAdminServer` parts

The admin server is a global thing, and in the envisioned use case for `ProvisionContext`
shouldn't actually exist. Hide this detail in a private `provisionContext` instead, and
only expose it publicly with `replaceAdminServer` set to `false`.

This should reduce foot-shooting potential further; in addition the documentation comment
now clearly spells out that the exact interface and implementation details of `ProvisionContext`
are experimental and subject to change.
2024-06-06 14:36:06 -06:00
Ririsoft 101d3e7407
logging: Customize log file permissions (#6314)
Adding a "mode" option to overwrite the default logfile permissions.
Default remains "0600" which is the one currently used by lumberjack.
2024-06-06 08:33:34 -06:00
Matthew Holt 3f1add6c9f
events: Getters for event info (close #6377) 2024-06-06 07:11:28 -06:00
Mohammed Al Sahaf 5db2f81695
ci: add version key for .goreleaser.yml (#6376)
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2024-06-06 11:33:19 +03:00
Mohammed Al Sahaf 243351b2b1
cmd: remove zealous check of Caddyfile auto-detection (#6370)
* cmd: remove zealous check of Caddyfile auto-detection

* add test case

* remove redundant check, add comment

* one more case
2024-06-05 08:57:15 -06:00
Matt Holt 198f4385d2
caddyhttp: Add test cases to corpus (#6374)
* caddyhttp: Add test case to corpus

* One more test case

* Clean up stray comment

* More tests
2024-06-04 14:23:55 -06:00
Andreas Kohn e7ecc7ede2
Make it possible to configure the `DisableStorageCheck` setting for certmagic (#6368)
See discussion about this setting in https://github.com/caddyserver/certmagic/issues/201
2024-06-04 07:00:15 -06:00
Mohammed Al Sahaf 7088605cc1
cmd: fix regression in auto-detect of Caddyfile (#6362)
* cmd: fix regression in auto-detect of Caddyfile

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* fix typo

Co-authored-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>

* add tests

* address review comments

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Git'Fellow <12234510+solracsf@users.noreply.github.com>
2024-06-02 11:40:56 +00:00
Mohammed Al Sahaf 15faeacb60
cmd: fix auto-detetction of .caddyfile extension (#6356)
* cmd: fix auto-detetction of .caddyfile extension

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* move conditions around and add clarifying comment

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* reject ambiguous config file name

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2024-06-02 03:49:38 +00:00
Will Norris f8a2c60297
caddyhttp: properly sanitize requests for root path (#6360)
SanitizePathJoin protects against directory traversal attacks by
checking for requests whose URL path look like they are trying to
request something other than a local file, and returns the root
directory in those cases.

The method is also careful to ensure that requests which contain a
trailing slash include a trailing slash in the returned value.  However,
for requests that contain only a slash (requests for the root path), the
IsLocal check returns early before the matching trailing slash is
re-added.

This change updates SanitizePathJoin to only perform the
filepath.IsLocal check if the cleaned request URL path is non-empty.

---

This change also updates the existing SanitizePathJoin tests to use
filepath.FromSlash rather than filepath.Join. This makes the expected
value a little easier to read, but also has the advantage of not being
processed by filepath.Clean like filepath.Join is. This means that the
exact expect value will be compared, not the result of first cleaning
it.

Fixes #6352
2024-06-02 03:40:59 +00:00
Matthew Holt 01308b4bae
I'm so tired of typos 2024-06-01 20:43:35 -06:00
Matthew Holt b7280e6949 caddytls: Implement certmagic.RenewalInfoGetter
Fixes ARI errors reported here:
https://caddy.community/t/error-in-logs-with-updating-ari-after-upgrading-to-caddy-v2-8-1/24320
2024-06-01 18:02:49 -06:00
dependabot[bot] a63767d3f8
build(deps): bump golangci/golangci-lint-action from 5 to 6 (#6361)
Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 5 to 6.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v5...v6)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-02 02:26:31 +03:00
Francis Lavoie 40c582ce82
caddyhttp: Fix merging consecutive `client_ip` or `remote_ip` matchers (#6350) 2024-05-30 07:32:17 -06:00
Anton Kovalenko a52917a37d
core: MkdirAll appDataDir in InstanceID with 0o700 (#6340)
appDataDir components should be searchable (u+x) when they are
created, or else Caddy is unable to start with an empty HOME.
2024-05-30 10:38:09 +00:00
Ranveer Avhad e6f46c8d78
acmeserver: Add `sign_with_root` for Caddyfile (#6345)
* Added sign_with_root option available in the Caddyfile

* Added tests for sign_with_root to validate the adapted JSON config
2024-05-27 20:06:54 -04:00
Francis Lavoie f6d2c293e7
caddyfile: Reject global request matchers earlier (#6339) 2024-05-23 20:06:16 -06:00
Matthew Holt 2ce5c65269
core: Fix bug in AppIfConfigured (fix #6336) 2024-05-22 18:47:03 -06:00
a 61917c3443
fix a typo (#6333) 2024-05-21 18:41:41 -04:00
Francis Lavoie 224316eaec
autohttps: Move log WARN to INFO, reduce confusion (#6185)
* autohttps: Move log WARN to INFO, reduce confusion

* Change implicit condition back to WARN

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-20 13:14:39 -06:00
Matt Holt 5f6758dab5
reverseproxy: Support HTTP/3 transport to backend (#6312)
Closes #5086
2024-05-20 13:06:43 -06:00
Francis Lavoie a6a45ff6c5
context: AppIfConfigured returns error; consider not-yet-provisioned modules (#6292)
* context: Add new `AppStrict()` method to avoid instantiating empty apps

* Rename AppStrict -> AppIfConfigured

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-20 11:14:58 -06:00
Matthew Holt 73e094e1dd
Fix lint error about deprecated method in smallstep/certificates/authority 2024-05-20 10:56:25 -06:00
Matthew Holt d79c0f0dec
go.mod: Upgrade dependencies 2024-05-20 10:35:27 -06:00
Will Norris db3e19b7b5
caddytls: fix permission requirement with AutomationPolicy (#6328)
Certificate automation has permission modules that are designed to
prevent inappropriate issuance of unbounded or wildcard certificates.
When an explicit cert manager is used, no additional permission should
be necessary. For example, this should be a valid caddyfile:

    https:// {
      tls {
        get_certificate tailscale
      }
      respond OK
    }

This is accomplished when provisioning an AutomationPolicy by tracking
whether there were explicit managers configured directly on the policy
(in the ManagersRaw field). Only when a number of potentially unsafe
conditions are present AND no explicit cert managers are configured is
an error returned.

The problem arises from the fact that ctx.LoadModule deletes the raw
bytes after loading in order to save memory. The first time an
AutomationPolicy is provisioned, the ManagersRaw field is populated, and
everything is fine.

An AutomationPolicy with no subjects is treated as a special "catch-all"
policy. App.createAutomationPolicies ensures that this catch-all policy
has an ACME issuer, and then calls its Provision method again because it
may have changed. This second time Provision is called, ManagesRaw is no
longer populated, and the permission check fails because it appears as
though the policy has no explicit managers.

Address this by storing a new boolean on AutomationPolicy recording
whether it had explicit cert managers configured on it.

Also fix an inverted boolean check on this value when setting
failClosed.

Updates #6060
Updates #6229
Updates #6327

Signed-off-by: Will Norris <will@tailscale.com>
2024-05-20 09:48:59 -06:00
Will Norris 1fc151faec
caddytls: remove ClientHelloSNICtxKey (#6326) 2024-05-18 22:47:46 -04:00
Matt Holt 9ba999141b
caddyhttp: Trace individual middleware handlers (#6313)
* caddyhttp: Trace individual middleware handlers

* Fix typo
2024-05-18 14:48:42 -06:00
deneb f98f449f05
templates: Add `pathEscape` template function and use it in file browser (#6278)
* use url.PathEscape in file-server browse template

- add `pathEscape` to c.tpl.Funcs, using `url.PathEscape`
- use `pathEscape` in browse.html in place of `replace`

* document `pathEscape`

* Remove unnecessary pipe of img src to `html`
2024-05-18 12:55:36 -06:00
Will Norris e66040a6f0
caddytls: set server name in context (#6324)
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.

Signed-off-by: Will Norris <will@tailscale.com>
2024-05-18 03:52:19 -06:00
Mohammed Al Sahaf 44860482d2
chore: downgrade minimum Go version in go.mod (#6318)
* chore: downgrade minimum Go version in go.mod

* Upgrade certmagic and zerossl

---------

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2024-05-15 19:28:34 +00:00
Mohammed Al Sahaf 4c90f1427f
caddytest: normalize the JSON config (#6316)
* caddytest: normalize the JSON config
2024-05-14 07:50:14 +00:00
Kévin Dunglas fb63e2e40c
caddyhttp: New experimental handler for intercepting responses (#6232)
* feat: add generic response interceptors

* fix: cs

* rename intercept

* add some docs

* @francislavoie review (first round)

* Update modules/caddyhttp/intercept/intercept.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* shorthands: ir to resp

* mark exported symbols as experimental

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-05-13 17:38:18 +00:00
Matthew Holt 583c585c81 httpcaddyfile: Set challenge ports when http_port or https_port are used 2024-05-11 21:39:56 -06:00
Aziz Rmadi 4356635d12
logging: Add support for additional logger filters other than hostname (#6082)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2024-05-11 13:31:44 +00:00
Matthew Holt 4af38e5ac8
caddyhttp: Log 4xx as INFO; 5xx as ERROR (close #6106) 2024-05-10 15:52:50 -06:00
Matthew Holt 399186abfc
Second half of 6dce493
Not sure how it got unstaged
2024-05-10 15:51:28 -06:00
Matthew Holt 6dce4934f0
caddyhttp: Alter log message when request is unhandled (close #5182) 2024-05-10 15:49:34 -06:00
Francis Lavoie 874d0ce822
chore: Bump Go version in CI (#6310) 2024-05-10 14:56:18 +00:00
Matthew Holt abdf1ae15c
go.mod: go 1.22.3
Seeing if this assists with some Go tooling logic
2024-05-10 08:32:44 -06:00