Commit Graph

610 Commits

Author SHA1 Message Date
Matthew Holt 28fdf64dc5
httpcaddyfile, caddytls: Multiple edge case fixes; add tests
- Create two default automation policies; if the TLS app is used in
  isolation with the 'automate' certificate loader, it will now use
  an internal issuer for internal-only names, and an ACME issuer for
  all other names by default.
- If the HTTP Caddyfile adds an 'automate' loader, it now also adds an
  automation policy for any names in that loader that do not qualify
  for public certificates so that they will be issued internally. (It
  might be nice if this wasn't necessary, but the alternative is to
  either make auto-HTTPS logic way more complex by scanning the names in
  the 'automate' loader, or to have an automation policy without an
  issuer switch between default issuer based on the name being issued
  a certificate - I think I like the latter option better, right now we
  do something kind of like that but at a level above each individual
  automation policies, we do that switch only when no automation
  policies match, rather than when a policy without an issuer does
  match.)
- Set the default LoggerName rather than a LoggerNames with an empty
  host value, which is now taken literally rather than as a catch-all.
- hostsFromKeys, the function that gets a list of hosts from server
  block keys, no longer returns an empty string in its resulting slice,
  ever.
2020-04-08 14:46:44 -06:00
Matthew Holt 0fe98038b6
caddyhttp: Fix logging name associations by adding a default 2020-04-08 14:39:20 -06:00
Matthew Holt 6e4c688ea7
logging: Only colorize console output 2020-04-08 14:37:37 -06:00
Francis Lavoie 5110643201
httpcaddyfile: Add key_type global option (#3231) 2020-04-08 11:09:38 -06:00
Matthew Holt 4d9b63d909 cel: Leverage DefaultAdapter to extend CEL's type system
Thanks to @TristonianJones for the tip!
105acfa086 (r38358983)
2020-04-08 10:44:40 -06:00
Matthew Holt e30deedcc1 caddyhttp: Return port placeholders as ints 2020-04-08 10:44:40 -06:00
Matt Holt fbd9515d35
basicauth: Re-prompt after invalid credentials (fix #3239) (#3240) 2020-04-07 20:39:13 -06:00
Matthew Holt 95f6bd7e5c
templates: Update docs 2020-04-07 12:29:09 -06:00
Matthew Holt b1ce9d4db7
templates: Add env function (closes #3237) 2020-04-07 12:26:08 -06:00
Matthew Holt 61679b74f5 Merge branch 'remove-ntlm' 2020-04-07 11:41:49 -06:00
Matthew Holt 2c1b663156
reverseproxy: Remove NTLM transport; refactor and improve docs 2020-04-07 11:39:14 -06:00
Matthew Holt 8b2dbc52ec
core: Rename ParsedAddress -> NetworkAddress 2020-04-07 08:33:45 -06:00
Matthew Holt 657f0cab17
docs: Clarify "not" matcher structure (see #3233) 2020-04-06 18:44:12 -06:00
Francis Lavoie 7be747fbe9
caddyhttp: Add missing LB policy Caddyfile unmarshalers (#3230) 2020-04-06 13:08:42 -06:00
Francis Lavoie 5b355cbed0
caddyhttp: Strictly forbid unnecessary blocks on matchers (#3229) 2020-04-06 13:07:07 -06:00
Francis Lavoie a3cfe437b1
caddyhttp: Support single-line not matcher (#3228)
* caddyhttp: Support single-line not matcher shortcut

* caddyhttp: Some tests, I guess
2020-04-06 13:05:49 -06:00
Matthew Holt 437d5095a6
templates: Use text/template; add experimental notice to docs
Using html/template.HTML like we were doing before caused nested include
to be HTML-escaped, which breaks sites. Now we do not escape any of the
output; template input is usually trusted, and if it's not, users should
employ escaping actions within their templates to keep it safe. The docs
already said this.
2020-04-06 12:51:53 -06:00
Matthew Holt 145aebbba5
httpcaddyfile: Carry bind setting through to ACME issuer (fixes #3232) 2020-04-06 12:24:35 -06:00
Matthew Holt 6a32daa225
caddytls: Support custom bind host for challenges (#3232) 2020-04-06 11:22:06 -06:00
Matthew Holt 81cdebf648
tests: Remove noisy logs 2020-04-06 10:41:42 -06:00
Matthew Holt 84c729e96a ci: Tweak commit prefixes to ignore 2020-04-04 13:29:48 -06:00
Matthew Holt 346c33b4d5 cmd: Log warning if --resume and --config used together
There's nothing actually risky/dangerous in this situation, it's mostly
an attempt to get the user's attention
2020-04-04 13:29:48 -06:00
Mark Sargent 78717ce5b0
chore: add adapt tests. fix load failure not failing tests (#3222)
* add adaption tests. fix load failure not failing tests

* removed unnecessary assignment
2020-04-03 21:02:46 -06:00
Matthew Holt 3d6fc1e1b7
httpcaddyfile: Yield cleaner JSON when conn policy or log name is empty 2020-04-03 20:19:46 -06:00
Matthew Holt c7ac7de38a
go.mod: Update CertMagic (again) v0.10.10 2020-04-03 17:46:43 -06:00
Matthew Holt 05164c895a
go.mod: Use latest Certmagic (v0.10.9) 2020-04-03 16:16:22 -06:00
Matthew Holt 1e8af27329
fastcgi: Account for lack of split path configuration (fix #3221) 2020-04-03 10:25:25 -06:00
Matthew Holt b6482e53c1 go.mod: Update CertMagic to v0.10.8
Fixes occasional panic due to closing closed channel
2020-04-03 09:33:04 -06:00
Matt Holt 20f6795413
Create FUNDING.yml
I guess this got left in the v1 branch when we switched, oops
2020-04-03 09:07:14 -06:00
Matt Holt 84f16852ab
ci: goreleaser: Drop some platforms and replacements (#3217)
Based on download stats, demand for 32-bit binaries these days is
extremely low. Also unify some of the filename conventions; just a
few bikeshedding changes :)
2020-04-02 18:07:57 -06:00
Matthew Holt 1456f15f9a readme: So much more ... what? Fixed cliffhanger 2020-04-02 16:46:52 -06:00
Mohammed Al Sahaf fdfe2ae53b
chore: ci: fix release action script (#3216)
* chore: ci: fixing the step name that captures the pushed tag

* chrore: ci: exclude commits prefixed with `ci:` from changelog
2020-04-02 16:44:44 -06:00
Matthew Holt 1c190b001b
httpcaddyfile: Refactor site key parsing; detect conflicting schemes
We now store the parsed site/server block keys with the server block,
rather than parsing the addresses every time we read them.

Also detect conflicting schemes, i.e. TLS and non-TLS cannot be served
from the same server (natively -- modules could be built for it).

Also do not add site subroutes (subroutes generated specifically from
site blocks in the Caddyfile) that are empty.
2020-04-02 14:24:53 -06:00
Mohammed Al Sahaf 3634c4593f
ci: fuzz: skip fuzz data that contains `import` (#3214)
Thus far the fuzzers have found a few crashers in the Caddyfile parser. However, the fuzzer have been stuck at import glob expansion after import glob expansion, which aren't reproducible.
2020-04-02 10:40:21 -06:00
Matthew Holt 7ca15861dd
caddytls: Encode big.Int as string with JSON 2020-04-02 09:43:33 -06:00
Matthew Holt 8ff330c555
Update readme 2020-04-02 09:43:08 -06:00
Matthew Holt 626f19a264
Fix for last commit 2020-04-01 21:07:38 -06:00
Matthew Holt 6ca5828221
caddytls: Refactor certificate selection policies (close #1575)
Certificate selection used to be a module, but this seems unnecessary,
especially since the built-in CustomSelectionPolicy allows quite complex
selection logic on a number of fields in certs. If we need to extend
that logic, we can, but I don't think there are SO many possibilities
that we need modules.

This update also allows certificate selection to choose between multiple
matching certs based on client compatibility and makes a number of other
improvements in the default cert selection logic, both here and in the
latest CertMagic.

The hardest part of this was the conn policy consolidation logic
(Caddyfile only, of course). We have to merge connection policies that
we can easily combine, because if two certs are manually loaded in a
Caddyfile site block, that produces two connection policies, and each
cert is tagged with a different tag, meaning only the first would ever
be selected. So given the same matchers, we can merge the two, but this
required improving the Tag selection logic to support multiple tags to
choose from, hence "tags" changed to "any_tag" or "all_tags" (but we
use any_tag in our Caddyfile logic).

Combining conn policies with conflicting settings is impossible, so
that should return an error if two policies with the exact same matchers
have non-empty settings that are not the same (the one exception being
any_tag which we can merge because the logic for them is to OR them).

It was a bit complicated. It seems to work in numerous tests I've
conducted, but we'll see how it pans out in the release candidates.
2020-04-01 20:49:35 -06:00
Matthew Holt 6fe04a30b1
caddyfile: Export NewTestDispenser() (close #2930)
This allows modules to test their UnmarshalCaddyfile methods.
2020-04-01 16:34:54 -06:00
Matthew Holt 19b45546a7
go.mod: Update smallstep/truststore
So that installation continues if Firefox is not installed

See https://github.com/smallstep/truststore/issues/3
2020-04-01 15:28:09 -06:00
Matthew Holt d322de6b42
gzip: Use klauspost/gzip, an optimized gzip implementation 2020-04-01 14:09:57 -06:00
Matthew Holt ce3ca541d8
caddytls: Update cipher suite names and curve names
Now using IANA-compliant names and Go 1.14's CipherSuites() function so
we don't have to maintain our own mapping of currently-secure cipher
suites.
2020-04-01 14:09:29 -06:00
Matthew Holt 581f1defcb
caddyhttp: Print actual listener address in log message (closes #2992)
Needed if port is 0, thus chosen by OS
2020-04-01 12:23:07 -06:00
Matthew Holt 0d2a3511dc caddyhttp: Update host matcher docs about wildcards 2020-04-01 11:41:04 -06:00
Matt Holt 73643ea736
caddyhttp: 'not' matcher now accepts multiple matcher sets and OR's them (#3208)
See https://caddy.community/t/v2-matcher-or-in-not/7355/
2020-04-01 10:58:29 -06:00
Matthew Holt 809e72792c
rewrite: Fix for rewrites with URI placeholders (#3209)
If a placeholder in the path component injects a query string such as
the {http.request.uri} placeholder is wont to do, we need to separate it
out from the path.
2020-04-01 00:43:40 -06:00
Matthew Holt 9fb0b1e838
caddytls: Add support for externalAccountBinding ACME extension 2020-03-31 21:08:02 -06:00
Matthew Holt 244b839f98
pki: Add trust subcommand to install root cert (closes #3204) 2020-03-31 17:56:36 -06:00
Matthew Holt 904d9cab39
httpcaddyfile: Include non-standard ports when mapping logger names
If a site block has a key like "http://localhost:2016", then the log for
that site must be mapped to "localhost:2016" and not just "localhost"
because "localhost:2016" will be the value of the Host header of requests.
But a key like "localhost:80" does not include the port since the Host
header will not include ":80" because it is a standard port.

Fixes https://caddy.community/t/v2-common-log-format-not-working/7352?u=matt
2020-03-30 18:39:21 -06:00
Matthew Holt ac65f690ae
caddyhttp: Rename MatchNegate type to MatchNot type
This is more congruent with its module name. A change that affects only
code, not configurations.
2020-03-30 11:53:19 -06:00