Caddy-Reverse_Proxy
/
caddy
mirror of https://github.com/caddyserver/caddy
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

acme_server: fix policy parsing in caddyfile (#7006) 

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
pull/7009/head
Mohammed Al Sahaf 2025-05-08 20:54:07 +03:00 committed by GitHub
parent 051e73aefc
commit 44d078b670
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 245 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
caddytest/integration/caddyfile_adapt/acme_server_policy-allow.caddyfiletest 100644
View File

@ -0,0 +1,72 @@
{
pki {
ca custom-ca {
name "Custom CA"
}
}
}
acme.example.com {
acme_server {
ca custom-ca
allow {
domains host-1.internal.example.com host-2.internal.example.com
}
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"acme.example.com"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"ca": "custom-ca",
"handler": "acme_server",
"policy": {
"allow": {
"domains": [
"host-1.internal.example.com",
"host-2.internal.example.com"
]
}
}
}
]
}
]
}
],
"terminal": true
}
]
}
}
},
"pki": {
"certificate_authorities": {
"custom-ca": {
"name": "Custom CA"
}
}
}
}
}

80
caddytest/integration/caddyfile_adapt/acme_server_policy-both.caddyfiletest 100644
View File

@ -0,0 +1,80 @@
{
pki {
ca custom-ca {
name "Custom CA"
}
}
}
acme.example.com {
acme_server {
ca custom-ca
allow {
domains host-1.internal.example.com host-2.internal.example.com
}
deny {
domains dc.internal.example.com
}
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"acme.example.com"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"ca": "custom-ca",
"handler": "acme_server",
"policy": {
"allow": {
"domains": [
"host-1.internal.example.com",
"host-2.internal.example.com"
]
},
"deny": {
"domains": [
"dc.internal.example.com"
]
}
}
}
]
}
]
}
],
"terminal": true
}
]
}
}
},
"pki": {
"certificate_authorities": {
"custom-ca": {
"name": "Custom CA"
}
}
}
}
}

71
caddytest/integration/caddyfile_adapt/acme_server_policy-deny.caddyfiletest 100644
View File

@ -0,0 +1,71 @@
{
pki {
ca custom-ca {
name "Custom CA"
}
}
}
acme.example.com {
acme_server {
ca custom-ca
deny {
domains dc.internal.example.com
}
}
}
----------
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"acme.example.com"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"ca": "custom-ca",
"handler": "acme_server",
"policy": {
"deny": {
"domains": [
"dc.internal.example.com"
]
}
}
}
]
}
]
}
],
"terminal": true
}
]
}
}
},
"pki": {
"certificate_authorities": {
"custom-ca": {
"name": "Custom CA"
}
}
}
}
}

48
modules/caddypki/acmeserver/caddyfile.go
View File

@ -91,19 +91,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
acmeServer.Policy.AllowWildcardNames = true acmeServer.Policy.AllowWildcardNames = true
case "allow": case "allow":
r := &RuleSet{} r := &RuleSet{}
for h.Next() { for nesting := h.Nesting(); h.NextBlock(nesting); {
for h.NextBlock(h.Nesting() - 1) { if h.CountRemainingArgs() == 0 {
if h.CountRemainingArgs() == 0 { return nil, h.ArgErr() // TODO:
return nil, h.ArgErr() // TODO: }
} switch h.Val() {
switch h.Val() { case "domains":
case "domains": r.Domains = append(r.Domains, h.RemainingArgs()...)
r.Domains = append(r.Domains, h.RemainingArgs()...) case "ip_ranges":
case "ip_ranges": r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
r.IPRanges = append(r.IPRanges, h.RemainingArgs()...) default:
default: return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
return nil, h.Errf("unrecognized 'allow' subdirective: %s", h.Val())
}
} }
} }
if acmeServer.Policy == nil { if acmeServer.Policy == nil {
@ -112,19 +110,17 @@ func parseACMEServer(h httpcaddyfile.Helper) ([]httpcaddyfile.ConfigValue, error
acmeServer.Policy.Allow = r acmeServer.Policy.Allow = r
case "deny": case "deny":
r := &RuleSet{} r := &RuleSet{}
for h.Next() { for nesting := h.Nesting(); h.NextBlock(nesting); {
for h.NextBlock(h.Nesting() - 1) { if h.CountRemainingArgs() == 0 {
if h.CountRemainingArgs() == 0 { return nil, h.ArgErr() // TODO:
return nil, h.ArgErr() // TODO: }
} switch h.Val() {
switch h.Val() { case "domains":
case "domains": r.Domains = append(r.Domains, h.RemainingArgs()...)
r.Domains = append(r.Domains, h.RemainingArgs()...) case "ip_ranges":
case "ip_ranges": r.IPRanges = append(r.IPRanges, h.RemainingArgs()...)
r.IPRanges = append(r.IPRanges, h.RemainingArgs()...) default:
default: return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
return nil, h.Errf("unrecognized 'deny' subdirective: %s", h.Val())
}
} }
} }
if acmeServer.Policy == nil { if acmeServer.Policy == nil {