Caddy-Reverse_Proxy
/
caddy
mirror of https://github.com/caddyserver/caddy
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
1,968 Commits
39 Branches
145 Tags
44 MiB
Commit Graph

191 Commits (d2668cdbb06da8e2c96b072ee589465c20dd8118)

Author SHA1 Message Date
Mohammed Al Sahaf d2668cdbb0
doc: add `verifier` in `ClientAuthentication` caddyfile marshaler doc (#6263) 2024-04-23 07:01:54 -06:00
Matthew Holt 6a02999054
caddytls: Add Caddyfile support for on-demand permission module (close #6260) 2024-04-22 15:47:09 -06:00
Aziz Rmadi 3609a4af75
caddytls: Remove shim code supporting deprecated lego-dns (#6231) 
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
 2024-04-15 21:26:56 +00:00
Mohammed Al Sahaf 26748d06b4
connection policy: add `local_ip` matcher (#6074) 
* connection policy: add `local_ip`

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

---------

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
 2024-04-15 21:13:24 +03:00
Matt Holt 81413caea2
caddytls: Upgrade ACMEz to v2; support ZeroSSL API; various fixes (#6229) 
* WIP: acmez v2, CertMagic, and ZeroSSL issuer upgrades

* caddytls: ZeroSSLIssuer now uses ZeroSSL API instead of ACME

* Fix go.mod

* caddytls: Fix automation related to managers (fix #6060)

* Fix typo (appease linter)

* Fix HTTP validation with ZeroSSL API
 2024-04-13 21:31:43 -04:00
Matthew Holt dc9dd2e4b3
caddytls: Still provision permission module if ask is specified 
Only needed for JSON configs, and only temporarily as the ask property is deprecated and will be removed.
 2024-04-13 17:08:11 -06:00
reallylowest e0bf179c1a
modules: fix some typo in conments (#6206) 
Signed-off-by: reallylowest <sunjinping@outlook.com>
 2024-03-30 02:45:42 +00:00
Aziz Rmadi 3ae07a73dc
caddytls: clientauth: leaf verifier: make trusted leaf certs source pluggable (#6050) 
* Made trusted leaf certificates pluggable into the tls.client_auth.leaf
module

* Added leaf loaders modules: file, folder, pem aand storage

* Cleaned implementation of leaf cert loader modules

* Added tests for leaf certs file and folder loaders

* cmd: fix the output of the `Usage` section (#6138)

* core: OnExit hooks (#6128)

* core: OnExit callbacks

* core: Process-global OnExit callbacks

* ci: bump golangci/golangci-lint-action from 3 to 4 (#6141)

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: golangci/golangci-lint-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Added more leaf certificate loaders tests and cleaned up code

* Modified leaf cert loaders json field names and cleaned up storage loader comment

* Update modules/caddytls/leaffileloader.go

* Update LeafStorageLoader certificates field name

* Upgraded  protobuf version

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-03-05 14:55:37 -07:00
Mohammed Al Sahaf 03f703a00e
caddytls: verifier: caddyfile: re-add Caddyfile support (#6127) 
* caddytls: verifier: caddyfile: re-add Caddyfile support

* appease the linter

* caddytls: client_auth: verifier: change namespace to `tls.client_auth.verifier`
 2024-02-26 00:13:48 +03:00
Matt Holt 57c5b921a4
caddytls: Make on-demand 'ask' permission modular (#6055) 
* caddytls: Make on-demand 'ask' permission modular

This makes the 'ask' endpoint a module, which means that developers can
write custom plugins for granting permission for on-demand certificates.

Kicking myself that we didn't do it this way at the beginning, but who coulda known...

* Lint

* Error on conflicting config

* Fix bad merge

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
 2024-01-30 16:11:29 -07:00
Yolan Romailler 2fe69a828f
chore: enabling a few more linters (#5961) 
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
 2024-01-25 15:24:58 +00:00
Mohammed Al Sahaf e965b111cd
tls: modularize trusted CA providers (#5784) 
* tls: modularize client authentication trusted CA

* add `omitempty` to `CARaw`

* docs

* initial caddyfile support

* revert anything related to leaf cert validation

The certs are used differently than the CA pool flow

* complete caddyfile unmarshalling implementation

* Caddyfile syntax documentation

* enhance caddyfile parsing and documentation

Apply suggestions from code review

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* add client_auth caddyfile tests

* add caddyfile unmarshalling tests

* fix and add missed adapt tests

* fix rebase issue

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
 2024-01-25 11:44:41 +03:00
Francis Lavoie 750d0b8331
caddyfile: Normalize & flatten all unmarshalers (#6037) 2024-01-23 19:36:59 -05:00
Rithvik Vibhu ed41c924cf
tls: add reuse_private_keys (#6025) 2024-01-09 16:00:31 -07:00
Matt Holt 4a09cf0dc0
caddytls: Sync distributed storage cleaning (#5940) 
* caddytls: Log out remote addr to detect abuse

* caddytls: Sync distributed storage cleaning

* Handle errors

* Update certmagic to fix tiny bug

* Split off port when logging remote IP

* Upgrade CertMagic
 2023-12-07 11:00:02 -07:00
Andreas Kohn b24ae63ea6
caddytls: Context to DecisionFunc (#5923) 
See https://github.com/caddyserver/certmagic/pull/255
 2023-12-07 10:40:13 -07:00
Mohammed Al Sahaf 4173e2c77a
tls: accept placeholders in string values of certificate loaders (#5963) 
* tls: loader: accept placeholders in string values

* appease the linter
 2023-12-04 09:23:15 -07:00
Bas Westerbaan 289934f3d1
tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (#5852) 
… when compiled with cfgo (https://github.com/cloudflare/go).
 2023-10-11 13:45:37 -06:00
Matt Holt b377208ede
chore: Appease gosec linter (#5777) 
These happen to be harmless memory aliasing
but I guess the linter can't know that and we
can't really prove it in general.
 2023-08-23 20:47:54 -06:00
Jacob Gadikian d6f86cccf5
ci: use gci linter (#5708) 
* use gofmput to format code

* use gci to format imports

* reconfigure gci

* linter autofixes

* rearrange imports a little

* export GOOS=windows golangci-lint run ./... --fix
 2023-08-14 09:41:15 -06:00
Matthew Holt 080db93817
caddytls: Update docs for on-demand config 2023-08-09 11:15:01 -06:00
Jacob Gadikian b32f265eca
ci: Use gofumpt to format code (#5707) 2023-08-07 19:40:31 +00:00
Matt Holt 0e2c7e1d35
caddytls: Reuse certificate cache through reloads (#5623) 
* caddytls: Don't purge cert cache on config reload

* Update CertMagic

This actually avoids reloading managed certs from storage
when already in the cache, d'oh.

* Fix bug; re-implement HasCertificateForSubject

* Update go.mod: CertMagic tag
 2023-07-11 19:10:58 +00:00
Matthew Holt 4ba03c9d38
caddytls: Clarify some JSON config docs 2023-06-04 22:15:50 -06:00
Matt Holt 96919acc9d
caddyhttp: Refactor cert Managers (fix #5415) (#5533) 2023-05-15 10:47:30 -06:00
Matt Holt a02ecb0f88
caddytls: Check for nil ALPN; close #5470 (#5473) 
* Check for nil ALPN; close #5470

* Apply patch

* Actually I want to try this
 2023-05-13 07:09:20 -06:00
Matt Holt faf0399e80
caddytls: Configurable fallback SNI (#5527) 
* Initial implementation of fallback_sni

* Apply upstream patch
 2023-05-10 14:29:29 -06:00
Francis Lavoie e16a886814
caddytls: Eval replacer on automation policy subjects (#5459) 
Also renamed the field to SubjectsRaw, which can be considered a breaking change but I don't expect this to affect much.
 2023-03-27 21:16:22 +00:00
Matt Holt 0cc49c053f
caddytls: Zero out throttle window first (#5443) 
* caddytls: Zero out throttle window first

* Don't error for on-demand 

Fixes b97c76fb47

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
 2023-03-20 12:06:00 -06:00
Matthew Holt a7af7c486e
caddytls: Allow on-demand w/o ask for internal-only 2023-03-14 10:29:27 -06:00
Matthew Holt b97c76fb47
caddytls: Require 'ask' endpoint for on-demand TLS 2023-03-14 10:02:44 -06:00
Francis Lavoie be53e432fc
caddytls: Relax the warning for on-demand (#5384) 2023-02-22 11:41:01 -07:00
Matthew Holt 0a3efd1641
caddytls: Debug log for ask endpoint 2023-01-30 09:30:53 -07:00
Yannick Ihmels 55035d327a
caddytls: Add `dns_ttl` config, improve Caddyfile `tls` options (#5287) 2023-01-06 14:44:00 -05:00
Matthew Holt e43b6d8178 core: Variadic Context.Logger(); soft deprecation 
Ideally I'd just remove the parameter to caddy.Context.Logger(), but
this would break most Caddy plugins.

Instead, I'm making it variadic and marking it as partially deprecated.
In the future, I might completely remove the parameter once most
plugins have updated.
 2022-09-16 16:55:36 -06:00
David Manouchehri 616418281b
caddyhttp: Support TLS key logging for debugging (#4808) 
* Add SSL key logging.

* Resolve merge conflict with master

* Add Caddyfile support; various fixes

* Also commit go.mod and go.sum, oops

* Appease linter

* Minor tweaks

* Add doc comment

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
 2022-09-16 14:05:37 -06:00
Matthew Holt 258071d857
caddytls: Debug log on implicit tailscale error (#5041) 2022-09-16 09:42:05 -06:00
Matthew Holt d35f618b10
caddytls: Error if placeholder is empty in 'ask' 
Fixes #5036
 2022-09-13 08:59:03 -06:00
Francis Lavoie d4d8bbcfc6
events: Implement event system (#4912) 
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
 2022-08-31 15:01:30 -06:00
Matthew Holt 3aabbc49a2 caddytls: Log error if ask request fails 
Errors returned from the DecisionFunc (whether to get a cert on-demand)
are used as a signal whether to allow a cert or not; *any* error
will forbid cert issuance.

We bubble up the error all the way to the caller, but that caller is the
Go standard library which might gobble it up.
Now we explicitly log connection errors so sysadmins can
ensure their ask endpoints are working.

Thanks to our sponsor AppCove for reporting this!
 2022-08-23 22:28:15 -06:00
WilczyńskiT c7772588bd
core: Change net.IP to netip.Addr; use netip.Prefix (#4966) 
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
 2022-08-17 16:10:57 -06:00
Matt Holt c79c08627d
caddyhttp: Enable HTTP/3 by default (#4707) 2022-08-15 12:01:58 -06:00
Matthew Holt b9618b8b98
Improve docs for ZeroSSL issuer 2022-08-08 12:50:06 -06:00
Francis Lavoie 141872ed80
chore: Bump up to Go 1.19, minimum 1.18 (#4925) 2022-08-02 16:39:09 -04:00
Matthew Holt 1bdd451913
caddytls: Remove PreferServerCipherSuites 
It has been deprecated by Go
 2022-07-28 14:50:51 -06:00
Matt Holt 412dcc07d3
caddytls: Reuse issuer between PreCheck and Issue (#4866) 
This enables EAB reuse for ZeroSSLIssuer (which is now supported by ZeroSSL).
 2022-07-05 18:12:25 -06:00
Gr33nbl00d 0a14f97e49
caddytls: Make peer certificate verification pluggable (#4389) 
* caddytls: Adding ClientCertValidator for custom client cert validations

* caddytls: Cleanups for ClientCertValidator changes

caddytls: Cleanups for ClientCertValidator changes

* Update modules/caddytls/connpolicy.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Update modules/caddytls/connpolicy.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Update modules/caddytls/connpolicy.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Update modules/caddytls/connpolicy.go

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* Update modules/caddytls/connpolicy.go

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Update modules/caddytls/connpolicy.go

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Unexported field Validators, corrected renaming of LeafVerificationValidator to LeafCertClientAuth

* admin: Write proper status on invalid requests (#4569) (fix #4561)

* Apply suggestions from code review

* Register module; fix compilation

* Add log for deprecation notice

Co-authored-by: Roettges Florian <roettges.florian@scheidt-bachmann.de>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Alok Naushad <alokme123@gmail.com>
 2022-06-02 14:25:07 -06:00
Francis Lavoie 77a77c0219
caddytls: Add `propagation_delay`, support `propagation_timeout -1` (#4723) 2022-04-22 16:09:11 -06:00
Matthew Holt d06d0e79f8
go.mod: Upgrade CertMagic to v0.16.0 
Includes several breaking changes; code base updated accordingly.

- Added lots of context arguments
- Use fs.ErrNotExist
- Rename ACMEManager -> ACMEIssuer; CertificateManager -> Manager
 2022-03-25 11:28:54 -06:00
Ran Chen d9b1d46325
caddytls: dns_challenge_override_domain for challenge delegation (#4596) 
* Add a override_domain option to allow DNS chanllenge delegation

CNAME can be used to delegate answering the chanllenge to another DNS
zone. One usage is to reduce the exposure of the DNS credential [1].
Based on the discussion in caddy/certmagic#160, we are adding an option
to allow the user explicitly specify the domain to delegate, instead of
following the CNAME chain.

This needs caddy/certmagic#160.

* rename override_domain to dns_challenge_override_domain

* Update CertMagic; fix spelling

Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
 2022-03-08 12:03:43 -07:00