- 16 Mar, 2018 2 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
Caddy can now obtain certificates when behind load balancers and/or in fleet/cluster configurations, without needing any extra configuration. The only requirement is sharing the same $CADDYPATH/acme folder. This works with the HTTP challenge, whereas before the DNS challenge was required. This commit allows one Caddy instance to initiate the HTTP challenge and another to complete it. When sharing that folder, certificate management is synchronized and coordinated, without the Caddy instances needing to know about each other. No load balancer reconfiguration should be required, either. Currently, this is only supported when using FileStorage for TLS storage (which is ~99.999% of users).
-
- 15 Mar, 2018 4 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
Windows doesn't allow asterisk in file names, sigh...
-
Matthew Holt authored
For example, {label1} would match "sub" in "sub.example.com" or whatever value is in the wildcard spot of "*.example.com". Useful for rewrite!
-
Matthew Holt authored
- Using xenolf/lego's likely-temporary acmev2 branch - Cleaned up vendor folder a little bit (probably more to do) - Temporarily set default CA URL to v2 staging endpoint - Refactored user management a bit; updated tests (biggest change is how we get the email address, which now requires being able to make an ACME client with a User with a private key so that we can get the current ToS URL) - Automatic HTTPS now allows specific wildcard pattern hostnames - Commented out (but kept) the TLS-SNI code, as the challenge type may return in the future in a similar form
-
- 10 Mar, 2018 1 commit
-
-
Chris Werner Rau authored
-
- 21 Feb, 2018 2 commits
-
-
elcore authored
* caddy: Remove deprecated startup/shutdown directives * caddyhttp: Remove deprecated startup/shutdown directives Users should use 'on startup' and 'on shutdown' instead.
-
Matthew Holt authored
Fixes #2041
-
- 20 Feb, 2018 1 commit
-
-
Matthew Holt authored
-
- 18 Feb, 2018 2 commits
-
-
Toby Allen authored
* Allow Response Headers in logs * Remove log line * remove unneeded log import * Check if rr is nil. Added test to check * merge if statements * remove temp file
-
Matthew Holt authored
-
- 17 Feb, 2018 1 commit
-
-
Amos Ng authored
* Updated lucas-clemente/quic-go for QUIC 39+ support * Update quic-go to latest
-
- 16 Feb, 2018 4 commits
-
-
Toby Allen authored
* Trim path prefix using EscapedPath() * clarify comments * Added Tests for trimPathPrefix * Ensure path with trailing slash is properly trimmed * Updated tests to match prepatch behaviour * Updated tests to match prepatch behaviour * call parse on url rather than instance * add additional tests * return unmodified url if error. Additional tests
-
Matt Holt authored
tls: Restructure and improve certificate management
-
Matthew Holt authored
Only strip the port from the Location URL value if the port is NOT the HTTPSPort (before, we compared against DefaultHTTPSPort instead of HTTPSPort). The HTTPSPort can be changed, but is done so for port forwarding, since in reality you can't 'change' the standard HTTPS port, you can only forward it.
-
Matthew Holt authored
-
- 15 Feb, 2018 4 commits
-
-
Toby Allen authored
-
Matthew Holt authored
See discussion on #2015; the initial change had removed this check, and I can't remember why I removed it or if it was accidental. Anyway, it's back now.
-
Jason Daly authored
Re: #2009, 1.9 or newer is needed because of the introduction of `sync.Map`
-
Matthew Holt authored
See discussion on #2015 for how this situation was discovered. For a Caddyfile like this: localhost { ... } :2015 { ... } Running Caddy like this: caddy -host localhost Produces two sites both defined as `localhost:2015` because the flag changes the default host value to be `localhost`. This should be an error since the sites are not distinct and it is confusing. It can also cause issues with TLS handshakes loading the wrong cert, as the linked discussion shows.
-
- 14 Feb, 2018 1 commit
-
-
Matthew Holt authored
-
- 13 Feb, 2018 5 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
# Conflicts: # sigtrap_posix.go
-
Matthew Holt authored
Also introduce caddy.OnProcessExit which is a list of functions that run before exiting the process cleanly; these do not count as shutdown callbacks, so they do not return errors and must execute quickly.
-
ssh://github.com/mholt/caddyMatthew Holt authored
-
Matthew Holt authored
-
- 11 Feb, 2018 2 commits
-
-
Etienne Bruines authored
Fixes #1961 According to RFC 7231 and RFC 7230, there's no reason a GET-Request can't have a body (other than it possibly not being supported by existing software). It's use is simply not defined, and is left to the application.
-
Matthew Holt authored
Not a huge issue, but has security implications if OAuth tokens leaked
-
- 04 Feb, 2018 1 commit
-
-
Matthew Holt authored
- Expose the list of Caddy instances through caddy.Instances() - Added arbitrary storage to caddy.Instance - The cache of loaded certificates is no longer global; now scoped per-instance, meaning upon reload (like SIGUSR1) the old cert cache will be discarded entirely, whereas before, aggressively reloading config that added and removed lots of sites would cause unnecessary build-up in the cache over time. - Key certificates in the cache by their SHA-256 hash instead of by their names. This means certificates will not be duplicated in memory (within each instance), making Caddy much more memory-efficient for large-scale deployments with thousands of sites sharing certs. - Perform name-to-certificate lookups scoped per caddytls.Config instead of a single global lookup. This prevents certificates from stepping on each other when they overlap in their names. - Do not allow TLS configurations keyed by the same hostname to be different; this now throws an error. - Updated relevant tests, with a stark awareness that more tests are needed. - Change the NewContext function signature to include an *Instance. - Strongly recommend (basically require) use of caddytls.NewConfig() to create a new *caddytls.Config, to ensure pointers to the instance certificate cache are initialized properly. - Update the TLS-SNI challenge solver (even though TLS-SNI is disabled currently on the CA side). Store temporary challenge cert in instance cache, but do so directly by the ACME challenge name, not the hash. Modified the getCertificate function to check the cache directly for a name match if one isn't found otherwise. This will allow any caddytls.Config to be able to help solve a TLS-SNI challenge, with one extra side-effect that might actually be kind of interesting (and useless): clients could send a certificate's hash as the SNI and Caddy would be able to serve that certificate for the handshake. - Do not attempt to match a "default" (random) certificate when SNI is present but unrecognized; return no certificate so a TLS alert happens instead. - Store an Instance in the list of instances even while the instance is still starting up (this allows access to the cert cache for performing renewals at startup, etc). Will be removed from list again if instance startup fails. - Laid groundwork for ACMEv2 and Let's Encrypt wildcard support. Server type plugins will need to be updated slightly to accommodate minor adjustments to their API (like passing in an Instance). This commit includes the changes for the HTTP server. Certain Caddyfile configurations might error out with this change, if they configured different TLS settings for the same hostname. This change trades some complexity for other complexity, but ultimately this new complexity is more correct and robust than earlier logic. Fixes #1991 Fixes #1994 Fixes #1303
-
- 03 Feb, 2018 5 commits
-
-
Toby Allen authored
-
magikstm authored
-
Phillipp Engelke authored
Adding the bash command for downloading the caddy.service file from the reposetory. Because it was easy to forget where you find it.
-
Tw authored
Signed-off-by: Tw <tw19881113@gmail.com>
-
Matthew Holt authored
-
- 30 Jan, 2018 1 commit
-
-
Michael Schubert authored
-
- 27 Jan, 2018 1 commit
-
-
Matthew Holt authored
-
- 16 Jan, 2018 3 commits
-
-
Miek Gieben authored
* shutdown: allow graceful shutdown for SIGTERM on posix The signal is already trapped; make it do the same thing as SIGQUIT to be more inline with Unix/Linux shutdown expectations. Fixes #1993 * Implement comment feedback ideas
-
Whitestrake authored
-
Heri Sim authored
* Turn on KeepAlive in QuicConfig of RoundTripper * Update reverseproxy.go
-