Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caddy
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
caddy
Commits
0b2e0548
Commit
0b2e0548
authored
Jul 01, 2019
by
Matthew Holt
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
tls: Deprecate 'max_certs' in favor of 'ask'; use latest CertMagic
parent
6f019285
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
40 additions
and
13 deletions
+40
-13
caddytls/setup.go
caddytls/setup.go
+37
-10
go.mod
go.mod
+1
-1
go.sum
go.sum
+2
-2
No files found.
caddytls/setup.go
View file @
0b2e0548
...
@@ -21,12 +21,13 @@ import (
...
@@ -21,12 +21,13 @@ import (
"fmt"
"fmt"
"io/ioutil"
"io/ioutil"
"log"
"log"
"net/http"
"net/url"
"net/url"
"os"
"os"
"path/filepath"
"path/filepath"
"strconv"
"strings"
"strings"
"sync/atomic"
"sync/atomic"
"time"
"github.com/mholt/caddy"
"github.com/mholt/caddy"
"github.com/mholt/caddy/telemetry"
"github.com/mholt/caddy/telemetry"
...
@@ -289,11 +290,8 @@ func setupTLS(c *caddy.Controller) error {
...
@@ -289,11 +290,8 @@ func setupTLS(c *caddy.Controller) error {
if
onDemand
{
if
onDemand
{
config
.
Manager
.
OnDemand
=
new
(
certmagic
.
OnDemandConfig
)
config
.
Manager
.
OnDemand
=
new
(
certmagic
.
OnDemandConfig
)
if
maxCerts
!=
""
{
if
maxCerts
!=
""
{
maxCertsNum
,
err
:=
strconv
.
Atoi
(
maxCerts
)
log
.
Println
(
"[WARNING] The max_certs subdirective is now deprecated and offers no protection; please use ask instead."
)
if
err
!=
nil
||
maxCertsNum
<
1
{
fmt
.
Printf
(
"WARNING: The max_certs subdirective is now deprecated and offers no protection; please use ask instead."
)
return
c
.
Err
(
"max_certs must be a positive integer"
)
}
config
.
Manager
.
OnDemand
.
MaxObtain
=
int32
(
maxCertsNum
)
}
}
if
askURL
!=
""
{
if
askURL
!=
""
{
parsedURL
,
err
:=
url
.
Parse
(
askURL
)
parsedURL
,
err
:=
url
.
Parse
(
askURL
)
...
@@ -303,7 +301,29 @@ func setupTLS(c *caddy.Controller) error {
...
@@ -303,7 +301,29 @@ func setupTLS(c *caddy.Controller) error {
if
parsedURL
.
Scheme
!=
"http"
&&
parsedURL
.
Scheme
!=
"https"
{
if
parsedURL
.
Scheme
!=
"http"
&&
parsedURL
.
Scheme
!=
"https"
{
return
c
.
Err
(
"ask URL must use http or https"
)
return
c
.
Err
(
"ask URL must use http or https"
)
}
}
config
.
Manager
.
OnDemand
.
AskURL
=
parsedURL
config
.
Manager
.
OnDemand
.
DecisionFunc
=
func
(
name
string
)
error
{
askURLParsed
,
err
:=
url
.
Parse
(
askURL
)
if
err
!=
nil
{
return
fmt
.
Errorf
(
"parsing ask URL: %v"
,
err
)
}
qs
:=
askURLParsed
.
Query
()
qs
.
Set
(
"domain"
,
name
)
askURLParsed
.
RawQuery
=
qs
.
Encode
()
resp
,
err
:=
onDemandAskClient
.
Get
(
askURLParsed
.
String
())
if
err
!=
nil
{
return
fmt
.
Errorf
(
"error checking %v to deterine if certificate for hostname '%s' should be allowed: %v"
,
askURL
,
name
,
err
)
}
resp
.
Body
.
Close
()
if
resp
.
StatusCode
<
200
||
resp
.
StatusCode
>
299
{
return
fmt
.
Errorf
(
"certificate for hostname '%s' not allowed; non-2xx status code %d returned from %v"
,
name
,
resp
.
StatusCode
,
askURL
)
}
return
nil
}
}
}
}
}
...
@@ -314,7 +334,7 @@ func setupTLS(c *caddy.Controller) error {
...
@@ -314,7 +334,7 @@ func setupTLS(c *caddy.Controller) error {
// load a single certificate and key, if specified
// load a single certificate and key, if specified
if
certificateFile
!=
""
&&
keyFile
!=
""
{
if
certificateFile
!=
""
&&
keyFile
!=
""
{
err
:=
config
.
Manager
.
CacheUnmanagedCertificatePEMFile
(
certificateFile
,
keyFile
)
err
:=
config
.
Manager
.
CacheUnmanagedCertificatePEMFile
(
certificateFile
,
keyFile
,
nil
)
if
err
!=
nil
{
if
err
!=
nil
{
return
c
.
Errf
(
"Unable to load certificate and key files for '%s': %v"
,
c
.
Key
,
err
)
return
c
.
Errf
(
"Unable to load certificate and key files for '%s': %v"
,
c
.
Key
,
err
)
}
}
...
@@ -341,7 +361,7 @@ func setupTLS(c *caddy.Controller) error {
...
@@ -341,7 +361,7 @@ func setupTLS(c *caddy.Controller) error {
if
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"self-signed certificate generation: %v"
,
err
)
return
fmt
.
Errorf
(
"self-signed certificate generation: %v"
,
err
)
}
}
err
=
config
.
Manager
.
CacheUnmanagedTLSCertificate
(
ssCert
)
err
=
config
.
Manager
.
CacheUnmanagedTLSCertificate
(
ssCert
,
nil
)
if
err
!=
nil
{
if
err
!=
nil
{
return
fmt
.
Errorf
(
"self-signed: %v"
,
err
)
return
fmt
.
Errorf
(
"self-signed: %v"
,
err
)
}
}
...
@@ -437,7 +457,7 @@ func loadCertsInDir(cfg *Config, c *caddy.Controller, dir string) error {
...
@@ -437,7 +457,7 @@ func loadCertsInDir(cfg *Config, c *caddy.Controller, dir string) error {
return
c
.
Errf
(
"%s: no private key block found"
,
path
)
return
c
.
Errf
(
"%s: no private key block found"
,
path
)
}
}
err
=
cfg
.
Manager
.
CacheUnmanagedCertificatePEMBytes
(
certPEMBytes
,
keyPEMBytes
)
err
=
cfg
.
Manager
.
CacheUnmanagedCertificatePEMBytes
(
certPEMBytes
,
keyPEMBytes
,
nil
)
if
err
!=
nil
{
if
err
!=
nil
{
return
c
.
Errf
(
"%s: failed to load cert and key for '%s': %v"
,
path
,
c
.
Key
,
err
)
return
c
.
Errf
(
"%s: failed to load cert and key for '%s': %v"
,
path
,
c
.
Key
,
err
)
}
}
...
@@ -475,4 +495,11 @@ func constructDefaultClusterPlugin() (certmagic.Storage, error) {
...
@@ -475,4 +495,11 @@ func constructDefaultClusterPlugin() (certmagic.Storage, error) {
return
&
certmagic
.
FileStorage
{
Path
:
caddy
.
AssetsPath
()},
nil
return
&
certmagic
.
FileStorage
{
Path
:
caddy
.
AssetsPath
()},
nil
}
}
var
onDemandAskClient
=
&
http
.
Client
{
Timeout
:
10
*
time
.
Second
,
CheckRedirect
:
func
(
req
*
http
.
Request
,
via
[]
*
http
.
Request
)
error
{
return
fmt
.
Errorf
(
"following http redirects is not allowed"
)
},
}
const
configMapKey
=
"tls_custom_configs"
const
configMapKey
=
"tls_custom_configs"
go.mod
View file @
0b2e0548
...
@@ -14,7 +14,7 @@ require (
...
@@ -14,7 +14,7 @@ require (
github.com/klauspost/cpuid v1.2.0
github.com/klauspost/cpuid v1.2.0
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 // indirect
github.com/lucas-clemente/quic-go v0.10.2
github.com/lucas-clemente/quic-go v0.10.2
github.com/mholt/certmagic v0.6.
1
github.com/mholt/certmagic v0.6.
2-0.20190624175158-6a42ef9fe8c2
github.com/naoina/go-stringutil v0.1.0 // indirect
github.com/naoina/go-stringutil v0.1.0 // indirect
github.com/naoina/toml v0.1.1
github.com/naoina/toml v0.1.1
github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4
github.com/russross/blackfriday v0.0.0-20170610170232-067529f716f4
...
...
go.sum
View file @
0b2e0548
...
@@ -44,8 +44,8 @@ github.com/lucas-clemente/quic-go v0.10.2/go.mod h1:hvaRS9IHjFLMq76puFJeWNfmn+H7
...
@@ -44,8 +44,8 @@ github.com/lucas-clemente/quic-go v0.10.2/go.mod h1:hvaRS9IHjFLMq76puFJeWNfmn+H7
github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cced h1:zqEC1GJZFbGZA0tRyNZqRjep92K5fujFtFsu5ZW7Aug=
github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cced h1:zqEC1GJZFbGZA0tRyNZqRjep92K5fujFtFsu5ZW7Aug=
github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cced/go.mod h1:NCcRLrOTZbzhZvixZLlERbJtDtYsmMw8Jc4vS8Z0g58=
github.com/lucas-clemente/quic-go-certificates v0.0.0-20160823095156-d2f86524cced/go.mod h1:NCcRLrOTZbzhZvixZLlERbJtDtYsmMw8Jc4vS8Z0g58=
github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
github.com/marten-seemann/qtls v0.2.3/go.mod h1:xzjG7avBwGGbdZ8dTGxlBnLArsVKLvwmjgmPuiQEcYk=
github.com/mholt/certmagic v0.6.
1 h1:3u4+xP+ohbYOxlpEzfaxOceNpSUmERdB+71AT2fKyqo
=
github.com/mholt/certmagic v0.6.
2-0.20190624175158-6a42ef9fe8c2 h1:xKE9kZ5C8gelJC3+BNM6LJs1x21rivK7yxfTZMAuY2s
=
github.com/mholt/certmagic v0.6.
1
/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY=
github.com/mholt/certmagic v0.6.
2-0.20190624175158-6a42ef9fe8c2
/go.mod h1:g4cOPxcjV0oFq3qwpjSA30LReKD8AoIfwAY9VvG35NY=
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
github.com/miekg/dns v1.1.3 h1:1g0r1IvskvgL8rR+AcHzUA+oFmGcQlaIm4IqakufeMM=
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/miekg/dns v1.1.3/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=
github.com/naoina/go-stringutil v0.1.0 h1:rCUeRUHjBjGTSHl0VC00jUPLz8/F9dDzYI70Hzifhks=
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment