Commit 4462e397 authored by Matthew Holt

httpserver: max_certs now forces On-Demand TLS even if name is known

Original feature request in forum:
https://forum.caddyserver.com/t/caddy-with-specific-hosts-but-on-demand-tls/1704?u=matt

Before, Caddy obtained certificates for every name it could at startup.
And it would only obtain certificates during the handshake for sites
defined with a hostname that didn't qualify at startup (like
"*.example.com" or ":443"). This made sense for most situations, and
helped ensure that certificates were obtained as early and reliably as
possible.

With this change, Caddy will NOT obtain certificates for hostnames it
knows at startup (even if they qualify) if OnDemand is enabled.

But I think this change generalizes well, because a user who specifies
max_certs is deliberately turning on On-Demand TLS, fully aware of
the consequences. It seems dubious to ignore that config when the user
deliberately put it there. We'll see how this goes.
parent a56a8334
...@@ -23,6 +23,9 @@ func activateHTTPS(cctx caddy.Context) error { ...@@ -23,6 +23,9 @@ func activateHTTPS(cctx caddy.Context) error {
// place certificates and keys on disk // place certificates and keys on disk
for _, c := range ctx.siteConfigs { for _, c := range ctx.siteConfigs {
if c.TLS.OnDemand {
continue // obtain these certificates on-demand instead
}
err := c.TLS.ObtainCert(c.TLS.Hostname, operatorPresent) err := c.TLS.ObtainCert(c.TLS.Hostname, operatorPresent)
if err != nil { if err != nil {
return err return err
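Review bot: the new `if c.TLS.OnDemand { continue }` silently changes startup behaviour for hostnames that previously had their certificate obtained before the first request; consider logging which site names are being deferred so an operator who set max_certs can see that the certificate for a known hostname will now only be obtained during the first TLS handshake (and count against max_certs). The commit message ties this to max_certs, but the guard keys on `c.TLS.OnDemand`; a short comment here stating that max_certs is what sets OnDemand would make that link explicit.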
...@@ -65,15 +68,15 @@ func markQualifiedForAutoHTTPS(configs []*SiteConfig) { ...@@ -65,15 +68,15 @@ func markQualifiedForAutoHTTPS(configs []*SiteConfig) {
} }
// enableAutoHTTPS configures each config to use TLS according to default settings. // enableAutoHTTPS configures each config to use TLS according to default settings.
// It will only change configs that are marked as managed, and assumes that // It will only change configs that are marked as managed but not on-demand, and
// certificates and keys are already on disk. If loadCertificates is true, // assumes that certificates and keys are already on disk. If loadCertificates is
// the certificates will be loaded from disk into the cache for this process // true, the certificates will be loaded from disk into the cache for this process
// to use. If false, TLS will still be enabled and configured with default // to use. If false, TLS will still be enabled and configured with default settings,
// settings, but no certificates will be parsed loaded into the cache, and // but no certificates will be parsed loaded into the cache, and the returned error
// the returned error value will always be nil. // value will always be nil.
func enableAutoHTTPS(configs []*SiteConfig, loadCertificates bool) error { func enableAutoHTTPS(configs []*SiteConfig, loadCertificates bool) error {
for _, cfg := range configs { for _, cfg := range configs {
if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed { if cfg == nil || cfg.TLS == nil || !cfg.TLS.Managed || cfg.TLS.OnDemand {
continue continue
} }
cfg.TLS.Enabled = true cfg.TLS.Enabled = true
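Review bot: adding `|| cfg.TLS.OnDemand` to the skip condition means on-demand sites no longer reach `cfg.TLS.Enabled = true` and the default-settings path in this function; confirm that a known-hostname site with max_certs set still gets TLS enabled and its defaults applied elsewhere, otherwise it would be left serving plain HTTP. While the doc comment is being rewritten, the pre-existing typo "no certificates will be parsed loaded into the cache" should read "parsed or loaded".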
......