Commit 91da965a authored by Jonas Östanbäck's avatar Jonas Östanbäck Committed by Matt Holt

Disable warning for insecure CA if located on private network. (#1599)

* Disable warning for insecure CA if located on private network.
 * Add IsPrivateNetwork function
 * Add tests
Signed-off-by: default avatarJonas Östanbäck <jonas.ostanback@gmail.com>

* Add more testcases
Signed-off-by: default avatarJonas Östanbäck <jonas.ostanback@gmail.com>

* Rename IsPrivateNetwork -> IsInternal
Signed-off-by: default avatarJonas Östanbäck <jonas.ostanback@gmail.com>
parent b37da039
...@@ -763,6 +763,35 @@ func IsLoopback(addr string) bool { ...@@ -763,6 +763,35 @@ func IsLoopback(addr string) bool {
strings.HasPrefix(host, "127.") strings.HasPrefix(host, "127.")
} }
// IsInternal returns true if the IP of addr
// belongs to a private network IP range. addr must only
// be an IP or an IP:port combination.
// Loopback addresses are considered false.
func IsInternal(addr string) bool {
private_networks := []string{
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"fc00::/7",
}
host, _, err := net.SplitHostPort(addr)
if err != nil {
host = addr // happens if the addr is just a hostname
}
ip := net.ParseIP(host)
if ip == nil {
return false
}
for _, private_network := range private_networks {
_, ipnet, _ := net.ParseCIDR(private_network)
if ipnet.Contains(ip) {
return true
}
}
return false
}
// Upgrade re-launches the process, preserving the listeners // Upgrade re-launches the process, preserving the listeners
// for a graceful restart. It does NOT load new configuration; // for a graceful restart. It does NOT load new configuration;
// it only starts the process anew with a fresh binary. // it only starts the process anew with a fresh binary.
......
...@@ -61,6 +61,65 @@ func TestIsLoopback(t *testing.T) { ...@@ -61,6 +61,65 @@ func TestIsLoopback(t *testing.T) {
} }
} }
func TestIsInternal(t *testing.T) {
for i, test := range []struct {
input string
expect bool
}{
{"9.255.255.255", false},
{"10.0.0.0", true},
{"10.0.0.1", true},
{"10.255.255.254", true},
{"10.255.255.255", true},
{"11.0.0.0", false},
{"10.0.0.5:1234", true},
{"11.0.0.5:1234", false},
{"172.15.255.255", false},
{"172.16.0.0", true},
{"172.16.0.1", true},
{"172.31.255.254", true},
{"172.31.255.255", true},
{"172.32.0.0", false},
{"172.16.0.1:1234", true},
{"192.167.255.255", false},
{"192.168.0.0", true},
{"192.168.0.1", true},
{"192.168.255.254", true},
{"192.168.255.255", true},
{"192.169.0.0", false},
{"192.168.0.1:1234", true},
{"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false},
{"fc00::", true},
{"fc00::1", true},
{"fdff:ffff:ffff:ffff:ffff:ffff:ffff:fffe", true},
{"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true},
{"fe00::", false},
{"fd12:3456:789a:1::1:1234", true},
{"example.com", false},
{"localhost", false},
{"localhost:1234", false},
{"localhost:", false},
{"127.0.0.1", false},
{"127.0.0.1:443", false},
{"127.0.1.5", false},
{"12.7.0.1", false},
{"[::1]", false},
{"[::1]:1234", false},
{"::1", false},
{"::", false},
{"[::]", false},
{"local", false},
} {
if got, want := IsInternal(test.input), test.expect; got != want {
t.Errorf("Test %d (%s): expected %v but was %v", i, test.input, want, got)
}
}
}
func TestListenerAddrEqual(t *testing.T) { func TestListenerAddrEqual(t *testing.T) {
ln1, err := net.Listen("tcp", "[::]:0") ln1, err := net.Listen("tcp", "[::]:0")
if err != nil { if err != nil {
......
...@@ -61,7 +61,7 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error) ...@@ -61,7 +61,7 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if u.Scheme != "https" && !caddy.IsLoopback(u.Host) && !strings.HasPrefix(u.Host, "10.") { if u.Scheme != "https" && !caddy.IsLoopback(u.Host) && !caddy.IsInternal(u.Host) {
return nil, fmt.Errorf("%s: insecure CA URL (HTTPS required)", caURL) return nil, fmt.Errorf("%s: insecure CA URL (HTTPS required)", caURL)
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment