bb80f991
Commit
bb80f991
authored
Jan 03, 2016
by
Matthew Holt
tls: Allow opening block without specifying cert+key args
parent
946ff5e8
Showing
2 changed files
with
42 additions
and
11 deletions
+42
-11
caddy/setup/tls.go
caddy/setup/tls.go
+8
-7
caddy/setup/tls_test.go
caddy/setup/tls_test.go
+34
-4
caddy/setup/tls.go
...
@@ -11,12 +11,12 @@ import (
...
@@ -11,12 +11,12 @@ import (
// TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
// TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
func
TLS
(
c
*
Controller
)
(
middleware
.
Middleware
,
error
)
{
func
TLS
(
c
*
Controller
)
(
middleware
.
Middleware
,
error
)
{
if
c
.
Port
==
"http"
{
if
c
.
Scheme
==
"http"
{
c
.
TLS
.
Enabled
=
false
c
.
TLS
.
Enabled
=
false
log
.
Printf
(
"[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "
+
log
.
Printf
(
"[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "
+
"specify port 80 explicitly (https://%s:80)."
,
c
.
Port
,
c
.
Host
,
c
.
Host
)
"specify port 80 explicitly (https://%s:80)."
,
c
.
Scheme
,
c
.
Address
()
,
c
.
Host
)
}
else
{
}
else
{
c
.
TLS
.
Enabled
=
true
//
they had a tls directive, so assume it's on unless we confirm otherwise later
c
.
TLS
.
Enabled
=
true
//
assume this for now
}
}
for
c
.
Next
()
{
for
c
.
Next
()
{
...
@@ -37,13 +37,11 @@ func TLS(c *Controller) (middleware.Middleware, error) {
...
@@ -37,13 +37,11 @@ func TLS(c *Controller) (middleware.Middleware, error) {
// served on the HTTPS port; that is what user would expect, and
// served on the HTTPS port; that is what user would expect, and
// makes it consistent with how the letsencrypt package works.
// makes it consistent with how the letsencrypt package works.
if
c
.
Port
==
""
{
if
c
.
Port
==
""
{
c
.
Port
=
"
https
"
c
.
Port
=
"
443
"
}
}
default
:
return
nil
,
c
.
ArgErr
()
}
}
// Optional block
// Optional block
with extra parameters
for
c
.
NextBlock
()
{
for
c
.
NextBlock
()
{
switch
c
.
Val
()
{
switch
c
.
Val
()
{
case
"protocols"
:
case
"protocols"
:
...
@@ -74,6 +72,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
...
@@ -74,6 +72,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
if
len
(
c
.
TLS
.
ClientCerts
)
==
0
{
if
len
(
c
.
TLS
.
ClientCerts
)
==
0
{
return
nil
,
c
.
ArgErr
()
return
nil
,
c
.
ArgErr
()
}
}
// TODO: Allow this? It's a bad idea to allow HTTP. If we do this, make sure invoking tls at all (even manually) also sets up a redirect if possible?
// case "allow_http":
// c.TLS.DisableHTTPRedir = true
default
:
default
:
return
nil
,
c
.
Errf
(
"Unknown keyword '%s'"
,
c
.
Val
())
return
nil
,
c
.
Errf
(
"Unknown keyword '%s'"
,
c
.
Val
())
}
}
...
...
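Review bot: The `default: return nil, c.ArgErr()` arm dropped in the second hunk was the only visible rejection of a `tls` line whose argument count matches none of the handled cases; unless another case of that `switch` (outside the hunk) still catches it, a line such as `tls cert.crt` with a single argument would now pass parsing with `c.TLS.Enabled = true` set in the first hunk and no certificate loaded, surfacing only later instead of at parse time. If only zero or two arguments are meant to be accepted, keep a catch-all `default: return nil, c.ArgErr()` next to the new argument-free case. The enclosing function `TLS` begins before the first hunk and ends after the last. The `// case "allow_http":` and `// c.TLS.DisableHTTPRedir = true` lines in the third hunk are commented-out code; the TODO sentence alone would read cleaner.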
caddy/setup/tls_test.go
...
@@ -66,11 +66,12 @@ func TestTLSParseBasic(t *testing.T) {
...
@@ -66,11 +66,12 @@ func TestTLSParseBasic(t *testing.T) {
}
}
func
TestTLSParseIncompleteParams
(
t
*
testing
.
T
)
{
func
TestTLSParseIncompleteParams
(
t
*
testing
.
T
)
{
// This doesn't do anything useful but is allowed in case the user wants to be explicit
// about TLS being enabled...
c
:=
NewTestController
(
`tls`
)
c
:=
NewTestController
(
`tls`
)
_
,
err
:=
TLS
(
c
)
_
,
err
:=
TLS
(
c
)
if
err
=
=
nil
{
if
err
!
=
nil
{
t
.
Errorf
(
"Expected
errors (first check), but no error returned"
)
t
.
Errorf
(
"Expected
no error, but got %v"
,
err
)
}
}
}
}
...
@@ -95,10 +96,39 @@ func TestTLSParseWithOptionalParams(t *testing.T) {
...
@@ -95,10 +96,39 @@ func TestTLSParseWithOptionalParams(t *testing.T) {
}
}
if
len
(
c
.
TLS
.
Ciphers
)
-
1
!=
3
{
if
len
(
c
.
TLS
.
Ciphers
)
-
1
!=
3
{
t
.
Errorf
(
"Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v"
,
len
(
c
.
TLS
.
Ciphers
))
t
.
Errorf
(
"Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v"
,
len
(
c
.
TLS
.
Ciphers
)
-
1
)
}
}
func
TestTLSDefaultWithOptionalParams
(
t
*
testing
.
T
)
{
params
:=
`tls {
ciphers RSA-3DES-EDE-CBC-SHA
}`
c
:=
NewTestController
(
params
)
_
,
err
:=
TLS
(
c
)
if
err
!=
nil
{
t
.
Errorf
(
"Expected no errors, got: %v"
,
err
)
}
if
len
(
c
.
TLS
.
Ciphers
)
-
1
!=
1
{
t
.
Errorf
(
"Expected 1 ciphers (not including TLS_FALLBACK_SCSV), got %v"
,
len
(
c
.
TLS
.
Ciphers
)
-
1
)
}
}
}
}
// TODO: If we allow this... but probably not a good idea.
// func TestTLSDisableHTTPRedirect(t *testing.T) {
// c := NewTestController(`tls {
// allow_http
// }`)
// _, err := TLS(c)
// if err != nil {
// t.Errorf("Expected no error, but got %v", err)
// }
// if !c.TLS.DisableHTTPRedir {
// t.Error("Expected HTTP redirect to be disabled, but it wasn't")
// }
// }
func
TestTLSParseWithWrongOptionalParams
(
t
*
testing
.
T
)
{
func
TestTLSParseWithWrongOptionalParams
(
t
*
testing
.
T
)
{
// Test protocols wrong params
// Test protocols wrong params
params
:=
`tls cert.crt cert.key {
params
:=
`tls cert.crt cert.key {
...
...
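Review bot: `TestTLSParseIncompleteParams` now only asserts that a bare `tls` directive returns no error, so the state the commit introduces for that case is never checked; add `if !c.TLS.Enabled { t.Error("Expected TLS to be enabled for a bare tls directive") }` after the error check. `TestTLSDefaultWithOptionalParams` could assert `c.TLS.Enabled` in the same way, so a regression where the block parses but TLS stays off is caught rather than only the cipher count. The commented-out `TestTLSDisableHTTPRedirect` is dead code; a one-line TODO would serve the same purpose.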