- 11 Feb, 2016 1 commit
-
-
Matthew Holt authored
Biggest change is no longer using standard library's tls.Config.getCertificate function to get a certificate during TLS handshake. Implemented our own cache which can be changed dynamically at runtime, even during TLS handshakes. As such, restarts are no longer required after certificate renewals or OCSP updates. We also allow loading multiple certificates and keys per host, even by specifying a directory (tls got a new 'load' command for that). Renamed the letsencrypt package to https in a gradual effort to become more generic; and https is more fitting for what the package does now. There are still some known bugs, e.g. reloading where a new certificate is required but port 80 isn't currently listening, will cause the challenge to fail. There's still plenty of cleanup to do and tests to write. It is especially confusing right now how we enable "on-demand" TLS during setup and keep track of that. But this change should basically work so far.
-
- 26 Jan, 2016 1 commit
-
-
Matthew Holt authored
-
- 25 Jan, 2016 5 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
Challenge names now have their own type and constants
-
- 23 Jan, 2016 3 commits
-
-
Matthew Holt authored
-
Matt Holt authored
proxy: add a insecure_skip_verify option - closes #320
-
Filippo Valsorda authored
-
- 16 Jan, 2016 2 commits
-
-
Matt Holt authored
letsencrypt: Fix perm of user key
-
Xidorn Quan authored
-
- 15 Jan, 2016 2 commits
-
-
Matt Holt authored
gzip: Add .svg to default ext list
-
Matthew Holt authored
-
- 14 Jan, 2016 1 commit
-
-
Alexey Khalyapin authored
-
- 13 Jan, 2016 4 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
Implements "on-demand TLS" as I call it, which means obtaining TLS certificates on-the-fly during TLS handshakes if a certificate for the requested hostname is not already available. Only the first request for a new hostname will experience higher latency; subsequent requests will get the new certificates right out of memory. Code still needs lots of cleanup but the feature is basically working.
-
Matthew Holt authored
I've built this on Go 1.6 beta 1 and made some changes to be more compatible. Namely, I removed the use of the /x/net/http2 package and let net/http enable h2 by default; updated the way h2 is disabled (if the user requires it); moved TLS_FALLBACK_SCSV to the front of the cipher suites list (all values not accepted by http2 must go after those allowed by it); removed the NextProto default of http/1.1; set the http.Server.TLSConfig value to the TLS config used by the listener (we left it nil before, but this prevents automatic enabling of h2). It is very likely there is more to do, but at least already Caddy uses HTTP/2 when built with Go 1.6.
-
- 12 Jan, 2016 7 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
Also only set custom address if alternate port is specified (rather than using a blank address; just cleaner this way)
-
Matt Holt authored
gzip: Fix for wrong content-type when templates is used.
-
Abiola Ibrahim authored
-
- 11 Jan, 2016 5 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
This change fixes the scenario where you reload the config and it tries to obtain a cert from the ACME server, but no email address is found or terms have not been agreed to in-process. This is unfortunate but it should not stop the server from reloading, so we assume empty email address in this case.
-
Matthew Holt authored
-
Matthew Holt authored
This prevents serving HTTPS over port 80 or HTTP over 443. It's confusing and we don't allow it.
-
Matthew Holt authored
It is unexpected to serve localhost on port 443 or any server on 443 if TLS is disabled, even if the port is blank. Also don't warn about how to force TLS on the HTTP port.
-
- 10 Jan, 2016 2 commits
-
-
Matthew Holt authored
The docs link to this structure and all its methods related to the browse template; keeping them together makes it possible to link to the whole block of code that is relevant.
-
Matthew Holt authored
-
- 09 Jan, 2016 2 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
-
- 08 Jan, 2016 5 commits
-
-
Matthew Holt authored
Doesn't test the SkipInsecureVerify proxy setting, but that can be done at another time.
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
-
Matthew Holt authored
-