1. 21 Jan, 2017 2 commits
    • Matt Holt's avatar
      Merge pull request #1366 from mholt/tls-sni-renew-fix · 9369b814
      Matt Holt authored
      tls: Fix background certificate renewals that use TLS-SNI challenge
      9369b814
    • Matthew Holt's avatar
      tls: Fix background certificate renewals that use TLS-SNI challenge · 0e34c7c9
      Matthew Holt authored
      The loop which performs renewals in the background obtains a read lock
      on the certificate cache map, so that it can be safely iterated. Before
      this fix, it would obtain the renewals in the read lock. This has been
      fine, except that the TLS-SNI challenge, when invoked after Caddy has
      already started, requires adding a certificate to the cache. Doing this
      requires an exclusive write lock. But it cannot obtain a write lock
      because a read lock is obtained higher in the stack, while the loop
      iterates. In other words, it's a deadlock.
      
      I was able to reproduce this issue consistently locally, after jumping
      through many hoops to force a renewal in a short time that bypasses
      Let's Encrypt's authz caching. I was also able to verify that by queuing
      renewals (like we do deletions and OCSP updates), lock contention is
      relieved and the deadlock is avoided.
      
      This only affects background renewals where the TLS-SNI(-01) challenge
      are used. Users report seeing strange errors in the logs after this
      happens ("tls: client offered an unsupported, maximum protocol version
      of 301"), but I was not able to reproduce these locally. I was also not
      able to reproduce the leak of sockets which are left in CLOSE_WAIT.
      I am not sure if those are symptoms of running in production on Linux
      and are related to this bug, or not.
      
      Either way, this is an important fix. I do not yet know the ripple
      effects this will have on other symptoms we've been chasing. But it
      definitely resolves a deadlock during renewals.
      0e34c7c9
  2. 18 Jan, 2017 1 commit
    • Tw's avatar
      proxy: fix TestReverseProxy failure on go tip (#1360) · ecf852ea
      Tw authored
      Because of this commit(6e36811c37399d60cbce587b7c48e611009c5aec) on go tip,
      it will probe the request's body to determine whether to use chunked transfer
      encoding which trailers depend on it.
      So we just offer a non empty body to make trailers work.
      
      fix issue #1359
      Signed-off-by: default avatarTw <tw19881113@gmail.com>
      ecf852ea
  3. 17 Jan, 2017 1 commit
  4. 14 Jan, 2017 3 commits
    • M-A's avatar
      Add {whenISO} to record timestamp in ISO 8601 format in UTC. (#1353) · 8464020f
      M-A authored
      * Add {whenISO} to record timestamp in ISO 8601 format in UTC.
      
      ISO 8601 is the standard time format and is easy to parse.
      
      This change assumes users desiring ISO 8016 generally prefer UTC for simplicity.
      This results in {whenISO} to be significantly shorter than {when}:
      {when}    = "02/Jan/2006:15:04:05 +0000"
      {whenISO} = "2006-01-02T15:04:12Z"
      
      Add unit test to verify both, as there was no unit test for {when}.
      
      * Rename {whenISO} to {when_iso}
      8464020f
    • Henrique Dias's avatar
      Add StartupHooks to Plugins (#1330) · 0155b0c5
      Henrique Dias authored
      * Update run.go
      
      * Update plugins.go
      
      * Update plugins.go
      
      * Update run.go
      
      * typo
      
      * Update plugins.go
      
      * Update plugins.go
      
      * Requested changes by @mholt
      0155b0c5
    • Toby Allen's avatar
      Add a cli parameter to -validate a Caddyfile. Issue #1328 (#1344) · 21d92d68
      Toby Allen authored
      * Allow -validate flag to validate caddyfile and return
      
      * Ensure logging without -log flag
      
      * Changes to validate seperatly to Starup func
      
      * Removed change to Start signature.  Created function to ValidateCaddyfile
      
      * comment and tidyup
      
      * ValidateandExecuteDirectives with justValidate option
      
      * remove debugging code
      
      * Tidy up comments
      
      * additional parameter added to calls to mustLogFataf
      
      * ValidateAndExecuteDirectives needs to only return err
      21d92d68
  5. 11 Jan, 2017 4 commits
  6. 10 Jan, 2017 3 commits
  7. 09 Jan, 2017 2 commits
  8. 08 Jan, 2017 1 commit
  9. 04 Jan, 2017 2 commits
  10. 03 Jan, 2017 1 commit
  11. 01 Jan, 2017 4 commits
  12. 30 Dec, 2016 3 commits
  13. 29 Dec, 2016 1 commit
  14. 28 Dec, 2016 2 commits
  15. 27 Dec, 2016 1 commit
  16. 26 Dec, 2016 4 commits
  17. 23 Dec, 2016 2 commits
  18. 22 Dec, 2016 1 commit
  19. 21 Dec, 2016 2 commits
    • Matthew Holt's avatar
      Version 0.9.4 · 7dc1dc1c
      Matthew Holt authored
      7dc1dc1c
    • Leonard Hecker's avatar
      Fixed HTTP/2 support for the proxy middleware (#1300) · a3aa414f
      Leonard Hecker authored
      * Fixed HTTP/2 support for the proxy middleware
      
      http.Transport instances whose TLSClientConfig, Dial, or DialTLS field
      is non-nil will be configured without HTTP/2 support by default.
      
      This commit adds the proper calls to http2.ConfigureTransport()
      everywhere a http.Transport is created and thus fixes HTTP/2 in the
      proxy middleware whenever insecure_skip_verify or keepalive is provided.
      
      * Added HTTP/2 support check to TestReverseProxyInsecureSkipVerify
      a3aa414f