Commit 6bc3e753 authored by Matthew Holt

tls: Command line flags to disable HTTP and TLS-SNI challenges

This could have just as easily been a tls directive property in the
Caddyfile, but I figure if these challenges are being disabled, it's
because of port availability or process privileges, both of which would
affect all sites served by this process. The names of the flags are long
but descriptive.

I've never needed this but I hear of quite a few people who say they
need this ability, so here it is.
parent df9d062a
...@@ -29,6 +29,8 @@ func init() { ...@@ -29,6 +29,8 @@ func init() {
flag.BoolVar(&caddytls.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement") flag.BoolVar(&caddytls.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
flag.StringVar(&caddytls.DefaultCAUrl, "ca", "https://acme-v01.api.letsencrypt.org/directory", "URL to certificate authority's ACME server directory") flag.StringVar(&caddytls.DefaultCAUrl, "ca", "https://acme-v01.api.letsencrypt.org/directory", "URL to certificate authority's ACME server directory")
flag.BoolVar(&caddytls.DisableHTTPChallenge, "disable-http-challenge", caddytls.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
flag.BoolVar(&caddytls.DisableTLSSNIChallenge, "disable-tls-sni-challenge", caddytls.DisableTLSSNIChallenge, "Disable the ACME TLS-SNI challenge")
flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")") flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
flag.StringVar(&cpu, "cpu", "100%", "CPU cap") flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
flag.BoolVar(&plugins, "plugins", false, "List installed plugins") flag.BoolVar(&plugins, "plugins", false, "List installed plugins")
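Review bot: The help strings on the two new flags (lines 17–18) say only that a challenge is disabled, not what the operator must provide instead; judging by the client hunk in this commit, disabling both challenges while no DNS provider is configured leaves the ACME client with no challenge type it can solve, and that consequence belongs in the flag help where the operator will see it. Suggest `"Disable the ACME HTTP challenge (port 80); if the TLS-SNI challenge is also disabled, a DNS provider must be configured"` and the matching wording for the TLS-SNI flag. Passing the package variables' current values as the flag defaults works, but it reads as if they might already be non-zero at init time; a literal `false` makes the default explicit. The enclosing init() starts and ends outside the hunk.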
...@@ -143,6 +143,18 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error) ...@@ -143,6 +143,18 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
if caddy.HasListenerWithAddress(net.JoinHostPort(config.ListenHost, useTLSSNIPort)) { if caddy.HasListenerWithAddress(net.JoinHostPort(config.ListenHost, useTLSSNIPort)) {
c.acmeClient.SetChallengeProvider(acme.TLSSNI01, tlsSniSolver{}) c.acmeClient.SetChallengeProvider(acme.TLSSNI01, tlsSniSolver{})
} }
// Disable any challenges that should not be used
var disabledChallenges []acme.Challenge
if DisableHTTPChallenge {
disabledChallenges = append(disabledChallenges, acme.HTTP01)
}
if DisableTLSSNIChallenge {
disabledChallenges = append(disabledChallenges, acme.TLSSNI01)
}
if len(disabledChallenges) > 0 {
c.acmeClient.ExcludeChallenges(disabledChallenges)
}
} else { } else {
// Otherwise, use DNS challenge exclusively // Otherwise, use DNS challenge exclusively
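Review bot: Excluding both challenge types at line 36 leaves the client with nothing it can solve in this branch, which appears to be the no-DNS-provider path given the `else` comment at line 39, and the failure will only surface later, per name, when a certificate is actually requested. Fail fast here instead: before building `disabledChallenges`, add `if DisableHTTPChallenge && DisableTLSSNIChallenge { return nil, errors.New("both the HTTP and TLS-SNI challenges are disabled and no DNS provider is configured") }` (use `fmt.Errorf` if this file does not import `errors`). Separately, the TLS-SNI solver registered at line 25 is still installed when `DisableTLSSNIChallenge` is set, while the HTTP handler hunk in this commit short-circuits on its own flag; guarding that `SetChallengeProvider` call with `!DisableTLSSNIChallenge` keeps the two disable paths symmetric rather than relying solely on the exclusion list. The enclosing newACMEClient starts and ends outside the hunk.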
...@@ -20,6 +20,9 @@ func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, listenHost, al ...@@ -20,6 +20,9 @@ func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, listenHost, al
if !strings.HasPrefix(r.URL.Path, challengeBasePath) { if !strings.HasPrefix(r.URL.Path, challengeBasePath) {
return false return false
} }
if DisableHTTPChallenge {
return false
}
if !namesObtaining.Has(r.Host) { if !namesObtaining.Has(r.Host) {
return false return false
} }
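Review bot: The early return at lines 45–47 changes who answers requests under the challenge path when the flag is set — returning false hands `/.well-known/acme-challenge/` requests to the site's own handlers — and nothing in the hunk says that this is intended rather than a place where the request should be rejected. If the fall-through is deliberate (it is what an operator forwarding the challenge to another ACME client would presumably want), add a why-comment above the check: `// When the HTTP challenge is disabled, let the request fall through to the site's own handlers instead of answering it here.` The flag is also read on every request without any synchronization, which is fine only if it is written solely during flag parsing before serving starts; that constraint is worth stating at its declaration. The enclosing HTTPChallengeHandler starts and ends outside the hunk.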
...@@ -167,6 +167,12 @@ var ( ...@@ -167,6 +167,12 @@ var (
// DefaultKeyType is used as the type of key for new certificates // DefaultKeyType is used as the type of key for new certificates
// when no other key type is specified. // when no other key type is specified.
DefaultKeyType = acme.RSA2048 DefaultKeyType = acme.RSA2048
// DisableHTTPChallenge will disable all HTTP challenges.
DisableHTTPChallenge bool
// DisableTLSSNIChallenge will disable all TLS-SNI challenges.
DisableTLSSNIChallenge bool
) )
var storageProviders = make(map[string]StorageConstructor) var storageProviders = make(map[string]StorageConstructor)
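Review bot: The doc comments at lines 56 and 58 say what the variables do but not how they are set or when they may change, and the HTTP challenge handler added in this commit reads `DisableHTTPChallenge` on every request with no synchronization, so the contract should be written down. Suggest `// DisableHTTPChallenge disables the ACME HTTP challenge. It is set from the -disable-http-challenge flag and must not change after serving starts; the challenge handler reads it unsynchronized.` and the matching sentence for DisableTLSSNIChallenge. The var block these lines belong to starts outside the hunk.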