tls: Command line flags to disable HTTP and TLS-SNI challenges

This could have just as easily been a tls directive property in the Caddyfile, but I figure if these challenges are being disabled, it's because of port availability or process privileges, both of which would affect all sites served by this process. The names of the flag are long but descriptive. I've never needed this but I hear of quite a few people who say they need this ability, so here it is.

tls: Command line flags to disable HTTP and TLS-SNI challenges
This could have just as easily been a tls directive property in the Caddyfile, but I figure if these challenges are being disabled, it's because of port availability or process privileges, both of which would affect all sites served by this process. The names of the flag are long but descriptive. I've never needed this but I hear of quite a few people who say they need this ability, so here it is.
6bc3e753 · Matthew Holt · df9d062a · 6bc3e753 · 6bc3e753 · 6bc3e753
Commit 6bc3e753 authored Mar 08, 2017 by Matthew Holt
Showing with 23 additions and 0 deletions

caddy/caddymain/run.go caddy/caddymain/run.go +2 -0

caddytls/client.go caddytls/client.go +12 -0

caddytls/httphandler.go caddytls/httphandler.go +3 -0

caddytls/tls.go caddytls/tls.go +6 -0

No files found.
--- a/caddy/caddymain/run.go
+++ b/caddy/caddymain/run.go
@@ -29,6 +29,8 @@ func init() {

 	flag.BoolVar(&caddytls.Agreed, "agree", false, "Agree to the CA's Subscriber Agreement")
 	flag.StringVar(&caddytls.DefaultCAUrl, "ca", "https://acme-v01.api.letsencrypt.org/directory", "URL to certificate authority's ACME server directory")
+	flag.BoolVar(&caddytls.DisableHTTPChallenge, "disable-http-challenge", caddytls.DisableHTTPChallenge, "Disable the ACME HTTP challenge")
+	flag.BoolVar(&caddytls.DisableTLSSNIChallenge, "disable-tls-sni-challenge", caddytls.DisableTLSSNIChallenge, "Disable the ACME TLS-SNI challenge")
 	flag.StringVar(&conf, "conf", "", "Caddyfile to load (default \""+caddy.DefaultConfigFile+"\")")
 	flag.StringVar(&cpu, "cpu", "100%", "CPU cap")
 	flag.BoolVar(&plugins, "plugins", false, "List installed plugins")

--- a/caddytls/client.go
+++ b/caddytls/client.go
@@ -143,6 +143,18 @@ var newACMEClient = func(config *Config, allowPrompts bool) (*ACMEClient, error)
 		if caddy.HasListenerWithAddress(net.JoinHostPort(config.ListenHost, useTLSSNIPort)) {
 			c.acmeClient.SetChallengeProvider(acme.TLSSNI01, tlsSniSolver{})
 		}
+
+		// Disable any challenges that should not be used
+		var disabledChallenges []acme.Challenge
+		if DisableHTTPChallenge {
+			disabledChallenges = append(disabledChallenges, acme.HTTP01)
+		}
+		if DisableTLSSNIChallenge {
+			disabledChallenges = append(disabledChallenges, acme.TLSSNI01)
+		}
+		if len(disabledChallenges) > 0 {
+			c.acmeClient.ExcludeChallenges(disabledChallenges)
+		}
 	} else {
 		// Otherwise, use DNS challenge exclusively


--- a/caddytls/httphandler.go
+++ b/caddytls/httphandler.go
@@ -20,6 +20,9 @@ func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, listenHost, al
 	if !strings.HasPrefix(r.URL.Path, challengeBasePath) {
 		return false
 	}
+	if DisableHTTPChallenge {
+		return false
+	}
 	if !namesObtaining.Has(r.Host) {
 		return false
 	}

--- a/caddytls/tls.go
+++ b/caddytls/tls.go
@@ -167,6 +167,12 @@ var (
 	// DefaultKeyType is used as the type of key for new certificates
 	// when no other key type is specified.
 	DefaultKeyType = acme.RSA2048
+
+	// DisableHTTPChallenge will disable all HTTP challenges.
+	DisableHTTPChallenge bool
+
+	// DisableTLSSNIChallenge will disable all TLS-SNI challenges.
+	DisableTLSSNIChallenge bool
 )

 var storageProviders = make(map[string]StorageConstructor)