- 10 Mar, 2017 5 commits
-
-
Leonard Hecker authored
* Fixed #1484
  Fixed a nil pointer runtime error in newConnHijackerTransport, where the access to the TLSClientConfig did not check for nil values.
* Minor improvement to UseInsecureTransport
  This prevents overwriting a possibly preexisting TLSClientConfig, even though only a single field should be changed.
-
Nathan Caza authored
* add support for listener middleware
* add proxyprotocol directive
* make caddy.Listener interface required
* Remove tcpKeepAliveListener wrapper from Serve()
  This is now done in the Listen() function, along with other potential middleware.
-
ssut authored
* Fix for missing content-length header when using QUIC
  If request.ContentLength is set then it will be used instead of getting it from the request.Header map, since quic-go (lucas-clemente/quic-go@bb24be8) will not store (and pass) the Content-Length header using its header map. This fixes a potential issue where FastCGI POST request bodies are empty when QUIC is enabled. (#1370)
* Change the data type for fastcgi contentLength to int64
  quic-go uses int64 for contentLength
* Fix an error for undeclared variable
* Fix test for fcgiclient: the data type for contentLength
-
Matt Holt authored
Log certificate location
-
Matt Holt authored
templates: Set MIME type
-
- 09 Mar, 2017 1 commit
-
-
Kurt Jung authored
* Support realms with basic authentication
* Add test for default basicauth directive in which realm is not specified
* Correct typo: missing space
* Remove 'path' subdirective
-
- 08 Mar, 2017 1 commit
-
-
Matthew Holt authored
This could have just as easily been a tls directive property in the Caddyfile, but I figure if these challenges are being disabled, it's because of port availability or process privileges, both of which would affect all sites served by this process. The names of the flags are long but descriptive. I've never needed this but I hear of quite a few people who say they need this ability, so here it is.
-
- 07 Mar, 2017 6 commits
-
-
Matt Holt authored
httpserver: Flags to customize HTTP and HTTPS ports (including for ACME challenges)
-
Matt Holt authored
Adding ServerIP context
-
Jiri Tyr authored
-
crvv authored
If gzip and templates are used at the same time, the response body will be gzipped data. In this case, the Content-Type header won't be set by Caddy code, so the Go http package will set "Content-Type" to the wrong value "application/x-gzip", which is determined from the response body. So the Content-Type header should be set in the templates middleware.
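The sniffing behaviour this commit works around can be reproduced with Go's standard library alone. The following is an added example, not code from Caddy; `page` is a constructed stand-in for rendered template output, and `explicitHandler` plays the role of a templates middleware that sets Content-Type before a gzip middleware compresses the body.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// page is constructed sample output standing in for a rendered template.
const page = "<html><body><h1>hello</h1></body></html>"

// writeGzipped compresses body onto w the way a gzip middleware would.
// gzip.Writer emits its 10-byte header (starting 1f 8b 08) on the first
// write, so those are the first bytes any sniffer downstream of it sees.
func writeGzipped(w io.Writer, body string) error {
	gz := gzip.NewWriter(w)
	if _, err := gz.Write([]byte(body)); err != nil {
		return err
	}
	return gz.Close()
}

// PlainType is what the sniffer reports for the uncompressed body.
func PlainType(body string) string {
	return http.DetectContentType([]byte(body))
}

// SniffedType gzips body and applies the sniff net/http falls back to when a
// handler never sets Content-Type: http.DetectContentType over at most the
// first 512 bytes written. The gzip magic matches first, so the result is
// "application/x-gzip" regardless of what was compressed.
func SniffedType(body string) (string, error) {
	var buf bytes.Buffer
	if err := writeGzipped(&buf, body); err != nil {
		return "", err
	}
	b := buf.Bytes()
	if len(b) > 512 {
		b = b[:512]
	}
	return http.DetectContentType(b), nil
}

// explicitHandler does what the commit makes the templates middleware do:
// set Content-Type before the first write, so the sniffer is never consulted
// even though the bytes on the wire are gzip.
func explicitHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Content-Encoding", "gzip")
	if err := writeGzipped(w, page); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
	}
}

// ContentTypeOf serves one GET to h and returns the Content-Type it produced.
func ContentTypeOf(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Result().Header.Get("Content-Type")
}

func main() {
	plain := PlainType(page)
	sniffed, _ := SniffedType(page)
	fmt.Println("uncompressed body sniffs as:", plain)
	fmt.Println("gzipped body sniffs as:     ", sniffed)
	fmt.Println("explicit header survives as:", ContentTypeOf(explicitHandler))
}
```

The ordering is the whole point: any middleware that changes the bytes on the wire (compression, encryption) has to run after the one that knows the real type, or the real type has to be recorded in the header before the first write. A browser handed "application/x-gzip" for an HTML page will offer a download instead of rendering it, and a mislabelled type is also what content-sniffing protections such as `X-Content-Type-Options: nosniff` are meant to lock down.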
-
Matthew Holt authored
See: https://forum.caddyserver.com/t/reloading-template-files-as-they-change/1483/3?u=matt The server takes a moment to start; if USR1 is received before the instance is saved, it would panic because no instances have been saved. Instead, we just ignore the signal since no config has finished loading.
-
Matthew Holt authored
This commit removes _almost_ all instances of hard-coded ports 80 and 443 strings, and now allows the user to define what the HTTP and HTTPS ports are by the -http-port and -https-ports flags. (One instance of "80" is still hard-coded in tls.go because it cannot import httpserver to get access to the HTTP port variable. I don't suspect this will be a problem in practice, but one workaround would be to define an exported variable in the caddytls package and let the httpserver package set it as well as its own HTTPPort variable.) The port numbers required by the ACME challenges HTTP-01 and TLS-SNI-01 are hard-coded into the spec as ports 80 and 443 for good reasons, but the big question is whether they necessarily need to be the HTTP and HTTPS ports. Although the answer is probably no, they chose those ports for convenience and widest compatibility/deployability. So this commit also assumes that the "HTTP port" is necessarily the same port on which to serve the HTTP-01 challenge, and the "HTTPS port" is necessarily the same one on which to serve the TLS-SNI-01 challenge. In other words, changing the HTTP and HTTPS ports also changes the ports the challenges will be served on. If you change the HTTP and HTTPS ports, you are responsible for configuring your system to forward ports 80 and 443 properly. Closes #918 and closes #1293. Also related: #468.
-
- 06 Mar, 2017 1 commit
-
-
Toby Allen authored
-
- 03 Mar, 2017 1 commit
-
-
Samuel BERTHE authored
* feat(request placeholders): adds {?arg}
* test(request placeholders): test query argument extractor {?arg}
-
- 28 Feb, 2017 2 commits
-
-
ericdreeves authored
* Use RequestURI when redirecting to canonical path.
  Caddy may trim a request's URL path when it starts with the path that's associated with the virtual host. This change uses the path from the request's RequestURI when performing a redirect. Fix issue #1327.
* Rename redirurl to redirURL.
* Redirect to the full URL.
  The scheme and host from the virtual host's site configuration is used in order to redirect to the full URL.
* Add comment and remove redundant check.
* Store the original URL path in request context.
  By storing the original URL path as a value in the request context, middlewares can access both it and the sanitized path. The default FileServer handler will use the original URL on redirects.
* Replace contextKey type with CtxKey.
  In addition to moving the CtxKey definition to the caddy package, this change updates the CtxKey references in the httpserver, fastcgi, and basicauth packages.
* httpserver: Fix reference to CtxKey
-
Matthew Holt authored
-
- 22 Feb, 2017 3 commits
-
-
Matthew Holt authored
-
Matthew Holt authored
Timeouts are important for mitigating slowloris, yes. But after a number of complaints and seeing that default timeouts are a sore point of confusion, we're disabling them now. However, the code that sets default timeouts remains intact; the defaults are just the zero value. While Caddy aims to be secure by default, Caddy also aims to serve a worldwide audience. Even my own internet here in Utah is poor at times, with bad WiFi signal, causing some connections to take over 10s to be established. Many use the Internet while commuting on slower connection speeds. Latency across country borders is another concern. As such, disabling default timeouts will serve a greater population of users than enabling them, as slowloris is easy to mitigate and does not seem to be reported often (I've only seen it once). It's also very difficult sometimes to distinguish slowloris from genuine slow networks. That decision is best left to the site owner for now.
-
Matthew Holt authored
-
- 21 Feb, 2017 2 commits
-
-
Matthew Holt authored
-
Matt Holt authored
* tls: Refactor TLS config innards with a few minor syntax changes
  muststaple -> must_staple
  "http2 off" -> "alpn" with list of ALPN values
* Fix typo
* Fix QUIC handler
* Inline struct field assignments
-
- 20 Feb, 2017 3 commits
-
-
Matt Holt authored
-
Toby Allen authored
Revert removed method IncrNest
-
Mateusz Gajewski authored
-
- 19 Feb, 2017 1 commit
-
-
Mateusz Gajewski authored
* Disable TLS completely if there is no listener with tls enabled
* Format code
-
- 18 Feb, 2017 4 commits
-
-
Rick Beton authored
* Revised fileserver Accept-Encoding and ETag
* calculateEtag improved following microbenchmarking
-
Mateusz Gajewski authored
* Push down headers from client
* Push first, serve later
* After review fixes
-
Matthew Holt authored
-
Mateusz Gajewski authored
* Remove manual TLS clone method
* WiP tls
* Use GetClientConfig for tls.Config
* gofmt -s -w
* GetConfig
* Handshake
* Removed comment
* Disable HTTP2 on demand
* Remove junk
* Remove http2 enable (no-op)
-
- 17 Feb, 2017 7 commits
-
-
Kurt Jung authored
* Store name of authenticated user in basicauth for use by upstream middleware such as fastcgi and cgi.
* Use request context to transfer name of authorized user from basicauth to upstream middleware. Test retrieval of name from context.
* Remove development code that was inadvertently left in place
* Use keys of type httpserver.CtxKey to access Context values
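The pattern in this commit (and in the CtxKey change of 28 Feb above) is a basic-auth middleware that hands the verified user name to later handlers through the request context under a dedicated key type. The following is an added example written for this page, not Caddy's own basicauth or fastcgi code; the `users` table, the `whoami` handler and the `Exercise` driver are constructed for illustration, and `CtxKey`/`UserKey` mirror the role of Caddy's `httpserver.CtxKey` rather than reproducing it.

```go
package main

import (
	"context"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CtxKey is a dedicated key type for context values. A bare string key could
// be written or read by any package that happens to use the same string; a
// distinct named type means only code that references this type can touch it.
type CtxKey string

// UserKey holds the authenticated user name once basic auth has succeeded.
const UserKey CtxKey = "user"

// users is a constructed credential table for the example (hypothetical).
var users = map[string]string{"alice": "correct horse battery"}

// checkCredentials compares in constant time so that timing does not reveal
// how much of the password matched.
func checkCredentials(user, pass string) bool {
	want, ok := users[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(pass)) == 1
}

// BasicAuth rejects requests without valid credentials and, on success, stores
// the user name in the request context for handlers further down the chain.
func BasicAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !checkCredentials(user, pass) {
			w.Header().Set("WWW-Authenticate", `Basic realm="example"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		ctx := context.WithValue(r.Context(), UserKey, user)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// UserFromContext is the read side an upstream middleware (fastcgi, cgi)
// would use; the type assertion fails cleanly if nothing was stored.
func UserFromContext(ctx context.Context) (string, bool) {
	u, ok := ctx.Value(UserKey).(string)
	return u, ok
}

// whoami stands in for a downstream handler that needs the user name, e.g.
// to populate REMOTE_USER for a CGI/FastCGI backend.
var whoami = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	u, ok := UserFromContext(r.Context())
	if !ok {
		http.Error(w, "no authenticated user in context", http.StatusInternalServerError)
		return
	}
	fmt.Fprintf(w, "REMOTE_USER=%s", u)
})

// Exercise sends one request through BasicAuth -> whoami and returns the
// status code and body. An empty user means "send no Authorization header".
func Exercise(user, pass string) (int, string) {
	req := httptest.NewRequest("GET", "/", nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	BasicAuth(whoami).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

// BareStringLookup shows why the key type matters: a lookup with the plain
// string "user" does not find the value stored under CtxKey("user").
func BareStringLookup() (typed, bare bool) {
	ctx := context.WithValue(context.Background(), UserKey, "alice")
	_, typed = ctx.Value(UserKey).(string)
	_, bare = ctx.Value("user").(string)
	return typed, bare
}

func main() {
	code, body := Exercise("alice", "correct horse battery")
	fmt.Println(code, body)
	code, body = Exercise("alice", "wrong")
	fmt.Println(code, body)
	t, b := BareStringLookup()
	fmt.Println("typed key found:", t, "bare string found:", b)
}
```

Because the downstream handler only ever learns the name from a value the auth middleware placed in the context, nothing a client sends in headers can impersonate an authenticated user; the typed key keeps that channel private to code that deliberately references `CtxKey`.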
-
Matt Holt authored
* WIP: Implement HTTPS interception detection by Durumeric, et. al.
  Special thanks to @FiloSottile for guidance with the custom listener.
* Add {{.IsMITM}} context action and {mitm} placeholder
* Improve MITM detection heuristics for Firefox and Edge
* Add tests for MITM detection heuristics
* Improve Safari heuristics for interception detection
* Read ClientHello during first Read() instead of during Accept()
  As far as I can tell, reading the ClientHello during Accept() prevents new connections from being accepted during the read. Since Read() should be called in its own goroutine, this keeps Accept() non-blocking.
* Clean up MITM detection handler; make possible to close connection
* Use standard lib cipher suite values when possible
* Improve Edge heuristics and test cases
* Refactor MITM checking logic; add some debug statements for now
* Fix bug in MITM heuristic tests and actual heuristic code
* Fix gofmt
* Remove debug statements; preparing for merge
-
Mateusz Gajewski authored
* WIP
* HTTP2/Push for golang 1.8
* Push plugin completed for review
* Correct build tag
* Move push plugin position
* Add build tags to tests
* Gofmt that code
* Add header/method validations
* Load push plugin
* Fixes for wrapping writers
* Push after delivering file
* Fixes, review changes
* Remove build tags, support new syntax
* Fix spelling
* gofmt -s -w .
* Gogland time
* Add interface guards
* gofmt
* After review fixes
-
elcore authored
-
Matt Holt authored
proxy: handle encoded path in URL
-
Tw authored
fix issue #1362
Signed-off-by: Tw <tw19881113@gmail.com>
-
elcore authored
* Implement curve X25519
* caddytls: Added a default curves list
* caddytls: Improve tests
-
- 16 Feb, 2017 3 commits