1. 24 Feb, 2019 2 commits
  2. 13 Feb, 2019 1 commit
  3. 08 Feb, 2019 4 commits
    • Matt Holt's avatar
      caddytls: Change clustering to be a plugin to the caddytls package (#2459) · 1867ded1
      Matt Holt authored
      * caddytls: Change clustering to be a plugin to the caddytls package
      
      Should resolve the failure in
      https://github.com/coredns/coredns/pull/2541.
      
      This change is breaking to clustering plugin developers (not Caddy
      users), but logical, since only the caddytls package uses CertMagic
      directly (the httpserver package also uses it, but only because it also
      uses the caddytls plugin); and it is early enough that no clustering
      plugins really exist yet.
      
      This will also require a change of devportal
      so that it looks for a different registration function, which has moved
      to the caddytls package.
      
      * Remove unused variable
      
      * caddyhttp: Fix test (adjust plugin counting)
      
      * ummmm, remove extra line break
      
      somehow VS Code didn't fmt on save... weird.
      1867ded1
    • Matthew Holt's avatar
      ummmm, remove extra line break · 22db8bcf
      Matthew Holt authored
      somehow VS Code didn't fmt on save... weird.
      22db8bcf
    • Matthew Holt's avatar
      Remove unused variable · 7d737427
      Matthew Holt authored
      7d737427
    • Matthew Holt's avatar
      caddytls: Change clustering to be a plugin to the caddytls package · eac939e9
      Matthew Holt authored
      Should resolve the failure in
      https://github.com/coredns/coredns/pull/2541.
      
      This change is breaking to clustering plugin developers (not Caddy
      users), but logical, since only the caddytls package uses CertMagic
      directly (the httpserver package also uses it, but only because it also
      uses the caddytls plugin); and it is early enough that no clustering
      plugins really exist yet.
      
      This will also require a change of devportal
      so that it looks for a different registration function, which has moved
      to the caddytls package.
      eac939e9
  4. 28 Jan, 2019 1 commit
  5. 18 Jan, 2019 1 commit
  6. 20 Dec, 2018 1 commit
  7. 13 Dec, 2018 1 commit
  8. 11 Dec, 2018 2 commits
    • Matthew Holt's avatar
    • Matthew Holt's avatar
      Extract most of caddytls core code into external CertMagic package · e0f1a02c
      Matthew Holt authored
      All code relating to a caddytls.Config and setting it up from the
      Caddyfile is still intact; only the certificate management-related
      code was removed into a separate package.
      
      I don't expect this to build in CI successfully; updating dependencies
      and vendor is coming next.
      
      I've also removed the ad-hoc, half-baked storage plugins that we need
      to finish making first-class Caddy plugins (they were never documented
      anyway). The new certmagic package has a much better storage interface,
      and we can finally move toward making a new storage plugin type, but
      it shouldn't be configurable in the Caddyfile, I think, since it doesn't
      make sense for a Caddy instance to use more than one storage config...
      
      We also have the option of eliminating DNS provider plugins and just
      shipping all of lego's DNS providers by using a lego package (the
      caddytls/setup.go file has a comment describing how) -- but it doubles
      Caddy's binary size by 100% from about 19 MB to around 40 MB...!
      e0f1a02c
  9. 30 Oct, 2018 3 commits
    • Matthew Holt's avatar
    • Ruslan Drozhdzh's avatar
    • Eugen Kleiner's avatar
      caddy: Add OnRestartFailed callback (#2262) · 86060ef9
      Eugen Kleiner authored
      * Add callback OnRestartFailed to caddy.Controller
      
      * markdown: Fix 500 error (#2266)
      
      * Addressed the comments
      
      * Update paths for filebrowser plugins
      
      * httpserver: update minify ordering (#2273)
      
      * Bump required version of golang to 1.10 in README.md (#2267)
      
      Adding TLS client cert placeholders #2217 uses features of go
      v1.10.  Update README requirements accordingly.
      
      * Update CI to use Go 1.11
      
      * caddytls: gofmt (Go 1.11) (#2241)
      
      * Ensure assets path exists before writing UUID file
      
      * Adding {when_unix_ms} requests placeholder (unix timestamp with a milliseconds precision) (#2260)
      
      * update to quic-go v0.10.0 (#2288)
      
      quic-go now vendors all of its dependencies, so we don't need to vendor
      them here.
      
      Created by running:
      gvt delete github.com/lucas-clemente/quic-go
      gvt delete github.com/bifurcation/mint
      gvt delete github.com/lucas-clemente/aes12
      gvt delete github.com/lucas-clemente/fnv128a
      gvt delete github.com/lucas-clemente/quic-go-certificates
      gvt delete github.com/aead/chacha20
      gvt delete github.com/hashicorp/golang-lru
      gvt fetch -tag v0.10.0-no-integrationtests github.com/lucas-clemente/quic-go
      
      * fastcgi: Add default timeouts (#2265)
      
      Default fastcgi timeout is 60 seconds
      Add tests
      
      * Fix AppVeyor builds (#2289)
      
      * Attempting to fix AppVeyor builds
      
      * Trying again, 2015 image this time
      
      * Use Appveyor's Go 1.11 stack
      
      * Restore GOPATH\bin to PATH and delete old image config
      
      * Add gcc to path manually
      
      * Addressed the comments
      
      * Fix broken link to sourcegraph in README (#2285)
      
      * Fix deadlock, ensure instances mutex unlocked (#2296)
      
      it's a stupid mistake
      
      * proxy: Use DualStack=true in defaultDialer (#2305)
      
      * ci: get golint tool from `golang.org/x/lint/golint` (#2324)
      
      * templates: TLSVersion (#2323)
      
      * new template action: TLS protocol version
      
      * new template action: use caddytls.GetSupportedProtocolName
      
      Avoids code duplication by reusing existing method to get TLS protocol
      version used on connection. Also adds tests
      
      * Don't return error on onRestartFail. Only log it.
      86060ef9
  10. 18 Sep, 2018 1 commit
  11. 02 Apr, 2018 1 commit
  12. 24 Mar, 2018 1 commit
  13. 23 Mar, 2018 1 commit
  14. 21 Mar, 2018 1 commit
  15. 15 Feb, 2018 1 commit
    • Matthew Holt's avatar
      httpserver: Raise error when adjusted site addresses clash at startup · be96cc0e
      Matthew Holt authored
      See discussion on #2015 for how this situation was discovered. For a
      Caddyfile like this:
      
      	localhost {
      		...
      	}
      	:2015 {
      		...
      	}
      
      Running Caddy like this:
      
      	caddy -host localhost
      
      Produces two sites both defined as `localhost:2015` because the flag
      changes the default host value to be `localhost`. This should be an
      error since the sites are not distinct and it is confusing. It can also
      cause issues with TLS handshakes loading the wrong cert, as the linked
      discussion shows.
      be96cc0e
  16. 13 Feb, 2018 1 commit
  17. 10 Feb, 2018 1 commit
  18. 04 Feb, 2018 1 commit
    • Matthew Holt's avatar
      tls: Restructure and improve certificate management · fc2ff915
      Matthew Holt authored
      - Expose the list of Caddy instances through caddy.Instances()
      
      - Added arbitrary storage to caddy.Instance
      
      - The cache of loaded certificates is no longer global; now scoped
        per-instance, meaning upon reload (like SIGUSR1) the old cert cache
        will be discarded entirely, whereas before, aggressively reloading
        config that added and removed lots of sites would cause unnecessary
        build-up in the cache over time.
      
      - Key certificates in the cache by their SHA-256 hash instead of
        by their names. This means certificates will not be duplicated in
        memory (within each instance), making Caddy much more memory-efficient
        for large-scale deployments with thousands of sites sharing certs.
      
      - Perform name-to-certificate lookups scoped per caddytls.Config instead
        of a single global lookup. This prevents certificates from stepping on
        each other when they overlap in their names.
      
      - Do not allow TLS configurations keyed by the same hostname to be
        different; this now throws an error.
      
      - Updated relevant tests, with a stark awareness that more tests are
        needed.
      
      - Change the NewContext function signature to include an *Instance.
      
      - Strongly recommend (basically require) use of caddytls.NewConfig()
        to create a new *caddytls.Config, to ensure pointers to the instance
        certificate cache are initialized properly.
      
      - Update the TLS-SNI challenge solver (even though TLS-SNI is disabled
        currently on the CA side). Store temporary challenge cert in instance
        cache, but do so directly by the ACME challenge name, not the hash.
        Modified the getCertificate function to check the cache directly for
        a name match if one isn't found otherwise. This will allow any
        caddytls.Config to be able to help solve a TLS-SNI challenge, with one
        extra side-effect that might actually be kind of interesting (and
        useless): clients could send a certificate's hash as the SNI and
        Caddy would be able to serve that certificate for the handshake.
      
      - Do not attempt to match a "default" (random) certificate when SNI
        is present but unrecognized; return no certificate so a TLS alert
        happens instead.
      
      - Store an Instance in the list of instances even while the instance
        is still starting up (this allows access to the cert cache for
        performing renewals at startup, etc). Will be removed from list again
        if instance startup fails.
      
      - Laid groundwork for ACMEv2 and Let's Encrypt wildcard support.
      
      Server type plugins will need to be updated slightly to accommodate
      minor adjustments to their API (like passing in an Instance). This
      commit includes the changes for the HTTP server.
      
      Certain Caddyfile configurations might error out with this change, if
      they configured different TLS settings for the same hostname.
      
      This change trades some complexity for other complexity, but ultimately
      this new complexity is more correct and robust than earlier logic.
      
      Fixes #1991
      Fixes #1994
      Fixes #1303
      fc2ff915
  19. 07 Nov, 2017 1 commit
  20. 31 Oct, 2017 2 commits
  21. 02 Oct, 2017 1 commit
  22. 23 Sep, 2017 1 commit
  23. 12 Aug, 2017 1 commit
    • Matt Holt's avatar
      SIGUSR2 triggers graceful binary upgrades (spawns new process) (#1814) · 5e089630
      Matt Holt authored
      * SIGUSR2 triggers graceful binary upgrades (spawns new process)
      
      * Move some functions around, hopefully fixing Windows build
      
      * Clean up a couple file closes and add links to useful debugging thread
      
      * Use two underscores in upgrade env var
      
      To help ensure uniqueness / avoid possible collisions
      5e089630
  24. 30 Apr, 2017 1 commit
  25. 26 Apr, 2017 1 commit
  26. 20 Apr, 2017 1 commit
  27. 13 Mar, 2017 1 commit
  28. 11 Mar, 2017 1 commit
    • Toby Allen's avatar
      Fix issue #1346 {path} logging {uri} and add {rewrite_uri} placeholder (#1481) · cfe52084
      Toby Allen authored
      * Fixed issue with {path} actually {uri}
      
      * Test added for path rewrite
      
      * add in uri_escaped
      
      * added rewrite_uri and test
      
      * fix broken test.  Just checks for existance of rewrite header
      
      * gitignore
      
      * Use context to store uri value
      
      * ignore .vscode
      
      * tidy up, removal of comments and invalidated tests
      
      * Remove commented out code.
      
      * added comment as requested by lint
      
      * fixed spelling mistake
      
      * clarified code with variable name
      
      * added context for uri and test
      
      * added TODO comment to move consts
      cfe52084
  29. 28 Feb, 2017 1 commit
    • ericdreeves's avatar
      Use RequestURI when redirecting to canonical path. (#1331) · 0a0d2cc1
      ericdreeves authored
      * Use RequestURI when redirecting to canonical path.
      
      Caddy may trim a request's URL path when it starts with the path that's
      associated with the virtual host. This change uses the path from the request's
      RequestURI when performing a redirect.
      
      Fix issue #1327.
      
      * Rename redirurl to redirURL.
      
      * Redirect to the full URL.
      
      The scheme and host from the virtual host's site configuration is used
      in order to redirect to the full URL.
      
      * Add comment and remove redundant check.
      
      * Store the original URL path in request context.
      
      By storing the original URL path as a value in the request context,
      middlewares can access both it and the sanitized path. The default
      default FileServer handler will use the original URL on redirects.
      
      * Replace contextKey type with CtxKey.
      
      In addition to moving the CtxKey definition to the caddy package, this
      change updates the CtxKey references in the httpserver, fastcgi, and
      basicauth packages.
      
      * httpserver: Fix reference to CtxKey
      0a0d2cc1
  30. 17 Feb, 2017 1 commit
    • Matt Holt's avatar
      Detect HTTPS interception (#1430) · 82cbd7a9
      Matt Holt authored
      * WIP: Implement HTTPS interception detection by Durumeric, et. al.
      
      Special thanks to @FiloSottile for guidance with the custom listener.
      
      * Add {{.IsMITM}} context action and {mitm} placeholder
      
      * Improve MITM detection heuristics for Firefox and Edge
      
      * Add tests for MITM detection heuristics
      
      * Improve Safari heuristics for interception detection
      
      * Read ClientHello during first Read() instead of during Accept()
      
      As far as I can tell, reading the ClientHello during Accept() prevents
      new connections from being accepted during the read. Since Read() should
      be called in its own goroutine, this keeps Accept() non-blocking.
      
      * Clean up MITM detection handler; make possible to close connection
      
      * Use standard lib cipher suite values when possible
      
      * Improve Edge heuristics and test cases
      
      * Refactor MITM checking logic; add some debug statements for now
      
      * Fix bug in MITM heuristic tests and actual heuristic code
      
      * Fix gofmt
      
      * Remove debug statements; preparing for merge
      82cbd7a9
  31. 24 Jan, 2017 1 commit
  32. 14 Jan, 2017 1 commit
    • Toby Allen's avatar
      Add a cli parameter to -validate a Caddyfile. Issue #1328 (#1344) · 21d92d68
      Toby Allen authored
      * Allow -validate flag to validate caddyfile and return
      
      * Ensure logging without -log flag
      
      * Changes to validate seperatly to Starup func
      
      * Removed change to Start signature.  Created function to ValidateCaddyfile
      
      * comment and tidyup
      
      * ValidateandExecuteDirectives with justValidate option
      
      * remove debugging code
      
      * Tidy up comments
      
      * additional parameter added to calls to mustLogFataf
      
      * ValidateAndExecuteDirectives needs to only return err
      21d92d68