2019-07-01 00:07:58 +02:00
// Copyright 2015 Matthew Holt and The Caddy Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
2019-03-26 19:00:54 +01:00
package caddyhttp
import (
2019-08-09 20:05:47 +02:00
"bytes"
2019-03-27 02:42:52 +01:00
"context"
2019-04-25 21:54:48 +02:00
"crypto/tls"
2019-08-09 20:05:47 +02:00
"encoding/json"
2019-03-26 22:45:51 +01:00
"fmt"
2019-08-09 20:05:47 +02:00
"io"
2019-05-20 23:46:34 +02:00
weakrand "math/rand"
2019-03-26 22:45:51 +01:00
"net"
"net/http"
"strconv"
"strings"
"time"
2019-03-26 19:00:54 +01:00
2019-07-02 20:37:06 +02:00
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/modules/caddytls"
2019-09-10 16:03:37 +02:00
"github.com/lucas-clemente/quic-go/http3"
2019-04-25 21:54:48 +02:00
"github.com/mholt/certmagic"
2019-10-28 21:39:37 +01:00
"go.uber.org/zap"
2019-03-26 19:00:54 +01:00
)
func init ( ) {
2019-05-20 23:46:34 +02:00
weakrand . Seed ( time . Now ( ) . UnixNano ( ) )
2019-04-25 21:54:48 +02:00
2019-08-21 18:46:35 +02:00
err := caddy . RegisterModule ( App { } )
2019-03-26 19:00:54 +01:00
if err != nil {
2019-10-28 21:39:37 +01:00
caddy . Log ( ) . Fatal ( err . Error ( ) )
2019-03-26 19:00:54 +01:00
}
}
2019-12-29 21:16:34 +01:00
// App is a robust, production-ready HTTP server.
//
// HTTPS is enabled by default if host matchers with qualifying names are used
// in any of routes; certificates are automatically provisioned and renewed.
// Additionally, automatic HTTPS will also enable HTTPS for servers that listen
// only on the HTTPS port but which do not have any TLS connection policies
// defined by adding a good, default TLS connection policy.
//
// In HTTP routes, additional placeholders are available:
//
// Placeholder | Description
// ------------|---------------
// `{http.request.cookie.*}` | HTTP request cookie
// `{http.request.header.*}` | Specific request header field
// `{http.request.host.labels.*}` | Request host labels (0-based from right); e.g. for foo.example.com: 0=com, 1=example, 2=foo
// `{http.request.host}` | The host part of the request's Host header
// `{http.request.hostport}` | The host and port from the request's Host header
// `{http.request.method}` | The request method
// `{http.request.orig.method}` | The request's original method
// `{http.request.orig.path.dir}` | The request's original directory
// `{http.request.orig.path.file}` | The request's original filename
// `{http.request.orig.uri.path}` | The request's original path
// `{http.request.orig.uri.query_string}` | The request's original full query string (with `?`)
// `{http.request.orig.uri.query}` | The request's original query string (without `?`)
// `{http.request.orig.uri}` | The request's original URI
// `{http.request.port}` | The port part of the request's Host header
// `{http.request.proto}` | The protocol of the request
// `{http.request.remote.host}` | The host part of the remote client's address
// `{http.request.remote.port}` | The port part of the remote client's address
// `{http.request.remote}` | The address of the remote client
// `{http.request.scheme}` | The request scheme
// `{http.request.uri.path.*}` | Parts of the path, split by `/` (0-based from left)
// `{http.request.uri.path.dir}` | The directory, excluding leaf filename
// `{http.request.uri.path.file}` | The filename of the path, excluding directory
// `{http.request.uri.path}` | The path component of the request URI
// `{http.request.uri.query_string}` | The full query string (with `?`)
// `{http.request.uri.query.*}` | Individual query string value
// `{http.request.uri.query}` | The query string (without `?`)
// `{http.request.uri}` | The full request URI
// `{http.response.header.*}` | Specific response header field
// `{http.vars.*}` | Custom variables in the HTTP handler chain
2019-05-14 22:14:05 +02:00
type App struct {
2019-12-10 21:36:46 +01:00
// HTTPPort specifies the port to use for HTTP (as opposed to HTTPS),
// which is used when setting up HTTP->HTTPS redirects or ACME HTTP
// challenge solvers. Default: 80.
HTTPPort int ` json:"http_port,omitempty" `
// HTTPSPort specifies the port to use for HTTPS, which is used when
// solving the ACME TLS-ALPN challenges, or whenever HTTPS is needed
// but no specific port number is given. Default: 443.
HTTPSPort int ` json:"https_port,omitempty" `
// GracePeriod is how long to wait for active connections when shutting
// down the server. Once the grace period is over, connections will
// be forcefully closed.
GracePeriod caddy . Duration ` json:"grace_period,omitempty" `
// Servers is the list of servers, keyed by arbitrary names chosen
// at your discretion for your own convenience; the keys do not
// affect functionality.
Servers map [ string ] * Server ` json:"servers,omitempty" `
2019-03-27 02:42:52 +01:00
2019-09-10 16:03:37 +02:00
servers [ ] * http . Server
h3servers [ ] * http3 . Server
h3listeners [ ] net . PacketConn
2019-05-17 00:05:38 +02:00
2019-10-28 21:39:37 +01:00
ctx caddy . Context
logger * zap . Logger
2019-03-26 19:00:54 +01:00
}
2019-08-21 18:46:35 +02:00
// CaddyModule returns the Caddy module information.
func ( App ) CaddyModule ( ) caddy . ModuleInfo {
return caddy . ModuleInfo {
2019-12-10 21:36:46 +01:00
ID : "http" ,
New : func ( ) caddy . Module { return new ( App ) } ,
2019-08-21 18:46:35 +02:00
}
}
2019-05-14 22:14:05 +02:00
// Provision sets up the app.
2019-06-14 19:58:28 +02:00
func ( app * App ) Provision ( ctx caddy . Context ) error {
2019-05-17 00:05:38 +02:00
app . ctx = ctx
2019-10-28 21:39:37 +01:00
app . logger = ctx . Logger ( app )
2019-05-17 00:05:38 +02:00
2019-06-14 19:58:28 +02:00
repl := caddy . NewReplacer ( )
2019-05-20 18:59:20 +02:00
2019-10-28 21:39:37 +01:00
for srvName , srv := range app . Servers {
srv . logger = app . logger . Named ( "log" )
srv . errorLogger = app . logger . Named ( "log.error" )
2019-11-16 01:01:07 +01:00
// only enable access logs if configured
if srv . Logs != nil {
srv . accessLogger = app . logger . Named ( "log.access" )
}
2019-06-26 18:49:32 +02:00
if srv . AutoHTTPS == nil {
// avoid nil pointer dereferences
srv . AutoHTTPS = new ( AutoHTTPSConfig )
}
2019-09-18 07:13:21 +02:00
// if not explicitly configured by the user, disallow TLS
// client auth bypass (domain fronting) which could
// otherwise be exploited by sending an unprotected SNI
// value during a TLS handshake, then putting a protected
// domain in the Host header after establishing connection;
// this is a safe default, but we allow users to override
// it for example in the case of running a proxy where
// domain fronting is desired and access is not restricted
// based on hostname
if srv . StrictSNIHost == nil && srv . hasTLSClientAuth ( ) {
trueBool := true
srv . StrictSNIHost = & trueBool
2019-09-03 17:35:36 +02:00
}
2019-05-20 18:59:20 +02:00
for i := range srv . Listen {
2019-10-28 21:39:37 +01:00
lnOut , err := repl . ReplaceOrErr ( srv . Listen [ i ] , true , true )
if err != nil {
return fmt . Errorf ( "server %s, listener %d: %v" ,
srvName , i , err )
}
srv . Listen [ i ] = lnOut
2019-05-20 18:59:20 +02:00
}
2019-06-26 18:49:32 +02:00
2019-05-22 21:13:39 +02:00
if srv . Routes != nil {
err := srv . Routes . Provision ( ctx )
if err != nil {
2019-10-28 21:39:37 +01:00
return fmt . Errorf ( "server %s: setting up server routes: %v" , srvName , err )
2019-05-22 21:13:39 +02:00
}
2019-04-12 04:42:55 +02:00
}
2019-06-26 18:49:32 +02:00
2019-05-22 21:13:39 +02:00
if srv . Errors != nil {
err := srv . Errors . Routes . Provision ( ctx )
if err != nil {
2019-10-28 21:39:37 +01:00
return fmt . Errorf ( "server %s: setting up server error handling routes: %v" , srvName , err )
2019-05-22 21:13:39 +02:00
}
2019-04-01 04:41:29 +02:00
}
2019-07-12 06:02:47 +02:00
if srv . MaxRehandles == nil {
srv . MaxRehandles = & DefaultMaxRehandles
}
2019-04-25 21:54:48 +02:00
}
2019-04-01 04:41:29 +02:00
2019-04-25 21:54:48 +02:00
return nil
}
2019-05-14 22:14:05 +02:00
// Validate ensures the app's configuration is valid.
2019-05-17 00:05:38 +02:00
func ( app * App ) Validate ( ) error {
2019-05-07 17:56:13 +02:00
// each server must use distinct listener addresses
lnAddrs := make ( map [ string ] string )
2019-05-17 00:05:38 +02:00
for srvName , srv := range app . Servers {
2019-05-07 17:56:13 +02:00
for _ , addr := range srv . Listen {
2019-11-11 23:33:38 +01:00
listenAddr , err := caddy . ParseNetworkAddress ( addr )
2019-05-07 17:56:13 +02:00
if err != nil {
return fmt . Errorf ( "invalid listener address '%s': %v" , addr , err )
}
2019-11-11 23:33:38 +01:00
// check that every address in the port range is unique to this server;
// we do not use <= here because PortRangeSize() adds 1 to EndPort for us
for i := uint ( 0 ) ; i < listenAddr . PortRangeSize ( ) ; i ++ {
addr := caddy . JoinNetworkAddress ( listenAddr . Network , listenAddr . Host , strconv . Itoa ( int ( listenAddr . StartPort + i ) ) )
if sn , ok := lnAddrs [ addr ] ; ok {
return fmt . Errorf ( "server %s: listener address repeated: %s (already claimed by server '%s')" , srvName , addr , sn )
2019-05-07 17:56:13 +02:00
}
2019-11-11 23:33:38 +01:00
lnAddrs [ addr ] = srvName
2019-05-07 17:56:13 +02:00
}
}
}
2019-05-20 18:59:20 +02:00
// each server's max rehandle value must be valid
for srvName , srv := range app . Servers {
2019-07-12 06:02:47 +02:00
if srv . MaxRehandles != nil && * srv . MaxRehandles < 0 {
return fmt . Errorf ( "%s: invalid max_rehandles value: %d" , srvName , * srv . MaxRehandles )
2019-05-20 18:59:20 +02:00
}
}
2019-05-07 17:56:13 +02:00
return nil
}
2019-05-14 22:14:05 +02:00
// Start runs the app. It sets up automatic HTTPS if enabled.
2019-05-17 00:05:38 +02:00
func ( app * App ) Start ( ) error {
err := app . automaticHTTPS ( )
2019-04-25 21:54:48 +02:00
if err != nil {
2019-05-21 01:15:38 +02:00
return fmt . Errorf ( "enabling automatic HTTPS: %v" , err )
2019-04-25 21:54:48 +02:00
}
2019-05-17 00:05:38 +02:00
for srvName , srv := range app . Servers {
2019-03-27 02:42:52 +01:00
s := & http . Server {
2019-03-26 22:45:51 +01:00
ReadTimeout : time . Duration ( srv . ReadTimeout ) ,
ReadHeaderTimeout : time . Duration ( srv . ReadHeaderTimeout ) ,
2019-05-23 21:16:34 +02:00
WriteTimeout : time . Duration ( srv . WriteTimeout ) ,
IdleTimeout : time . Duration ( srv . IdleTimeout ) ,
MaxHeaderBytes : srv . MaxHeaderBytes ,
2019-04-01 04:41:29 +02:00
Handler : srv ,
2019-03-26 22:45:51 +01:00
}
for _ , lnAddr := range srv . Listen {
2019-11-11 23:33:38 +01:00
listenAddr , err := caddy . ParseNetworkAddress ( lnAddr )
2019-03-26 22:45:51 +01:00
if err != nil {
2019-04-25 21:54:48 +02:00
return fmt . Errorf ( "%s: parsing listen address '%s': %v" , srvName , lnAddr , err )
2019-03-26 22:45:51 +01:00
}
2019-12-01 01:53:25 +01:00
for i := uint ( 0 ) ; i < listenAddr . PortRangeSize ( ) ; i ++ {
2019-11-11 23:33:38 +01:00
hostport := listenAddr . JoinHostPort ( i )
ln , err := caddy . Listen ( listenAddr . Network , hostport )
2019-03-26 22:45:51 +01:00
if err != nil {
2019-11-11 23:33:38 +01:00
return fmt . Errorf ( "%s: listening on %s: %v" , listenAddr . Network , hostport , err )
2019-03-26 22:45:51 +01:00
}
2019-04-25 21:54:48 +02:00
2019-09-03 17:35:36 +02:00
// enable HTTP/2 by default
2019-04-25 21:54:48 +02:00
for _ , pol := range srv . TLSConnPolicies {
if len ( pol . ALPN ) == 0 {
pol . ALPN = append ( pol . ALPN , defaultALPN ... )
}
}
// enable TLS
2019-11-11 23:33:38 +01:00
if len ( srv . TLSConnPolicies ) > 0 && int ( i ) != app . httpPort ( ) {
2019-05-17 00:05:38 +02:00
tlsCfg , err := srv . TLSConnPolicies . TLSConfig ( app . ctx )
2019-04-25 21:54:48 +02:00
if err != nil {
2019-11-11 23:33:38 +01:00
return fmt . Errorf ( "%s/%s: making TLS configuration: %v" , listenAddr . Network , hostport , err )
2019-04-25 21:54:48 +02:00
}
ln = tls . NewListener ( ln , tlsCfg )
2019-09-10 16:03:37 +02:00
/////////
// TODO: HTTP/3 support is experimental for now
if srv . ExperimentalHTTP3 {
2019-10-28 21:39:37 +01:00
app . logger . Info ( "enabling experimental HTTP/3 listener" ,
2019-11-11 23:33:38 +01:00
zap . String ( "addr" , hostport ) ,
2019-10-28 21:39:37 +01:00
)
2019-11-11 23:33:38 +01:00
h3ln , err := caddy . ListenPacket ( "udp" , hostport )
2019-09-10 16:03:37 +02:00
if err != nil {
return fmt . Errorf ( "getting HTTP/3 UDP listener: %v" , err )
}
h3srv := & http3 . Server {
Server : & http . Server {
2019-11-11 23:33:38 +01:00
Addr : hostport ,
2019-09-10 16:03:37 +02:00
Handler : srv ,
TLSConfig : tlsCfg ,
} ,
}
go h3srv . Serve ( h3ln )
app . h3servers = append ( app . h3servers , h3srv )
app . h3listeners = append ( app . h3listeners , h3ln )
2019-09-12 02:49:21 +02:00
srv . h3server = h3srv
2019-09-10 16:03:37 +02:00
}
/////////
2019-04-25 21:54:48 +02:00
}
2019-03-26 22:45:51 +01:00
go s . Serve ( ln )
2019-05-17 00:05:38 +02:00
app . servers = append ( app . servers , s )
2019-03-26 22:45:51 +01:00
}
}
}
return nil
}
2019-05-07 17:56:13 +02:00
// Stop gracefully shuts down the HTTP server.
2019-05-17 00:05:38 +02:00
func ( app * App ) Stop ( ) error {
2019-05-07 17:56:13 +02:00
ctx := context . Background ( )
2019-05-17 00:05:38 +02:00
if app . GracePeriod > 0 {
2019-05-07 17:56:13 +02:00
var cancel context . CancelFunc
2019-05-17 00:05:38 +02:00
ctx , cancel = context . WithTimeout ( ctx , time . Duration ( app . GracePeriod ) )
2019-05-07 17:56:13 +02:00
defer cancel ( )
}
2019-05-17 00:05:38 +02:00
for _ , s := range app . servers {
2019-05-07 17:56:13 +02:00
err := s . Shutdown ( ctx )
2019-03-27 02:42:52 +01:00
if err != nil {
return err
}
}
2019-09-10 16:03:37 +02:00
// TODO: Closing the http3.Server is the right thing to do,
// however, doing so sometimes causes connections from clients
// to fail after config reloads due to a bug that is yet
// unsolved: https://github.com/caddyserver/caddy/pull/2727
// for _, s := range app.h3servers {
// // TODO: CloseGracefully, once implemented upstream
// // (see https://github.com/lucas-clemente/quic-go/issues/2103)
// err := s.Close()
// if err != nil {
// return err
// }
// }
// as of September 2019, closing the http3.Server
// instances doesn't close their underlying listeners
// so we have todo that ourselves
// (see https://github.com/lucas-clemente/quic-go/issues/2103)
for _ , pc := range app . h3listeners {
err := pc . Close ( )
if err != nil {
return err
}
}
2019-03-27 02:42:52 +01:00
return nil
}
2019-05-17 00:05:38 +02:00
func ( app * App ) automaticHTTPS ( ) error {
tlsAppIface , err := app . ctx . App ( "tls" )
2019-04-29 17:22:00 +02:00
if err != nil {
return fmt . Errorf ( "getting tls app: %v" , err )
}
tlsApp := tlsAppIface . ( * caddytls . TLS )
2019-04-25 21:54:48 +02:00
2019-09-19 02:01:32 +02:00
// this map will store associations of HTTP listener
// addresses to the routes that do HTTP->HTTPS redirects
lnAddrRedirRoutes := make ( map [ string ] Route )
2019-05-07 17:56:13 +02:00
2019-10-14 19:29:36 +02:00
repl := caddy . NewReplacer ( )
2019-05-17 00:05:38 +02:00
for srvName , srv := range app . Servers {
2019-04-25 21:54:48 +02:00
srv . tlsApp = tlsApp
2019-06-26 18:49:32 +02:00
if srv . AutoHTTPS . Disabled {
2019-04-25 21:54:48 +02:00
continue
}
2019-05-22 22:14:26 +02:00
// skip if all listeners use the HTTP port
2019-09-19 02:01:32 +02:00
if ! srv . listenersUseAnyPortOtherThan ( app . httpPort ( ) ) {
2019-10-28 21:39:37 +01:00
app . logger . Info ( "server is only listening on the HTTP port, so no automatic HTTPS will be applied to this server" ,
zap . String ( "server_name" , srvName ) ,
zap . Int ( "http_port" , app . httpPort ( ) ) ,
)
2019-05-22 22:14:26 +02:00
continue
}
2019-12-29 07:56:08 +01:00
// if all listeners are on the HTTPS port, make sure
// there is at least one TLS connection policy; it
// should be obvious that they want to use TLS without
// needing to specify one empty policy to enable it
if ! srv . listenersUseAnyPortOtherThan ( app . httpsPort ( ) ) && len ( srv . TLSConnPolicies ) == 0 {
app . logger . Info ( "server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS" ,
zap . String ( "server_name" , srvName ) ,
zap . Int ( "https_port" , app . httpsPort ( ) ) ,
)
srv . TLSConnPolicies = append ( srv . TLSConnPolicies , new ( caddytls . ConnectionPolicy ) )
}
2019-04-29 17:22:00 +02:00
// find all qualifying domain names, de-duplicated
2019-04-25 21:54:48 +02:00
domainSet := make ( map [ string ] struct { } )
2019-10-28 21:39:37 +01:00
for routeIdx , route := range srv . Routes {
for matcherSetIdx , matcherSet := range route . MatcherSets {
for matcherIdx , m := range matcherSet {
2019-05-22 21:13:39 +02:00
if hm , ok := m . ( * MatchHost ) ; ok {
2019-10-28 21:39:37 +01:00
for hostMatcherIdx , d := range * hm {
d , err = repl . ReplaceOrErr ( d , true , false )
if err != nil {
return fmt . Errorf ( "%s: route %d, matcher set %d, matcher %d, host matcher %d: %v" ,
srvName , routeIdx , matcherSetIdx , matcherIdx , hostMatcherIdx , err )
}
2019-06-26 18:57:18 +02:00
if certmagic . HostQualifies ( d ) &&
! srv . AutoHTTPS . Skipped ( d , srv . AutoHTTPS . Skip ) {
2019-06-21 16:08:26 +02:00
domainSet [ d ] = struct { } { }
2019-05-22 21:13:39 +02:00
}
2019-04-25 21:54:48 +02:00
}
}
}
}
}
2019-04-29 17:22:00 +02:00
if len ( domainSet ) > 0 {
// marshal the domains into a slice
2019-06-26 18:57:18 +02:00
var domains , domainsForCerts [ ] string
2019-04-29 17:22:00 +02:00
for d := range domainSet {
domains = append ( domains , d )
2019-06-26 18:57:18 +02:00
if ! srv . AutoHTTPS . Skipped ( d , srv . AutoHTTPS . SkipCerts ) {
2019-08-09 20:05:47 +02:00
// if a certificate for this name is already loaded,
// don't obtain another one for it, unless we are
// supposed to ignore loaded certificates
if ! srv . AutoHTTPS . IgnoreLoadedCerts &&
2019-09-13 19:46:58 +02:00
len ( tlsApp . AllMatchingCertificates ( d ) ) > 0 {
2019-10-28 21:39:37 +01:00
app . logger . Info ( "skipping automatic certificate management because one or more matching certificates are already loaded" ,
zap . String ( "domain" , d ) ,
zap . String ( "server_name" , srvName ) ,
)
2019-08-09 20:05:47 +02:00
continue
}
2019-06-26 18:57:18 +02:00
domainsForCerts = append ( domainsForCerts , d )
}
2019-04-29 17:22:00 +02:00
}
2019-06-05 06:43:21 +02:00
// ensure that these certificates are managed properly;
// for example, it's implied that the HTTPPort should also
// be the port the HTTP challenge is solved on, and so
// for HTTPS port and TLS-ALPN challenge also - we need
// to tell the TLS app to manage these certs by honoring
// those port configurations
acmeManager := & caddytls . ACMEManagerMaker {
2019-09-30 17:07:43 +02:00
Challenges : & caddytls . ChallengesConfig {
HTTP : & caddytls . HTTPChallengeConfig {
2019-09-19 02:01:32 +02:00
AlternatePort : app . HTTPPort , // we specifically want the user-configured port, if any
2019-06-05 06:43:21 +02:00
} ,
2019-09-30 17:07:43 +02:00
TLSALPN : & caddytls . TLSALPNChallengeConfig {
2019-09-19 02:01:32 +02:00
AlternatePort : app . HTTPSPort , // we specifically want the user-configured port, if any
2019-06-05 06:43:21 +02:00
} ,
} ,
}
2019-09-30 17:07:43 +02:00
if tlsApp . Automation == nil {
tlsApp . Automation = new ( caddytls . AutomationConfig )
}
2019-06-05 06:43:21 +02:00
tlsApp . Automation . Policies = append ( tlsApp . Automation . Policies ,
caddytls . AutomationPolicy {
2019-06-26 18:57:18 +02:00
Hosts : domainsForCerts ,
2019-06-05 06:43:21 +02:00
Management : acmeManager ,
} )
2019-04-29 17:22:00 +02:00
// manage their certificates
2019-10-28 21:39:37 +01:00
app . logger . Info ( "enabling automatic TLS certificate management" ,
zap . Strings ( "domains" , domainsForCerts ) ,
)
2019-06-26 18:57:18 +02:00
err := tlsApp . Manage ( domainsForCerts )
2019-04-25 21:54:48 +02:00
if err != nil {
return fmt . Errorf ( "%s: managing certificate for %s: %s" , srvName , domains , err )
}
2019-04-29 17:22:00 +02:00
2019-09-03 17:35:36 +02:00
// tell the server to use TLS if it is not already doing so
if srv . TLSConnPolicies == nil {
srv . TLSConnPolicies = caddytls . ConnectionPolicies {
& caddytls . ConnectionPolicy { ALPN : defaultALPN } ,
}
2019-04-25 21:54:48 +02:00
}
2019-04-29 17:22:00 +02:00
2019-06-26 18:49:32 +02:00
if srv . AutoHTTPS . DisableRedir {
2019-05-07 17:56:13 +02:00
continue
}
2019-10-28 21:39:37 +01:00
app . logger . Info ( "enabling automatic HTTP->HTTPS redirects" ,
zap . Strings ( "domains" , domains ) ,
)
2019-06-26 18:57:18 +02:00
2019-05-07 17:56:13 +02:00
// create HTTP->HTTPS redirects
for _ , addr := range srv . Listen {
2019-09-05 21:14:39 +02:00
netw , host , port , err := caddy . SplitNetworkAddress ( addr )
2019-05-07 17:56:13 +02:00
if err != nil {
return fmt . Errorf ( "%s: invalid listener address: %v" , srvName , addr )
}
2019-06-21 22:36:26 +02:00
2019-05-07 17:56:13 +02:00
if parts := strings . SplitN ( port , "-" , 2 ) ; len ( parts ) == 2 {
port = parts [ 0 ]
}
2019-05-21 01:15:38 +02:00
redirTo := "https://{http.request.host}"
2019-05-07 17:56:13 +02:00
2019-09-19 02:01:32 +02:00
if port != strconv . Itoa ( app . httpsPort ( ) ) {
2019-05-07 17:56:13 +02:00
redirTo += ":" + port
}
2019-05-21 01:15:38 +02:00
redirTo += "{http.request.uri}"
2019-05-07 17:56:13 +02:00
2019-09-19 02:01:32 +02:00
// build the plaintext HTTP variant of this address
httpRedirLnAddr := caddy . JoinNetworkAddress ( netw , host , strconv . Itoa ( app . httpPort ( ) ) )
// create the route that does the redirect and associate
// it with the listener address it will be served from
lnAddrRedirRoutes [ httpRedirLnAddr ] = Route {
2019-08-21 18:46:35 +02:00
MatcherSets : [ ] MatcherSet {
2019-05-22 21:13:39 +02:00
{
MatchProtocol ( "http" ) ,
MatchHost ( domains ) ,
} ,
2019-05-07 17:56:13 +02:00
} ,
2019-08-21 18:46:35 +02:00
Handlers : [ ] MiddlewareHandler {
2019-07-12 01:02:57 +02:00
StaticResponse {
2019-11-11 22:01:42 +01:00
StatusCode : WeakString ( strconv . Itoa ( http . StatusPermanentRedirect ) ) ,
2019-07-09 20:58:39 +02:00
Headers : http . Header {
"Location" : [ ] string { redirTo } ,
"Connection" : [ ] string { "close" } ,
} ,
Close : true ,
2019-05-07 17:56:13 +02:00
} ,
} ,
2019-09-19 02:01:32 +02:00
}
2019-05-07 17:56:13 +02:00
}
}
}
2019-09-19 02:01:32 +02:00
// if there are HTTP->HTTPS redirects to add, do so now
if len ( lnAddrRedirRoutes ) > 0 {
var redirServerAddrs [ ] string
var redirRoutes [ ] Route
// for each redirect listener, see if there's already a
2019-11-11 22:01:42 +01:00
// server configured to listen on that exact address; if so,
// simply add the redirect route to the end of its route
2019-09-19 02:01:32 +02:00
// list; otherwise, we'll create a new server for all the
// listener addresses that are unused and serve the
// remaining redirects from it
redirRoutesLoop :
for addr , redirRoute := range lnAddrRedirRoutes {
for srvName , srv := range app . Servers {
if srv . hasListenerAddress ( addr ) {
// user has configured a server for the same address
// that the redirect runs from; simply append our
// redirect route to the existing routes, with a
// caveat that their config might override ours
2019-10-28 21:39:37 +01:00
app . logger . Warn ( "server is listening on same interface as redirects, so automatic HTTP->HTTPS redirects might be overridden by your own configuration" ,
zap . String ( "server_name" , srvName ) ,
zap . String ( "interface" , addr ) ,
)
2019-09-19 02:01:32 +02:00
srv . Routes = append ( srv . Routes , redirRoute )
continue redirRoutesLoop
2019-05-07 17:56:13 +02:00
}
}
2019-09-19 02:01:32 +02:00
// no server with this listener address exists;
// save this address and route for custom server
redirServerAddrs = append ( redirServerAddrs , addr )
redirRoutes = append ( redirRoutes , redirRoute )
2019-05-07 17:56:13 +02:00
}
2019-09-19 02:01:32 +02:00
// if there are routes remaining which do not belong
// in any existing server, make our own to serve the
// rest of the redirects
if len ( redirServerAddrs ) > 0 {
app . Servers [ "remaining_auto_https_redirects" ] = & Server {
2019-10-31 18:45:18 +01:00
Listen : redirServerAddrs ,
Routes : redirRoutes ,
tlsApp : tlsApp , // required to solve HTTP challenge
logger : app . logger . Named ( "log" ) ,
errorLogger : app . logger . Named ( "log.error" ) ,
2019-09-19 02:01:32 +02:00
}
2019-04-25 21:54:48 +02:00
}
}
return nil
}
2019-09-19 02:01:32 +02:00
func ( app * App ) httpPort ( ) int {
if app . HTTPPort == 0 {
return DefaultHTTPPort
}
return app . HTTPPort
}
func ( app * App ) httpsPort ( ) int {
if app . HTTPSPort == 0 {
return DefaultHTTPSPort
2019-05-07 17:56:13 +02:00
}
2019-09-19 02:01:32 +02:00
return app . HTTPSPort
2019-05-07 17:56:13 +02:00
}
2019-04-25 21:54:48 +02:00
var defaultALPN = [ ] string { "h2" , "http/1.1" }
2019-05-20 18:59:20 +02:00
// RequestMatcher is a type that can match to a request.
2019-07-09 20:58:39 +02:00
// A route matcher MUST NOT modify the request, with the
// only exception being its context.
2019-05-20 18:59:20 +02:00
type RequestMatcher interface {
2019-04-01 04:41:29 +02:00
Match ( * http . Request ) bool
}
// Handler is like http.Handler except ServeHTTP may return an error.
//
// If any handler encounters an error, it should be returned for proper
// handling. Return values should be propagated down the middleware chain
2019-07-09 20:58:39 +02:00
// by returning it unchanged. Returned errors should not be re-wrapped
// if they are already HandlerError values.
2019-04-01 04:41:29 +02:00
type Handler interface {
ServeHTTP ( http . ResponseWriter , * http . Request ) error
}
// HandlerFunc is a convenience type like http.HandlerFunc.
type HandlerFunc func ( http . ResponseWriter , * http . Request ) error
// ServeHTTP implements the Handler interface.
func ( f HandlerFunc ) ServeHTTP ( w http . ResponseWriter , r * http . Request ) error {
return f ( w , r )
}
2019-07-09 20:58:39 +02:00
// Middleware chains one Handler to the next by being passed
// the next Handler in the chain.
type Middleware func ( HandlerFunc ) HandlerFunc
// MiddlewareHandler is like Handler except it takes as a third
// argument the next handler in the chain. The next handler will
// never be nil, but may be a no-op handler if this is the last
// handler in the chain. Handlers which act as middleware should
// call the next handler's ServeHTTP method so as to propagate
// the request down the chain properly. Handlers which act as
// responders (content origins) need not invoke the next handler,
// since the last handler in the chain should be the first to
// write the response.
type MiddlewareHandler interface {
ServeHTTP ( http . ResponseWriter , * http . Request , Handler ) error
}
// emptyHandler is used as a no-op handler.
var emptyHandler HandlerFunc = func ( http . ResponseWriter , * http . Request ) error { return nil }
2019-04-12 04:42:55 +02:00
2019-08-09 20:05:47 +02:00
// WeakString is a type that unmarshals any JSON value
// as a string literal, with the following exceptions:
2019-12-10 21:36:46 +01:00
//
// 1. actual string values are decoded as strings; and
// 2. null is decoded as empty string;
//
2019-08-09 20:05:47 +02:00
// and provides methods for getting the value as various
// primitive types. However, using this type removes any
// type safety as far as deserializing JSON is concerned.
type WeakString string
// UnmarshalJSON satisfies json.Unmarshaler according to
// this type's documentation.
func ( ws * WeakString ) UnmarshalJSON ( b [ ] byte ) error {
if len ( b ) == 0 {
return io . EOF
}
if b [ 0 ] == byte ( '"' ) && b [ len ( b ) - 1 ] == byte ( '"' ) {
var s string
err := json . Unmarshal ( b , & s )
if err != nil {
return err
}
* ws = WeakString ( s )
return nil
}
if bytes . Equal ( b , [ ] byte ( "null" ) ) {
return nil
}
* ws = WeakString ( b )
return nil
}
// MarshalJSON marshals was a boolean if true or false,
// a number if an integer, or a string otherwise.
func ( ws WeakString ) MarshalJSON ( ) ( [ ] byte , error ) {
if ws == "true" {
return [ ] byte ( "true" ) , nil
}
if ws == "false" {
return [ ] byte ( "false" ) , nil
}
if num , err := strconv . Atoi ( string ( ws ) ) ; err == nil {
return json . Marshal ( num )
}
return json . Marshal ( string ( ws ) )
}
// Int returns ws as an integer. If ws is not an
// integer, 0 is returned.
func ( ws WeakString ) Int ( ) int {
num , _ := strconv . Atoi ( string ( ws ) )
return num
}
// Float64 returns ws as a float64. If ws is not a
// float value, the zero value is returned.
func ( ws WeakString ) Float64 ( ) float64 {
num , _ := strconv . ParseFloat ( string ( ws ) , 64 )
return num
}
// Bool returns ws as a boolean. If ws is not a
// boolean, false is returned.
func ( ws WeakString ) Bool ( ) bool {
return string ( ws ) == "true"
}
// String returns ws as a string.
func ( ws WeakString ) String ( ) string {
return string ( ws )
}
2019-10-15 22:07:10 +02:00
// CopyHeader copies HTTP headers by completely
// replacing dest with src. (This allows deletions
// to be propagated, assuming src started as a
// consistent copy of dest.)
func CopyHeader ( dest , src http . Header ) {
for field := range dest {
delete ( dest , field )
}
for field , val := range src {
dest [ field ] = val
}
}
2019-09-03 06:01:02 +02:00
// StatusCodeMatches returns true if a real HTTP status code matches
// the configured status code, which may be either a real HTTP status
// code or an integer representing a class of codes (e.g. 4 for all
// 4xx statuses).
func StatusCodeMatches ( actual , configured int ) bool {
if actual == configured {
return true
}
if configured < 100 && actual >= configured * 100 && actual < ( configured + 1 ) * 100 {
return true
}
return false
}
2019-05-07 17:56:13 +02:00
const (
// DefaultHTTPPort is the default port for HTTP.
DefaultHTTPPort = 80
// DefaultHTTPSPort is the default port for HTTPS.
DefaultHTTPSPort = 443
)
2019-07-12 06:02:47 +02:00
// DefaultMaxRehandles is the maximum number of rehandles to
// allow, if not specified explicitly.
var DefaultMaxRehandles = 3
2019-07-07 22:12:22 +02:00
// Interface guards
var (
_ caddy . App = ( * App ) ( nil )
_ caddy . Provisioner = ( * App ) ( nil )
_ caddy . Validator = ( * App ) ( nil )
)