From 1bae36ef29aea6fd3b604ed1de5009ab0c074705 Mon Sep 17 00:00:00 2001
From: Francis Lavoie
Date: Wed, 26 Apr 2017 14:00:49 -0400
Subject: [PATCH] Fix 1592: Allow insecure CA URL on internal networks (#1607)
* Strip brackets in IsInternal if no port, allow loopback for CA URLs
* Fix a mistake
* Improve the trim
* Fix comment
---
 caddy.go | 5 ++++-
 caddy_test.go | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/caddy.go b/caddy.go
index 3d8a6139b..7e07a5dc3 100644
--- a/caddy.go
+++ b/caddy.go
@@ -777,7 +777,10 @@ func IsInternal(addr string) bool {
 host, _, err := net.SplitHostPort(addr)
 if err != nil {
- host = addr // happens if the addr is just a hostname
+ host = addr // happens if the addr is just a hostname, missing port
+ // if we encounter an error, the brackets need to be stripped
+ // because SplitHostPort didn't do it for us
+ host = strings.Trim(host, "[]")
 }
 ip := net.ParseIP(host)
 if ip == nil {
diff --git a/caddy_test.go b/caddy_test.go
index 2f86105b0..51765d77d 100644
--- a/caddy_test.go
+++ b/caddy_test.go
@@ -94,6 +94,8 @@ func TestIsInternal(t *testing.T) {
 {"fbff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false},
 {"fc00::", true},
 {"fc00::1", true},
+ {"[fc00::1]", true},
+ {"[fc00::1]:8888", true},
 {"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true},
 {"fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", true},
 {"fe00::", false},
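Review bot: In the error branch of IsInternal, `strings.Trim(host, "[]")` removes any run of `[` and `]` from both ends, so unbalanced or repeated brackets are normalized away and a malformed address can still be classified as internal. That branch also runs for every SplitHostPort error, not only a missing port. Going by the commit subject this predicate decides when an insecure CA URL is tolerated, so strict parsing is the safer default: unwrap exactly one matched pair, `if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") { host = host[1 : len(host)-1] }`, and let everything else fall through to the `ip == nil` rejection. The function body starts and ends outside the hunk.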
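Review bot: The two rows added to TestIsInternal only cover bracketed addresses that are expected to be internal, so nothing pins that bracket stripping leaves a non-internal address classified as false. Rows such as `{"[fbff::1]", false}` and `{"[fbff::1]:8888", false}` (constructed from the existing `fbff:…` negative row) would cover that. A row for an unbalanced literal, for instance one with only the opening bracket, would also document which result is intended for malformed input; the table continues outside the hunk, so such cases may exist elsewhere.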