http: Enable TLS for servers listening only on HTTPS port
It seems silly to have to add a single, empty TLS connection policy to a server to enable TLS when it's only listening on the HTTPS port. We now do this for the user as part of automatic HTTPS (thus, it can be disabled / overridden). See https://caddy.community/t/v2-catch-all-server-with-automatic-tls/6692/2?u=matt
parent
5c8b502964
commit
2b33d9a5e5
2 changed files with 13 additions and 0 deletions
|
@ -326,6 +326,18 @@ func (app *App) automaticHTTPS() error {
|
|||
continue
|
||||
}
|
||||
|
||||
// if all listeners are on the HTTPS port, make sure
|
||||
// there is at least one TLS connection policy; it
|
||||
// should be obvious that they want to use TLS without
|
||||
// needing to specify one empty policy to enable it
|
||||
if !srv.listenersUseAnyPortOtherThan(app.httpsPort()) && len(srv.TLSConnPolicies) == 0 {
|
||||
app.logger.Info("server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS",
|
||||
zap.String("server_name", srvName),
|
||||
zap.Int("https_port", app.httpsPort()),
|
||||
)
|
||||
srv.TLSConnPolicies = append(srv.TLSConnPolicies, new(caddytls.ConnectionPolicy))
|
||||
}
|
||||
|
||||
// find all qualifying domain names, de-duplicated
|
||||
domainSet := make(map[string]struct{})
|
||||
for routeIdx, route := range srv.Routes {
|
||||
|
|
|
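Review bot: The new `if` at the `!srv.listenersUseAnyPortOtherThan(...)` line calls `app.httpsPort()` twice, once in the condition and again in the `zap.Int` field; hoisting it into a local (`httpsPort := app.httpsPort()`) keeps the logged port identical to the one tested and reads more cleanly. The comment above the block should also state that the implicit policy is added only here, inside automatic HTTPS, so a server that opts out of automatic HTTPS and listens solely on the HTTPS port keeps serving plaintext unless a policy is configured explicitly, e.g. `// added as part of automatic HTTPS: disabling that also disables this implicit policy`. Whether the preceding `continue` is the automatic-HTTPS opt-out check cannot be confirmed from the hunk, and the enclosing `automaticHTTPS` begins outside it. Since an empty `ConnectionPolicy` leaves every setting at its default, the Info log is the only record that TLS was enabled implicitly for that server, so it is worth keeping at Info rather than lowering to Debug.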
@ -106,6 +106,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) (*tls.Config, error) {
|
|||
}
|
||||
|
||||
// ConnectionPolicy specifies the logic for handling a TLS handshake.
|
||||
// An empty policy is valid; safe and sensible defaults will be used.
|
||||
type ConnectionPolicy struct {
|
||||
// How to match this policy with a TLS ClientHello. If
|
||||
// this policy is the first to match, it will be used.
|
||||
|
|