tls: Allow opening block without specifying cert+key args
This commit is contained in:
parent
946ff5e87b
commit
bb80f99190
2 changed files with 42 additions and 11 deletions
@ -11,12 +11,12 @@ import (
// TLS sets up the TLS configuration (but does not activate Let's Encrypt; that is handled elsewhere).
|
||||
func TLS(c *Controller) (middleware.Middleware, error) {
|
||||
if c.Port == "http" {
|
||||
if c.Scheme == "http" {
|
||||
c.TLS.Enabled = false
|
||||
log.Printf("[WARNING] TLS disabled for %s://%s. To force TLS over the plaintext HTTP port, "+
|
||||
"specify port 80 explicitly (https://%s:80).", c.Port, c.Host, c.Host)
|
||||
"specify port 80 explicitly (https://%s:80).", c.Scheme, c.Address(), c.Host)
|
||||
} else {
|
||||
c.TLS.Enabled = true // they had a tls directive, so assume it's on unless we confirm otherwise later
|
||||
c.TLS.Enabled = true // assume this for now
|
||||
}
|
||||
|
||||
for c.Next() {
|
||||
|
@ -37,13 +37,11 @@ func TLS(c *Controller) (middleware.Middleware, error) {
|
|||
// served on the HTTPS port; that is what user would expect, and
|
||||
// makes it consistent with how the letsencrypt package works.
|
||||
if c.Port == "" {
|
||||
c.Port = "https"
|
||||
c.Port = "443"
|
||||
}
|
||||
default:
|
||||
return nil, c.ArgErr()
|
||||
}
|
||||
|
||||
// Optional block
|
||||
// Optional block with extra parameters
|
||||
for c.NextBlock() {
|
||||
switch c.Val() {
|
||||
case "protocols":
|
||||
|
@ -74,6 +72,9 @@ func TLS(c *Controller) (middleware.Middleware, error) {
|
|||
if len(c.TLS.ClientCerts) == 0 {
|
||||
return nil, c.ArgErr()
|
||||
}
|
||||
// TODO: Allow this? It's a bad idea to allow HTTP. If we do this, make sure invoking tls at all (even manually) also sets up a redirect if possible?
|
||||
// case "allow_http":
|
||||
// c.TLS.DisableHTTPRedir = true
|
||||
default:
|
||||
return nil, c.Errf("Unknown keyword '%s'", c.Val())
|
||||
}
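Review bot: In the first hunk a `tls` directive on a site whose scheme is `http` is silently downgraded: the branch sets `c.TLS.Enabled = false` and only emits a log warning (whichever of `c.Port == "http"` / `c.Scheme == "http"` is the new condition), so after this commit a bare `tls` or a `tls cert.crt cert.key` line under `http://` parses cleanly yet the site is served in plaintext. Since the operator explicitly asked for TLS, failing closed is the safer default, e.g. `return nil, c.Err("tls directive is not allowed on a plaintext http:// site; use https:// or specify port 80 explicitly")`, or at minimum the test suite should pin the downgrade so it cannot regress unnoticed. The `TLS` function starts in this hunk but its body continues past the hunk's last line. The commented-out `allow_http` case in the third hunk is dead code; if the TODO stays, I would extend it with `// allow_http would leave the site reachable over plaintext even with a cert configured; must never be the default` so the risk is recorded next to the idea.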
|
||||
|
@ -66,11 +66,12 @@ func TestTLSParseBasic(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestTLSParseIncompleteParams(t *testing.T) {
|
||||
// This doesn't do anything useful but is allowed in case the user wants to be explicit
|
||||
// about TLS being enabled...
|
||||
c := NewTestController(`tls`)
|
||||
|
||||
_, err := TLS(c)
|
||||
if err == nil {
|
||||
t.Errorf("Expected errors (first check), but no error returned")
|
||||
if err != nil {
|
||||
t.Errorf("Expected no error, but got %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -95,10 +96,39 @@ func TestTLSParseWithOptionalParams(t *testing.T) {
|
|||
}
|
||||
|
||||
if len(c.TLS.Ciphers)-1 != 3 {
|
||||
t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers))
|
||||
t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers)-1)
|
||||
}
|
||||
}
|
||||
|
||||
func TestTLSDefaultWithOptionalParams(t *testing.T) {
|
||||
params := `tls {
|
||||
ciphers RSA-3DES-EDE-CBC-SHA
|
||||
}`
|
||||
c := NewTestController(params)
|
||||
|
||||
_, err := TLS(c)
|
||||
if err != nil {
|
||||
t.Errorf("Expected no errors, got: %v", err)
|
||||
}
|
||||
if len(c.TLS.Ciphers)-1 != 1 {
|
||||
t.Errorf("Expected 1 ciphers (not including TLS_FALLBACK_SCSV), got %v", len(c.TLS.Ciphers)-1)
|
||||
}
|
||||
}
|
||||
|
||||
// TODO: If we allow this... but probably not a good idea.
|
||||
// func TestTLSDisableHTTPRedirect(t *testing.T) {
|
||||
// c := NewTestController(`tls {
|
||||
// allow_http
|
||||
// }`)
|
||||
// _, err := TLS(c)
|
||||
// if err != nil {
|
||||
// t.Errorf("Expected no error, but got %v", err)
|
||||
// }
|
||||
// if !c.TLS.DisableHTTPRedir {
|
||||
// t.Error("Expected HTTP redirect to be disabled, but it wasn't")
|
||||
// }
|
||||
// }
|
||||
|
||||
func TestTLSParseWithWrongOptionalParams(t *testing.T) {
|
||||
// Test protocols wrong params
|
||||
params := `tls cert.crt cert.key {
|
||||
|
|