Mirrors/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-02-08 17:16:36 +01:00
Code Issues Projects Releases Packages Wiki Activity

caddytls: Relax the warning for on-demand (#5384)

Browse source
This commit is contained in:
Francis Lavoie 2023-02-22 13:41:01 -05:00 committed by GitHub
parent 79de6df93d
commit be53e432fc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
modules/caddytls/tls.go
View file

@ -22,6 +22,7 @@ import (
"log" "log"
"net/http" "net/http"
"runtime/debug" "runtime/debug"
"strings"
"sync" "sync"
"time" "time"
@ -259,7 +260,17 @@ func (t *TLS) Start() error {
if t.Automation.OnDemand == nil || if t.Automation.OnDemand == nil ||
(t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) { (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.RateLimit == nil) {
for _, ap := range t.Automation.Policies { for _, ap := range t.Automation.Policies {
if ap.OnDemand { isWildcardOrDefault := false
if len(ap.Subjects) == 0 {
isWildcardOrDefault = true
}
for _, sub := range ap.Subjects {
if strings.HasPrefix(sub, "*") {
isWildcardOrDefault = true
break
}
}
if ap.OnDemand && isWildcardOrDefault {
t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place", t.logger.Warn("YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place",
zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls")) zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls"))
break break