caddytls: Configurable fallback SNI (#5527)
* Initial implementation of fallback_sni * Apply upstream patch
This commit is contained in:
parent
808b05c3b4
commit
faf0399e80
5 changed files with 26 additions and 5 deletions
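--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -413,6 +413,7 @@ func (st *ServerType) serversFromPairings(
 ) (map[string]*caddyhttp.Server, error) {
 servers := make(map[string]*caddyhttp.Server)
 defaultSNI := tryString(options["default_sni"], warnings)
+fallbackSNI := tryString(options["fallback_sni"], warnings)
 
 httpPort := strconv.Itoa(caddyhttp.DefaultHTTPPort)
 if hp, ok := options["http_port"].(int); ok {
@@ -570,6 +571,11 @@ func (st *ServerType) serversFromPairings(
 cp.DefaultSNI = defaultSNI
 break
 }
+if h == fallbackSNI {
+hosts = append(hosts, "")
+cp.FallbackSNI = fallbackSNI
+break
+}
 }
 
 if len(hosts) > 0 {
@@ -578,6 +584,7 @@ func (st *ServerType) serversFromPairings(
 }
 } else {
 cp.DefaultSNI = defaultSNI
+cp.FallbackSNI = fallbackSNI
 }
 
 // only append this policy if it actually changes something
@@ -703,8 +710,8 @@ func (st *ServerType) serversFromPairings(
 // policy missing for any HTTPS-enabled hosts, if so, add it... maybe?
 if addressQualifiesForTLS &&
 !hasCatchAllTLSConnPolicy &&
-(len(srv.TLSConnPolicies) > 0 || !autoHTTPSWillAddConnPolicy || defaultSNI != "") {
-srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{DefaultSNI: defaultSNI})
+(len(srv.TLSConnPolicies) > 0 || !autoHTTPSWillAddConnPolicy || defaultSNI != "" || fallbackSNI != "") {
+srv.TLSConnPolicies = append(srv.TLSConnPolicies, &caddytls.ConnectionPolicy{DefaultSNI: defaultSNI, FallbackSNI: fallbackSNI})
 }
 
 // tidy things up a bit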
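Review bot: In the hunk at -570 the new `if h == fallbackSNI` branch cannot run for a host list that also contains defaultSNI, because the preceding `if h == defaultSNI` branch ends in `break`; with hosts a and b, default_sni a and fallback_sni b, this policy gets DefaultSNI but FallbackSNI stays empty, which disagrees with the `else` branch in the hunk at -578 that sets both. Assuming the enclosing loop (its header is outside the hunk) ranges over hosts, each check could set its field without breaking and the "" matcher could be appended once afterwards, as below. Whether the missing FallbackSNI is observable depends on whether a ClientHello matched by this host-scoped policy can fail to find a certificate, which the diff does not show; the catch-all policy added in the hunk at -703 only covers servers that have no catch-all policy yet. serversFromPairings starts and ends outside these hunks.
```go
// … unchanged: loop over hosts (header outside the hunk) …
	if h == defaultSNI {
		cp.DefaultSNI = defaultSNI
	}
	if h == fallbackSNI {
		cp.FallbackSNI = fallbackSNI
	}
}
// match the empty SNI once if either configured name is among this policy's hosts
if cp.DefaultSNI != "" || cp.FallbackSNI != "" {
	hosts = append(hosts, "")
}
```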
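--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -33,6 +33,7 @@ func init() {
 RegisterGlobalOption("grace_period", parseOptDuration)
 RegisterGlobalOption("shutdown_delay", parseOptDuration)
 RegisterGlobalOption("default_sni", parseOptSingleString)
+RegisterGlobalOption("fallback_sni", parseOptSingleString)
 RegisterGlobalOption("order", parseOptOrder)
 RegisterGlobalOption("storage", parseOptStorage)
 RegisterGlobalOption("storage_clean_interval", parseOptDuration)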
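--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/alecthomas/chroma/v2 v2.7.0
 github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b
-github.com/caddyserver/certmagic v0.17.3-0.20230507010158-25b55042e516
+github.com/caddyserver/certmagic v0.17.3-0.20230510193943-53140d52202c
 github.com/dustin/go-humanize v1.0.1
 github.com/go-chi/chi v4.1.2+incompatible
 github.com/google/cel-go v0.14.0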
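--- a/go.sum
+++ b/go.sum
@@ -97,8 +97,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/boltdb/bolt v1.3.1/go.mod h1:clJnj/oiGkjum5o1McbSZDSLxVThjynRyGBgiAx27Ps=
-github.com/caddyserver/certmagic v0.17.3-0.20230507010158-25b55042e516 h1:D+jLysrPbU0EN+IbLvPuGIpvCi6wgoPmQiKxAQCh+gI=
-github.com/caddyserver/certmagic v0.17.3-0.20230507010158-25b55042e516/go.mod h1:e0YLTnXIopZ05bBWCLzpIf1Yvk27Q90FGUmGowFRDY8=
+github.com/caddyserver/certmagic v0.17.3-0.20230510193943-53140d52202c h1:pEMS0l8kE/5xxrncv+Qq81fzr29R+zk++E7KAYiyBe4=
+github.com/caddyserver/certmagic v0.17.3-0.20230510193943-53140d52202c/go.mod h1:e0YLTnXIopZ05bBWCLzpIf1Yvk27Q90FGUmGowFRDY8=
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=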
@ -159,6 +159,18 @@ type ConnectionPolicy struct {
// is no policy configured for the empty SNI value.
// is no policy configured for the empty SNI value.
DefaultSNI string `json:"default_sni,omitempty"`
DefaultSNI string `json:"default_sni,omitempty"`
// FallbackSNI becomes the ServerName in a ClientHello if
// the original ServerName doesn't match any certificates
// in the cache. The use cases for this are very niche;
// typically if a client is a CDN and passes through the
// ServerName of the downstream handshake but can accept
// a certificate with the origin's hostname instead, then
// you would set this to your origin's hostname. Note that
// Caddy must be managing a certificate for this name.
//
// This feature is EXPERIMENTAL and subject to change or removal.
FallbackSNI string `json:"fallback_sni,omitempty"`
// Also known as "SSLKEYLOGFILE", TLS secrets will be written to
// Also known as "SSLKEYLOGFILE", TLS secrets will be written to
// this file in NSS key log format which can then be parsed by
// this file in NSS key log format which can then be parsed by
// Wireshark and other tools. This is INSECURE as it allows other
// Wireshark and other tools. This is INSECURE as it allows other
@ -216,6 +228,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
cfg.CertSelection = p.CertSelection
cfg.CertSelection = p.CertSelection
}
}
cfg.DefaultServerName = p.DefaultSNI
cfg.DefaultServerName = p.DefaultSNI
cfg.FallbackServerName = p.FallbackSNI
return cfg.GetCertificate(hello)
return cfg.GetCertificate(hello)
},
},
MinVersion: tls.VersionTLS12,
MinVersion: tls.VersionTLS12,
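Review bot: The doc comment added in the hunk at -159 says FallbackSNI "becomes the ServerName in a ClientHello", but the server cannot rewrite the client's ClientHello; what the hunk at -216 shows is the value being handed to certmagic as `cfg.FallbackServerName`, i.e. a substitute name used for certificate selection after the requested name found no match. Suggest opening the comment with `// FallbackSNI is the server name used for certificate selection when the` / `// ServerName in the ClientHello doesn't match any certificate in the cache.` and keeping the remaining sentences as they are. The comment could also say how the field interacts with DefaultSNI when both are set and the ServerName is empty; presumably DefaultSNI is consulted first, but that precedence lives in certmagic and is not visible in this diff. buildStandardTLSConfig starts and ends outside the hunk.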