author | Matt Holt <mholt@users.noreply.github.com> | 2023-03-20 12:06:00 -0600 |
committer | GitHub <noreply@github.com> | 2023-03-20 12:06:00 -0600 |
commit | 0cc49c053f77bf6efa8107fa50d2e256a91d0ff8 (patch) | |
tree | 63fca86ccbc9c231acc644b78f9d704601d14135 /modules/caddytls/automation.go | |
parent | a7db0cfe55b524a34a310e852af6c9520134db10 (diff) |
caddytls: Zero out throttle window first (#5443)
* caddytls: Zero out throttle window first
* Don't error for on-demand
Fixes https://github.com/caddyserver/caddy/commit/b97c76fb4789b8da0b80f5a2c1c1c5bebba163b5
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Diffstat (limited to 'modules/caddytls/automation.go')
-rw-r--r-- | modules/caddytls/automation.go | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index fffc0a36..1cfb28c3 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -19,6 +19,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/caddyserver/caddy/v2"
@@ -224,8 +225,10 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 	// on-demand TLS
 	var ond *certmagic.OnDemandConfig
 	if ap.OnDemand {
-		// ask endpoint is now required after a number of negligence cases causing abuse
-		if !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
+		// ask endpoint is now required after a number of negligence cases causing abuse;
+		// but is still allowed for explicit subjects (non-wildcard, non-unbounded),
+		// and for the internal issuer since it doesn't cause ACME issuer pressure
+		if ap.isWildcardOrDefault() && !ap.onlyInternalIssuer() && (tlsApp.Automation == nil || tlsApp.Automation.OnDemand == nil || tlsApp.Automation.OnDemand.Ask == "") {
 			return fmt.Errorf("on-demand TLS cannot be enabled without an 'ask' endpoint to prevent abuse; please refer to documentation for details")
 		}
 		ond = &certmagic.OnDemandConfig{
@@ -294,6 +297,22 @@ func (ap *AutomationPolicy) onlyInternalIssuer() bool {
 	return ok
 }
 
+// isWildcardOrDefault determines if the subjects include any wildcard domains,
+// or is the "default" policy (i.e. no subjects) which is unbounded.
+func (ap *AutomationPolicy) isWildcardOrDefault() bool {
+	isWildcardOrDefault := false
+	if len(ap.Subjects) == 0 {
+		isWildcardOrDefault = true
+	}
+	for _, sub := range ap.Subjects {
+		if strings.HasPrefix(sub, "*") {
+			isWildcardOrDefault = true
+			break
+		}
+	}
+	return isWildcardOrDefault
+}
+
 // DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults.
 // This function is experimental and has no compatibility promises.
 func DefaultIssuers() []certmagic.Issuer { |
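Review bot: isWildcardOrDefault in the last hunk tracks its result through a mutable flag plus `break`, where two early returns state the same predicate more directly and keep the happy path flat. Because this predicate now decides whether on-demand TLS may be enabled without an 'ask' endpoint (the condition in the Provision hunk), its doc comment should spell out that consequence so a later edit does not loosen it unknowingly, e.g. `// A true result means on-demand issuance is unbounded and Provision therefore requires an 'ask' endpoint.` The wildcard test is a bare `*` prefix check, so a subject of just `*` counts as a wildcard as well; if that is intended it is worth saying in the comment. Provision's body extends beyond its hunk on both sides.
```go
func (ap *AutomationPolicy) isWildcardOrDefault() bool {
	// No subjects means the policy matches any name, which is unbounded.
	if len(ap.Subjects) == 0 {
		return true
	}
	for _, sub := range ap.Subjects {
		if strings.HasPrefix(sub, "*") {
			return true
		}
	}
	return false
}
```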