Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optionally pass the context argument down to the OnDemand decision func #255

Merged

Conversation

ankon
Copy link
Contributor

@ankon ankon commented Oct 27, 2023

For further instrumenting our code base we would like to be able to pass the context we have when getting a certificate down into the "decision func" that checks whether a certificate should be obtained.

This PR is a bit of a "let's talk": I think this could just work, and wouldn't produce problems for existing code that only configures a DecisionFunc, but it can possibly be done nicer?

@ankon
Copy link
Contributor Author

ankon commented Oct 27, 2023

Quick update: We tested this, and it does what it should do -- we can now use this code inside our configuration:

	certmagicConfig.OnDemand = &certmagic.OnDemandConfig{
		DecisionContextFunc: func(ctx context.Context, name string) error {
			segment := newrelic.FromContext(ctx).StartSegment("TLS/OnDemandDecisionFunc")
			defer segment.End()
			// ...
		},
		// ...
	}

	tlsConfig.GetCertificate = func(clientHelloInfo *tls.ClientHelloInfo) (*tls.Certificate, error) {
		txn := newrelicApp.StartTransaction("TLS/GetCertificate")
		defer txn.End()
		// Add attributes related to the request
		txn.AddAttribute("hostname", clientHelloInfo.ServerName)

		// Get a certificate
		ctx := newrelic.NewContext(clientHelloInfo.Context(), txn)
		cert, err := certmagicConfig.GetCertificateWithContext(ctx, clientHelloInfo)
		// ...
	}

@francislavoie
Copy link
Member

FWIW I do agree this is a good idea.

On the Caddy forums, someone recently inquired about getting the client IP as part of the ask request, which was impossible to add without having some kind of context in which we could pull from. Hopefully we can get at the current TLS handshake info (for the Conn/RemoteAddr) via context? That would be handy to have. (More of a reminder for @mholt since this is in the same ballpark)

@ankon
Copy link
Contributor Author

ankon commented Oct 27, 2023

The "ask" request is a caddy thing, right? As much as you can get all that data from the ClientHelloInfo, I guess you would need to change caddy then to pass it along as request parameters?

(Not to side-track this too much: This PR is just a tiny thing inside certmagic, so quite a step away from the "ask" I would assume)

@mholt
Copy link
Member

mholt commented Oct 27, 2023

Oh man my heart sank when I saw this notification come in because I thought I forgot about an open PR from Framer from like, months ago... but it's only from an hour ago 😅 So that's a relief.

Ok, yeah, this is a good change.

Technically, CertMagic isn't 1.0 yet so I've been OK with making breaking changes even recently, especially those which are very easy to work around (by adding an empty parameter for example). So I'd be OK with just changing DecisionFunc. I'd almost rather do that than have to deal with the removal and make people change their code twice, because I know I won't want both when we tag 1.0. Which I should look into doing in 2024. I think it'll be time soon...

Anyway, how do you feel about just changing DecisionFunc directly then?

EDIT: Just saw the reply above.

The "ask" request is a caddy thing, right? As much as you can get all that data from the ClientHelloInfo, I guess you would need to change caddy then to pass it along as request parameters?

Yeah, it's a Caddy thing that sets up a DecisionFunc. We would modify Caddy for that. I'll talk to Francis about it.

@ankon
Copy link
Contributor Author

ankon commented Oct 27, 2023

Anyway, how do you feel about just changing DecisionFunc directly then?

If we don't need compatibility here, then yes, absolutely: There is really no reason to have the non-context variant except for that compatibility/ease-of-upgrading. If you don't care about the context an implementor could easily ignore it, and it should be trivial to update.

@mholt
Copy link
Member

mholt commented Oct 27, 2023

Yeah, let's just replace DecisionFunc with the new signature. It's an easy change and to be expected before 1.0. Much better now than later.

This "breaks" the API here, but the change should be trivially obvious to an implementor
and it gives a lot less headache later.
Copy link
Member

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thank you!! We might actually use this for something in Caddy.

@mholt mholt merged commit f0038ff into caddyserver:master Oct 30, 2023
6 checks passed
ankon added a commit to framer/caddy that referenced this pull request Oct 31, 2023
ankon added a commit to framer/caddy that referenced this pull request Nov 9, 2023
mholt pushed a commit to caddyserver/caddy that referenced this pull request Dec 7, 2023
mholt pushed a commit to caddyserver/caddy that referenced this pull request Dec 7, 2023
renovate bot referenced this pull request in woodpecker-ci/woodpecker Dec 17, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[github.com/caddyserver/certmagic](https://togithub.com/caddyserver/certmagic)
| require | minor | `v0.19.2` -> `v0.20.0` |
| [github.com/expr-lang/expr](https://togithub.com/expr-lang/expr) |
require | patch | `v1.15.6` -> `v1.15.7` |
| [github.com/google/uuid](https://togithub.com/google/uuid) | require |
minor | `v1.4.0` -> `v1.5.0` |
|
[github.com/jellydator/ttlcache/v3](https://togithub.com/jellydator/ttlcache)
| require | patch | `v3.1.0` -> `v3.1.1` |
| [github.com/mattn/go-sqlite3](https://togithub.com/mattn/go-sqlite3) |
require | patch | `v1.14.18` -> `v1.14.19` |
| [github.com/xanzy/go-gitlab](https://togithub.com/xanzy/go-gitlab) |
require | minor | `v0.94.0` -> `v0.95.2` |
| [google.golang.org/grpc](https://togithub.com/grpc/grpc-go) | require
| minor | `v1.59.0` -> `v1.60.0` |
| [k8s.io/api](https://togithub.com/kubernetes/api) | require | minor |
`v0.28.4` -> `v0.29.0` |
| [k8s.io/apimachinery](https://togithub.com/kubernetes/apimachinery) |
require | minor | `v0.28.4` -> `v0.29.0` |
| [k8s.io/client-go](https://togithub.com/kubernetes/client-go) |
require | minor | `v0.28.4` -> `v0.29.0` |

---

### Release Notes

<details>
<summary>caddyserver/certmagic
(github.com/caddyserver/certmagic)</summary>

###
[`v0.20.0`](https://togithub.com/caddyserver/certmagic/releases/tag/v0.20.0)

[Compare
Source](https://togithub.com/caddyserver/certmagic/compare/v0.19.2...v0.20.0)

This release vastly improves storage cleaning as well improving a few
smaller things. There is a minor breaking change as we get ever closer
to v1.0.

- ⚠️ The `DecisionFunc` for On-Demand TLS now takes a
`context.Context` value as its first argument. The context carries the
`ClientHelloInfo` value (keyed by `ClientHelloInfoCtxKey`) for logging
purposes.
- Storage cleaning is now synchronized across the cluster, including
process restarts. The state of cleaning expired certificates and OCSP
staples is written to storage, and distributed locking is used to ensure
that only 1 instance does it at a time. This greatly reduces costs for
expensive storage backends! Cleaning is also done less often when the
process is frequently restarted because the state is written to storage,
so it is not forgotten after shutting down.
-   `.home.arpa` is now considered an internal suffix.
-   Backoff timings have been tuned based on real-world experience.

#### What's Changed

- README: Add hint about NextProtos for certmagic.TLS by
[@&#8203;oliverpool](https://togithub.com/oliverpool) in
[https://github.com/caddyserver/certmagic/pull/251](https://togithub.com/caddyserver/certmagic/pull/251)
- Bump golang.org/x/net from 0.11.0 to 0.17.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/caddyserver/certmagic/pull/253](https://togithub.com/caddyserver/certmagic/pull/253)
- Optionally pass the context argument down to the OnDemand decision
func by [@&#8203;ankon](https://togithub.com/ankon) in
[https://github.com/caddyserver/certmagic/pull/255](https://togithub.com/caddyserver/certmagic/pull/255)
- Retain the error stack if `checkIfCertShouldBeObtained` returns an
error by [@&#8203;ankon](https://togithub.com/ankon) in
[https://github.com/caddyserver/certmagic/pull/256](https://togithub.com/caddyserver/certmagic/pull/256)
- Add OCSP stapling unit tests by
[@&#8203;kenjenkins](https://togithub.com/kenjenkins) in
[https://github.com/caddyserver/certmagic/pull/259](https://togithub.com/caddyserver/certmagic/pull/259)

#### New Contributors

- [@&#8203;oliverpool](https://togithub.com/oliverpool) made their first
contribution in
[https://github.com/caddyserver/certmagic/pull/251](https://togithub.com/caddyserver/certmagic/pull/251)

**Full Changelog**:
caddyserver/certmagic@v0.19.2...v0.20.0

</details>

<details>
<summary>expr-lang/expr (github.com/expr-lang/expr)</summary>

###
[`v1.15.7`](https://togithub.com/expr-lang/expr/releases/tag/v1.15.7)

[Compare
Source](https://togithub.com/expr-lang/expr/compare/v1.15.6...v1.15.7)

**Expr** is a Go-centric expression language designed to deliver dynamic
configurations with unparalleled accuracy, safety, and speed.

##### In this release:

- Fixed commutative property for comparison between a value and a
pointer. ([#&#8203;490](https://togithub.com/expr-lang/expr/issues/490))
- Checker: forbid accessing built-ins and custom functions from `$env`.
([#&#8203;495](https://togithub.com/expr-lang/expr/issues/495))
- Enhanced the number parser to include support for parsing hexadecimal,
binary, and octal literals.
([#&#8203;483](https://togithub.com/expr-lang/expr/issues/483))
- Added `GetSource()` method to `vm.Program`.
([#&#8203;491](https://togithub.com/expr-lang/expr/issues/491))

</details>

<details>
<summary>google/uuid (github.com/google/uuid)</summary>

### [`v1.5.0`](https://togithub.com/google/uuid/releases/tag/v1.5.0)

[Compare
Source](https://togithub.com/google/uuid/compare/v1.4.0...v1.5.0)

##### Features

- Validate UUID without creating new UUID
([#&#8203;141](https://togithub.com/google/uuid/issues/141))
([9ee7366](https://togithub.com/google/uuid/commit/9ee7366e66c9ad96bab89139418a713dc584ae29))

</details>

<details>
<summary>jellydator/ttlcache
(github.com/jellydator/ttlcache/v3)</summary>

###
[`v3.1.1`](https://togithub.com/jellydator/ttlcache/releases/tag/v3.1.1)

[Compare
Source](https://togithub.com/jellydator/ttlcache/compare/v3.1.0...v3.1.1)

Fix a bug in the `Range` method that causes a panic when the cache is
empty

</details>

<details>
<summary>mattn/go-sqlite3 (github.com/mattn/go-sqlite3)</summary>

###
[`v1.14.19`](https://togithub.com/mattn/go-sqlite3/compare/v1.14.18...v1.14.19)

[Compare
Source](https://togithub.com/mattn/go-sqlite3/compare/v1.14.18...v1.14.19)

</details>

<details>
<summary>xanzy/go-gitlab (github.com/xanzy/go-gitlab)</summary>

###
[`v0.95.2`](https://togithub.com/xanzy/go-gitlab/compare/v0.95.1...v0.95.2)

[Compare
Source](https://togithub.com/xanzy/go-gitlab/compare/v0.95.1...v0.95.2)

###
[`v0.95.1`](https://togithub.com/xanzy/go-gitlab/compare/v0.95.0...v0.95.1)

[Compare
Source](https://togithub.com/xanzy/go-gitlab/compare/v0.95.0...v0.95.1)

###
[`v0.95.0`](https://togithub.com/xanzy/go-gitlab/compare/v0.94.0...v0.95.0)

[Compare
Source](https://togithub.com/xanzy/go-gitlab/compare/v0.94.0...v0.95.0)

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.60.0`](https://togithub.com/grpc/grpc-go/releases/tag/v1.60.0):
Release 1.60.0

[Compare
Source](https://togithub.com/grpc/grpc-go/compare/v1.59.0...v1.60.0)

### Security

- credentials/tls: if not set, set TLS MinVersion to 1.2 and
CipherSuites according to supported suites not forbidden by RFC7540.
- This is a behavior change to bring us into better alignment with RFC
7540.

### API Changes

- resolver: remove deprecated and experimental
`ClientConn.NewServiceConfig`
([#&#8203;6784](https://togithub.com/grpc/grpc-go/issues/6784))
- client: remove deprecated `grpc.WithServiceConfig` `DialOption`
([#&#8203;6800](https://togithub.com/grpc/grpc-go/issues/6800))

### Bug Fixes

- client: fix race that could cause a deadlock while entering idle mode
and receiving a name resolver update
([#&#8203;6804](https://togithub.com/grpc/grpc-go/issues/6804))
- client: always enable TCP keepalives with OS defaults
([#&#8203;6834](https://togithub.com/grpc/grpc-go/issues/6834))
- credentials/alts: fix a bug preventing ALTS from connecting to the
metadata server if the default scheme is overridden
([#&#8203;6686](https://togithub.com/grpc/grpc-go/issues/6686))
- Special Thanks: [@&#8203;mjamaloney](https://togithub.com/mjamaloney)

### Behavior Changes

- server: Do not return from Stop() or GracefulStop() until all
resources are released
([#&#8203;6489](https://togithub.com/grpc/grpc-go/issues/6489))
    -   Special Thanks: [@&#8203;fho](https://togithub.com/fho)

### Documentation

- codes: clarify that only codes defined by this package are valid and
that users should not cast other values to `codes.Code`
([#&#8203;6701](https://togithub.com/grpc/grpc-go/issues/6701))

</details>

<details>
<summary>kubernetes/api (k8s.io/api)</summary>

###
[`v0.29.0`](https://togithub.com/kubernetes/api/compare/v0.28.4...v0.29.0)

[Compare
Source](https://togithub.com/kubernetes/api/compare/v0.28.4...v0.29.0)

</details>

<details>
<summary>kubernetes/apimachinery (k8s.io/apimachinery)</summary>

###
[`v0.29.0`](https://togithub.com/kubernetes/apimachinery/compare/v0.28.4...v0.29.0)

[Compare
Source](https://togithub.com/kubernetes/apimachinery/compare/v0.28.4...v0.29.0)

</details>

<details>
<summary>kubernetes/client-go (k8s.io/client-go)</summary>

###
[`v0.29.0`](https://togithub.com/kubernetes/client-go/compare/v0.28.4...v0.29.0)

[Compare
Source](https://togithub.com/kubernetes/client-go/compare/v0.28.4...v0.29.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am" (UTC), Automerge -
"before 4am" (UTC).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/woodpecker-ci/woodpecker).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy45My4xIiwidXBkYXRlZEluVmVyIjoiMzcuOTMuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Robert Kaussow <[email protected]>
tianze0926 added a commit to tianze0926/caddy that referenced this pull request Dec 20, 2023
* templates: Fix httpInclude (fix caddyserver#5698)

Allowable during feature freeze because this is a simple, non-invasive
bug fix only.

* ci: Use gofumpt to format code (caddyserver#5707)

* go.mod: Upgrade golang.org/x/net to 0.14.0 (caddyserver#5718)

* ci: Add riscv64 (64-bit RISC-V) to goreleaser (caddyserver#5720)

This will add 64-bit RISC-V Linux prebuilts for Caddy.

* ci: Update to Go 1.21 (caddyserver#5719)

* ci: Update to Go 1.21

* Bump quic-go to v0.37.4

* Check EnableFullDuplex err

* Linter bug suppression

See timakin/bodyclose#52

---------

Co-authored-by: Francis Lavoie <[email protected]>

* fileserver: Don't repeat error for invalid method inside error context (caddyserver#5705)

* caddytls: Update docs for on-demand config

* Fix tests

I thought Go ordered JSON objects when marshaling, but I guess not.

* cmd: Require config for caddy validate (fix caddyserver#5612) (caddyserver#5614)

* Require config for caddy validate - fixes caddyserver#5612

Signed-off-by: Pistasj <[email protected]>

* Try making adjacent Caddyfile check its own function

Signed-off-by: Pistasj <[email protected]>

* add Francis' suggestion

Co-authored-by: Francis Lavoie <[email protected]>

* Refactor

* Fix borked commit, sigh

---------

Signed-off-by: Pistasj <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>
Co-authored-by: Matthew Holt <[email protected]>

* fileserver: Slightly more fitting icons

* ci: use gci linter (caddyserver#5708)

* use gofmput to format code

* use gci to format imports

* reconfigure gci

* linter autofixes

* rearrange imports a little

* export GOOS=windows golangci-lint run ./... --fix

* reverseproxy: Always return new upstreams (fix caddyserver#5736) (caddyserver#5752)

* reverseproxy: Always return new upstreams (fix caddyserver#5736)

* Fix healthcheck logger race

* go.mod: Upgrade CertMagic and quic-go

* fix package typo (caddyserver#5764)

Signed-off-by: guoguangwu <[email protected]>

* fileserver: docs: clarify the ability to produce JSON array with `browse` (caddyserver#5751)

* caddyfile: Loosen heredoc parsing (caddyserver#5761)

* httpcaddyfile: Stricter errors for site and upstream address schemes (caddyserver#5757)

Co-authored-by: Mohammed Al Sahaf <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>

* update quic-go to v0.37.6 (caddyserver#5767)

* caddyfile: Adjust error formatting (caddyserver#5765)

* replacer: change timezone to UTC for "time.now.http" placeholders (caddyserver#5774)

* chore: Appease gosec linter (caddyserver#5777)

These happen to be harmless memory aliasing
but I guess the linter can't know that and we
can't really prove it in general.

* go.mod: Update quic-go to v0.38.0 (caddyserver#5772)

* go.mod: Update quic-go to v0.38.0

* run "go mod tidy"

---------

Co-authored-by: Matt Holt <[email protected]>

* caddyfile: Fix case where heredoc marker is empty after newline (caddyserver#5769)

Fixes `panic: runtime error: slice bounds out of range [:3] with capacity 2`

Co-authored-by: Matt Holt <[email protected]>

* ci: ensure short-sha is exported correctly on all platforms (caddyserver#5781)

* fileserver: Export BrowseTemplate

This allows programs embedding Caddy to customize the browse template.

* logging: Clone array on log filters, prevent side-effects (caddyserver#5786)

Fixes https://caddy.community/t/is-caddy-mutating-header-content-from-logging-settings/20947

* logging: query filter for array of strings (caddyserver#5779)

Co-authored-by: Matt Holt <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>

* ci: Run govulncheck (caddyserver#5790)

* feat(ci): check vuln Go mods in CI

* fix(ci): correct directive for govulncheck

* refactor(ci): move govulncheck to lint.yml

* refactor(lint): move govulncheck to different job

* cmd: Prevent overwriting existing env vars with `--envfile` (caddyserver#5803)

Co-authored-by: Francis Lavoie <[email protected]>

* httpcaddyfile: fix placeholder shorthands in named routes (caddyserver#5791)

Co-authored-by: Francis Lavoie <[email protected]>

* reverseproxy: fix nil pointer dereference in AUpstreams.GetUpstreams (caddyserver#5811)

fix a nil pointer dereference in AUpstreams.GetUpstreams when AUpstreams.Versions is not set (fixes caddyserver#5809)

Signed-off-by: Pascal Vorwerk <[email protected]>

* fileserver: browse template SVG icons and UI tweaks (caddyserver#5812)

* fileserver browse.html UI tweaks: folder-symlink icon, search

fileserver browse.html UI tweaks: folder-symlink icon, search

- ui - add folder-symlink SVG icon
- search: use `<input type="search">` instead of `text`
- fix npe with `sizebar.style.width` = null in grid mode

* tabify whitespace

Co-authored-by: Francis Lavoie <[email protected]>

---------

Co-authored-by: Francis Lavoie <[email protected]>

* caddyhttp: Use LimitedReader for HTTPRedirectListener

* build(deps): bump actions/checkout from 3 to 4 (caddyserver#5846)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* build(deps): bump goreleaser/goreleaser-action from 4 to 5 (caddyserver#5847)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* fix: caddytest.AssertResponseCode error message (caddyserver#5853)

* reverseproxy: Allow fallthrough for response handlers without routes (caddyserver#5780)

* templates: Add dummy `RemoteAddr` to `httpInclude` request, proxy compatibility (caddyserver#5845)

* Enhancement: Allow X-Forwarded-For Header in httpInclude Virtual Requests

The goal of this enhancement is to modify the funcHTTPInclude function in the Caddy codebase to include the X-Forwarded-For header in the virtual request. This change will enable reverse proxies to set the X-Forwarded-For header, ensuring that the client's IP address is correctly provided to the target endpoint. This modification is essential for applications that depend on the X-Forwarded-For header for various functionalities, such as authentication, logging, or content customization.

* Updated tplcontext.go - set `virtReq.RemoteAddr = "127.0.0.1"`

i have made the suggested changes

* Apply suggestions from code review

* Update modules/caddyhttp/templates/tplcontext.go

---------

Co-authored-by: Francis Lavoie <[email protected]>

* go.mod: Upgrade dependencies incl. x/net/http

Possibly important for the HTTP/2 Rapid Reset issue.

* fileserver: Add command shortcuts `-l` and `-a` (caddyserver#5854)

* encode: Add `application/wasm*` to the default content types (caddyserver#5869)

* httpcaddyfile: Enable TLS for catch-all site if `tls` directive is specified (caddyserver#5808)

* reverseproxy: Fix retries on "upstreams unavailable" error (caddyserver#5841)

* reverseproxy: fix parsing Caddyfile fails for unlimited request/response buffers (caddyserver#5828)

* cmd: Fix exiting with custom status code, add `caddy -v` (caddyserver#5874)

* Simplify variables for commands

* Add --envfile support for adapt command

* Carry custom status code for commands to os.Exit()

* cmd: add `-v` and `--version` to root caddy command

* Add `--envfile` to `caddy environ`, extract flag parsing to func

---------

Co-authored-by: Mohammed Al Sahaf <[email protected]>

* httpcaddyfile: Sort TLS SNI matcher for deterministic JSON output (caddyserver#5860)

* httpcaddyfile: Sort TLS SNI matcher, for deterministic adapt output

* Update caddyconfig/httpcaddyfile/httptype.go

---------

Co-authored-by: Matt Holt <[email protected]>

* reverseproxy: Replace health header placeholders (caddyserver#5861)

* reverseproxy: Add logging for dynamic A upstreams (caddyserver#5857)

* reverseproxy: Fix `least_conn` policy regression (caddyserver#5862)

* reverseproxy: Add more debug logs (caddyserver#5793)

* reverseproxy: Add more debug logs

This makes debug logging very noisy when reverse proxying, but I guess
that's the point.

This has shown to be useful in troubleshooting infrastructure issues.

* Update modules/caddyhttp/reverseproxy/streaming.go

Co-authored-by: Francis Lavoie <[email protected]>

* Update modules/caddyhttp/reverseproxy/streaming.go

Co-authored-by: Francis Lavoie <[email protected]>

* Add opt-in `trace_logs` option

* Rename to VerboseLogs

---------

Co-authored-by: Francis Lavoie <[email protected]>

* tls: Add X25519Kyber768Draft00 PQ "curve" behind build tag (caddyserver#5852)

… when compiled with cfgo (https://github.com/cloudflare/go).

* fileserver: Set canonical URL on browse template (caddyserver#5867)

* Browse.html: Add canonical URL and home-link

When contents are equal, but maybe just a sort order is different, it is good to add `<link rel="canonical" href="base-path/" />`. This helps search engines propeely index the page.

I also added a link to the home page with the name of `{{.Host}}` just above the bread crumbs to make the page clearer.

https://paste.tnonline.net/files/28Wun5CQZiqA_Screenshot_20231007_134435_Opera.png

* Update browse.html

* ci: Force the Go version for govulncheck (caddyserver#5879)

* admin: Respond with 4xx on non-existing config path (caddyserver#5870)

Co-authored-by: Matt Holt <[email protected]>

* caddyfile: Fix variadic placeholder false positive when token contains `:` (caddyserver#5883)

* cmd: upgrade: resolve symlink of the executable (caddyserver#5891)

* httpcaddyfile: Fix TLS automation policy merging with get_certificate (caddyserver#5896)

* templates: Clarify `include` args docs, add `.ClientIP` (caddyserver#5898)

* core: quic listener will manage the underlying socket by itself (caddyserver#5749)

* core: quic listener will manage the underlying socket by itself.

* format code

* rename sharedQUICTLSConfig to sharedQUICState, and it will now manage the number of active requests

* add comment

* strict unwrap type

* fix unwrap

* remove comment

* cmd: Add newline character to version string in CLI output (caddyserver#5895)

* caddyhttp: Use sync.Pool to reduce lengthReader allocations (caddyserver#5848)

* Use sync.Pool to reduce lengthReader allocations

Signed-off-by: Harish Shan <[email protected]>

* Add defer putLengthReader to prevent leak

Signed-off-by: Harish Shan <[email protected]>

* Cleanup in putLengthReader

Co-authored-by: Francis Lavoie <[email protected]>

---------

Signed-off-by: Harish Shan <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>

* core: Apply SO_REUSEPORT to UDP sockets (caddyserver#5725)

* core: Apply SO_REUSEPORT to UDP sockets

For some reason, 10 months ago when I implemented SO_REUSEPORT
for TCP, I didn't realize, or forgot, that it can be used for UDP too. It is a
much better solution than using deadline hacks to reuse a socket, at
least for TCP.

Then mholt/caddy-l4#132 was posted,
in which we see that UDP servers never actually stopped when the
L4 app was stopped. I verified this using this command:

    $ nc -u 127.0.0.1 55353

combined with POSTing configs to the /load admin endpoint (which
alternated between an echo server and a proxy server so I could tell
which config was being used).

I refactored the code to use SO_REUSEPORT for UDP, but of course
we still need graceful reloads on all platforms, not just Unix, so I
also implemented a deadline hack similar to what we used for
TCP before. That implementation for TCP was not perfect, possibly
having a logical (not data) race condition; but for UDP so far it
seems to be working. Verified the same way I verified that SO_REUSEPORT
works.

I think this code is slightly cleaner and I'm fairly confident this code
is effective.

* Check error

* Fix return

* Fix var name

* implement Unwrap interface and clean up

* move unix packet conn to platform specific file

* implement Unwrap for unix packet conn

* Move sharedPacketConn into proper file

* Fix Windows

* move sharedPacketConn and fakeClosePacketConn to proper file

---------

Co-authored-by: Weidi Deng <[email protected]>

* httpcaddyfile: Remove port from logger names (caddyserver#5881)

Co-authored-by: Matt Holt <[email protected]>

* templates: Delete headers on `httpError` to reset to clean slate (caddyserver#5905)

* go.mod: CVE-2023-45142 Update opentelemetry (caddyserver#5908)

* go.mod: Upgrade quic-go to v0.39.1

* caddyhttp: Adjust `scheme` placeholder docs (caddyserver#5910)

* Upgrade acmeserver to github.com/go-chi/chi/v5 (caddyserver#5913)

This commit upgrades the router used in the acmeserver to
github.com/go-chi/chi/v5. In the latest release of step-ca, the router
used by certificates was upgraded to that version.

Fixes caddyserver#5911

Signed-off-by: Mariano Cano <[email protected]>

* test: acmeserver: add smoke test for the ACME server directory (caddyserver#5914)

* chore: Fix usage pool comment (caddyserver#5916)

* update quic-go to v0.39.3 (caddyserver#5918)

* go.mod: update quic-go version to v0.40.0 (caddyserver#5922)

* Revert "caddyhttp: Use sync.Pool to reduce lengthReader allocations (caddyserver#5848)" (caddyserver#5924)

* fileserver: Add .m4v for browse template icon

* httpredirectlistener: Only set read limit for when request is HTTP (caddyserver#5917)

* chore: Bump otel to v1.21.0. (caddyserver#5949)

Signed-off-by: Dan Lorenc <[email protected]>

* panic when reading from backend failed to propagate stream error (caddyserver#5952)

* http2 uses new round-robin scheduler (caddyserver#5946)

* templates: Offically make templates extensible (caddyserver#5939)

* templates: Offically make templates extensible

This supercedes caddyserver#4757 (and caddyserver#4568) by making template extensions
configurable.

The previous implementation was never documented AFAIK and had only
1 consumer, which I'll notify as a courtesy.

* templates: Add 'maybe' function for optional components

* Try to fix lint error

* tls: accept placeholders in string values of certificate loaders (caddyserver#5963)

* tls: loader: accept placeholders in string values

* appease the linter

* caddytls: Context to DecisionFunc (caddyserver#5923)

See caddyserver/certmagic#255

* caddytls: Sync distributed storage cleaning (caddyserver#5940)

* caddytls: Log out remote addr to detect abuse

* caddytls: Sync distributed storage cleaning

* Handle errors

* Update certmagic to fix tiny bug

* Split off port when logging remote IP

* Upgrade CertMagic

* chore: cross-build for AIX (caddyserver#5971)

* core: Always make AppDataDir for InstanceID (caddyserver#5976)

* cmd: Preserve LastModified date when exporting storage (caddyserver#5968)

* proxyprotocol: use github.com/pires/go-proxyproto (caddyserver#5915)

* proxyprotocol: use github.com/pires/go-proxyproto

* Fix typo: r/generelly/generally

Co-authored-by: Francis Lavoie <[email protected]>

* add config options for `Deny` CIDR and fallback policy

* use `netip` package & trust unix sockets

---------

Co-authored-by: Francis Lavoie <[email protected]>

* caddyhttp: Add `uuid` to access logs when used (caddyserver#5859)

* fileserver: New --precompressed flag (caddyserver#5880)

exposes the file_server precompressed functionality to be used with the
file-server command

Co-authored-by: Matt Holt <[email protected]>

* fileserver: Enable compression for command by default (caddyserver#5855)

* feat: enable compression for file-server

* refactor

* const

* Update help text

* Update modules/caddyhttp/fileserver/command.go

---------

Co-authored-by: Francis Lavoie <[email protected]>
Co-authored-by: Matt Holt <[email protected]>

* go.mod: Updated quic-go to v0.40.1 (caddyserver#5983)

* metrics: Record request metrics on HTTP errors (caddyserver#5979)

* httpcaddyfile: Sort skip_hosts for deterministic JSON (caddyserver#5990)

* httpcaddyfile: Sort skip_hosts for deterministic JSON

* Update caddyconfig/httpcaddyfile/httptype.go

Co-authored-by: Mohammed Al Sahaf <[email protected]>

* Fix test

* Bah

---------

Co-authored-by: Mohammed Al Sahaf <[email protected]>

* logging: Add `zap.Option` support (caddyserver#5944)

* cmd: use automaxprocs for better perf in containers (caddyserver#5711)

* feat: use automaxprocs for better perf in containers

* better logs

* cs

* build(deps): bump golang.org/x/crypto from 0.16.0 to 0.17.0 (caddyserver#5994)

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.16.0 to 0.17.0.
- [Commits](golang/crypto@v0.16.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: Pistasj <[email protected]>
Signed-off-by: guoguangwu <[email protected]>
Signed-off-by: Pascal Vorwerk <[email protected]>
Signed-off-by: Harish Shan <[email protected]>
Signed-off-by: Mariano Cano <[email protected]>
Signed-off-by: Dan Lorenc <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Matthew Holt <[email protected]>
Co-authored-by: Jacob Gadikian <[email protected]>
Co-authored-by: Shyim <[email protected]>
Co-authored-by: Aaron Dewes <[email protected]>
Co-authored-by: Francis Lavoie <[email protected]>
Co-authored-by: pistasjis <[email protected]>
Co-authored-by: guangwu <[email protected]>
Co-authored-by: Mohammed Al Sahaf <[email protected]>
Co-authored-by: Karun Agarwal <[email protected]>
Co-authored-by: Marten Seemann <[email protected]>
Co-authored-by: WeidiDeng <[email protected]>
Co-authored-by: Paul Jeannot <[email protected]>
Co-authored-by: Đỗ Trọng Hải <[email protected]>
Co-authored-by: Evan Van Dam <[email protected]>
Co-authored-by: Pascal Vorwerk <[email protected]>
Co-authored-by: glowinthedark <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Kévin Dunglas <[email protected]>
Co-authored-by: Patrick Koenig <[email protected]>
Co-authored-by: Thanmay Nath <[email protected]>
Co-authored-by: Christoph <[email protected]>
Co-authored-by: Fred Cox <[email protected]>
Co-authored-by: Bas Westerbaan <[email protected]>
Co-authored-by: Forza <[email protected]>
Co-authored-by: Norman Soetbeer <[email protected]>
Co-authored-by: Harish Shan <[email protected]>
Co-authored-by: Ethan Brown (Domino) <[email protected]>
Co-authored-by: Mariano Cano <[email protected]>
Co-authored-by: dlorenc <[email protected]>
Co-authored-by: Andreas Kohn <[email protected]>
Co-authored-by: Benjamin Marwell <[email protected]>
Co-authored-by: Aziz Rmadi <[email protected]>
Co-authored-by: Jens-Uwe Mager <[email protected]>
Co-authored-by: David DeMoss <[email protected]>
Co-authored-by: Tim Geoghegan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants