Rename resolvers to tls_resolvers and limit scope to TLS/ACME operations only

2025-12-08 06:09:53 +00:00 · 2025-11-21 18:55:17 +01:00 · 2025-11-21 18:55:17 +01:00 · 1f47357e62
commit 1f47357e62
parent 83175d6d59
10 changed files with 11 additions and 95 deletions
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@ -64,7 +64,7 @@ func init() {
 	RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 	RegisterGlobalOption("persist_config", parseOptPersistConfig)
 	RegisterGlobalOption("dns", parseOptDNS)
-	RegisterGlobalOption("resolvers", parseOptResolvers)
+	RegisterGlobalOption("tls_resolvers", parseOptTLSResolvers)
 	RegisterGlobalOption("ech", parseOptECH)
 }

@ -306,7 +306,7 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 	return val, nil
 }

-func parseOptResolvers(d *caddyfile.Dispenser, _ any) (any, error) {
+func parseOptTLSResolvers(d *caddyfile.Dispenser, _ any) (any, error) {
 	d.Next() // consume option name
 	resolvers := d.RemainingArgs()
 	if len(resolvers) == 0 {
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@ -363,7 +363,7 @@ func (st ServerType) buildTLSApp(
 	}

 	// set up "global" (to the TLS app) DNS resolvers config
-	if globalResolvers, ok := options["resolvers"]; ok && globalResolvers != nil {
+	if globalResolvers, ok := options["tls_resolvers"]; ok && globalResolvers != nil {
 		tlsApp.Resolvers = globalResolvers.([]string)
 	}

@ -630,7 +630,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 		acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
 	}
 	// apply global resolvers if DNS challenge is configured and resolvers are not already set
-	globalResolvers := options["resolvers"]
+	globalResolvers := options["tls_resolvers"]
 	if globalResolvers != nil && acmeIssuer.Challenges != nil && acmeIssuer.Challenges.DNS != nil {
 		// Check if DNS challenge is actually configured
 		hasDNSChallenge := globalACMEDNSok || acmeIssuer.Challenges.DNS.ProviderRaw != nil
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers.caddyfiletest
@ -1,7 +1,7 @@
 {
 	email test@example.com
 	dns mock
-	resolvers 1.1.1.1 8.8.8.8
+	tls_resolvers 1.1.1.1 8.8.8.8
 	acme_dns
 }

--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_http_challenge.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_http_challenge.caddyfiletest
@ -1,5 +1,5 @@
 {
-	resolvers 1.1.1.1 8.8.8.8
+	tls_resolvers 1.1.1.1 8.8.8.8
 }

 example.com {
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_dns_inherit.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_dns_inherit.caddyfiletest
@ -1,7 +1,7 @@
 {
 	email test@example.com
 	dns mock
-	resolvers 1.1.1.1 8.8.8.8
+	tls_resolvers 1.1.1.1 8.8.8.8
 }

 example.com {
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_override.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_override.caddyfiletest
@ -1,7 +1,7 @@
 {
 	email test@example.com
 	dns mock
-	resolvers 1.1.1.1 8.8.8.8
+	tls_resolvers 1.1.1.1 8.8.8.8
 	acme_dns
 }

--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_mixed.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_mixed.caddyfiletest
@ -1,7 +1,7 @@
 {
 	email test@example.com
 	dns mock
-	resolvers 1.1.1.1 8.8.8.8
+	tls_resolvers 1.1.1.1 8.8.8.8
 	acme_dns
 }

--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@ -269,34 +269,6 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
-	} else {
-		// If no local resolver is configured, check for global resolvers from TLS app
-		tlsAppIface, err := caddyCtx.App("tls")
-		if err == nil {
-			tlsApp := tlsAppIface.(*caddytls.TLS)
-			if len(tlsApp.Resolvers) > 0 {
-				// Create UpstreamResolver from global resolvers
-				h.Resolver = &UpstreamResolver{
-					Addresses: tlsApp.Resolvers,
-				}
-				err := h.Resolver.ParseAddresses()
-				if err != nil {
-					return nil, err
-				}
-				d := &net.Dialer{
-					Timeout:       time.Duration(h.DialTimeout),
-					FallbackDelay: time.Duration(h.FallbackDelay),
-				}
-				dialer.Resolver = &net.Resolver{
-					PreferGo: true,
-					Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
-						//nolint:gosec
-						addr := h.Resolver.netAddrs[weakrand.Intn(len(h.Resolver.netAddrs))]
-						return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
-					},
-				}
-			}
-		}
 	}

 	dialContext := func(ctx context.Context, network, address string) (net.Conn, error) {
--- a/modules/caddyhttp/reverseproxy/upstreams.go
+++ b/modules/caddyhttp/reverseproxy/upstreams.go
@ -15,7 +15,6 @@ import (
 	"go.uber.org/zap/zapcore"

 	"github.com/caddyserver/caddy/v2"
-	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )

 func init() {
@ -107,34 +106,6 @@ func (su *SRVUpstreams) Provision(ctx caddy.Context) error {
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
-	} else {
-		// If no local resolver is configured, check for global resolvers from TLS app
-		tlsAppIface, err := ctx.App("tls")
-		if err == nil {
-			tlsApp := tlsAppIface.(*caddytls.TLS)
-			if len(tlsApp.Resolvers) > 0 {
-				// Create UpstreamResolver from global resolvers
-				su.Resolver = &UpstreamResolver{
-					Addresses: tlsApp.Resolvers,
-				}
-				err := su.Resolver.ParseAddresses()
-				if err != nil {
-					return err
-				}
-				d := &net.Dialer{
-					Timeout:       time.Duration(su.DialTimeout),
-					FallbackDelay: time.Duration(su.FallbackDelay),
-				}
-				su.resolver = &net.Resolver{
-					PreferGo: true,
-					Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
-						//nolint:gosec
-						addr := su.Resolver.netAddrs[weakrand.Intn(len(su.Resolver.netAddrs))]
-						return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
-					},
-				}
-			}
-		}
 	}
 	if su.resolver == nil {
 		su.resolver = net.DefaultResolver
@ -355,34 +326,6 @@ func (au *AUpstreams) Provision(ctx caddy.Context) error {
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
-	} else {
-		// If no local resolver is configured, check for global resolvers from TLS app
-		tlsAppIface, err := ctx.App("tls")
-		if err == nil {
-			tlsApp := tlsAppIface.(*caddytls.TLS)
-			if len(tlsApp.Resolvers) > 0 {
-				// Create UpstreamResolver from global resolvers
-				au.Resolver = &UpstreamResolver{
-					Addresses: tlsApp.Resolvers,
-				}
-				err := au.Resolver.ParseAddresses()
-				if err != nil {
-					return err
-				}
-				d := &net.Dialer{
-					Timeout:       time.Duration(au.DialTimeout),
-					FallbackDelay: time.Duration(au.FallbackDelay),
-				}
-				au.resolver = &net.Resolver{
-					PreferGo: true,
-					Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
-						//nolint:gosec
-						addr := au.Resolver.netAddrs[weakrand.Intn(len(au.Resolver.netAddrs))]
-						return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
-					},
-				}
-			}
-		}
 	}
 	if au.resolver == nil {
 		au.resolver = net.DefaultResolver
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@ -125,7 +125,8 @@ type TLS struct {
 	DNSRaw json.RawMessage `json:"dns,omitempty" caddy:"namespace=dns.providers inline_key=name"`
 	dns    any             // technically, it should be any/all of the libdns interfaces (RecordSetter, RecordAppender, etc.)

-	// The default DNS resolvers to use when performing DNS queries for ACME DNS challenges.
+	// The default DNS resolvers to use for TLS-related DNS operations, specifically
+	// for ACME DNS challenges and ACME server DNS validations.
 	// If not specified, the system default resolvers will be used.
 	//
 	// EXPERIMENTAL: Subject to change.