From 1f47357e622dbe235fa60e8e9b14c124198e8369 Mon Sep 17 00:00:00 2001
From: Pavel Siomachkin
Date: Fri, 21 Nov 2025 18:55:17 +0100
Subject: [PATCH] Rename resolvers to tls_resolvers and limit scope to TLS/ACME operations only
---
 caddyconfig/httpcaddyfile/options.go | 4 +-
 caddyconfig/httpcaddyfile/tlsapp.go | 4 +-
 .../global_options_resolvers.caddyfiletest | 2 +-
 ...ons_resolvers_http_challenge.caddyfiletest | 2 +-
 ..._resolvers_local_dns_inherit.caddyfiletest | 2 +-
 ...ons_resolvers_local_override.caddyfiletest | 2 +-
 ...obal_options_resolvers_mixed.caddyfiletest | 2 +-
 .../caddyhttp/reverseproxy/httptransport.go | 28 --------
 modules/caddyhttp/reverseproxy/upstreams.go | 57 -------------------
 modules/caddytls/tls.go | 3 +-
 10 files changed, 11 insertions(+), 95 deletions(-)
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index a68d54dc4..2262864ac 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -64,7 +64,7 @@ func init() {
 RegisterGlobalOption("preferred_chains", parseOptPreferredChains)
 RegisterGlobalOption("persist_config", parseOptPersistConfig)
 RegisterGlobalOption("dns", parseOptDNS)
- RegisterGlobalOption("resolvers", parseOptResolvers)
+ RegisterGlobalOption("tls_resolvers", parseOptTLSResolvers)
 RegisterGlobalOption("ech", parseOptECH)
 }
 
@@ -306,7 +306,7 @@ func parseOptSingleString(d *caddyfile.Dispenser, _ any) (any, error) {
 return val, nil
 }
 
-func parseOptResolvers(d *caddyfile.Dispenser, _ any) (any, error) {
+func parseOptTLSResolvers(d *caddyfile.Dispenser, _ any) (any, error) {
 d.Next() // consume option name
 resolvers := d.RemainingArgs()
 if len(resolvers) == 0 {
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index a126d7d10..6682aedf7 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
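Review bot: The registration in `init` drops the `resolvers` keyword outright when it switches to `tls_resolvers`, so a Caddyfile that already uses `resolvers` will fail to adapt with a generic unrecognized-option error rather than a migration hint. If `resolvers` shipped in a tagged release, consider keeping a deprecated alias for one release — e.g. `RegisterGlobalOption("resolvers", parseOptTLSResolvers)` with a deprecation warning emitted by the parser — or at least call the rename out in the release notes. The error text returned inside `parseOptTLSResolvers` when `len(resolvers) == 0` sits outside the hunk; if it still names `resolvers`, it should say `tls_resolvers` as well.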
@@ -363,7 +363,7 @@ func (st ServerType) buildTLSApp(
 }
 
 // set up "global" (to the TLS app) DNS resolvers config
- if globalResolvers, ok := options["resolvers"]; ok && globalResolvers != nil {
+ if globalResolvers, ok := options["tls_resolvers"]; ok && globalResolvers != nil {
 tlsApp.Resolvers = globalResolvers.([]string)
 }
 
@@ -630,7 +630,7 @@ func fillInGlobalACMEDefaults(issuer certmagic.Issuer, options map[string]any) e
 acmeIssuer.CertificateLifetime = globalCertLifetime.(caddy.Duration)
 }
 // apply global resolvers if DNS challenge is configured and resolvers are not already set
- globalResolvers := options["resolvers"]
+ globalResolvers := options["tls_resolvers"]
 if globalResolvers != nil && acmeIssuer.Challenges != nil && acmeIssuer.Challenges.DNS != nil {
 // Check if DNS challenge is actually configured
 hasDNSChallenge := globalACMEDNSok || acmeIssuer.Challenges.DNS.ProviderRaw != nil
diff --git a/caddytest/integration/caddyfile_adapt/global_options_resolvers.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_resolvers.caddyfiletest
index 7ab0fb4a4..7043b5da3 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers.caddyfiletest
@@ -1,7 +1,7 @@
 {
 email test@example.com
 dns mock
- resolvers 1.1.1.1 8.8.8.8
+ tls_resolvers 1.1.1.1 8.8.8.8
 acme_dns
 }
 
diff --git a/caddytest/integration/caddyfile_adapt/global_options_resolvers_http_challenge.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_resolvers_http_challenge.caddyfiletest
index 7b6c9de42..d375dc711 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_http_challenge.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_http_challenge.caddyfiletest
@@ -1,5 +1,5 @@
 {
- resolvers 1.1.1.1 8.8.8.8
+ tls_resolvers 1.1.1.1 8.8.8.8
 }
 
 example.com {
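Review bot: The option key `"tls_resolvers"` is spelled as a bare string literal in three places — the registration in options.go and the two lookups here in `buildTLSApp` and `fillInGlobalACMEDefaults` — which is exactly what turned this rename into a multi-file edit and is how a key can silently drift between the parser and its consumers. A small named constant shared by the two files, e.g. `const optTLSResolvers = "tls_resolvers"`, used as `RegisterGlobalOption(optTLSResolvers, parseOptTLSResolvers)` and `options[optTLSResolvers]`, would keep them in lockstep. Both enclosing functions start and end outside these hunks.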
diff --git a/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_dns_inherit.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_dns_inherit.caddyfiletest
index e715a2894..20385f84b 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_dns_inherit.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_dns_inherit.caddyfiletest
@@ -1,7 +1,7 @@
 {
 email test@example.com
 dns mock
- resolvers 1.1.1.1 8.8.8.8
+ tls_resolvers 1.1.1.1 8.8.8.8
 }
 
 example.com {
diff --git a/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_override.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_override.caddyfiletest
index f78301c4d..27f7d09d3 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_override.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_local_override.caddyfiletest
@@ -1,7 +1,7 @@
 {
 email test@example.com
 dns mock
- resolvers 1.1.1.1 8.8.8.8
+ tls_resolvers 1.1.1.1 8.8.8.8
 acme_dns
 }
 
diff --git a/caddytest/integration/caddyfile_adapt/global_options_resolvers_mixed.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_resolvers_mixed.caddyfiletest
index 96996a437..3a4b5571c 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_resolvers_mixed.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_resolvers_mixed.caddyfiletest
@@ -1,7 +1,7 @@
 {
 email test@example.com
 dns mock
- resolvers 1.1.1.1 8.8.8.8
+ tls_resolvers 1.1.1.1 8.8.8.8
 acme_dns
 }
 
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
index 18d4f02b6..1e4cfa743 100644
--- a/modules/caddyhttp/reverseproxy/httptransport.go
+++ b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -269,34 +269,6 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 },
 }
- } else {
- // If no local resolver is configured, check for global resolvers from TLS app
- tlsAppIface, err := caddyCtx.App("tls")
- if err == nil {
- tlsApp := tlsAppIface.(*caddytls.TLS)
- if len(tlsApp.Resolvers) > 0 {
- // Create UpstreamResolver from global resolvers
- h.Resolver = &UpstreamResolver{
- Addresses: tlsApp.Resolvers,
- }
- err := h.Resolver.ParseAddresses()
- if err != nil {
- return nil, err
- }
- d := &net.Dialer{
- Timeout: time.Duration(h.DialTimeout),
- FallbackDelay: time.Duration(h.FallbackDelay),
- }
- dialer.Resolver = &net.Resolver{
- PreferGo: true,
- Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
- //nolint:gosec
- addr := h.Resolver.netAddrs[weakrand.Intn(len(h.Resolver.netAddrs))]
- return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
- },
- }
- }
- }
 }
 
 dialContext := func(ctx context.Context, network, address string) (net.Conn, error) {
diff --git a/modules/caddyhttp/reverseproxy/upstreams.go b/modules/caddyhttp/reverseproxy/upstreams.go
index d9eb1e9f7..e9eb7e60a 100644
--- a/modules/caddyhttp/reverseproxy/upstreams.go
+++ b/modules/caddyhttp/reverseproxy/upstreams.go
@@ -15,7 +15,6 @@ import (
 "go.uber.org/zap/zapcore"
 
 "github.com/caddyserver/caddy/v2"
- "github.com/caddyserver/caddy/v2/modules/caddytls"
 )
 
 func init() {
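Review bot: Removing the `else` branch means an `HTTPTransport` with no local `Resolver` now goes straight to the system resolver even when `tls_resolvers` is set, a user-visible behavior change for anyone who relied on upstream lookups inheriting the global resolvers; the same fallback is removed from `SRVUpstreams.Provision` and `AUpstreams.Provision` in upstreams.go. The `Resolver` field documentation on these three types is outside the hunks — if it still says the TLS app's resolvers apply when no local resolver is configured, it needs updating in this commit, and the change deserves an explicit upgrade note. A one-line comment at the remaining closing brace, e.g. `// no fallback to tls_resolvers: reverse proxy resolution is independent of the TLS app`, would stop the next reader from re-adding the inheritance. `NewTransport` and the two `Provision` methods start and end outside the hunks.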
@@ -107,34 +106,6 @@ func (su *SRVUpstreams) Provision(ctx caddy.Context) error {
 return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 },
 }
- } else {
- // If no local resolver is configured, check for global resolvers from TLS app
- tlsAppIface, err := ctx.App("tls")
- if err == nil {
- tlsApp := tlsAppIface.(*caddytls.TLS)
- if len(tlsApp.Resolvers) > 0 {
- // Create UpstreamResolver from global resolvers
- su.Resolver = &UpstreamResolver{
- Addresses: tlsApp.Resolvers,
- }
- err := su.Resolver.ParseAddresses()
- if err != nil {
- return err
- }
- d := &net.Dialer{
- Timeout: time.Duration(su.DialTimeout),
- FallbackDelay: time.Duration(su.FallbackDelay),
- }
- su.resolver = &net.Resolver{
- PreferGo: true,
- Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
- //nolint:gosec
- addr := su.Resolver.netAddrs[weakrand.Intn(len(su.Resolver.netAddrs))]
- return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
- },
- }
- }
- }
 }
 if su.resolver == nil {
 su.resolver = net.DefaultResolver
@@ -355,34 +326,6 @@ func (au *AUpstreams) Provision(ctx caddy.Context) error {
 return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 },
 }
- } else {
- // If no local resolver is configured, check for global resolvers from TLS app
- tlsAppIface, err := ctx.App("tls")
- if err == nil {
- tlsApp := tlsAppIface.(*caddytls.TLS)
- if len(tlsApp.Resolvers) > 0 {
- // Create UpstreamResolver from global resolvers
- au.Resolver = &UpstreamResolver{
- Addresses: tlsApp.Resolvers,
- }
- err := au.Resolver.ParseAddresses()
- if err != nil {
- return err
- }
- d := &net.Dialer{
- Timeout: time.Duration(au.DialTimeout),
- FallbackDelay: time.Duration(au.FallbackDelay),
- }
- au.resolver = &net.Resolver{
- PreferGo: true,
- Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
- //nolint:gosec
- addr := au.Resolver.netAddrs[weakrand.Intn(len(au.Resolver.netAddrs))]
- return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
- },
- }
- }
- }
 }
 if au.resolver == nil {
 au.resolver = net.DefaultResolver
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index b2b811631..c64753a85 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -125,7 +125,8 @@ type TLS struct {
 DNSRaw json.RawMessage `json:"dns,omitempty" caddy:"namespace=dns.providers inline_key=name"`
 dns any // technically, it should be any/all of the libdns interfaces (RecordSetter, RecordAppender, etc.)
 
- // The default DNS resolvers to use when performing DNS queries for ACME DNS challenges.
+ // The default DNS resolvers to use for TLS-related DNS operations, specifically
+ for ACME DNS challenges and ACME server DNS validations.
 // If not specified, the system default resolvers will be used.
 //
 // EXPERIMENTAL: Subject to change.
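Review bot: As rendered here the second added doc line in the `TLS` struct reads `+ for ACME DNS challenges and ACME server DNS validations.` with no leading `//`; if that is not an artifact of how this patch was captured, it is a stray token inside the struct body and will not compile, so please confirm the line is `// for ACME DNS challenges and ACME server DNS validations.`. Since this commit also stops the reverse proxy from inheriting these resolvers, the field comment is the natural place to say so — e.g. add `// These resolvers are not used for reverse proxy upstream resolution; configure the transport's resolver for that.` — because the field itself is not touched by this patch and a reader would otherwise assume the previous, broader scope. The `TLS` struct continues outside the hunk.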