Stowage/caddy
2
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-10-19 07:43:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

caddypki: Disable internal auto-CA when auto_https is disabled (fix #7211) (#7238)

Browse source 
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
This commit is contained in:
Pavel 2025-09-05 17:41:06 +02:00 committed by GitHub
parent 38848f7f25
commit d9cc24f3df
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 29 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
caddyconfig/httpcaddyfile/pkiapp.go
View file

@ -15,6 +15,8 @@
package httpcaddyfile
import (
"slices"
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
@ -178,6 +180,15 @@ func (st ServerType) buildPKIApp(
if _, ok := options["skip_install_trust"]; ok {
skipInstallTrust = true
}
// check if auto_https is off - in that case we should not create
// any PKI infrastructure even with skip_install_trust directive
autoHTTPS := []string{}
if ah, ok := options["auto_https"].([]string); ok {
autoHTTPS = ah
}
autoHTTPSOff := slices.Contains(autoHTTPS, "off")
falseBool := false
// Load the PKI app configured via global options
@ -218,7 +229,8 @@ func (st ServerType) buildPKIApp(
// if there was no CAs defined in any of the servers,
// and we were requested to not install trust, then
// add one for the default/local CA to do so
if len(pkiApp.CAs) == 0 && skipInstallTrust {
// only if auto_https is not completely disabled
if len(pkiApp.CAs) == 0 && skipInstallTrust && !autoHTTPSOff {
ca := new(caddypki.CA)
ca.ID = caddypki.DefaultCAID
ca.InstallTrust = &falseBool

16
modules/caddyhttp/autohttps.go
View file

@ -265,6 +265,22 @@ func (app *App) automaticHTTPSPhase1(ctx caddy.Context, repl *caddy.Replacer) er
}
}
// if all servers have auto_https disabled and no domains need certs,
// skip the rest of the TLS automation setup to avoid creating
// unnecessary PKI infrastructure and automation policies
allServersDisabled := true
for _, srv := range app.Servers {
if srv.AutoHTTPS == nil || !srv.AutoHTTPS.Disabled {
allServersDisabled = false
break
}
}
if allServersDisabled && len(uniqueDomainsForCerts) == 0 {
logger.Debug("all servers have automatic HTTPS disabled and no domains need certificates, skipping TLS automation setup")
return nil
}
// we now have a list of all the unique names for which we need certs
var internal, tailscale []string
uniqueDomainsLoop: