* caddytls: Prefer managed wildcard certs over individual subdomain certs
* Repurpose force_automate as no_wildcard
* Fix a couple bugs
* Restore force_automate and use automate loader as wildcard override
* caddyauth: Set authentication provider error in placeholder for handle_errors directive
* caddyauth: Simplify error placeholder setting for authentication provider
Currently if we extract the DialInfo from a Request Context during an active health check, then the Upstream in the DialInfo is nil.
This PR attempts to set the Upstream to a sensible value, based on wether or not the Upstream has been overriden in the active health check's config.
* events: Refactor; move Event into core, so core can emit events
Requires some slight trickery to invert dependencies. We can't have the caddy package import the caddyevents package, because caddyevents imports caddy. Interface to the rescue!
Also add two new events, experimentally: started, and stopping. At the request of a sponsor.
Also rename "Filesystems" to "FileSystems" to match Go convention (unrelated to events, was just bugging me when I noticed it).
* Coupla bug fixes
* lol whoops
* core: add modular `network_proxy` support
Co-authored-by: @ImpostorKeanu
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* move modules around
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* add caddyfile implementation
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* address feedbcak
* Apply suggestions from code review
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* adapt ForwardProxyURL to use the NetworkProxyRaw
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* remove redundant `url` in log
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* code review
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* remove `.source` from the module ID
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Publishing a DNS record for a name that doesn't have any could make wildcards ineffective, which would be surprising for site owners and could lead to downtime.
* caddytls: Initial commit of Encrypted ClientHello (ECH)
* WIP Caddyfile
* Fill out Caddyfile support
* Enhance godoc comments
* Augment, don't overwrite, HTTPS records
* WIP
* WIP: publication history
* Fix republication logic
* Apply global DNS module to ACME challenges
This allows DNS challenges to be enabled without locally-configured DNS modules
* Ignore false positive from prealloc linter
* ci: Use only latest Go version (1.24 currently)
We no longer support older Go versions, for security benefits.
* Remove old commented code
Static ECH keys for now
* Implement SendAsRetry
* use UTC timezone for modified time
* use http.ParseTime to handle If-Modified-Since
* use time.Compare to simplify comparison
* take the directory's modtime into consideration when calculating lastModified
* update comments about If-Modified-Since's handling
This reverts commit 932dac157a.
Somehow the code I was looking at changed when I committed, without realizing it. This has already been fixed in #6777.
* reverse_proxy: re-add healthy upstreams metric
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* lint
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* buffer requests for fastcgi by default
* fix import cycle
* fix the return value of bufferedBody
* more comments about fastcgi buffering
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* encode: write status immediate for success response for CONNECT requests
* fix compile
* fix test
* fix lint
* treat first write and flush for encode response writer to CONNECT request as success if status is not set explicitly
* reverse proxy: rewrite requests and responses for websocket over http2
* delete protocol pseudo-header
* modify cloned requests
* set request variable to track if it's a h2 websocket
* use request bodu
* rewrite request body
* use WebSocket instead of Websocket in the headers
* use logger check for zap loggers
* fix lint
* fix: handle "request body too large" error using type assertion
* fix: address overlooked nil check for MaxBytesError
* fix: replace type assertion with errors.As() for MaxBytesError
i.e. Revert commit f5dce84a70
Two years ago, the patch in #4952 was a seemingly necessary way to fix an issue (sort of an edge case), but it broke other more common use cases (see #6666).
Now, as of #6669, it seems like the original issue can no longer be replicated, so we are reverting that patch, because it was incorrect anyway.
If it turns out the original issue returns, a more proper patch may be in #6669 (even if used as a baseline for a future fix). A potential future fix could be an opt-in setting.
* Allow 0 as weights
Change positive to non-negative
* reverseproxy: allow 0 as weighted round robin value
* test: add more wrr select test
---------
Co-authored-by: peanutduck <peanutduck@yahoo.com>
* caddyhttp: Add `MatchWithError` to replace SetVar hack
* Error in IP matchers on TLS handshake not complete
* Use MatchWithError everywhere possible
* Move implementations to MatchWithError versions
* Looser interface checking to allow fallback
* CEL factories can return RequestMatcherWithError
* Clarifying comment since it's subtle that an err is returned
* Return 425 Too Early status in IP matchers
* Keep AnyMatch signature the same for now
* Apparently Deprecated can't be all-uppercase to get IDE linting
* Linter
