tls: Add support for the tls-alpn-01 challenge (#2201)

* tls: Add support for the tls-alpn-01 challenge Also updates lego/acme to latest on master. TODO: This implementation of the tls-alpn challenge is not yet solvable in a distributed Caddy cluster like the http challenge is. * build: Allow building with the race detector * tls: Support distributed solving of the TLS-ALPN-01 challenge * Update vendor and add a todo in MITM checker
2026-05-24 08:26:58 -04:00 · 2018-12-05 17:33:23 -07:00
parent ae5f013a48
commit 09188981c4
37 changed files with 822 additions and 319 deletions
--- a/caddyhttp/httpserver/https.go
+++ b/caddyhttp/httpserver/https.go
@@ -207,7 +207,7 @@ func redirPlaintextHost(cfg *SiteConfig) *SiteConfig {
 		Addr:       Address{Original: addr, Host: host, Port: port},
 		ListenHost: cfg.ListenHost,
 		middleware: []Middleware{redirMiddleware},
-		TLS:        &caddytls.Config{AltHTTPPort: cfg.TLS.AltHTTPPort, AltTLSSNIPort: cfg.TLS.AltTLSSNIPort},
+		TLS:        &caddytls.Config{AltHTTPPort: cfg.TLS.AltHTTPPort, AltTLSALPNPort: cfg.TLS.AltTLSALPNPort},
 		Timeouts:   cfg.Timeouts,
 	}
 }
--- a/caddyhttp/httpserver/mitm.go
+++ b/caddyhttp/httpserver/mitm.go
@@ -74,6 +74,7 @@ func (h *tlsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if r.Header.Get("X-BlueCoat-Via") != "" || // Blue Coat (masks User-Agent header to generic values)
 		r.Header.Get("X-FCCKV2") != "" || // Fortinet
 		info.advertisesHeartbeatSupport() { // no major browsers have ever implemented Heartbeat
+		// TODO: Move the heartbeat check into each "looksLike" function...
 		checked = true
 		mitm = true
 	} else if strings.Contains(ua, "Edge") || strings.Contains(ua, "MSIE") ||
--- a/caddyhttp/httpserver/plugin.go
+++ b/caddyhttp/httpserver/plugin.go
@@ -169,12 +169,12 @@ func (h *httpContext) InspectServerBlocks(sourceFile string, serverBlocks []cadd

 			// If default HTTP or HTTPS ports have been customized,
 			// make sure the ACME challenge ports match
-			var altHTTPPort, altTLSSNIPort string
+			var altHTTPPort, altTLSALPNPort string
 			if HTTPPort != DefaultHTTPPort {
 				altHTTPPort = HTTPPort
 			}
 			if HTTPSPort != DefaultHTTPSPort {
-				altTLSSNIPort = HTTPSPort
+				altTLSALPNPort = HTTPSPort
 			}

 			// Make our caddytls.Config, which has a pointer to the
@@ -183,7 +183,7 @@ func (h *httpContext) InspectServerBlocks(sourceFile string, serverBlocks []cadd
 			caddytlsConfig := caddytls.NewConfig(h.instance)
 			caddytlsConfig.Hostname = addr.Host
 			caddytlsConfig.AltHTTPPort = altHTTPPort
-			caddytlsConfig.AltTLSSNIPort = altTLSSNIPort
+			caddytlsConfig.AltTLSALPNPort = altTLSALPNPort

 			// Save the config to our master list, and key it for lookups
 			cfg := &SiteConfig{