tls: Per-site TLS configs using GetClientConfig, including http2 switch (#1389)

* Remove manual TLS clone method * WiP tls * Use GetClientConfig for tls.Config * gofmt -s -w * GetConfig * Handshake * Removed comment * Disable HTTP2 on demand * Remove junk * Remove http2 enable (no-op)
2026-05-24 00:19:53 -04:00 · 2017-02-18 23:26:23 +01:00
parent 977a3c3226
commit 286d8d1e89
8 changed files with 190 additions and 206 deletions
--- a/caddyhttp/httpserver/server.go
+++ b/caddyhttp/httpserver/server.go
@@ -31,6 +31,7 @@ type Server struct {
 	connTimeout time.Duration // max time to wait for a connection before force stop
 	tlsGovChan  chan struct{} // close to stop the TLS maintenance goroutine
 	vhosts      *vhostTrie
+	tlsConfig   caddytls.ConfigGroup
 }

 // ensure it satisfies the interface
@@ -72,16 +73,31 @@ func NewServer(addr string, group []*SiteConfig) (*Server, error) {
 	}

 	// Set up TLS configuration
-	var tlsConfigs []*caddytls.Config
+	tlsConfigs := make(caddytls.ConfigGroup)
+	var allConfigs []*caddytls.Config
+
 	for _, site := range group {
-		tlsConfigs = append(tlsConfigs, site.TLS)
+
+		if err := site.TLS.Build(tlsConfigs); err != nil {
+			return nil, err
+		}
+
+		tlsConfigs[site.TLS.Hostname] = site.TLS
+		allConfigs = append(allConfigs, site.TLS)
 	}
-	var err error
-	s.Server.TLSConfig, err = caddytls.MakeTLSConfig(tlsConfigs)
-	if err != nil {
+
+	// Check if configs are valid
+	if err := caddytls.CheckConfigs(allConfigs); err != nil {
 		return nil, err
 	}

+	s.tlsConfig = tlsConfigs
+
+	s.Server.TLSConfig = &tls.Config{
+		GetConfigForClient: s.tlsConfig.GetConfigForClient,
+		GetCertificate:     s.tlsConfig.GetCertificate,
+	}
+
 	// As of Go 1.7, HTTP/2 is enabled only if NextProtos includes the string "h2"
 	if HTTP2 && s.Server.TLSConfig != nil && len(s.Server.TLSConfig.NextProtos) == 0 {
 		s.Server.TLSConfig.NextProtos = []string{"h2"}