* add 'root' key to Helper.State for access in frankenphp's `php_server` directive
* clone state before passing it to child directives, but keep sharing it among sibling directives
* propagate named route state from children to parent
* use BlockState to set "root" instead
* gofmt -w .
* go fmt ./...
* here we go
* pki: add per-CA configurable maintenance_interval and renewal_window_ratio
- Add MaintenanceInterval and RenewalWindowRatio to CA struct (JSON + Caddyfile).
- Run one maintenance goroutine per CA using its own interval.
- needsRenewal uses per-CA RenewalWindowRatio; invalid/zero ratio falls back to defaults.
- Caddyfile: maintenance_interval duration, renewal_window_ratio <0-1>.
- Tests: TestCA_needsRenewal, TestParsePKIApp for new options.
Fixes#7475
* fix codestyle
* caddyfile: Add renewal_window_ratio global option
Adds support for configuring the TLS certificate renewal window ratio
directly in the Caddyfile global options block. This allows users to
customize when certificates should be renewed without needing to use
JSON configuration.
Example usage:
{
renewal_window_ratio 0.1666
}
Fixes#7467
* caddyfile: Add renewal_window_ratio to tls directive and tests
Adds support for renewal_window_ratio in the tls directive (not just
global options) and adds caddyfile adapt tests for both the global
option and tls directive.
* fix: inherit global renewal_window_ratio in site policies
* fix: correct test expected output for policy consolidation
* fix: properly inherit global renewal_window_ratio without removing other code
* caddyfile: add `observe_catchall_hosts` option
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* correct JSON field name and doc comment
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* packet_conn_wrappers: Initial changes
* packet_conn_wrappers: Unwrap a packet conn only if there are no wrappers
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
If global DNS provider is configured, it does not need to be repeated in the JSON.
If acme_* options are used, base automation policies should populate their issuers accordingly.
Global issuer settings like acme_* options don't need to specify subjects in the automation policy since they should apply as a global default.
* httpcaddyfile: Validates TLS DNS challenge options
Adds validation to the TLS Caddyfile adapter to ensure that when DNS challenge options (such as propagation_delay or dns_ttl) are specified, a DNS provider is also configured.
Adds new integration tests to verify this validation logic, and implements a new mechanism for adapt tests to assert a config adapt error.
* Add some more AI-generated tests asserting config errors
* Parallel doesn't work here, we use global variables
* Windows fix
* chore: upgrade .golangci.yml and workflow to v2
run `golangci-lint fmt`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* run `golangci-lint run --fix`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* more lint fixes
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* bring back comments to .golangci.yml
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* appease the linter some more
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* oops
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* use embedded structs
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* use embedded structs where they were used before
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* disable rule `-QF1006`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* missed a spot
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* caddytls: Prefer managed wildcard certs over individual subdomain certs
* Repurpose force_automate as no_wildcard
* Fix a couple bugs
* Restore force_automate and use automate loader as wildcard override
* caddytls: Initial commit of Encrypted ClientHello (ECH)
* WIP Caddyfile
* Fill out Caddyfile support
* Enhance godoc comments
* Augment, don't overwrite, HTTPS records
* WIP
* WIP: publication history
* Fix republication logic
* Apply global DNS module to ACME challenges
This allows DNS challenges to be enabled without locally-configured DNS modules
* Ignore false positive from prealloc linter
* ci: Use only latest Go version (1.24 currently)
We no longer support older Go versions, for security benefits.
* Remove old commented code
Static ECH keys for now
* Implement SendAsRetry
* caddyhttp: Add `MatchWithError` to replace SetVar hack
* Error in IP matchers on TLS handshake not complete
* Use MatchWithError everywhere possible
* Move implementations to MatchWithError versions
* Looser interface checking to allow fallback
* CEL factories can return RequestMatcherWithError
* Clarifying comment since it's subtle that an err is returned
* Return 425 Too Early status in IP matchers
* Keep AnyMatch signature the same for now
* Apparently Deprecated can't be all-uppercase to get IDE linting
* Linter
* httpcaddyfile: Fixes for prefer_wildcard mode
The wildcard hosts need to be collected first, then considered after, because there's no guarantee that all non-wildcards will appear after all wildcards when looping. Also we should not add a domain to Skip if it doesn't qualify for TLS anyway.
* Alternate solution by avoiding adding APs altogether if covered by wildcard
* right side in tls ln
* remove ParseNetworkAddressFromHostPort
* ignore placeholder port
* remove println
* update test cases (!!!)
* []
* comment
* Trim
* Update addresses.go
* metrics: move `metrics` up, outside `servers`
This change moves the metrics configuration from per-server level to a single config knob within the `http` app. Enabling `metrics` in any of the configured servers inside `http` enables metrics for all servers.
Fix#6604
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* normalize domain name
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* Add per host config
* Pass host label when option is enabled
* Test per host enabled
* metrics: scope metrics per loaded config
* doc and linter
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* inject the custom registry into the admin handler
Co-Authored-By: Dave Henderson <dhenderson@gmail.com>
* remove `TODO` comment
* fixes
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* refactor to delay metrics admin handler provision
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Hussam Almarzooq <me@hussam.io>
Co-authored-by: Dave Henderson <dhenderson@gmail.com>
* caddy adapt for listen_protocols
* adapt listen_socket
* allow multiple listen sockets for port ranges and readd socket fd listen logic
* readd logic to start servers according to listener protocols
* gofmt
* adapt caddytest
* gosec
* fmt and rename listen to listenWithSocket
* fmt and rename listen to listenWithSocket
* more consistent error msg
* non unix listenReusableWithSocketFile
* remove unused func
* doc comment typo
* nonosec
* commit
* doc comments
* more doc comments
* comment was misleading, cardinality did not change
* addressesWithProtocols
* update test
* fd/ and fdgram/
* rm addr
* actually write...
* i guess we doin' "skip": now
* wrong var in placeholder
* wrong var in placeholder II
* update param name in comment
* dont save nil file pointers
* windows
* key -> parsedKey
* osx
* multiple default_bind with protocols
* check for h1 and h2 listener netw
