* refactor: use strings.Builder to improve performance
Signed-off-by: zjumathcode <pai314159@2980.com>
* refactor: small builder improvements per review (WriteByte / split writes)
also revert builder change in client_test.go
refactor(logging): build IP mask output via join of parts (more efficient)
---------
Signed-off-by: zjumathcode <pai314159@2980.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
* pki: add per-CA configurable maintenance_interval and renewal_window_ratio
- Add MaintenanceInterval and RenewalWindowRatio to CA struct (JSON + Caddyfile).
- Run one maintenance goroutine per CA using its own interval.
- needsRenewal uses per-CA RenewalWindowRatio; invalid/zero ratio falls back to defaults.
- Caddyfile: maintenance_interval duration, renewal_window_ratio <0-1>.
- Tests: TestCA_needsRenewal, TestParsePKIApp for new options.
Fixes#7475
* fix codestyle
Two error returns in ClientAuthentication.provision() were
returning nil instead of the actual error, silently swallowing
failures when converting PEM files to DER and when provisioning
the CA pool. This could cause mTLS client authentication to
silently fall back to the system trust store, accepting any
client certificate signed by a public CA instead of restricting
to the configured trust anchors.
2026-02-12 08:42:54 -07:00
Oleh Konko | trust infra security audit & contribution | deterministic ai-augmented pipeline · human-verified
When a request arrives via a Unix domain socket (RemoteAddr == "@"),
net.SplitHostPort fails, causing addForwardedHeaders to strip all
X-Forwarded-* headers even when the connection is trusted via
trusted_proxies_unix.
Handle Unix socket connections before parsing RemoteAddr: if untrusted,
strip headers for security; if trusted, let clientIP remain empty (no
peer IP for a Unix socket hop) and fall through to the shared header
logic, preserving the existing XFF chain without appending a spurious
entry.
Amp-Thread-ID: https://ampcode.com/threads/T-019c4225-a0ad-7283-ac56-e2c01eae1103
Co-authored-by: Amp <amp@ampcode.com>
* caddyfile: add `observe_catchall_hosts` option
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* correct JSON field name and doc comment
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* WIP tracing span attributes
* better test
* only write attributes after other middleware (and request)
* Fix test to use header response placeholders
* packet_conn_wrappers: Initial changes
* packet_conn_wrappers: Unwrap a packet conn only if there are no wrappers
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* caddypki: Add support for multiple intermediates in signing chain
* Move intermediate lifetime configuration check
In #7272 a check was changed to ensure that generated intermediate
certificates would always use a lifetime that falls within the
lifetime of the root. However, when a root and intermediate(s)
are supplied, the configuration value was being used instead of
the actual lifetimes of the certificates. The check was moved to
only be performed when an intermediate is generated; not when
loaded from disk.
* Add tests for `pemDecodeCertificateChain` and `pemDecodeCertificate`
* Use `crypto.Signer` instead of `any` in appropriate places
* Use latest Smallstep packages
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* capture the buffered body once, then reset clonedReq.Body before each retry
* no copy
* keep receiver name
* set the buf to nil after extraction and only return it to pool if not nil
---------
Co-authored-by: WeidiDeng <weidi_deng@icloud.com>
* caddytls: correct documentation of `LeafFolderLoader`
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
* fmt...
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
---------
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
