
Patch 1.3.4 (#72)
* Update Caddyfile

Add abort statement to close all connections that don't match any handle.

* Update Caddy.xml

Add tls_server_name to model

* Update dialogHandle.xml

* Update ReverseProxyController.php

* Update reverse_proxy.volt

* Update general.xml

Make abort user configurable, useful for troubleshooting.

* Update Caddy.xml

* Update Caddyfile

- Added tls_server_name
- Added abort

* Update general.xml

Made Label of the abort functionality more clear.

* Update Caddy.xml

Since it's a hardening rule, changed the default of abort to 0.

* Update Caddyfile

Fixes DNS Challenge not adhering to the status of the DNS-01 Checkbox.

* Update README.md

* Build os-caddy-1.3.4. Added tls_server_name and Reject unmatched Connections option with abort directive. Small template bug fix in DNS Challenge.

* Update README.md

Added How To section for TLS with self-signed certificates.
Monviech authored Jan 5, 2024
1 parent d423123 commit b74ec2d
Showing 12 changed files with 96 additions and 34 deletions.
77 changes: 51 additions & 26 deletions README.md


Binary file modified os-caddy-plugin/FreeBSD:13:amd64/meta.pkg
Binary file removed os-caddy-plugin/FreeBSD:13:amd64/os-caddy-1.3.3.pkg
Binary file modified os-caddy-plugin/FreeBSD:13:amd64/packagesite.pkg
2 changes: 1 addition & 1 deletion usr/plugins/devel/caddy/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= caddy
PLUGIN_VERSION= 1.3.3
PLUGIN_VERSION= 1.3.4
PLUGIN_DEPENDS= caddy
PLUGIN_COMMENT= Easy to configure Reverse Proxy with Automatic HTTPS
PLUGIN_MAINTAINER= cedrik@pischem.com
Expand Up @@ -109,7 +109,7 @@ public function toggleSubdomainAction($uuid, $enabled = null)

public function searchHandleAction()
{
return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpNtlm', 'Description']);
return $this->searchBase("reverseproxy.handle", ['enabled', 'reverse', 'subdomain', 'HandleType', 'HandlePath', 'ToDomain', 'ToPort', 'HttpTls', 'HttpTlsTrustedCaCerts', 'HttpTlsServerName', 'HttpNtlm', 'Description']);
}

public function setHandleAction($uuid)
Expand Up @@ -58,7 +58,14 @@
<id>handle.HttpTlsTrustedCaCerts</id>
<label>TLS Trusted CA Certificate</label>
<type>dropdown</type>
<help>If TLS is enabled, and you are not using a globally trusted server certificate on your Backend Server, you can choose a CA certificate to trust from System Trust Authorities.</help>
<help>If TLS is enabled, and you are not using a globally trusted server certificate on your Backend Server, you can choose a CA certificate or self signed certificate to trust from "System - Trust - Authorities".</help>
<advanced>true</advanced>
</field>
<field>
<id>handle.HttpTlsServerName</id>
<label>TLS Server Name</label>
<type>text</type>
<help><![CDATA[Optionally, specify a hostname or IP address that matches the Common Name (CN) of the Trusted CA Certificate. Useful if a certificate has been chosen and the CN doesn't match with the "Backend Server Domain".]]></help>
<advanced>true</advanced>
</field>
<field>
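Review bot: The help text added for handle.HttpTlsServerName tells the user to pick a name matching the certificate's Common Name (CN), but Caddy's Go TLS stack verifies the backend certificate against its Subject Alternative Name entries and ignores the CN, so a certificate that only carries the name in its CN will still fail verification. Suggested wording: `Optionally, specify the hostname or IP address that appears in the Subject Alternative Name (SAN) of the backend certificate. Caddy sends it as the TLS server name and verifies the backend certificate against it. Useful when the name in the certificate doesn't match the "Backend Server Domain".` The README hunk covering self-signed certificates is not rendered here and may need the same correction.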
Expand Up @@ -39,4 +39,10 @@
<help><![CDATA[Select an Access List of Trusted Proxies. If Caddy is not the first server being connected to by your clients (for example when a CDN is in front of Caddy), you may configure trusted_proxies with a list of IP ranges (CIDRs) from which incoming requests are trusted to have sent good values for these headers. Additionally, set the same Access List to the Domains your Trusted Proxy connects to.]]></help>
<advanced>true</advanced>
</field>
<field>
<id>caddy.general.abort</id>
<label>Reject Unmatched Connections</label>
<type>checkbox</type>
<help>Abort all connections that don't have a matching handle or access list. This option doesn't conflict with Let's Encrypt. Disable it for troubleshooting purposes, e.g. testing if the Reverse Proxy Domain works and the Certificate has been installed. For production use, enabling this option is recommended.</help>
</field>
</form>
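Review bot: The help for caddy.general.abort says it aborts "connections that don't have a matching handle or access list", but in the Caddyfile hunks of this commit the `abort` directive is emitted inside each domain's site block, so it appears to act on HTTP requests to a configured domain that no handle served; requests for hostnames without a site block are not affected by it, and Caddy's abort is a request-level directive rather than a connection filter. The text should say "requests" and make that scope explicit, e.g. `Abort all requests to a configured domain that aren't served by any of its handles.` Whether an access-list rejection actually reaches this directive is not visible in these hunks, so the "or access list" clause is worth confirming before it stays in user-facing help.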
@@ -1,7 +1,7 @@
<model>
<mount>//Pischem/caddy</mount>
<description>A GUI model for configuring a basic reverse proxy in Caddy Web Server.</description>
<version>1.0.9</version>
<version>1.1.0</version>
<items>
<general>
<enabled type="BooleanField">
Expand Down Expand Up @@ -47,6 +47,9 @@
</reverseproxy>
</Model>
</accesslist>
<abort type="BooleanField">
<Default>0</Default>
</abort>
</general>
<reverseproxy>
<reverse type="ArrayField">
Expand Down Expand Up @@ -182,6 +185,13 @@
<HttpTlsTrustedCaCerts type="CertificateField">
<type>ca</type>
</HttpTlsTrustedCaCerts>
<HttpTlsServerName type="HostnameField">
<ValidationMessage>Please enter a valid hostname or IP address.</ValidationMessage>
<IpAllowed>Y</IpAllowed>
<HostWildcardAllowed>Y</HostWildcardAllowed>
<FqdnWildcardAllowed>Y</FqdnWildcardAllowed>
<ZoneRootAllowed>N</ZoneRootAllowed>
</HttpTlsServerName>
<Description type="TextField">
<mask>/^([\t\n\v\f\r 0-9a-zA-Z.,_-\x{00A0}-\x{FFFF}]){1,255}$/u</mask>
<ValidationMessage>Please provide a valid description.</ValidationMessage>
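Review bot: HttpTlsServerName is declared with HostWildcardAllowed and FqdnWildcardAllowed set to Y, yet the Caddyfile hunks in this commit render the value verbatim as `tls_server_name {{ handle.HttpTlsServerName }}`, where it names the single server name to verify the backend certificate against; a wildcard such as `*.example.com` is not a name a backend presents, so unless the model intentionally accepts it, `<HostWildcardAllowed>N</HostWildcardAllowed>` and `<FqdnWildcardAllowed>N</FqdnWildcardAllowed>` would be the tighter validation. The HostnameField validation is also the only thing keeping that unescaped template interpolation from altering the structure of the generated Caddyfile, so the field's constraints should never be loosened below what HostnameField enforces. A one-line XML comment on the field recording that dependency would help the next maintainer.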
Expand Up @@ -171,6 +171,7 @@
<th data-column-id="ToPort" data-type="string">Backend Port</th>
<th data-column-id="HttpTls" data-type="boolean" data-formatter="boolean" data-visible="false">TLS</th>
<th data-column-id="HttpTlsTrustedCaCerts" data-type="string" data-visible="false">TLS CA</th>
<th data-column-id="HttpTlsServerName" data-type="string" data-visible="false">TLS Server Name</th>
<th data-column-id="HttpNtlm" data-type="boolean" data-formatter="boolean" data-visible="false">NTLM</th>
<th data-column-id="Description" data-type="string">Description</th>
<th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">Commands</th>
Expand All @@ -191,6 +192,7 @@
</div>
</div>
</div>

<!-- Access List Tab -->
<div id="accessListTab" class="tab-pane fade">
<div style="background-color: white; padding: 10px; border: 1px solid #ddd;">
Expand Up @@ -31,8 +31,8 @@
import /usr/local/etc/caddy/caddy.d/*.global
}

{% macro tls_configuration(dnsProvider, dnsApiKey, customCert) %}
{% if dnsProvider != "none" %}
{% macro tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge) %}
{% if dnsChallenge == "1" and dnsProvider != "none" and dnsApiKey %}
tls {
dns {{ dnsProvider }} {{ dnsApiKey }}
}
Expand All @@ -51,13 +51,19 @@
{% if handle.HttpTlsTrustedCaCerts %}
tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
{% endif %}
{% if handle.HttpTlsServerName %}
tls_server_name {{ handle.HttpTlsServerName }}
{% endif %}
}
{% else %}
transport http {
tls
{% if handle.HttpTlsTrustedCaCerts %}
tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/{{ handle.HttpTlsTrustedCaCerts }}.pem
{% endif %}
{% if handle.HttpTlsServerName %}
tls_server_name {{ handle.HttpTlsServerName }}
{% endif %}
}
{% endif %}
{% endif %}
Expand All @@ -80,7 +86,8 @@
{% set dnsProvider = helpers.toList('Pischem.caddy.general.TlsDnsProvider') | first %}
{% set dnsApiKey = helpers.toList('Pischem.caddy.general.TlsDnsApiKey') | first %}
{% set customCert = reverse.CustomCertificate|default("") %}
{{ tls_configuration(dnsProvider, dnsApiKey, customCert) }}
{% set dnsChallenge = reverse.DnsChallenge|default("0") %}
{{ tls_configuration(dnsProvider, dnsApiKey, customCert, dnsChallenge) }}

{% for subdomain in helpers.toList('Pischem.caddy.reverseproxy.subdomain') %}
{% if subdomain.enabled|default("0") == "1" and subdomain.reverse == reverse['@uuid'] %}
Expand Down Expand Up @@ -117,6 +124,9 @@
{% endif %}
{% endfor %}
{% endif %}
{% if Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% endif %}
}
{% endif %}
{% endfor %}
Expand Down Expand Up @@ -150,7 +160,9 @@
{% endif %}
{% endfor %}
{% endif %}

{% if Pischem.caddy.general.abort|default("0") == "1" %}
abort
{% endif %}
}
{% endif %}
{% endfor %}
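Review bot: In the first hunk the new guard `{% if dnsChallenge == "1" and dnsProvider != "none" and dnsApiKey %}` silently skips the DNS challenge when DNS-01 is enabled for a domain but the API key is empty or the provider is `none`, so the domain is then issued by whatever the macro's other branches emit (not visible here), with nothing in the generated Caddyfile indicating that the operator's choice was overridden. If that fallback is intended, a template comment such as `{# DNS-01 requested but no provider/key configured: fall back to the default challenge #}` would make it explicit; otherwise the mismatch is better rejected at the model or controller level so the operator sees an error instead of an unexpected challenge type. The tls_configuration macro begins in the hunk but its body and callers continue outside it.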
