-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
httpcaddyfile: Add auto_https
global option
#3284
httpcaddyfile: Add auto_https
global option
#3284
Conversation
bafaefa
to
6d28332
Compare
@francislavoie Thanks for working on this!! The extra TLS conn policy is intentional as you discovered, but in this case I think it's because we don't look inside to see that the only connection policy is empty except for the ServerName filter. It's not really something I want to change right now but if we find out that it's safe to take out the extra policy, we can do so. (The extra one in this case might actually be the first policy, not the empty second one.) I might be wrong, but I think that logic of adding the empty one at the end is mostly for cases where the non-empty one actually sets something about the TLS connection that is different from the default. Anyway, I'll look at this more after 2.0, but one thing I'm not sure about already is whether HTTP redirects belong being configured in the In general, I suppose people would rather disable them because they don't have permission to bind to the HTTP port, or don't want an extra socket to be bound in the first place. For that case, a global option seems to be a better fit. I haven't yet seen a use case where people want to disable it per-site in a way where they can't use another server block (i.e. |
IMO I do concede that it's not ideal that to set I don't love the global option idea, it feels incongruent to the way site blocks work. |
The The HTTP->HTTPS redirects don't occur within the user's site block anyways, because they happen on a port different than what the user has configured in their Caddyfile. Global options were made for things that can't be cleanly configure inside site blocks. So a global option is a better solution because A) it's more useful for solving @sqs 's original request, and B) it changes something that doesn't occur in any of the site blocks in the Caddyfile. |
Don't put a lot of work into overhauling this PR yet though -- it needs more careful thought and consideration I think. |
As I fiddle with this more, I'm thinking this should be a global option on our first pass, at least, since the point of disabling auto-redirects is almost always to avoid even binding to the extra socket. With this implementation, you'd have to add this to all your server blocks. I think I'm envisioning this instead:
at least, for a first pass I think this would be useful. WDYT? |
Sounds okay to me. I think there would still be value in running the routine to collect the domains for redirects even if Does that make sense to you? |
I don't know yet - but that's totally separate, so I don't want to be concerned with it in this issue/PR. For now, a way to disable the redirects is enough. |
That's what I mean though, with Anyways, okay I'll rework this PR soon. |
6d28332
to
f949858
Compare
disable_redirects
option to tls
auto_https
global option
f949858
to
8336003
Compare
8336003
to
23a501c
Compare
@mholt okay this should do it 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, this is looking much better! Just one suggestion.
if autoHTTPS != "on" { | ||
srv.AutoHTTPS = new(caddyhttp.AutoHTTPSConfig) | ||
if autoHTTPS == "off" { | ||
srv.AutoHTTPS.Disabled = true | ||
} | ||
if autoHTTPS == "disable_redirects" { | ||
srv.AutoHTTPS.DisableRedir = true | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider using switch
here, and be sure to reject unrecognized values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Caddyfile parse step already rejects other values, but sure, doublechecking aint bad.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I hadn't noticed that. I guess that should be fine then...
I have tried this
... and the following error occur:
What is the correct configuration to disable the redirect from port 80? |
@averri this was only recently merged. v2.0 doesn't have this feature. It'll come in v2.1 For now you can compile from source or use the latest build from CI. |
Is there an option to disable it per subdomain yet? One of my clients does not support https, but on the same subdomain most others do. Therefore I would need to disable redirects for all my domains and subdomains and manually add them back for each one except that one subdomain which is kind of annoying. |
@psrcek just set up an Next time, please ask your usage questions on the Caddy community forums. We prefer to keep the GitHub issue board for bugs and feature requests. Don't forget to fill out the thread template so we can help you! |
Is there any news? v2.2.1 still "unrecognized directive" |
@solariz Please ask your usage questions on the Caddy community forums. We prefer to keep the GitHub issue board for bugs and feature requests. Don't forget to fill out the thread template so we can help you! |
Fixes #3219
Adds a new global option to the Caddyfile to configure Automatic HTTPS:
Disabling redirects from Caddyfile:
JSON:
Disabling Auto HTTPS completely from Caddyfile:
JSON: