httpcaddyfile: Add auto_https ignore_loaded_certs (#4077)

francislavoie · web-flow · commit ef7f15f3a424 · 2021-05-02T12:11:27.000-06:00
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
@@ -126,10 +126,10 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			// must load each cert only once; otherwise, they each get a
 			// different tag... since a cert loaded twice has the same
 			// bytes, it will overwrite the first one in the cache, and
-			// only the last cert (and its tag) will survive, so a any conn
-			// policy that is looking for any tag but the last one to be
-			// loaded won't find it, and TLS handshakes will fail (see end)
-			// of issue #3004)
+			// only the last cert (and its tag) will survive, so any conn
+			// policy that is looking for any tag other than the last one
+			// to be loaded won't find it, and TLS handshakes will fail
+			// (see end of issue #3004)
 			//
 			// tlsCertTags maps certificate filenames to their tag.
 			// This is used to remember which tag is used for each
diff --git a/caddyconfig/httpcaddyfile/httptype.go b/caddyconfig/httpcaddyfile/httptype.go
@@ -451,6 +451,9 @@ func (st *ServerType) serversFromPairings(
 			if autoHTTPS == "disable_redirects" {
 				srv.AutoHTTPS.DisableRedir = true
 			}
+			if autoHTTPS == "ignore_loaded_certs" {
+				srv.AutoHTTPS.IgnoreLoadedCerts = true
+			}
 		}
 
 		// sort server blocks by their keys; this is important because
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
@@ -379,8 +379,8 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ interface{}) (interface{}, erro
 	if d.Next() {
 		return "", d.ArgErr()
 	}
-	if val != "off" && val != "disable_redirects" {
-		return "", d.Errf("auto_https must be either 'off' or 'disable_redirects'")
+	if val != "off" && val != "disable_redirects" && val != "ignore_loaded_certs" {
+		return "", d.Errf("auto_https must be one of 'off', 'disable_redirects' or 'ignore_loaded_certs'")
 	}
 	return val, nil
 }
diff --git a/caddytest/integration/caddyfile_adapt/auto_https_ignore_loaded_certs.txt b/caddytest/integration/caddyfile_adapt/auto_https_ignore_loaded_certs.txt
@@ -0,0 +1,34 @@
+{
+	auto_https ignore_loaded_certs
+}
+
+localhost
+----------
+{
+	"apps": {
+		"http": {
+			"servers": {
+				"srv0": {
+					"listen": [
+						":443"
+					],
+					"routes": [
+						{
+							"match": [
+								{
+									"host": [
+										"localhost"
+									]
+								}
+							],
+							"terminal": true
+						}
+					],
+					"automatic_https": {
+						"ignore_loaded_certificates": true
+					}
+				}
+			}
+		}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -451,6 +451,9 @@ func (st *ServerType) serversFromPairings(`
`451`	`451`	`if autoHTTPS == "disable_redirects" {`
`452`	`452`	`srv.AutoHTTPS.DisableRedir = true`
`453`	`453`	`}`
	`454`	`+ if autoHTTPS == "ignore_loaded_certs" {`
	`455`	`+ srv.AutoHTTPS.IgnoreLoadedCerts = true`
	`456`	`+ }`
`454`	`457`	`}`
`455`	`458`
`456`	`459`	`// sort server blocks by their keys; this is important because`
Original file line number	Diff line number	Diff line change
`@@ -379,8 +379,8 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ interface{}) (interface{}, erro`
`379`	`379`	`if d.Next() {`
`380`	`380`	`return "", d.ArgErr()`
`381`	`381`	`}`
`382`		`- if val != "off" && val != "disable_redirects" {`
`383`		`- return "", d.Errf("auto_https must be either 'off' or 'disable_redirects'")`
	`382`	`+ if val != "off" && val != "disable_redirects" && val != "ignore_loaded_certs" {`
	`383`	`+ return "", d.Errf("auto_https must be one of 'off', 'disable_redirects' or 'ignore_loaded_certs'")`
`384`	`384`	`}`
`385`	`385`	`return val, nil`
`386`	`386`	`}`