331 Commits

Author SHA1 Message Date
newklei
2dbcdefbbe forward_auth: copy_headers does not strip client-supplied identity headers (Fixes GHSA-7r4p-vjf4-gxv4) (#7545)
When using copy_headers in a forward_auth block, client-supplied headers with
the same names were not being removed before being forwarded to the backend.

This happens because PR #6608 added a MatchNot guard that skips the Set
operation when the auth service does not return a given header. That guard
prevents setting headers to empty strings, which is the correct behavior,
but it also means a client can send X-User-Id: admin in their request and
if the auth service validates the token without returning X-User-Id, Caddy
skips the Set and the client value passes through unchanged to the backend.

The fix adds an unconditional delete route for each copy_headers entry,
placed just before the existing conditional set route. The delete always runs
regardless of what the auth service returns. The conditional set still only
runs when the auth service provides that header.

The end result is:
  - Client-supplied headers are always removed
  - When the auth service returns the header, the backend gets that value
  - When the auth service does not return the header, the backend sees nothing

Existing behavior is unchanged for any deployment where the auth service
returns all of the configured copy_headers entries.

Fixes GHSA-7r4p-vjf4-gxv4
2026-03-03 23:30:49 -05:00
Salent Olivick
7b34e3107e core: Check whether @id is unique (#7002)
* caddy.go: Check whether @id is unique (#6991)

* Alternate implementation, using Gemini 3.1

---------

Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-03-03 15:09:49 -07:00
Francis Lavoie
a6acb3902c proxyproto: Generated test coverage (#7540) 2026-03-03 15:08:09 -07:00
Francis Lavoie
45cf61b127 logging: Ensure slog error level logs don't print stack traces (#7512) 2026-03-03 14:44:42 -07:00
prettysunflower
2dd3852416 fix(caddyfile): Prevent parser from panicking when no tokens were added by empty {block} (#7543) 2026-03-03 13:16:21 -05:00
Akın Demirci
11b56c6cfc reverseproxy: Fix health_port being ignored in health checks (#7533) 2026-03-03 13:10:54 -05:00
Pavel Siomachkin
f145bce553 tls: Add tls_resolvers global option for DNS challenge configuration (#7297)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-03-01 15:32:04 -05:00
Francis Lavoie
9873752978 logging: Support zstd roll compression (#7515) 2026-02-23 16:04:45 -07:00
Dean Ruina
294dfff443 logging: add DirMode options and propagate FileMode to rotations (#7335)
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2026-02-23 07:27:27 +00:00
Paulo Henrique
76b198f586 http: Sort auto-HTTPS redirect routes by host specificity (fixes #7390) (#7502) 2026-02-21 21:42:40 -05:00
Matt Holt
95941a71e8 chore: Add nolints to work around haywire linters (#7493)
* chore: Add nolints to work around haywire linters

* More lint wrangling
2026-02-17 16:52:54 -07:00
Francis Lavoie
3adcafd4c1 admin: Fix tests locally, properly isolate storage (#7486)
* admin: Fix tests locally, properly isolate storage

* Fix flaky pki_test

* Drop testdata dir logic

* Safer temp dir

* Test handlers without a full server
2026-02-17 13:14:06 -07:00
Amirhf
091add5ae3 caddytest: make TestReverseProxyHealthCheck deterministic with poll instead of sleep (#7474)
Start lightweight backend servers before starting Caddy so active health checks
probe a ready backend instead of the same Caddy instance during provisioning.
This removes the startup race without fixed sleeps or polling.
2026-02-17 06:41:38 -05:00
Francis Lavoie
d64c7e67a4 caddyhttp: Option to disable 0-RTT (#7485) 2026-02-16 10:20:47 -07:00
Aditya Bhargava
d6a6b486db httpcaddyfile: Override global dns with acme_dns (fix #7294) (#7458)
This brings the behaviour in line with what the documentation implies.
2026-02-15 09:04:59 +00:00
mehrdadbn9
929d0e502a caddyfile: Add renewal_window_ratio global option and tls subdirective (#7473)
* caddyfile: Add renewal_window_ratio global option

Adds support for configuring the TLS certificate renewal window ratio
directly in the Caddyfile global options block. This allows users to
customize when certificates should be renewed without needing to use
JSON configuration.

Example usage:
    {
        renewal_window_ratio 0.1666
    }

Fixes #7467

* caddyfile: Add renewal_window_ratio to tls directive and tests

Adds support for renewal_window_ratio in the tls directive (not just
global options) and adds caddyfile adapt tests for both the global
option and tls directive.

* fix: inherit global renewal_window_ratio in site policies

* fix: correct test expected output for policy consolidation

* fix: properly inherit global renewal_window_ratio without removing other code
2026-02-13 16:47:02 -05:00
WeidiDeng
47f3e8f8dc use math/rand/v2 instead of math/rand (#7413) 2026-02-11 09:15:51 -07:00
Kévin Dunglas
598b08f9ae test: mark Assert* functions as test helpers (#7380) 2025-12-08 22:32:00 +00:00
Bashayer Alrumahi
f5f25d845a logging: fix multiple regexp filters on same field (fixes #7049) (#7061)
* logging: fix multiple regexp filters on same field (fixes #7049)

* fix: add proper error handling in MultiRegexpFilter tests

* fix: resolve linter and test issues

- Fix GCI import formatting issues
- Fix MultiRegexpFilter input size limit test by ensuring output doesn't exceed max length after each operation
- All tests now pass and linter issues resolved

* fix: update integration test for proper JSON encoding

- Fix expected JSON output to use Unicode escape sequence for ampersand character
- Integration tests now pass
2025-10-16 05:08:53 +00:00
WeidiDeng
1ce2a13ad1 caddyhttp: wrap accepted connection to suppress tls.ConnectionState (#7247) 2025-10-16 03:13:40 +00:00
Chris Seufert
d7185fd002 caddyhttp: Add trusted_proxies_unix for trusting unix socket X-Forwarded-* headers (#7265) 2025-10-16 02:47:32 +00:00
joshuamcbeth
de6b78009b caddyhttp: Add server options keepalive_idle and keepalive_count (#7298)
* Add Server options KeepAliveIdle (keepalive_idle) and KeepAliveCount (keepalive_count)

Signed-off-by: Joshua McBeth <joshua.mcbeth@gmail.com>

* Add Server option KeepAliveDisable (keepalive_disable)

Signed-off-by: Joshua McBeth <joshua.mcbeth@gmail.com>

* Remove Server option KeepAliveDisable (keepalive_disable), disable when interval is negative

Signed-off-by: Joshua McBeth <joshua.mcbeth@gmail.com>

* Add keepalive parameters to caddyfiletest

Signed-off-by: Joshua McBeth <joshua.mcbeth@gmail.com>

---------

Signed-off-by: Joshua McBeth <joshua.mcbeth@gmail.com>
2025-10-14 12:03:23 -06:00
Aditya Bhargava
3c003deec6 httpcaddyfile: Add missing DNS challenge check for acme_dns (#7270)
* add optional argument to `mock` DNS provider

* preserve local DNS challenge settings when `acme_dns` is specified

* add missing check for `acme_dns`
2025-10-03 14:05:46 -06:00
Artur H.
0ba8786b35 caddyfile: Allow block to do nothing if nothing passed to import (#7206) 2025-09-12 20:29:09 +00:00
Artur H.
551f793700 caddyfile: Fix importing nested tokens for {block} (#7189) 2025-08-22 21:29:34 +00:00
Francis Lavoie
4564261d83 httpcaddyfile: Fix acme_dns regression (#7199) 2025-08-22 15:09:25 -06:00
Matthew Holt
0badb071ef httpcaddyfile: Fix generated config related to ACME global options
If global DNS provider is configured, it does not need to be repeated in the JSON.

If acme_* options are used, base automation policies should populate their issuers accordingly.

Global issuer settings like acme_* options don't need to specify subjects in the automation policy since they should apply as a global default.
2025-08-04 16:22:25 -06:00
Matthew Holt
4fd2acb5c9 Add test for 5b727bde29 2025-07-30 14:43:20 -06:00
Zongze Wu
bbf1dfcea2 headers: Support placeholders in replacement search patterns (#7117)
* fix: resolve http.request placeholders in header directive find operation

- Skip regex compilation during provision when placeholders are detected
- Compile regex at runtime after placeholder replacement
- Preserves performance for static regexes while enabling dynamic placeholders
- Fixes #7109

* test: add tests for placeholder detection in header replacements

- Test containsPlaceholders function edge cases
- Test provision skips compilation for dynamic regexes
- Test end-to-end placeholder replacement functionality
2025-07-14 14:55:00 -06:00
Francis Lavoie
77dd12cc78 httpcaddyfile: Validates TLS DNS challenge options (#7099)
* httpcaddyfile: Validates TLS DNS challenge options

Adds validation to the TLS Caddyfile adapter to ensure that when DNS challenge options (such as propagation_delay or dns_ttl) are specified, a DNS provider is also configured.

Adds new integration tests to verify this validation logic, and implements a new mechanism for adapt tests to assert a config adapt error.

* Add some more AI-generated tests asserting config errors

* Parallel doesn't work here, we use global variables

* Windows fix
2025-06-30 23:58:16 +00:00
Mohammed Al Sahaf
1481c0411a caddytls: wire up client_auth leaf verifier Caddyfile (#6772)
* client_auth: wire up leaf verifier Caddyfile

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* review feedback + tests

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2025-06-09 08:18:36 -06:00
Youness Farini
092913a7a5 httpcaddyfile: Prevent error handler from overriding sub-handler matchers (#6999)
Fixes: #6957
2025-06-06 11:46:39 -06:00
Mohammed Al Sahaf
e039a5bb5c chore: upgrade .golangci.yml and workflow to v2 (#6924)
* chore: upgrade .golangci.yml and workflow to v2

run `golangci-lint fmt`

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* run `golangci-lint run --fix`

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* more lint fixes

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* bring back comments to .golangci.yml

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* appease the linter some more

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* oops

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* use embedded structs

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* use embedded structs where they were used before

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* disable rule  `-QF1006`

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* missed a spot

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2025-06-03 02:24:32 +03:00
Mohammed Al Sahaf
44d078b670 acme_server: fix policy parsing in caddyfile (#7006)
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2025-05-08 11:54:07 -06:00
Matt Holt
1bfa111552 caddytls: Prefer managed wildcard certs over individual subdomain certs (#6959)
* caddytls: Prefer managed wildcard certs over individual subdomain certs

* Repurpose force_automate as no_wildcard

* Fix a couple bugs

* Restore force_automate and use automate loader as wildcard override
2025-04-18 11:44:23 -06:00
Mohammed Al Sahaf
173573035c core: add modular network_proxy support (#6399)
* core: add modular `network_proxy` support

Co-authored-by: @ImpostorKeanu
Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* move modules around

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* add caddyfile implementation

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* address feedback

* Apply suggestions from code review

Co-authored-by: Francis Lavoie <lavofr@gmail.com>

* adapt ForwardProxyURL to use the NetworkProxyRaw

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* remove redundant `url` in log

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* code review

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* remove `.source` from the module ID

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>

---------

Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2025-03-21 17:06:15 +00:00
baruchyahalom
8861eae223 caddytest: Support configuration defaults override (#6850) 2025-03-03 14:35:54 +00:00
Arsh
e48b75843b header: match subdirective for response matching (#6765) 2025-01-07 22:48:06 -07:00
Francis Lavoie
afa778ae05 httpcaddyfile: Implement experimental force_automate option (#6712) 2024-12-24 08:58:40 -07:00
Matthew Holt
ed1c594cdb go.mod: Upgrade ACMEz to v3; and upgrade CertMagic 2024-12-19 12:17:07 -07:00
Kévin Dunglas
d0e209e1da encode: good defaults (#6737)
* feat: good default for encode

* fix tests and add a new one
2024-12-10 16:48:30 -07:00
Kévin Dunglas
290cfea08f fileserver: add a test for precompressed defaults (#6743) 2024-12-10 16:48:02 -07:00
Kévin Dunglas
efd9251ad3 fileserver: Add first_exist_fallback strategy for try_files (#6699)
* feat: add first_exist_or_fallback strategy for try_files

* fix tests

* linter
2024-12-03 05:44:49 -07:00
Francis Lavoie
b116dcea3d caddyhttp: Add {?query} placeholder (#6714)
* caddyhttp: Add `{prefixed_query}` placeholder

* fastcgi: Preserve query during canonical redirect

* Use orig_uri instead for the redirect, shorter Caddyfile shortcut
2024-12-02 08:06:38 -05:00
Kévin Dunglas
eddbccd298 fastcgi: remove dir redirection when useless in php_fastcgi (#6698)
* perf: remove dir redirection when useless in php_fastcgi

* fix test

* review

* fix

* fix

* simplify

* simplify again

* restore test

* add test
2024-11-21 10:38:31 -07:00
Nikolai K
b183aec83c httpcaddyfile: Implement log sampling config (#6682)
* Allow log sampling configuration from Caddyfile

* Add log sampling adapt tests
2024-11-11 16:42:50 -07:00
Francis Lavoie
5c8dc34418 caddytls: Allow disabling storage cleaning, avoids writing two files (#6593) 2024-11-05 10:47:41 -07:00
Atakan Yenel
cc23ad6402 fileserver: Add file_limit option for browse (to be experimental) (#6648)
* Add file_limit option for file_server browse

* Move file_limit inside browse.

* add file_server_file_limit caddyfile adapt test.
2024-11-05 09:35:32 -07:00
Francis Lavoie
05cfb121ec forwardauth: Skip copying missing response headers (#6608) 2024-11-04 14:58:53 -07:00
Francis Lavoie
b129ed6be8 httpcaddyfile: Fixes for prefer_wildcard mode (#6636)
* httpcaddyfile: Fixes for prefer_wildcard mode

The wildcard hosts need to be collected first, then considered after, because there's no guarantee that all non-wildcards will appear after all wildcards when looping. Also we should not add a domain to Skip if it doesn't qualify for TLS anyway.

* Alternate solution by avoiding adding APs altogether if covered by wildcard
2024-10-30 17:09:12 +00:00