* caddytls: Initial commit of Encrypted ClientHello (ECH)
* WIP Caddyfile
* Fill out Caddyfile support
* Enhance godoc comments
* Augment, don't overwrite, HTTPS records
* WIP
* WIP: publication history
* Fix republication logic
* Apply global DNS module to ACME challenges
This allows DNS challenges to be enabled without locally-configured DNS modules
* Ignore false positive from prealloc linter
* ci: Use only latest Go version (1.24 currently)
We no longer support older Go versions, for security benefits.
* Remove old commented code
Static ECH keys for now
* Implement SendAsRetry
* caddyhttp: Escaping placeholders in CEL
* Simplify some of the test cases
* Implement vars and vars_regexp in CEL
* dupl lint is dumb
* Better consts for the placeholder CEL shortcut
* Bump CEL version, register a few extensions
* Refactor s390x test script for readability
* Add retries for s390x to smooth over flakiness
* Switch to `ph` for the CEL shortcut (match it in templates cause why not)
* proxyprotocol : Update WrapListener to use ConnPolicyFunc for PROXY protocol support
* proxyprotocol : Updated dependency pires/go-proxyproto to pseudo latest version
Set the requested server name in a context value for CertGetter
implementations to use. Pass ctx to tscert.GetCertificateWithContext.
Signed-off-by: Will Norris <will@tailscale.com>
* chore: downgrade minimum Go version in go.mod
* Upgrade certmagic and zerossl
---------
Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
* caddytls: Evict internal certs from cache based on issuer
During a config reload, we would keep certs in the cache fi they were used by the next config. If one config uses InternalIssuer and the other uses a public CA, this behavior is problematic / unintuitive, because there is a big difference between private/public CAs.
This change should ensure that internal issuers are considered when deciding whether to keep or evict from the cache during a reload, by making them distinct from each other and certs from public CAs.
* Make sure new TLS app manages configured certs
* Actually make it work
* Add option to configure certificate lifetime
* Bump CertMagic dep to latest master commit
* Apply suggestions and ran go mod tidy
* Update modules/caddytls/acmeissuer.go
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---------
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
* update quic-go to v0.42.0
* use a rate limiter to control QUIC source address verification
* Lint
* remove deprecated ListenQUIC
* remove number of requests tracking
* increase the number of handshakes before source address verification is needed
* remove references to request counters
* remove deprecated listen*
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: WeidiDeng <weidi_deng@icloud.com>
* upgrade to cel v0.20.0
* Attempt to address feedback and fix linter
* Let's try this
* Take that, you linter!
* Oh there's more
---------
Co-authored-by: Francis Lavoie <lavofr@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Co-authored-by: Tristan Swadell @TristonianJones
