github.com/caddyserver/caddy/v2/modules/caddytls
No package summary is available.
Package
Files: 22. Third party imports: 12. Imports from organisation: 2. Tests: 0. Benchmarks: 0.
Constants
Vars
ErrPermissionDenied is an error that should be wrapped or returned when the configured permission module does not allow a certificate to be issued, to distinguish that from other errors such as connection failure.
SupportedCurves is the unordered map of supported curves or key exchange mechanisms ("curves" traditionally). https://golang.org/pkg/crypto/tls/#CurveID
SupportedProtocols is a map of supported protocols.
defaultCipherSuites is the ordered list of all the cipher suites we want to support by default, assuming AES-NI (hardware acceleration for AES).
defaultCipherSuites is the ordered list of all the cipher suites we want to support by default, assuming lack of AES-NI (NO hardware acceleration for AES).
defaultCurves is the list of only the curves or key exchange mechanisms we want to use by default. The order is irrelevant.
This list should only include mechanisms which are fast by design (e.g. X25519) and those for which an optimized assembly implementation exists (e.g. P256). The latter ones can be found here: https://github.com/golang/go/tree/master/src/crypto/elliptic
These perpetual values are used for on-demand TLS.
publicKeyAlgorithms is the map of supported public key algorithms.
supportedCertKeyTypes is all the key types that are supported for certificates that are obtained through ACME.
unsupportedProtocols is a map of unsupported protocols. Used for logging only, not enforcement.
Types
ACMEIssuer
ACMEIssuer manages certificates using the ACME protocol (RFC 8555).
| Field name | Field type | Comment |
|---|---|---|
| CA |
|
The URL to the CA's ACME directory endpoint. Default: https://acme-v02.api.letsencrypt.org/directory |
| TestCA |
|
The URL to the test CA's ACME directory endpoint. This endpoint is only used during retries if there is a failure using the primary CA. Default: https://acme-staging-v02.api.letsencrypt.org/directory |
|
Your email address, so the CA can contact you if necessary. Not required, but strongly recommended to provide one so you can be reached if there is a problem. Your email is not sent to any Caddy mothership or used for any purpose other than ACME transactions. |
|
| Profile |
|
Optionally select an ACME profile to use for certificate orders. Must be a profile name offered by the ACME server, which are listed at its directory endpoint. EXPERIMENTAL: Subject to change. See https://datatracker.ietf.org/doc/draft-aaron-acme-profiles/ |
| AccountKey |
|
If you have an existing account with the ACME server, put the private key here in PEM format. The ACME client will look up your account information with this key first before trying to create a new one. You can use placeholders here, for example if you have it in an environment variable. |
| ExternalAccount |
|
If using an ACME CA that requires an external account binding, specify the CA-provided credentials here. |
| ACMETimeout |
|
Time to wait before timing out an ACME operation. Default: 0 (no timeout) |
| Challenges |
|
Configures the various ACME challenge types. |
| TrustedRootsPEMFiles |
|
An array of files of CA certificates to accept when connecting to the ACME CA. Generally, you should only use this if the ACME CA endpoint is internal or for development/testing purposes. |
| PreferredChains |
|
Preferences for selecting alternate certificate chains, if offered by the CA. By default, the first offered chain will be selected. If configured, the chains may be sorted and the first matching chain will be selected. |
| CertificateLifetime |
|
The validity period to ask the CA to issue a certificate for. Default: 0 (CA chooses lifetime). This value is used to compute the "notAfter" field of the ACME order; therefore the system must have a reasonably synchronized clock. NOTE: Not all CAs support this. Check with your CA's ACME documentation to see if this is allowed and what values may be used. EXPERIMENTAL: Subject to change. |
| NetworkProxyRaw |
|
Forward proxy module |
| rootPool |
|
No comment on field. |
| logger |
|
No comment on field. |
| template |
|
No comment on field. |
| magic |
|
No comment on field. |
| issuer |
|
No comment on field. |
AutomateLoader
AutomateLoader will automatically manage certificates for the names in the list, including obtaining and renewing certificates. Automated certificates are managed according to their matching automation policy, configured elsewhere in this app.
Technically, this is a no-op certificate loader module that is treated as a special case: it uses this app's automation features to load certificates for the list of hostnames, rather than loading certificates manually. But the end result is the same: certificates for these subject names will be loaded into the in-memory cache and may then be used.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
AutomationConfig
AutomationConfig governs the automated management of TLS certificates.
| Field name | Field type | Comment |
|---|---|---|
| Policies |
|
The list of automation policies. The first policy matching a certificate or subject name will be applied. |
| OnDemand |
|
On-Demand TLS defers certificate operations to the moment they are needed, e.g. during a TLS handshake. Useful when you don't know all the hostnames at config-time, or when you are not in control of the domain names you are managing certificates for. In 2015, Caddy became the first web server to implement this experimental technology. Note that this field does not enable on-demand TLS;
it only configures it for when it is used. To enable
it, create an automation policy with |
| OCSPCheckInterval |
|
Caddy staples OCSP (and caches the response) for all qualifying certificates by default. This setting changes how often it scans responses for freshness, and updates them if they are getting stale. Default: 1h |
| RenewCheckInterval |
|
Every so often, Caddy will scan all loaded, managed certificates for expiration. This setting changes how frequently the scan for expiring certificates is performed. Default: 10m |
| StorageCleanInterval |
|
How often to scan storage units for old or expired assets and remove them. These scans exert lots of reads (and list operations) on the storage module, so choose a longer interval for large deployments. Default: 24h Storage will always be cleaned when the process first starts. Then, a new cleaning will be started this duration after the previous cleaning started if the previous cleaning finished in less than half the time of this interval (otherwise next start will be skipped). |
| defaultPublicAutomationPolicy |
|
No comment on field. |
| defaultInternalAutomationPolicy |
|
No comment on field. |
AutomationPolicy
AutomationPolicy designates the policy for automating the management (obtaining, renewal, and revocation) of managed TLS certificates.
An AutomationPolicy value is not valid until it has been
provisioned; use the AddAutomationPolicy() method on the
TLS app to properly provision a new policy.
| Field name | Field type | Comment |
|---|---|---|
| SubjectsRaw |
|
Which subjects (hostnames or IP addresses) this policy applies to. This list is a filter, not a command. In other words, it is used only to filter whether this policy should apply to a subject that needs a certificate; it does NOT command the TLS app to manage a certificate for that subject. To have Caddy automate a certificate or specific subjects, use the "automate" certificate loader module of the TLS app. |
| IssuersRaw |
|
The modules that may issue certificates. Default: internal if all subjects do not qualify for public certificates; otherwise acme and zerossl. |
| ManagersRaw |
|
Modules that can get a custom certificate to use for any
given TLS handshake at handshake-time. Custom certificates
can be useful if another entity is managing certificates
and Caddy need only get it and serve it. Specifying a Manager
enables on-demand TLS, i.e. it has the side-effect of setting
the on_demand parameter to TODO: This is an EXPERIMENTAL feature. Subject to change or removal. |
| MustStaple |
|
If true, certificates will be requested with MustStaple. Not all CAs support this, and there are potentially serious consequences of enabling this feature without proper threat modeling. |
| RenewalWindowRatio |
|
How long before a certificate's expiration to try renewing it, as a function of its total lifetime. As a general and conservative rule, it is a good idea to renew a certificate when it has about 1/3 of its total lifetime remaining. This utilizes the majority of the certificate's lifetime while still saving time to troubleshoot problems. However, for extremely short-lived certs, you may wish to increase the ratio to ~1/2. |
| KeyType |
|
The type of key to generate for certificates.
Supported values: |
| StorageRaw |
|
Optionally configure a separate storage module associated with this manager, instead of using Caddy's global/default-configured storage. |
| OnDemand |
|
If true, certificates will be managed "on demand"; that is, during TLS handshakes or when needed, as opposed to at startup or config load. This enables On-Demand TLS for this policy. |
| ReusePrivateKeys |
|
If true, private keys already existing in storage will be reused. Otherwise, a new key will be created for every new certificate to mitigate pinning and reduce the scope of key compromise. TEMPORARY: Key pinning is against industry best practices. This property will likely be removed in the future. Do not rely on it forever; watch the release notes. |
| DisableOCSPStapling |
|
Disables OCSP stapling. Disabling OCSP stapling puts clients at greater risk, reduces their privacy, and usually lowers client performance. It is NOT recommended to disable this unless you are able to justify the costs. EXPERIMENTAL. Subject to change. |
| OCSPOverrides |
|
Overrides the URLs of OCSP responders embedded in certificates. Each key is a OCSP server URL to override, and its value is the replacement. An empty value will disable querying of that server. EXPERIMENTAL. Subject to change. |
| Issuers |
|
Issuers and Managers store the decoded issuer and manager modules; they are only used to populate an underlying certmagic.Config's fields during provisioning so that the modules can survive a re-provisioning. |
| Managers |
|
No comment on field. |
| subjects |
|
No comment on field. |
| magic |
|
No comment on field. |
| storage |
|
No comment on field. |
CA
The interface to be implemented by all guest modules part of the namespace 'tls.ca_pool.source.'
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
CertCacheOptions
CertCacheOptions configures the certificate cache.
| Field name | Field type | Comment |
|---|---|---|
| Capacity |
|
Maximum number of certificates to allow in the cache. If reached, certificates will be randomly evicted to make room for new ones. Default: 10,000 |
CertKeyFilePair
CertKeyFilePair pairs certificate and key file names along with their encoding format so that they can be loaded from disk.
| Field name | Field type | Comment |
|---|---|---|
| Certificate |
|
Path to the certificate (public key) file. |
| Key |
|
Path to the private key file. |
| Format |
|
The format of the cert and key. Can be "pem". Default: "pem" |
| Tags |
|
Arbitrary values to associate with this certificate. Can be useful when you want to select a particular certificate when there may be multiple valid candidates. |
CertKeyPEMPair
CertKeyPEMPair pairs certificate and key PEM blocks.
| Field name | Field type | Comment |
|---|---|---|
| CertificatePEM |
|
The certificate (public key) in PEM format. |
| KeyPEM |
|
The private key in PEM format. |
| Tags |
|
Arbitrary values to associate with this certificate. Can be useful when you want to select a particular certificate when there may be multiple valid candidates. |
Certificate
Certificate is a TLS certificate, optionally associated with arbitrary tags.
| Field name | Field type | Comment |
|---|---|---|
|
No comment on field. | |
| Tags |
|
No comment on field. |
CertificateLoader
CertificateLoader is a type that can load certificates. Certificates can optionally be associated with tags.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
ChainPreference
ChainPreference describes the client's preferred certificate chain, useful if the CA offers alternate chains. The first matching chain will be selected.
| Field name | Field type | Comment |
|---|---|---|
| Smallest |
|
Prefer chains with the fewest number of bytes. |
| RootCommonName |
|
Select first chain having a root with one of these common names. |
| AnyCommonName |
|
Select first chain that has any issuer with one of these common names. |
ChallengesConfig
ChallengesConfig configures the ACME challenges.
| Field name | Field type | Comment |
|---|---|---|
| HTTP |
|
HTTP configures the ACME HTTP challenge. This challenge is enabled and used automatically and by default. |
| TLSALPN |
|
TLSALPN configures the ACME TLS-ALPN challenge. This challenge is enabled and used automatically and by default. |
| DNS |
|
Configures the ACME DNS challenge. Because this challenge typically requires credentials for interfacing with a DNS provider, this challenge is not enabled by default. This is the only challenge type which does not require a direct connection to Caddy from an external server. NOTE: DNS providers are currently being upgraded, and this API is subject to change, but should be stabilized soon. |
| BindHost |
|
Optionally customize the host to which a listener is bound if required for solving a challenge. |
ClientAuthentication
ClientAuthentication configures TLS client auth.
| Field name | Field type | Comment |
|---|---|---|
| CARaw |
|
Certificate authority module which provides the certificate pool of trusted certificates |
| ca |
|
No comment on field. |
| TrustedCACerts |
|
Deprecated: Use the |
| TrustedCACertPEMFiles |
|
Deprecated: Use the |
| TrustedLeafCerts |
|
Deprecated: This field is deprecated and will be removed in
a future version. Please use the A list of base64 DER-encoded client leaf certs to accept. If this list is not empty, client certs which are not in this list will be rejected. |
| VerifiersRaw |
|
Client certificate verification modules. These can perform custom client authentication checks, such as ensuring the certificate is not revoked. |
| verifiers |
|
No comment on field. |
| Mode |
|
The mode for authenticating the client. Allowed values are: Mode | Description
-----|---------------
The default mode is |
| existingVerifyPeerCert |
|
No comment on field. |
ClientCertificateVerifier
ClientCertificateVerifier is a type which verifies client certificates. It is called during verifyPeerCertificate in the TLS handshake.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
ConfigSetter
ConfigSetter is implemented by certmagic.Issuers that need access to a parent certmagic.Config as part of their provisioning phase. For example, the ACMEIssuer requires a config so it can access storage and the cache to solve ACME challenges.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
ConnectionMatcher
ConnectionMatcher is a type which matches TLS handshakes.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
ConnectionPolicies
ConnectionPolicies govern the establishment of TLS connections. It is an ordered group of connection policies; the first matching policy will be used to configure TLS connections at handshake-time.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
ConnectionPolicy
ConnectionPolicy specifies the logic for handling a TLS handshake. An empty policy is valid; safe and sensible defaults will be used.
| Field name | Field type | Comment |
|---|---|---|
| MatchersRaw |
|
How to match this policy with a TLS ClientHello. If this policy is the first to match, it will be used. |
| matchers |
|
No comment on field. |
| CertSelection |
|
How to choose a certificate if more than one matched the given ServerName (SNI) value. |
| CipherSuites |
|
The list of cipher suites to support. Caddy's defaults are modern and secure. |
| Curves |
|
The list of elliptic curves to support. Caddy's defaults are modern and secure. |
| ALPN |
|
Protocols to use for Application-Layer Protocol Negotiation (ALPN) during the handshake. |
| ProtocolMin |
|
Minimum TLS protocol version to allow. Default: |
| ProtocolMax |
|
Maximum TLS protocol version to allow. Default: |
| Drop |
|
Reject TLS connections. EXPERIMENTAL: May change. |
| ClientAuthentication |
|
Enables and configures TLS client authentication. |
| DefaultSNI |
|
DefaultSNI becomes the ServerName in a ClientHello if there is no policy configured for the empty SNI value. |
| FallbackSNI |
|
FallbackSNI becomes the ServerName in a ClientHello if the original ServerName doesn't match any certificates in the cache. The use cases for this are very niche; typically if a client is a CDN and passes through the ServerName of the downstream handshake but can accept a certificate with the origin's hostname instead, then you would set this to your origin's hostname. Note that Caddy must be managing a certificate for this name. This feature is EXPERIMENTAL and subject to change or removal. |
| InsecureSecretsLog |
|
Also known as "SSLKEYLOGFILE", TLS secrets will be written to this file in NSS key log format which can then be parsed by Wireshark and other tools. This is INSECURE as it allows other programs or tools to decrypt TLS connections. However, this capability can be useful for debugging and troubleshooting. ENABLING THIS LOG COMPROMISES SECURITY! This feature is EXPERIMENTAL and subject to change or removal. |
| HandshakeContextRaw |
|
A module that can manipulate the context passed into CertMagic's certificate management functions during TLS handshakes. EXPERIMENTAL - subject to change or removal. |
| handshakeContext |
|
No comment on field. |
| TLSConfig |
|
TLSConfig is the fully-formed, standard lib TLS config used to serve TLS connections. Provision all ConnectionPolicies to populate this. It is exported only so it can be minimally adjusted after provisioning if necessary (like to adjust NextProtos to disable HTTP/2), and may be unexported in the future. |
CustomCertSelectionPolicy
CustomCertSelectionPolicy represents a policy for selecting the certificate used to complete a handshake when there may be multiple options. All fields specified must match the candidate certificate for it to be chosen. This was needed to solve https://github.com/caddyserver/caddy/issues/2588.
| Field name | Field type | Comment |
|---|---|---|
| SerialNumber |
|
The certificate must have one of these serial numbers. |
| SubjectOrganization |
|
The certificate must have one of these organization names. |
| PublicKeyAlgorithm |
|
The certificate must use this public key algorithm. |
| AnyTag |
|
The certificate must have at least one of the tags in the list. |
| AllTags |
|
The certificate must have all of the tags in the list. |
DNSChallengeConfig
DNSChallengeConfig configures the ACME DNS challenge.
NOTE: This API is still experimental and is subject to change.
| Field name | Field type | Comment |
|---|---|---|
| ProviderRaw |
|
The DNS provider module to use which will manage the DNS records relevant to the ACME challenge. Required. |
| TTL |
|
The TTL of the TXT record used for the DNS challenge. |
| PropagationDelay |
|
How long to wait before starting propagation checks. Default: 0 (no wait). |
| PropagationTimeout |
|
Maximum time to wait for temporary DNS record to appear. Set to -1 to disable propagation checks. Default: 2 minutes. |
| Resolvers |
|
Custom DNS resolvers to prefer over system/built-in defaults. Often necessary to configure when using split-horizon DNS. |
| OverrideDomain |
|
Override the domain to use for the DNS challenge. This is to delegate the challenge to a different domain, e.g. one that updates faster or one with a provider API. |
| solver |
|
No comment on field. |
ECH
ECH enables Encrypted ClientHello (ECH) and configures its management.
ECH helps protect site names (also called "server names" or "domain names" or "SNI"), which are normally sent over plaintext when establishing a TLS connection. With ECH, the true ClientHello is encrypted and wrapped by an "outer" ClientHello that uses a more generic, shared server name that is publicly known.
Clients need to know which public name (and other parameters) to use when connecting to a site with ECH, and the methods for this vary; however, major browsers support reading ECH configurations from DNS records (which is typically only secure when DNS-over-HTTPS or DNS-over-TLS is enabled in the client). Caddy has the ability to automatically publish ECH configs to DNS records if a DNS provider is configured either in the TLS app or with each individual publication config object. (Requires a custom build with a DNS provider module.)
ECH requires at least TLS 1.3, so any TLS connection policies with ECH applied will automatically upgrade the minimum TLS version to 1.3, even if configured to a lower version.
Note that, as of Caddy 2.10.0 (~March 2025), ECH keys are not automatically rotated due to a limitation in the Go standard library (see https://github.com/golang/go/issues/71920). This should be resolved when Go 1.25 is released (~Aug. 2025), and Caddy will be updated to automatically rotate ECH keys/configs at that point.
EXPERIMENTAL: Subject to change.
| Field name | Field type | Comment |
|---|---|---|
| Configs |
|
The list of ECH configurations for which to automatically generate and rotate keys. At least one is required to enable ECH. It is strongly recommended to use as few ECH configs as possible to maximize the size of your anonymity set (see the ECH specification for a definition). Typically, each server should have only one public name, i.e. one config in this list. |
| Publication |
|
Publication describes ways to publish ECH configs for clients to discover and use. Without publication, most clients will not use ECH at all, and those that do will suffer degraded performance. Most major browsers support ECH by way of publication to HTTPS DNS RRs. (This also typically requires that they use DoH or DoT.) |
| configs |
|
map of public_name to list of configs |
ECHConfiguration
ECH represents an Encrypted ClientHello configuration.
EXPERIMENTAL: Subject to change.
| Field name | Field type | Comment |
|---|---|---|
| PublicName |
|
The public server name (SNI) that will be used in the outer ClientHello. This should be a domain name for which this server is authoritative, because Caddy will try to provision a certificate for this name. As an outer SNI, it is never used for application data (HTTPS, etc.), but it is necessary for enabling clients to connect securely in some cases. If this field is empty or missing, or if Caddy cannot get a certificate for this domain (e.g. the domain's DNS records do not point to this server), client reliability becomes brittle, and you risk coercing clients to expose true server names in plaintext, which compromises both the privacy of the server and makes clients more vulnerable. |
ECHDNSProvider
ECHDNSProvider can service DNS entries for ECH purposes.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
ECHDNSPublisher
ECHDNSPublisher configures how to publish an ECH configuration to DNS records for the specified domains.
EXPERIMENTAL: Subject to change.
| Field name | Field type | Comment |
|---|---|---|
| ProviderRaw |
|
The DNS provider module which will establish the HTTPS record(s). |
| provider |
|
No comment on field. |
| logger |
|
No comment on field. |
ECHPublication
ECHPublication configures publication of ECH config(s). It pairs a list of ECH configs with the list of domains they are assigned to protect, and describes how to publish those configs for those domains.
Most servers will have only a single publication config, unless their domains are spread across multiple DNS providers or require different methods of publication.
EXPERIMENTAL: Subject to change.
| Field name | Field type | Comment |
|---|---|---|
| Configs |
|
The list of ECH configurations to publish, identified by public name. If not set, all configs will be included for publication by default. It is generally advised to maximize the size of your anonymity set, which implies using as few public names as possible for your sites. Usually, only a single public name is used to protect all the sites for a server EXPERIMENTAL: This field may be renamed or have its structure changed. |
| Domains |
|
The list of ("inner") domain names which are protected with the associated ECH configurations. If not set, all server names registered with the TLS module will be added to this list implicitly. (This registration is done automatically by other Caddy apps that use the TLS module. They should register their configured server names for this purpose. For example, the HTTP server registers the hostnames for which it applies automatic HTTPS. This is not something you, the user, have to do.) Most servers Names in this list should not appear in any other publication config object with the same publishers, since the publications will likely overwrite each other. NOTE: In order to publish ECH configs for domains configured for On-Demand TLS that are not explicitly enumerated elsewhere in the config, those domain names will have to be listed here. The only time Caddy knows which domains it is serving with On-Demand TLS is handshake-time, which is too late for publishing ECH configs; it means the first connections would not protect the server names, revealing that information to observers, and thus defeating the purpose of ECH. Hence the need to list them here so Caddy can proactively publish ECH configs before clients connect with those server names in plaintext. |
| PublishersRaw |
|
How to publish the ECH configurations so clients can know to use ECH to connect more securely to the server. |
| publishers |
|
No comment on field. |
ECHPublisher
ECHPublisher is an interface for publishing ECHConfigList values so that they can be used by clients.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
FileCAPool
FileCAPool generates trusted root certificates pool from the designated DER and PEM file
| Field name | Field type | Comment |
|---|---|---|
| TrustedCACertPEMFiles |
|
TrustedCACertPEMFiles is a list of PEM file names from which to load certificates of trusted CAs. Client certificates which are not signed by any of these CA certificates will be rejected. |
| pool |
|
No comment on field. |
FileLoader
FileLoader loads certificates and their associated keys from disk.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
FolderLoader
FolderLoader loads certificates and their associated keys from disk by recursively walking the specified directories, looking for PEM files which contain both a certificate and a key.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
HTTPCertGetter
HTTPCertGetter can get a certificate via HTTP(S) request.
| Field name | Field type | Comment |
|---|---|---|
| URL |
|
The URL from which to download the certificate. Required. The URL will be augmented with query string parameters taken from the TLS handshake:
To be valid, the response must be HTTP 200 with a PEM body consisting of blocks for the certificate chain and the private key. To indicate that this manager is not managing a certificate for the described handshake, the endpoint should return HTTP 204 (No Content). Error statuses will indicate that the manager is capable of providing a certificate but was unable to. |
| ctx |
|
No comment on field. |
HTTPCertPool
The HTTPCertPool fetches the trusted root certificates from HTTP(S) endpoints. The TLS connection properties can be customized, including custom trusted root certificate. One example usage of this module is to get the trusted certificates from another Caddy instance that is running the PKI app and ACME server.
| Field name | Field type | Comment |
|---|---|---|
| Endpoints |
|
the list of URLs that respond with PEM-encoded certificates to trust. |
| TLS |
|
Customize the TLS connection knobs to used during the HTTP call |
| pool |
|
No comment on field. |
HTTPChallengeConfig
HTTPChallengeConfig configures the ACME HTTP challenge.
| Field name | Field type | Comment |
|---|---|---|
| Disabled |
|
If true, the HTTP challenge will be disabled. |
| AlternatePort |
|
An alternate port on which to service this challenge. Note that the HTTP challenge port is hard-coded into the spec and cannot be changed, so you would have to forward packets from the standard HTTP challenge port to this one. |
HandshakeContext
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
InlineCAPool
InlineCAPool is a certificate authority pool provider coming from a DER-encoded certificates in the config
| Field name | Field type | Comment |
|---|---|---|
| TrustedCACerts |
|
A list of base64 DER-encoded CA certificates against which to validate client certificates. Client certs which are not signed by any of these CAs will be rejected. |
| pool |
|
No comment on field. |
InternalIssuer
InternalIssuer is a certificate issuer that generates
certificates internally using a locally-configured
CA which can be customized using the pki app.
| Field name | Field type | Comment |
|---|---|---|
| CA |
|
The ID of the CA to use for signing. The default
CA ID is "local". The CA can be configured with the
|
| Lifetime |
|
The validity period of certificates. |
| SignWithRoot |
|
If true, the root will be the issuer instead of the intermediate. This is NOT recommended and should only be used when devices/clients do not properly validate certificate chains. |
| ca |
|
No comment on field. |
| logger |
|
No comment on field. |
LeafCertClientAuth
LeafCertClientAuth verifies the client's leaf certificate.
| Field name | Field type | Comment |
|---|---|---|
| LeafCertificateLoadersRaw |
|
No comment on field. |
| trustedLeafCerts |
|
No comment on field. |
LeafCertificateLoader
LeafCertificateLoader is a type that loads the trusted leaf certificates for the tls.leaf_cert_loader modules
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
LeafFileLoader
LeafFileLoader loads leaf certificates from disk.
| Field name | Field type | Comment |
|---|---|---|
| Files |
|
No comment on field. |
LeafFolderLoader
LeafFolderLoader loads certificates and their associated keys from disk by recursively walking the specified directories, looking for PEM files which contain both a certificate and a key.
| Field name | Field type | Comment |
|---|---|---|
| Folders |
|
No comment on field. |
LeafPEMLoader
LeafPEMLoader loads leaf certificates by decoding their PEM blocks directly. This has the advantage of not needing to store them on disk at all.
| Field name | Field type | Comment |
|---|---|---|
| Certificates |
|
No comment on field. |
LeafStorageLoader
LeafStorageLoader loads leaf certificates from the globally configured storage module.
| Field name | Field type | Comment |
|---|---|---|
| Certificates |
|
A list of certificate file names to be loaded from storage. |
| StorageRaw |
|
The storage module where the trusted leaf certificates are stored. Absent explicit storage implies the use of Caddy default storage. |
| storage |
|
Reference to the globally configured storage module. |
| ctx |
|
No comment on field. |
MatchLocalIP
MatchLocalIP matches based on the IP address of the interface receiving the connection. Specific IPs or CIDR ranges can be specified.
| Field name | Field type | Comment |
|---|---|---|
| Ranges |
|
The IPs or CIDR ranges to match. |
| cidrs |
|
No comment on field. |
| logger |
|
No comment on field. |
MatchRegexp
MatchRegexp is an embeddable type for matching using regular expressions. It adds placeholders to the request's replacer. In fact, it is a copy of caddyhttp.MatchRegexp with a local replacer prefix and placeholders support in a regular expression pattern.
| Field name | Field type | Comment |
|---|---|---|
| Name |
|
A unique name for this regular expression. Optional, but useful to prevent overwriting captures from other regexp matchers. |
| Pattern |
|
The regular expression to evaluate, in RE2 syntax, which is the same general syntax used by Go, Perl, and Python. For details, see Go's regexp package. Captures are accessible via placeholders. Unnamed capture groups are exposed as their numeric, 1-based index, while named capture groups are available by the capture group name. |
| compiled |
|
No comment on field. |
MatchRemoteIP
MatchRemoteIP matches based on the remote IP of the connection. Specific IPs or CIDR ranges can be specified.
Note that IPs can sometimes be spoofed, so do not rely on this as a replacement for actual authentication.
| Field name | Field type | Comment |
|---|---|---|
| Ranges |
|
The IPs or CIDR ranges to match. |
| NotRanges |
|
The IPs or CIDR ranges to NOT match. |
| cidrs |
|
No comment on field. |
| notCidrs |
|
No comment on field. |
| logger |
|
No comment on field. |
MatchServerName
MatchServerName matches based on SNI. Names in this list may use left-most-label wildcards, similar to wildcard certificates.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
MatchServerNameRE
MatchServerNameRE matches based on SNI using a regular expression.
| Field name | Field type | Comment |
|---|---|---|
|
No comment on field. |
OnDemandConfig
OnDemandConfig configures on-demand TLS, for obtaining needed certificates at handshake-time. Because this feature can easily be abused, Caddy must ask permission to your application whether a particular domain is allowed to have a certificate issued for it.
| Field name | Field type | Comment |
|---|---|---|
| Ask |
|
Deprecated. WILL BE REMOVED SOON. Use 'permission' instead with the |
| PermissionRaw |
|
REQUIRED. A module that will determine whether a certificate is allowed to be loaded from storage or obtained from an issuer on demand. |
| permission |
|
No comment on field. |
OnDemandPermission
OnDemandPermission is a type that can give permission for whether a certificate should be allowed to be obtained or loaded from storage on-demand. EXPERIMENTAL: This API is experimental and subject to change.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
PEMLoader
PEMLoader loads certificates and their associated keys by decoding their PEM blocks directly. This has the advantage of not needing to store them on disk at all.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
PKIIntermediateCAPool
PKIIntermediateCAPool extracts the trusted intermediate certificates from Caddy's native 'pki' app
| Field name | Field type | Comment |
|---|---|---|
| Authority |
|
List of the Authority names that are configured in the |
| ca |
|
No comment on field. |
| pool |
|
No comment on field. |
PKIRootCAPool
PKIRootCAPool extracts the trusted root certificates from Caddy's native 'pki' app
| Field name | Field type | Comment |
|---|---|---|
| Authority |
|
List of the Authority names that are configured in the |
| ca |
|
No comment on field. |
| pool |
|
No comment on field. |
PermissionByHTTP
PermissionByHTTP determines permission for a TLS certificate by making a request to an HTTP endpoint.
| Field name | Field type | Comment |
|---|---|---|
| Endpoint |
|
The endpoint to access. It should be a full URL.
A query string parameter "domain" will be added to it,
containing the domain (or IP) for the desired certificate,
like so: The endpoint must return a 200 OK status if a certificate is allowed; anything else will cause it to be denied. Redirects are not followed. |
| logger |
|
No comment on field. |
| replacer |
|
No comment on field. |
PublicKeyAlgorithm
PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
STEKProvider
STEKProvider is a type that can provide session ticket ephemeral keys (STEKs).
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
SessionTicketService
SessionTicketService configures and manages TLS session tickets.
| Field name | Field type | Comment |
|---|---|---|
| KeySource |
|
KeySource is the method by which Caddy produces or obtains TLS session ticket keys (STEKs). By default, Caddy generates them internally using a secure pseudorandom source. |
| RotationInterval |
|
How often Caddy rotates STEKs. Default: 12h. |
| MaxKeys |
|
The maximum number of keys to keep in rotation. Default: 4. |
| DisableRotation |
|
Disables STEK rotation. |
| Disabled |
|
Disables TLS session resumption by tickets. |
| keySource |
|
No comment on field. |
| configs |
|
No comment on field. |
| stopChan |
|
No comment on field. |
| currentKeys |
|
No comment on field. |
| mu |
|
No comment on field. |
StorageLoader
StorageLoader loads certificates and their associated keys from the globally configured storage module.
| Field name | Field type | Comment |
|---|---|---|
| Pairs |
|
A list of pairs of certificate and key file names along with their encoding format so that they can be loaded from storage. |
| storage |
|
Reference to the globally configured storage module. |
| ctx |
|
No comment on field. |
StoragePool
StoragePool extracts the trusted certificates root from Caddy storage
| Field name | Field type | Comment |
|---|---|---|
| StorageRaw |
|
The storage module where the trusted root certificates are stored. Absent explicit storage implies the use of Caddy default storage. |
| PEMKeys |
|
The storage key/index to the location of the certificates |
| storage |
|
No comment on field. |
| pool |
|
No comment on field. |
TLS
TLS provides TLS facilities including certificate loading and management, client auth, and more.
| Field name | Field type | Comment |
|---|---|---|
| CertificatesRaw |
|
Certificates to load into memory for quick recall during TLS handshakes. Each key is the name of a certificate loader module. The "automate" certificate loader module can be used to specify a list of subjects that need certificates to be managed automatically, including subdomains that may already be covered by a managed wildcard certificate. The first matching automation policy will be used to manage automated certificate(s). All loaded certificates get pooled into the same cache and may be used to complete TLS handshakes for the relevant server names (SNI). Certificates loaded manually (anything other than "automate") are not automatically managed and will have to be refreshed manually before they expire. |
| Automation |
|
Configures certificate automation. |
| SessionTickets |
|
Configures session ticket ephemeral keys (STEKs). |
| Cache |
|
Configures the in-memory certificate cache. |
| DisableOCSPStapling |
|
Disables OCSP stapling for manually-managed certificates only. To configure OCSP stapling for automated certificates, use an automation policy instead. Disabling OCSP stapling puts clients at greater risk, reduces their privacy, and usually lowers client performance. It is NOT recommended to disable this unless you are able to justify the costs. EXPERIMENTAL. Subject to change. |
| DisableStorageCheck |
|
Disables checks in certmagic that the configured storage is ready and able to handle writing new content to it. These checks are intended to prevent information loss (newly issued certificates), but can be expensive on the storage. Disabling these checks should only be done when the storage can be trusted to have enough capacity and no other problems. EXPERIMENTAL. Subject to change. |
| DisableStorageClean |
|
Disables the automatic cleanup of the storage backend. This is useful when TLS is not being used to store certificates and the user wants run their server in a read-only mode. Storage cleaning creates two files: instance.uuid and last_clean.json. The instance.uuid file is used to identify the instance of Caddy in a cluster. The last_clean.json file is used to store the last time the storage was cleaned. EXPERIMENTAL. Subject to change. |
| EncryptedClientHello |
|
Enable Encrypted ClientHello (ECH). ECH protects the server name (SNI) and other sensitive parameters of a normally-plaintext TLS ClientHello during a handshake. EXPERIMENTAL: Subject to change. |
| DNSRaw |
|
The default DNS provider module to use when a DNS module is needed. EXPERIMENTAL: Subject to change. |
| dns |
|
No comment on field. |
| certificateLoaders |
|
No comment on field. |
| automateNames |
|
No comment on field. |
| ctx |
|
No comment on field. |
| storageCleanTicker |
|
No comment on field. |
| storageCleanStop |
|
No comment on field. |
| logger |
|
No comment on field. |
| events |
|
No comment on field. |
| serverNames |
|
No comment on field. |
| serverNamesMu |
|
No comment on field. |
| managing |
|
set of subjects with managed certificates, and hashes of manually-loaded certificates (managing's value is an optional issuer key, for distinction) |
TLSALPNChallengeConfig
TLSALPNChallengeConfig configures the ACME TLS-ALPN challenge.
| Field name | Field type | Comment |
|---|---|---|
| Disabled |
|
If true, the TLS-ALPN challenge will be disabled. |
| AlternatePort |
|
An alternate port on which to service this challenge. Note that the TLS-ALPN challenge port is hard-coded into the spec and cannot be changed, so you would have to forward packets from the standard TLS-ALPN challenge port to this one. |
TLSConfig
TLSConfig holds configuration related to the TLS configuration for the transport/client. copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
| Field name | Field type | Comment |
|---|---|---|
| CARaw |
|
Provides the guest module that provides the trusted certificate authority (CA) certificates |
| InsecureSkipVerify |
|
If true, TLS verification of server certificates will be disabled. This is insecure and may be removed in the future. Do not use this option except in testing or local development environments. |
| HandshakeTimeout |
|
The duration to allow a TLS handshake to a server. Default: No timeout. |
| ServerName |
|
The server name used when verifying the certificate received in the TLS handshake. By default, this will use the upstream address' host part. You only need to override this if your upstream address does not match the certificate the upstream is likely to use. For example if the upstream address is an IP address, then you would need to configure this to the hostname being served by the upstream server. Currently, this does not support placeholders because the TLS config is not provisioned on each connection, so a static value must be used. |
| Renegotiation |
|
TLS renegotiation level. TLS renegotiation is the act of performing subsequent handshakes on a connection after the first. The level can be:
|
Tailscale
Tailscale is a module that can get certificates from the local Tailscale process.
| Field name | Field type | Comment |
|---|---|---|
| logger |
|
No comment on field. |
ZeroSSLIssuer
ZeroSSLIssuer uses the ZeroSSL API to get certificates. Note that this is distinct from ZeroSSL's ACME endpoint. To use ZeroSSL's ACME endpoint, use the ACMEIssuer configured with ZeroSSL's ACME directory endpoint.
| Field name | Field type | Comment |
|---|---|---|
| APIKey |
|
The API key (or "access key") for using the ZeroSSL API. REQUIRED. |
| ValidityDays |
|
How many days the certificate should be valid for. Only certain values are accepted; see ZeroSSL docs. |
| ListenHost |
|
The host to bind to when opening a listener for verifying domain names (or IPs). |
| AlternateHTTPPort |
|
If HTTP is forwarded from port 80, specify the forwarded port here. |
| CNAMEValidation |
|
Use CNAME validation instead of HTTP. ZeroSSL's API uses CNAME records for DNS validation, similar to how Let's Encrypt uses TXT records for the DNS challenge. |
| logger |
|
No comment on field. |
| storage |
|
No comment on field. |
| issuer |
|
No comment on field. |
bigInt
bigInt is a big.Int type that interops with JSON encodings as a string.
| Field name | Field type | Comment |
|---|---|---|
|
No comment on field. |
customCertLifetime
customCertLifetime allows us to customize certificates that are issued by Smallstep libs, particularly the NotBefore & NotAfter dates.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
destructableWriter
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
|
No comment on field. |
echConfig
echConfig represents an ECHConfig from the specification, draft-ietf-tls-esni-22.
| Field name | Field type | Comment |
|---|---|---|
| Version |
|
"The version of ECH for which this configuration is used. The version is the same as the code point for the encrypted_client_hello extension. Clients MUST ignore any ECHConfig structure with a version they do not support." |
| ConfigID |
|
HpkeKeyConfig fields: |
| KEMID |
|
No comment on field. |
| PublicKey |
|
No comment on field. |
| CipherSuites |
|
No comment on field. |
| MaxNameLength |
|
ECHConfigContents fields: |
| RawPublicName |
|
No comment on field. |
| RawExtensions |
|
No comment on field. |
| configBin |
|
these fields are not part of the spec, but are here for our use when setting up TLS servers or maintenance |
| privKeyBin |
|
No comment on field. |
| meta |
|
No comment on field. |
| sendAsRetry |
|
No comment on field. |
echConfigList
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
echConfigMeta
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
| Created |
|
No comment on field. |
| Publications |
|
No comment on field. |
hpkeSymmetricCipherSuite
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
| KDFID |
|
No comment on field. |
| AEADID |
|
No comment on field. |
publicationHistory
publicationHistory is a map of publisher key to map of inner name to timestamp
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
Functions
func AllMatchingCertificates
AllMatchingCertificates returns the list of all certificates in the cache which could be used to satisfy the given SAN.
func CipherSuiteID
CipherSuiteID returns the ID of the cipher suite associated with the given name, or 0 if the name is not recognized/supported.
func CipherSuiteNameSupported
CipherSuiteNameSupported returns true if name is a supported cipher suite.
func DefaultIssuers
DefaultIssuers returns empty Issuers (not provisioned) to be used as defaults. This function is experimental and has no compatibility promises.
Uses: certmagic.Issuer, certmagic.ZeroSSLProductionCA, strings.TrimSpace.func DefaultIssuersProvisioned
DefaultIssuersProvisioned returns empty but provisioned default Issuers from DefaultIssuers(). This function is experimental and has no compatibility promises.
Uses: fmt.Errorf.func ParseCaddyfileNestedMatcherSet
ParseCaddyfileNestedMatcherSet parses the Caddyfile tokens for a nested matcher set, and returns its raw module map value.
Uses: caddyfile.NewDispenser, caddyfile.Token, caddyfile.UnmarshalModule, fmt.Errorf, json.Marshal.func ParseCaddyfilePreferredChainsOptions
func ProtocolName
ProtocolName returns the standard name for the passed protocol version ID (e.g. "TLS1.3") or a fallback representation of the ID value if the version is not supported.
Uses: fmt.Sprintf.func SupportedCipherSuites
SupportedCipherSuites returns a list of all the cipher suites Caddy supports. The list is NOT ordered by security preference.
Uses: tls.CipherSuites.func (*ACMEIssuer) GetACMEIssuer
GetACMEIssuer returns iss. This is useful when other types embed ACMEIssuer, because type-asserting them to *ACMEIssuer will fail, but type-asserting them to an interface with only this method will succeed, and will still allow the embedded ACMEIssuer to be accessed and manipulated.
func (*ACMEIssuer) GetRenewalInfo
GetRenewalInfo wraps the underlying GetRenewalInfo method and satisfies the CertMagic interface for ARI support.
func (*ACMEIssuer) Issue
Issue obtains a certificate for the given csr.
func (*ACMEIssuer) IssuerKey
IssuerKey returns the unique issuer key for the configured CA endpoint.
func (*ACMEIssuer) PreCheck
PreCheck implements the certmagic.PreChecker interface.
func (*ACMEIssuer) Provision
Provision sets up iss.
Uses: certmagic.DNS01Solver, certmagic.DNSManager, certmagic.DNSProvider, fmt.Errorf, os.ReadFile, time.Duration, x509.NewCertPool.func (*ACMEIssuer) Revoke
Revoke revokes the given certificate.
func (*ACMEIssuer) SetConfig
SetConfig sets the associated certmagic config for this issuer. This is required because ACME needs values from the config in order to solve the challenges during issuance. This implements the ConfigSetter interface.
Uses: certmagic.NewACMEIssuer.func (*ACMEIssuer) UnmarshalCaddyfile
UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
... acme [<directory_url>] {
dir <directory_url>
test_dir <test_directory_url>
email <email>
profile <profile_name>
timeout <duration>
disable_http_challenge
disable_tlsalpn_challenge
alt_http_port <port>
alt_tlsalpn_port <port>
eab <key_id> <mac_key>
trusted_roots <pem_files...>
dns <provider_name> [<options>]
propagation_delay <duration>
propagation_timeout <duration>
resolvers <dns_servers...>
dns_ttl <duration>
dns_challenge_override_domain <domain>
preferred_chains [smallest] {
root_common_name <common_names...>
any_common_name <common_names...>
}
}
func (*AutomationPolicy) AllInternalSubjects
AllInternalSubjects returns true if all the subjects on this policy are internal.
Uses: certmagic.SubjectIsInternal, slices.ContainsFunc.func (*AutomationPolicy) Provision
Provision sets up ap and builds its underlying CertMagic config.
Uses: certmagic.ClientHelloInfoCtxKey, certmagic.Config, certmagic.Issuer, certmagic.Manager, certmagic.New, certmagic.OCSPConfig, certmagic.OnDemandConfig, certmagic.StandardKeyGenerator, context.Context, errors.Is, fmt.Errorf, idna.ToASCII, net.SplitHostPort, tls.ClientHelloInfo, zap.Error, zap.String, zapcore.DebugLevel, zapcore.ErrorLevel.func (*AutomationPolicy) Subjects
Subjects returns the list of subjects with all placeholders replaced.
func (*ClientAuthentication) ConfigureTLSConfig
ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
Uses: fmt.Errorf, tls.NoClientCert, tls.RequestClientCert, tls.RequireAndVerifyClientCert, tls.RequireAnyClientCert, tls.VerifyClientCertIfGiven, x509.Certificate.func (*ClientAuthentication) UnmarshalCaddyfile
UnmarshalCaddyfile parses the Caddyfile segment to set up the client authentication. Syntax:
client_auth {
mode [request|require|verify_if_given|require_and_verify]
trust_pool <module> {
...
}
verifier <module>
}
If mode is not provided, it defaults to require_and_verify if trust_pool is provided.
Otherwise, it defaults to require.
func (*ConnectionPolicy) UnmarshalCaddyfile
UnmarshalCaddyfile sets up the ConnectionPolicy from Caddyfile tokens. Syntax:
connection_policy {
alpn <values...>
cert_selection {
...
}
ciphers <cipher_suites...>
client_auth {
...
}
curves <curves...>
default_sni <server_name>
match {
...
}
protocols <min> [<max>]
# EXPERIMENTAL:
drop
fallback_sni <server_name>
insecure_secrets_log <log_file>
}
func (*CustomCertSelectionPolicy) UnmarshalCaddyfile
UnmarshalCaddyfile sets up the CustomCertSelectionPolicy from Caddyfile tokens. Syntax:
cert_selection {
all_tags <values...>
any_tag <values...>
public_key_algorithm <dsa|ecdsa|rsa>
serial_number <big_integers...>
subject_organization <values...>
}
func (*ECH) Provision
Provision loads or creates ECH configs and returns outer names (for certificate management), but does not publish any ECH configs. The DNS module is used as a default for later publishing if needed.
Uses: errors.Is, fmt.Errorf, fs.ErrNotExist, path.Base, strings.ToLower, strings.TrimSpace, time.Time, zap.Error, zap.String, zap.Uint8.func (*ECHDNSPublisher) Provision
func (*ECHDNSPublisher) PublishECHConfigList
PublishECHConfigList publishes the given ECH config list to the given DNS names.
Uses: base64.StdEncoding, certmagic.FindZoneByFQDN, certmagic.RecursiveNameservers, libdns.Record, libdns.RelativeName, libdns.ServiceBinding, libdns.SvcParams, time.Minute, zap.Error, zap.String.func (*FileCAPool) Provision
Loads and decodes the DER and pem files to generate the certificate pool
Uses: fmt.Errorf, os.ReadFile, x509.NewCertPool.func (*FileCAPool) UnmarshalCaddyfile
Syntax:
trust_pool file [<pem_file>...] {
pem_file <pem_file>...
}
The 'pem_file' directive can be specified multiple times.
func (*HTTPCertGetter) Provision
func (*HTTPCertGetter) UnmarshalCaddyfile
UnmarshalCaddyfile deserializes Caddyfile tokens into ts.
... http <url>
func (*HTTPCertPool) Provision
Provision implements caddy.Provisioner.
Uses: fmt.Errorf, http.DefaultClient, http.DefaultTransport, http.MethodGet, http.NewRequestWithContext, http.Transport, io.ReadAll, x509.NewCertPool.func (*HTTPCertPool) UnmarshalCaddyfile
Syntax:
trust_pool http [<endpoints...>] {
endpoints <endpoints...>
tls <tls_config>
}
tls_config:
ca <ca_module>
insecure_skip_verify
handshake_timeout <duration>
server_name <name>
renegotiation <never|once|freely>
<ca_module> is the name of the CA module to source the trust
certificate pool and follows the syntax of the named CA module.
func (*InlineCAPool) Provision
Provision implements caddy.Provisioner.
Uses: fmt.Errorf, x509.NewCertPool.func (*InlineCAPool) UnmarshalCaddyfile
Syntax:
trust_pool inline {
trust_der <base64_der_cert>...
}
The 'trust_der' directive can be specified multiple times.
func (*InternalIssuer) Provision
Provision sets up the issuer.
Uses: caddypki.DefaultCAID, caddypki.PKI.func (*InternalIssuer) UnmarshalCaddyfile
UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
... internal {
ca <name>
lifetime <duration>
sign_with_root
}
func (*LeafCertClientAuth) Provision
func (*LeafFileLoader) Provision
Provision implements caddy.Provisioner.
func (*LeafFolderLoader) Provision
Provision implements caddy.Provisioner.
func (*LeafPEMLoader) Provision
Provision implements caddy.Provisioner.
func (*LeafStorageLoader) Provision
Provision loads the storage module for sl.
Uses: fmt.Errorf.func (*MatchLocalIP) Provision
Provision parses m's IP ranges, either from IP or CIDR expressions.
func (*MatchLocalIP) UnmarshalCaddyfile
UnmarshalCaddyfile sets up the MatchLocalIP from Caddyfile tokens. Syntax:
local_ip <ranges...>
func (*MatchRegexp) Match
Match returns true if input matches the compiled regular expression in m. It sets values on the replacer repl associated with capture groups, using the given scope (namespace).
Uses: strconv.Itoa.func (*MatchRegexp) Provision
Provision compiles the regular expression which may include placeholders.
Uses: fmt.Errorf, regexp.Compile.func (*MatchRegexp) UnmarshalCaddyfile
UnmarshalCaddyfile implements caddyfile.Unmarshaler.
Uses: caddyfile.MatcherNameCtxKey.func (*MatchRegexp) Validate
Validate ensures mre is set up correctly.
Uses: fmt.Errorf.func (*MatchRemoteIP) Provision
Provision parses m's IP ranges, either from IP or CIDR expressions.
func (*MatchRemoteIP) UnmarshalCaddyfile
UnmarshalCaddyfile sets up the MatchRemoteIP from Caddyfile tokens. Syntax:
remote_ip <ranges...>
Note: IPs and CIDRs prefixed with ! symbol are treated as not_ranges
func (*MatchServerName) UnmarshalCaddyfile
UnmarshalCaddyfile sets up the MatchServerName from Caddyfile tokens. Syntax:
sni <domains...>
func (*PKIIntermediateCAPool) Provision
Loads the PKI app and load the intermediate certificates into the certificate pool
Uses: caddypki.PKI, fmt.Errorf, x509.NewCertPool.func (*PKIIntermediateCAPool) UnmarshalCaddyfile
Syntax:
trust_pool pki_intermediate [<ca_name>...] {
authority <ca_name>...
}
The 'authority' directive can be specified multiple times.
func (*PKIRootCAPool) Provision
Loads the PKI app and load the root certificates into the certificate pool
Uses: caddypki.PKI, fmt.Errorf, x509.NewCertPool.func (*PKIRootCAPool) UnmarshalCaddyfile
Syntax:
trust_pool pki_root [<ca_name>...] {
authority <ca_name>...
}
The 'authority' directive can be specified multiple times.
func (*PermissionByHTTP) Provision
func (*PermissionByHTTP) UnmarshalCaddyfile
UnmarshalCaddyfile implements caddyfile.Unmarshaler.
func (*PublicKeyAlgorithm) UnmarshalJSON
UnmarshalJSON satisfies json.Unmarshaler.
Uses: fmt.Errorf, strings.ToLower, strings.Trim.func (*StorageLoader) Provision
Provision loads the storage module for sl.
func (*StoragePool) Provision
Provision implements caddy.Provisioner.
Uses: fmt.Errorf, x509.NewCertPool.func (*StoragePool) UnmarshalCaddyfile
Syntax:
trust_pool storage [<storage_keys>...] {
storage <storage_module>
keys <storage_keys>...
}
The 'keys' directive can be specified multiple times. The'storage' directive is optional and defaults to the default storage module.
Uses: caddyconfig.JSONModuleObject, caddyfile.UnmarshalModule.func (*TLS) AddAutomationPolicy
AddAutomationPolicy provisions and adds ap to the list of the app's automation policies. If an existing automation policy exists that has fewer hosts in its list than ap does, ap will be inserted before that other policy (this helps ensure that ap will be prioritized/chosen over, say, a catch-all policy).
Uses: certmagic.MatchWildcard.func (*TLS) Cleanup
Cleanup frees up resources allocated during Provision.
Uses: certmagic.SubjectIssuer, zap.Error, zap.Strings, zapcore.ErrorLevel.func (*TLS) HandleHTTPChallenge
HandleHTTPChallenge ensures that the ACME HTTP challenge or ZeroSSL HTTP validation request is handled for the certificate named by r.Host, if it is an HTTP challenge request. It requires that the automation policy for r.Host has an issuer that implements GetACMEIssuer() or is a *ZeroSSLIssuer.
Uses: certmagic.GetACMEChallenge, certmagic.LooksLikeHTTPChallenge, certmagic.LooksLikeZeroSSLHTTPValidation, certmagic.SolveHTTPChallenge.func (*TLS) HasCertificateForSubject
func (*TLS) Manage
Manage immediately begins managing subjects according to the matching automation policy. The subjects are given in a map to prevent duplication and also because quick lookups are needed to assess wildcard coverage, if any, depending on certain config parameters (with lots of subjects, computing wildcard coverage over a slice can be highly inefficient).
Uses: fmt.Errorf, fmt.Sprintf.func (*TLS) Provision
Provision sets up the configuration for the TLS app.
Uses: caddyevents.App, certmagic.CacheOptions, certmagic.Certificate, certmagic.Config, certmagic.New, certmagic.NewCache, certmagic.OCSPConfig, certmagic.SubjectQualifiesForPublicCert, fmt.Errorf, json.RawMessage, libdns.RecordAppender, libdns.RecordDeleter, libdns.RecordGetter, libdns.RecordSetter, sync.Mutex, time.Duration.func (*TLS) RegisterServerNames
RegisterServerNames registers the provided DNS names with the TLS app. This is currently used to auto-publish Encrypted ClientHello (ECH) configurations, if enabled. Use of this function by apps using the TLS app removes the need for the user to redundantly specify domain names in their configuration. This function separates hostname and port (keeping only the hotsname) and filters IP addresses, which can't be used with ECH.
EXPERIMENTAL: This function and its semantics/behavior are subject to change.
Uses: certmagic.SubjectIsIP, net.SplitHostPort, strings.ToLower, strings.TrimSpace.func (*TLS) Start
Start activates the TLS module.
Uses: fmt.Errorf, zap.Error, zap.String, zapcore.WarnLevel.func (*TLS) Stop
Stop stops the TLS module and cleans up any allocations.
func (*TLS) Validate
Validate validates t's configuration.
Uses: fmt.Errorf.func (*Tailscale) Provision
func (*ZeroSSLIssuer) CaddyModule
CaddyModule returns the Caddy module information.
func (*ZeroSSLIssuer) Issue
Issue obtains a certificate for the given csr.
func (*ZeroSSLIssuer) IssuerKey
IssuerKey returns the unique issuer key for the configured CA endpoint.
func (*ZeroSSLIssuer) Provision
Provision sets up the issuer.
Uses: certmagic.DNSManager, certmagic.DNSProvider, certmagic.ZeroSSLIssuer, fmt.Errorf, time.Duration.func (*ZeroSSLIssuer) Revoke
Revoke revokes the given certificate.
func (*ZeroSSLIssuer) UnmarshalCaddyfile
UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
... zerossl <api_key> {
validity_days <days>
alt_http_port <port>
dns <provider_name> ...
propagation_delay <duration>
propagation_timeout <duration>
resolvers <list...>
dns_ttl <duration>
}
func (*bigInt) UnmarshalJSON
func (*echConfig) UnmarshalBinary
UnmarshalBinary decodes the data back into an ECH config.
Borrowed from github.com/OmarTariq612/goech with modifications. Original code: Copyright (c) 2023 Omar Tariq AbdEl-Raziq
Uses: cryptobyte.String, fmt.Errorf, hpke.AEAD, hpke.KDF.func (ACMEIssuer) CaddyModule
CaddyModule returns the Caddy module information.
func (AutomateLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (ClientAuthentication) Active
Active returns true if clientauth has an actionable configuration.
func (ConnectionPolicies) Provision
Provision sets up each connection policy. It should be called during the Validate() phase, after the TLS app (if any) is already set up.
Uses: fmt.Errorf.func (ConnectionPolicies) TLSConfig
TLSConfig returns a standard-lib-compatible TLS configuration which selects the first matching policy based on the ClientHello.
Uses: fmt.Errorf, strings.ToLower, tls.ClientHelloInfo, tls.Config, tls.EncryptedClientHelloKey, tls.VersionTLS12.func (ConnectionPolicy) SettingsEmpty
SettingsEmpty returns true if p's settings (fields except the matchers) are all empty/unset.
func (ConnectionPolicy) SettingsEqual
SettingsEmpty returns true if p's settings (fields except the matchers) are the same as q.
Uses: reflect.DeepEqual.func (CustomCertSelectionPolicy) SelectCertificate
SelectCertificate implements certmagic.CertificateSelector. It only chooses a certificate that at least meets the criteria in p. It then chooses the first non-expired certificate that is compatible with the client. If none are valid, it chooses the first viable candidate anyway.
Uses: certmagic.Certificate, certmagic.DefaultCertificateSelector, fmt.Errorf, slices.Contains, slices.ContainsFunc, x509.UnknownPublicKeyAlgorithm.func (ECHDNSPublisher) CaddyModule
CaddyModule returns the Caddy module information.
func (ECHDNSPublisher) PublisherKey
PublisherKey returns the name of the DNS provider module. We intentionally omit specific provider configuration (or a hash thereof, since the config is likely sensitive, potentially containing an API key) because it is unlikely that specific configuration, such as an API key, is relevant to unique key use as an ECH config publisher.
func (FileCAPool) CaddyModule
CaddyModule implements caddy.Module.
func (FileCAPool) CertPool
func (FileLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (FileLoader) LoadCertificates
LoadCertificates returns the certificates to be loaded by fl.
Uses: fmt.Errorf, os.ReadFile, strings.Contains, tls.Certificate, tls.X509KeyPair.func (FileLoader) Provision
Provision implements caddy.Provisioner.
func (FolderLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (FolderLoader) LoadCertificates
LoadCertificates loads all the certificates+keys in the directories listed in fl from all files ending with .pem. This method of loading certificates expects the certificate and key to be bundled into the same file.
Uses: filepath.Walk, fmt.Errorf, os.FileInfo, os.ReadFile, strings.HasSuffix, strings.ToLower.func (FolderLoader) Provision
Provision implements caddy.Provisioner.
func (HTTPCertGetter) CaddyModule
CaddyModule returns the Caddy module information.
func (HTTPCertGetter) GetCertificate
func (HTTPCertPool) CaddyModule
CaddyModule implements caddy.Module.
func (HTTPCertPool) CertPool
CertPool return the certificate pool generated from the HTTP responses
func (HTTPCertPool) Validate
report error if the endpoints are not valid URLs
Uses: errors.Join, url.Parse.func (InlineCAPool) CaddyModule
CaddyModule implements caddy.Module.
func (InlineCAPool) CertPool
CertPool implements CA.
func (InternalIssuer) CaddyModule
CaddyModule returns the Caddy module information.
func (InternalIssuer) Issue
Issue issues a certificate to satisfy the CSR.
Uses: bytes.Buffer, caddypki.AuthorityConfig, certmagic.IssuedCertificate, pem.Block, pem.Encode, provisioner.SignOptions, time.Duration, time.Now, time.Until, x509.Certificate, zap.Duration, zap.Time.func (InternalIssuer) IssuerKey
IssuerKey returns the unique issuer key for the configured CA endpoint.
func (LeafCertClientAuth) CaddyModule
CaddyModule returns the Caddy module information.
func (LeafCertClientAuth) VerifyClientCertificate
func (LeafFileLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (LeafFileLoader) LoadLeafCertificates
LoadLeafCertificates returns the certificates to be loaded by fl.
Uses: x509.Certificate, x509.ParseCertificates.func (LeafFolderLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (LeafFolderLoader) LoadLeafCertificates
LoadLeafCertificates loads all the leaf certificates in the directories listed in fl from all files ending with .pem.
Uses: filepath.Walk, fmt.Errorf, os.FileInfo, strings.HasSuffix, strings.ToLower, x509.Certificate, x509.ParseCertificate.func (LeafPEMLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (LeafPEMLoader) LoadLeafCertificates
LoadLeafCertificates returns the certificates contained in pl.
Uses: fmt.Errorf, x509.Certificate, x509.ParseCertificate.func (LeafStorageLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (LeafStorageLoader) LoadLeafCertificates
LoadLeafCertificates returns the certificates to be loaded by sl.
Uses: x509.Certificate, x509.ParseCertificates.func (MatchLocalIP) CaddyModule
CaddyModule returns the Caddy module information.
func (MatchLocalIP) Match
Match matches hello based on the connection's remote IP.
Uses: net.SplitHostPort, netip.ParseAddr, zap.String, zapcore.ErrorLevel.func (MatchRemoteIP) CaddyModule
CaddyModule returns the Caddy module information.
func (MatchRemoteIP) Match
Match matches hello based on the connection's remote IP.
Uses: net.SplitHostPort, netip.ParseAddr, zap.String, zapcore.ErrorLevel.func (MatchServerName) CaddyModule
CaddyModule returns the Caddy module information.
func (MatchServerName) Match
Match matches hello based on SNI.
Uses: certmagic.MatchWildcard.func (MatchServerNameRE) CaddyModule
CaddyModule returns the Caddy module information.
func (MatchServerNameRE) Match
Match matches hello based on SNI using a regular expression.
Uses: context.Context.func (PEMLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (PEMLoader) LoadCertificates
LoadCertificates returns the certificates contained in pl.
Uses: fmt.Errorf, tls.X509KeyPair.func (PEMLoader) Provision
Provision implements caddy.Provisioner.
func (PKIIntermediateCAPool) CaddyModule
CaddyModule implements caddy.Module.
func (PKIIntermediateCAPool) CertPool
return the certificate pool generated with intermediate certificates from the PKI app
func (PKIRootCAPool) CaddyModule
CaddyModule implements caddy.Module.
func (PKIRootCAPool) CertPool
return the certificate pool generated with root certificates from the PKI app
func (PermissionByHTTP) CaddyModule
CaddyModule returns the Caddy module information.
func (PermissionByHTTP) CertificateAllowed
func (SessionTicketService) RotateSTEKs
RotateSTEKs rotates the keys in keys by producing a new key and eliding the oldest one. The new slice of keys is returned.
Uses: fmt.Errorf.func (StorageLoader) CaddyModule
CaddyModule returns the Caddy module information.
func (StorageLoader) LoadCertificates
LoadCertificates returns the certificates to be loaded by sl.
Uses: fmt.Errorf, strings.Contains, tls.Certificate, tls.X509KeyPair.func (StoragePool) CaddyModule
CaddyModule implements caddy.Module.
func (StoragePool) CertPool
func (TLS) CaddyModule
CaddyModule returns the Caddy module information.
func (Tailscale) CaddyModule
CaddyModule returns the Caddy module information.
func (Tailscale) GetCertificate
func (Tailscale) UnmarshalCaddyfile
UnmarshalCaddyfile deserializes Caddyfile tokens into ts.
... tailscale
func (bigInt) MarshalJSON
func (customCertLifetime) Modify
func (destructableWriter) Destruct
func (echConfig) MarshalBinary
func (echConfigList) MarshalBinary
Private functions
func convertPEMFilesToDER
func convertPEMFilesToDERBytes
func convertPEMToDER
func decodeBase64DERCert
decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
References: base64.StdEncoding, x509.ParseCertificate.func generateAndStoreECHConfig
func getOptimalDefaultCipherSuites
getOptimalDefaultCipherSuites returns an appropriate cipher suite to use depending on the hardware support for AES.
See https://github.com/caddyserver/caddy/issues/1674
func init
func loadECHConfig
loadECHConfig loads the config from storage with the given configID. An error is not actually returned in some cases the config fails to load because in some cases it just means the config ID folder has been cleaned up in storage, maybe due to an incomplete set of keys or corrupted contents; in any case, the only rectification is to delete it and make new keys (an error IS returned if deleting the corrupted keys fails, for example). Check the returned echConfig for non-nil privKeyBin and configBin values before using.
References: errors.Is, fmt.Errorf, fs.ErrNotExist, json.Unmarshal, path.Join, zap.Error, zap.String.func newECHConfigID
func setDefaultTLSParams
setDefaultTLSParams sets the default TLS cipher suites, protocol versions, and server preferences of cfg if they are not already set; it does not overwrite values, only fills in missing values.
References: tls.TLS_FALLBACK_SCSV, tls.VersionTLS13.func tlsCertFromCertAndKeyPEMBundle
func generateZeroSSLEABCredentials
generateZeroSSLEABCredentials generates ZeroSSL EAB credentials for the primary contact email on the issuer. It should only be usedif the CA endpoint is ZeroSSL. An email address is required.
References: acme.Account, acme.EAB, certmagic.UserAgent, fmt.Errorf, http.DefaultClient, http.MethodPost, http.NewRequestWithContext, http.StatusOK, json.NewDecoder, strings.NewReader, strings.TrimSpace, url.Values, zap.String, zapcore.InfoLevel, zerossl.BaseURL.func makeIssuerTemplate
func isWildcardOrDefault
isWildcardOrDefault determines if the subjects include any wildcard domains, or is the "default" policy (i.e. no subjects) which is unbounded.
References: strings.HasPrefix.func onlyInternalIssuer
func provision
func verifyPeerCertificate
verifyPeerCertificate is for use as a tls.Config.VerifyPeerCertificate callback to do custom client certificate verification. It is intended for installation only by clientauth.ConfigureTLSConfig().
func buildStandardTLSConfig
func generateSTEK
generateSTEK generates key material suitable for use as a session ticket ephemeral key.
References: io.ReadFull, rand.Reader.func provision
func register
register sets the session ticket keys on cfg and keeps them updated. Any values registered must be unregistered, or they will not be garbage-collected. s.start() must have been called first. If session tickets are disabled or if ticket key rotation is disabled, this function is a no-op.
func start
start loads the starting STEKs and spawns a goroutine which loops to rotate the STEKs, which continues until stop() is called. If start() was already called, this is a no-op.
References: fmt.Errorf.func stayUpdated
stayUpdated is a blocking function which rotates the keys whenever new ones are sent. It reads from keysChan until s.stop() is called.
References: debug.Stack, log.Printf.func stop
stop terminates the key rotation goroutine.
func unregister
unregister stops session key management on cfg and removes the internal stored reference to cfg. If session tickets are disabled or if ticket key rotation is disabled, this function is a no-op.
func cleanStorageUnits
func getAutomationPolicyForName
getAutomationPolicyForName returns the first matching automation policy for the given subject name. If no matching policy can be found, the default policy is used, depending on whether the name qualifies for a public certificate or not.
References: certmagic.MatchWildcard, certmagic.SubjectQualifiesForPublicCert.func getConfigForName
func keepStorageClean
keepStorageClean starts a goroutine that immediately cleans up all known storage units if it was not recently done, and then runs the operation at every tick from t.storageCleanTicker.
References: debug.Stack, log.Printf, time.NewTicker.func managingWildcardFor
managingWildcardFor returns true if the app is managing a certificate that covers that subject name (including consideration of wildcards), either from its internal list of names that it IS managing certs for, or from the otherSubjsToManage which includes names that WILL be managed.
References: net.ParseIP, strings.Join, strings.Split.func onEvent
onEvent translates CertMagic events into Caddy events then dispatches them.
func publishECHConfigs
func storageCleanInterval
func makeTLSClientConfig
MakeTLSClientConfig returns a tls.Config usable by a client to a backend. If there is no custom TLS configuration, a nil config may be returned. copied from with minor modifications: modules/caddyhttp/reverseproxy/httptransport.go
References: fmt.Errorf, reflect.DeepEqual, tls.Config, tls.RenegotiateFreelyAsClient, tls.RenegotiateNever, tls.RenegotiateOnceAsClient.func unmarshalCaddyfile
func matches
func parseIPRange
func matches
func parseIPRange
func canHazCertificate
canHazCertificate returns true if Tailscale reports it can get a certificate for the given ClientHello.
References: certmagic.MatchWildcard, strings.HasSuffix, strings.ToLower, tscert.GetStatus.func marshalBinary
marshalBinary writes this config to the cryptobyte builder. If there is an error, it will occur before any writes have happened.
References: cryptobyte.Builder, fmt.Errorf.Tests
Files: 6. Third party imports: 0. Imports from organisation: 0. Tests: 16. Benchmarks: 0.
Constants
Types
testAddr
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
| type |
|
No comment on field. |
testConn
This type doesn't have documentation.
| Field name | Field type | Comment |
|---|---|---|
|
No comment on field. | |
| addr |
|
No comment on field. |