Start activates the TLS module.
()
| 399 | |
| 400 | // Start activates the TLS module. |
| 401 | func (t *TLS) Start() error { |
| 402 | // warn if on-demand TLS is enabled but no restrictions are in place |
| 403 | if t.Automation.OnDemand == nil || (t.Automation.OnDemand.Ask == "" && t.Automation.OnDemand.permission == nil) { |
| 404 | for _, ap := range t.Automation.Policies { |
| 405 | if ap.OnDemand && ap.isWildcardOrDefault() { |
| 406 | if c := t.logger.Check(zapcore.WarnLevel, "YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place"); c != nil { |
| 407 | c.Write(zap.String("docs", "https://caddyserver.com/docs/automatic-https#on-demand-tls")) |
| 408 | } |
| 409 | break |
| 410 | } |
| 411 | } |
| 412 | } |
| 413 | |
| 414 | // now that we are running, and all manual certificates have |
| 415 | // been loaded, time to load the automated/managed certificates |
| 416 | err := t.Manage(t.automateNames) |
| 417 | if err != nil { |
| 418 | return fmt.Errorf("automate: managing %v: %v", t.automateNames, err) |
| 419 | } |
| 420 | |
| 421 | if t.EncryptedClientHello != nil { |
| 422 | echLogger := t.logger.Named("ech") |
| 423 | |
| 424 | // publish ECH configs in the background; does not need to block |
| 425 | // server startup, as it could take a while; then keep keys rotated |
| 426 | go func() { |
| 427 | // publish immediately first |
| 428 | if err := t.publishECHConfigs(echLogger); err != nil { |
| 429 | echLogger.Error("publication(s) failed", zap.Error(err)) |
| 430 | } |
| 431 | |
| 432 | // then every so often, rotate and publish if needed |
| 433 | // (both of these functions only do something if needed) |
| 434 | for { |
| 435 | select { |
| 436 | case <-time.After(1 * time.Hour): |
| 437 | // ensure old keys are rotated out |
| 438 | t.EncryptedClientHello.configsMu.Lock() |
| 439 | err = t.EncryptedClientHello.rotateECHKeys(t.ctx, echLogger, false) |
| 440 | t.EncryptedClientHello.configsMu.Unlock() |
| 441 | if err != nil { |
| 442 | echLogger.Error("rotating ECH configs failed", zap.Error(err)) |
| 443 | continue |
| 444 | } |
| 445 | err := t.publishECHConfigs(echLogger) |
| 446 | if err != nil { |
| 447 | echLogger.Error("publication(s) failed", zap.Error(err)) |
| 448 | } |
| 449 | case <-t.ctx.Done(): |
| 450 | return |
| 451 | } |
| 452 | } |
| 453 | }() |
| 454 | } |
| 455 | |
| 456 | if !t.DisableStorageClean { |
| 457 | // start the storage cleaner goroutine and ticker, |
| 458 | // which cleans out expired certificates and more |