
Disable on_demand cert provisioning for Caddy #1720

Merged (1 commit), Jun 30, 2023

Conversation

jamilbk (Member) commented Jun 29, 2023

As described in the Caddy documentation, on_demand must be restricted to prevent abuse. In our case, it was not, leading to a DoS vector in which a malicious client could DoS the Caddy service by repeatedly initiating TLS requests with invalid domains at a rate high enough for the ACME service to block the Firezone server.

Verified the new caddy configuration works as expected.

Credit to @icekom for responsibly disclosing this issue.
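As an added illustration (not the Firezone Caddyfile from this PR), the following shows the unrestricted on_demand pattern the PR removes next to the corrected form in which the site address is pinned to a single external hostname. The upstream port 13000, the environment variable name EXTERNAL_HOST and the `ask` endpoint URL are assumptions; the `on_demand`, `on_demand_tls` and `ask` directives themselves are documented Caddy syntax.

```caddyfile
# Added example, not the project's own Caddyfile. The upstream port (13000),
# the env var EXTERNAL_HOST and the "ask" endpoint URL are assumed.

# --- Weak configuration (the pattern the PR removes) ---
# A catch-all HTTPS site with unrestricted on_demand TLS. Every TLS handshake
# whose SNI names a host Caddy has no certificate for triggers an ACME order
# for that name, so a flood of bogus SNI values exhausts the CA's rate limits
# and issuance for the real hostname starts failing.
#
# https:// {
#     tls {
#         on_demand
#     }
#     reverse_proxy localhost:13000
# }

# --- Corrected configuration, the approach this PR takes ---
# No on_demand at all: the site address names exactly one host (taken from the
# environment), so Caddy obtains one certificate for that host up front and a
# ClientHello for any other name simply fails the handshake without any
# request to the CA.
{$EXTERNAL_HOST} {
    reverse_proxy localhost:13000
}

# --- Alternative if on_demand is genuinely required ---
# The Caddy docs require an "ask" endpoint: before issuing, Caddy sends
# GET <url>?domain=<name> and proceeds only on a 2xx response, so the
# endpoint must answer 2xx solely for names you actually control.
#
# {
#     on_demand_tls {
#         ask http://localhost:9123/allowed
#     }
# }
#
# https:// {
#     tls {
#         on_demand
#     }
#     reverse_proxy localhost:13000
# }
```

The pinned-host form is the safer default when a deployment serves one public name: the attack surface of arbitrary SNI values disappears entirely, and there is no allowlist service to keep correct. The `ask` form only restores safety if the endpoint is strict; an endpoint that answers 2xx for everything recreates the original DoS vector.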

@jamilbk jamilbk added the kind/security Security-related issues label Jun 29, 2023
@jamilbk jamilbk self-assigned this Jun 29, 2023
@github-actions github-actions bot added the kind/bug Something isn't working label Jun 29, 2023
@jamilbk jamilbk changed the title from "Only provision cert for EXTERNAL_URL" to "Disable "on_demand" cert provisioning for Caddy" Jun 29, 2023
@jamilbk jamilbk changed the title from "Disable "on_demand" cert provisioning for Caddy" to "Disable on_demand cert provisioning for Caddy" Jun 29, 2023
@coveralls bot commented

Pull Request Test Coverage Report for Build 3f85e5e6361a19b817d35d1c15d675680dc5ded4-PR-1720

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 70.679%

Totals Coverage Status
Change from base Build 2f33f1739e7cfbd4b984a55e1bc7d24e7699830d: 0.0%
Covered Lines: 1967
Relevant Lines: 2783

💛 - Coveralls

@jamilbk jamilbk added this pull request to the merge queue Jun 30, 2023
Merged via the queue into master with commit 1c5e60d Jun 30, 2023
4 checks passed
@jamilbk jamilbk deleted the fix/use-external-url-for-caddy-match branch June 30, 2023 03:30