caddytls: Ability to drop connections (close #6294)

mholt · mholt · commit 8d7ac1840221 · 2024-05-06T19:59:42.000-06:00
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
@@ -119,6 +119,9 @@ func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config {
 						continue policyLoop
 					}
 				}
+				if pol.Drop {
+					return nil, fmt.Errorf("dropping connection")
+				}
 				return pol.TLSConfig, nil
 			}
 
@@ -156,6 +159,9 @@ type ConnectionPolicy struct {
 	// Maximum TLS protocol version to allow. Default: `tls1.3`
 	ProtocolMax string `json:"protocol_max,omitempty"`
 
+	// Reject TLS connections. EXPERIMENTAL: May change.
+	Drop bool `json:"drop,omitempty"`
+
 	// Enables and configures TLS client authentication.
 	ClientAuthentication *ClientAuthentication `json:"client_authentication,omitempty"`
 

Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,9 @@ func (cp ConnectionPolicies) TLSConfig(_ caddy.Context) *tls.Config {`
`119`	`119`	`continue policyLoop`
`120`	`120`	`}`
`121`	`121`	`}`
	`122`	`+ if pol.Drop {`
	`123`	`+ return nil, fmt.Errorf("dropping connection")`
	`124`	`+ }`
`122`	`125`	`return pol.TLSConfig, nil`
`123`	`126`	`}`
`124`	`127`
`@@ -156,6 +159,9 @@ type ConnectionPolicy struct {`
`156`	`159`	// Maximum TLS protocol version to allow. Default: `tls1.3`
`157`	`160`	ProtocolMax string `json:"protocol_max,omitempty"`
`158`	`161`
	`162`	`+ // Reject TLS connections. EXPERIMENTAL: May change.`
	`163`	+ Drop bool `json:"drop,omitempty"`
	`164`	`+`
`159`	`165`	`// Enables and configures TLS client authentication.`
`160`	`166`	ClientAuthentication *ClientAuthentication `json:"client_authentication,omitempty"`
`161`	`167`