Daniel Maksymilian Syrnicki
e68ed279cc
All checks were successful
Build ISO / build-iso (push) Successful in 17m23s
CI / lint (push) Successful in 27s
CI / test (push) Successful in 1m2s
CI / validate-json (push) Successful in 24s
CI / markdown-links (push) Successful in 15s
Release / release (push) Successful in 11m34s
Every Furtka since 26.5 shipped a Caddyfile with a
`__FURTKA_HOSTNAME__.local { tls internal }` site block, so every
first boot auto-generated a fresh self-signed CA + intermediate +
leaf. That worked for the first-ever Furtka user, but every reinstall
(or second box on the same LAN) produced a new CA whose intermediate
shared the fixed CN `Caddy Local Authority - ECC Intermediate` with
the previous one. Firefox caches intermediates by CN across profiles
— even private windows share cert9.db — so any visitor who had
trusted an older Furtka's CA got a cached intermediate with
mismatched keys when they hit the new box, producing
`SEC_ERROR_BAD_SIGNATURE`. Unlike UNKNOWN_ISSUER, Firefox has NO
"Advanced → Accept Risk" bypass for BAD_SIGNATURE, so fresh-install
boxes were effectively unreachable over HTTPS in any browser that
had ever seen a previous Furtka.
Validated live on the .46 test VM: fresh 26.14 ISO install → Firefox
hits BAD_SIGNATURE on https://furtka.local/ (even in private mode).
Chromium bypasses it via mDNS failure but the issue is the same.
openssl verify on the box confirms the chain is internally valid —
this is purely client-side cache pollution across boxes.
Fix:
- assets/Caddyfile: removed the hostname site block. Default install
serves :80 only — https://furtka.local connection-refuses, which is
a normal error every browser handles instead of the unbypassable
crypto fault. Added top-level import of
/etc/caddy/furtka-https.d/*.caddyfile so the /settings HTTPS toggle
can drop a listener snippet there when a user explicitly opts in.
- furtka/https.py: set_force_https now writes TWO snippets atomically
— the top-level hostname + tls internal block (enables :443) and
the :80-scoped redirect (forces HTTP→HTTPS). Disable removes both.
Reload failure rolls both back. Added _read_hostname + _https_snippet_content
helpers with `/etc/hostname` → 'furtka' fallback so a missing
hostname file doesn't produce an empty site block Caddy rejects.
- furtka/https.py::status: force_https now reads the listener
snippet (was reading the redirect snippet). A redirect without a
listener isn't actually HTTPS being served, so the listener is the
authoritative "HTTPS is on" signal.
- furtka/updater.py: new _maybe_migrate_preserve_https hook runs
inside _refresh_caddyfile on the 26.14 → 26.15 transition. If the
box had the redirect snippet on disk (user had opted into HTTPS
under the old regime), it writes the new listener snippet too so
HTTPS keeps working after the Caddyfile swap removes the hostname
block.
- webinstaller/app.py: post-install creates /etc/caddy/furtka-https.d/
alongside /etc/caddy/furtka.d/ so the glob import can't trip an
older Caddy on a missing path during the first reload.
Live-tested on .46: set_force_https(True) writes both snippets, Caddy
reloads, :443 listener comes up with fresh CA, curl -k returns 302,
HTTP 301-redirects. set_force_https(False) removes both snippets
atomically, :443 goes back to connection-refused.
Tests: test_https.py expanded from 13 to 15 cases. Toggle-on asserts
both snippets written + hostname substituted. Toggle-off asserts
both removed. Rollback cases verify BOTH snippets restore on reload
failure. New test_https_snippet_content_has_tls_internal_and_routes
locks the exact shape of the listener block.
test_webinstaller_assets.py: updated two old asserts that assumed
hostname block was in Caddyfile; new test_post_install_creates_https_snippet_dir
guards the new directory.
276 tests pass, ruff check + format clean.
Known remaining wart (documented in CHANGELOG): a browser that
trusted a prior Furtka CA still hits BAD_SIGNATURE on this box's
HTTPS after enabling it, because the fixed intermediate CN is a
Caddy-side limitation. Workaround: clear cert9.db or visit in a
fresh profile. Won't affect end users with one Furtka box ever.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
102 lines
3.7 KiB
Caddyfile
102 lines
3.7 KiB
Caddyfile
# Serves the Furtka landing page + live JSON on :80 (plain HTTP). HTTPS
|
|
# is **opt-in** — Caddy doesn't serve :443 until the user clicks the
|
|
# "Enable HTTPS" toggle on /settings, which drops an import snippet into
|
|
# /etc/caddy/furtka-https.d/. Default install has NO tls site block →
|
|
# Caddy never generates a self-signed CA / leaf cert → no
|
|
# SEC_ERROR_BAD_SIGNATURE when a user visits https://furtka.local before
|
|
# they've trusted anything. That was the 26.14-era regression this file
|
|
# exists to cure: the old Caddyfile always served :443 with a freshly-
|
|
# generated cert, and a browser that had ever trusted an older Furtka
|
|
# box's CA would reject the new one with an unbypassable bad-sig error.
|
|
#
|
|
# /apps, /api, /login, /logout, / (home), /settings are reverse-proxied
|
|
# to the resource-manager API (furtka serve, bound to 127.0.0.1:7000).
|
|
# Static pages are read from /opt/furtka/current/ — updates flip the
|
|
# symlink and everything picks up the new content without a Caddy
|
|
# restart (a `systemctl reload caddy` is still triggered post-swap to
|
|
# flush the file-server's handle cache).
|
|
#
|
|
# Two snippet dirs, both silently no-op when empty:
|
|
# - /etc/caddy/furtka.d/*.caddyfile → imported inside the :80 block.
|
|
# The HTTPS toggle's "force HTTP→HTTPS redirect" snippet lands here.
|
|
# - /etc/caddy/furtka-https.d/*.caddyfile → imported at TOP LEVEL, so
|
|
# the HTTPS hostname+tls-internal site block can drop in here when
|
|
# the toggle is on. Hostname is substituted at toggle-time.
|
|
{
|
|
# Named-hostname :443 blocks would otherwise make Caddy add its own
|
|
# HTTP→HTTPS redirect — but we already serve our own `:80` block and
|
|
# the opt-in /settings toggle owns the redirect. Disable the built-in
|
|
# to keep a single source of truth.
|
|
auto_https disable_redirects
|
|
}
|
|
|
|
(furtka_routes) {
|
|
handle /api/* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle /apps* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle /login* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle /logout* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
# /settings and / — these previously served as static HTML straight
|
|
# from the catch-all file_server, which meant the auth-guard was
|
|
# bypassed: a LAN visitor could see the box's version, IP, and
|
|
# reach the Update-now / Reboot buttons (the API calls behind them
|
|
# are auth-gated, but the page itself rendered without a redirect
|
|
# to /login). Route them through the Python handler which checks
|
|
# the session cookie and either serves the static HTML from
|
|
# assets/www/ or redirects to /login.
|
|
handle /settings* {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
handle / {
|
|
reverse_proxy localhost:7000
|
|
}
|
|
# Runtime JSON lives under /var/lib/furtka/ so it survives self-updates
|
|
# (which only swap /opt/furtka/current).
|
|
handle /status.json {
|
|
root * /var/lib/furtka
|
|
file_server
|
|
}
|
|
handle /furtka.json {
|
|
root * /var/lib/furtka
|
|
file_server
|
|
}
|
|
handle /update-state.json {
|
|
root * /var/lib/furtka
|
|
file_server
|
|
}
|
|
# Download the local root CA cert Caddy generated for `tls internal`.
|
|
# Public because users need to grab it before they've trusted it.
|
|
# The private key next to it stays 0600 / caddy-owned.
|
|
handle /rootCA.crt {
|
|
root * /var/lib/caddy/pki/authorities/local
|
|
rewrite * /root.crt
|
|
file_server
|
|
header Content-Type "application/x-x509-ca-cert"
|
|
header Content-Disposition "attachment; filename=furtka-local-rootCA.crt"
|
|
}
|
|
handle {
|
|
root * /opt/furtka/current/assets/www
|
|
file_server
|
|
encode gzip
|
|
}
|
|
log {
|
|
output stdout
|
|
}
|
|
}
|
|
|
|
# HTTPS opt-in: when /settings toggles HTTPS on, a snippet gets written
|
|
# into /etc/caddy/furtka-https.d/ that adds the hostname+tls-internal
|
|
# site block. Empty directory = HTTP-only (default fresh install).
|
|
import /etc/caddy/furtka-https.d/*.caddyfile
|
|
|
|
:80 {
|
|
import /etc/caddy/furtka.d/*.caddyfile
|
|
import furtka_routes
|
|
}
|