caddyserver / caddy-docker

Source for the official Caddy v2 Docker Image
https://hub.docker.com/_/caddy
Apache License 2.0

Dockerfile Server 2022 #285

Closed FLeven closed 1 year ago

FLeven commented 1 year ago

Quote # Apparently Windows Server 2016 disables TLS 1.2 by default - this enables it so we can talk to GitHub

Microsoft enforced this since 09/2022, if I remember correctly. Maybe we don't want to interfere with the already set defaults.

We could also benefit from enabling HTTP/3, QUIC, TLS 1.3 in Windows Server 2022, if not also enabled by default, I am still searching for an answer here.

francislavoie commented 1 year ago

We don't run this image ourselves, so if you have any suggestions to improve the Windows image we're all ears (PRs welcome).

FLeven commented 1 year ago

Have you at least tested if it runs at all?

I have one, but it will need some cleanup before I can make it public:

francislavoie commented 1 year ago

Have you at least tested if it runs at all?

I've not tried the Docker image personally, no. But I can personally confirm that Caddy does run just fine on Windows normally (outside of a Windows docker image).

Is a default caddyfile created, if we don't make one available?

We download the default Caddyfile when the container is built:

https://github.com/caddyserver/caddy-docker/blob/82318569fbf9d281912802ece7c51b9a8cf8a033/2.6/windows/ltsc2022/Dockerfile#L12

Can caddy access the local windows cert store for certificates, like git client can?

Caddy uses Go's networking stack and HTTP client to make requests, and it does use the system's trust store to verify TLS trust.

I'm not sure what part of Caddy's runtime you're concerned about specifically so best if you elaborate.

When caddy is running on windows, is there a default folder where it expects the certificates used for TLS, or can we only reference files by filesystem path in the caddyfile?

Do you mean to use as certs for your HTTP server served by Caddy? By default Caddy will automatically issue and manage its own TLS certs via ACME. If you need to provide your own for business reasons then you do need to explicitly tell it the path to the cert and key files. Where you put them doesn't really matter as long as the Caddy process can read them.

I can see the CONFIG folder is created at some point, the DATA folder is not, should we create it?

We set up C:\data for Caddy's data storage.

https://github.com/caddyserver/caddy-docker/blob/82318569fbf9d281912802ece7c51b9a8cf8a033/2.6/windows/ltsc2022/Dockerfile#L31

hairyhenderson commented 1 year ago

We set up C:\data for Caddy's data storage.

I think the line you meant was:

https://github.com/caddyserver/caddy-docker/blob/82318569fbf9d281912802ece7c51b9a8cf8a033/2.6/windows/ltsc2022/Dockerfile#L8

hairyhenderson commented 1 year ago

Quote # Apparently Windows Server 2016 disables TLS 1.2 by default - this enables it so we can talk to GitHub

Microsoft enforced this since 09/2022, if I remember correctly. Maybe we don't want to interfere with the already set defaults.

@FLeven can you clarify what Microsoft enforced? Do you mean they enable TLS 1.2 by default now?

We could also benefit from enabling HTTP/3, QUIC, TLS 1.3 in Windows Server 2022, if not also enabled by default, I am still searching for an answer here.

That sounds reasonable. I would review a PR for this, if you are willing to submit one, and test the result.

hairyhenderson commented 1 year ago

Have you at least tested if it runs at all?

I did test it when I created it originally 🤷‍♂️

If you have specific bugs to report though, please do.

FLeven commented 1 year ago

Yes, TLS 1.2 is enforced by default.

Also the shell uses TLS 1.2 by default, no need to change that anymore.

I turned buildtag, version and filehash into arguments, this way I can use the dockerfile for any build OS/caddyversion configuration. Is this something anyone else could use?
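A way to verify the claim above on a given Windows base image before deciding whether the Dockerfile's TLS 1.2 enable step is still needed. This is an added check, not code from caddy-docker; it assumes the standard SCHANNEL registry layout and that an outbound HTTPS request to github.com is allowed from the build host.

```powershell
# Added check (not part of caddy-docker): report whether TLS 1.2 is usable
# for outbound HTTPS on this Windows host, so an image build can decide
# whether an explicit "enable TLS 1.2" step is still required.

function Get-SchannelProtocolState {
    param([string]$Protocol = 'TLS 1.2', [string]$Side = 'Client')
    # Standard SCHANNEL override location (assumption: default Windows layout).
    # A missing key means no override is set and the OS default applies.
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Side"
    if (-not (Test-Path $path)) { return 'OS default (no registry override)' }
    $props = Get-ItemProperty -Path $path
    if ($props.Enabled -eq 0) { return 'Explicitly disabled' }
    if ($props.DisabledByDefault -eq 1) { return 'Disabled by default (applications must opt in)' }
    return 'Explicitly enabled'
}

# What the .NET HTTP stack in this PowerShell session will negotiate.
# "SystemDefault" means the OS decides, which is the state the thread
# describes for Windows Server 2022.
$dotnetDefault = [Net.ServicePointManager]::SecurityProtocol
Write-Host "SCHANNEL TLS 1.2 client: $(Get-SchannelProtocolState)"
Write-Host "SCHANNEL TLS 1.3 client: $(Get-SchannelProtocolState -Protocol 'TLS 1.3')"
Write-Host ".NET SecurityProtocol:   $dotnetDefault"

# Live probe: does an HTTPS request to GitHub succeed without forcing Tls12?
# This is the same dependency the Dockerfile has when it downloads the Caddyfile.
try {
    $r = Invoke-WebRequest -Uri 'https://github.com' -UseBasicParsing -Method Head
    Write-Host "HTTPS to github.com: OK (HTTP $($r.StatusCode))"
} catch {
    Write-Host "HTTPS to github.com failed: $($_.Exception.Message)"
}
```

If the registry reports no override and the probe succeeds, the explicit enable step in the Dockerfile is redundant on that base image; if the probe fails, keep it.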

hairyhenderson commented 1 year ago

I turned buildtag, version and filehash into arguments, this way I can use the dockerfile for any build OS/caddyversion configuration. Is this something anyone else could use?

No - we expressly don't use build args, because Docker Official images are not allowed to use those.

From what it sounds like, you think the command to enable TLS 1.2 should be removed? If so, please issue a PR.

hairyhenderson commented 1 year ago

Fixed in #286