httpcaddyfile: Fix missing TLS connection policies when auto_https is default (#7325)#7507
Merged
francislavoie merged 1 commit intocaddyserver:masterfrom Feb 22, 2026
Merged
Conversation
pauloappbr
force-pushed
the
fix/7325-default-sni
branch
from
95689d6 to
fb69178
Compare
francislavoie
approved these changes
Feb 21, 2026
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Assistance Disclosure
I consulted Gemini to help analyze the issue, locate the bug, and draft the fix and regression test. I have reviewed and verified that the code and logic are correct.
Fixes #7325.
What this PR does / why we need it:
In a previous PR (#5808), a nil pointer check was added for
srv.AutoHTTPSto prevent a panic when evaluatingsrv.AutoHTTPS.Skip. However, becausesrv.AutoHTTPSisnilby default (when Auto HTTPS is fully enabled), this accidentally causedhasTLSEnabledto evaluate tofalsefor site blocks without an explicithttps://scheme.As a result, global TLS options like
default_sniandfallback_sniwere not propagated totls_connection_policiesduring the adapter build phase, causing SNI-less clients to fail handshakes.This PR fixes the logic by properly handling the
nilstate ofsrv.AutoHTTPS(i.e., treatingnilas having no skip conditions):srv.AutoHTTPS == nil || !slices.Contains(...)I've also added a regression test to ensure
default_sniis always properly attached to the generated JSON configuration, even without an explicithttps://block.