www/caddy: Add option to disable QUIC protocol (#4238)

* www/caddy: Add option to disable QUIC protocol

* Resolve all -Enable to Disable something- options into clear selectpickers. Simplify template that generates server options.

* www/caddy: Make new option fields totally backwards compatible to prior checkboxes. Shift two options around in the ReverseProxy form for clarity.

www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogReverseProxy.xml

@@ -5,6 +5,12 @@
         <type>checkbox</type>
         <help><![CDATA[Enable this domain.]]></help>
     </field>
+    <field>
+        <id>reverse.DisableTls</id>
+        <label>Protocol</label>
+        <type>dropdown</type>
+        <help><![CDATA[When choosing HTTPS, the ACME HTTP-01, TLS-ALPN-01 or DNS-01 challenge will be used to get automatic Let's Encrypt or ZeroSSL certificates, without the need of any additional plugin. When choosing HTTP, it will disable HTTP over TLS (HTTPS) for this domain, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
+    </field>
     <field>
         <id>reverse.FromDomain</id>
         <label>Domain</label>
@@ -41,30 +47,24 @@
         <label>Trust</label>
         <collapse>true</collapse>
     </field>
-    <field>
-        <id>reverse.DisableTls</id>
-        <label>Disable TLS</label>
-        <type>checkbox</type>
-        <help><![CDATA[Disable HTTP over TLS (HTTPS) for this domain. When disabling TLS, automatic certificate management will be disabled and all traffic to and from this domain will be unencrypted.]]></help>
-    </field>
     <field>
         <id>reverse.DnsChallenge</id>
         <label>DNS-01 Challenge</label>
         <type>checkbox</type>
         <help><![CDATA[Enable the DNS-01 challenge for this domain. Requires a "DNS Provider" in "General Settings". This is mostly only needed for wildcard domains, or when the HTTP-01 and TLS-ALPN-01 challenge can not be used due to restrictive firewall policies.]]></help>
     </field>
-    <field>
-        <id>reverse.AcmePassthrough</id>
-        <label>HTTP-01 Challenge Redirection</label>
-        <type>text</type>
-        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
-    </field>
     <field>
         <id>reverse.CustomCertificate</id>
         <label>Custom Certificate</label>
         <type>dropdown</type>
         <help><![CDATA[Choose a custom certificate from "System - Trust - Certificates" for this domain. Make sure the full chain has been imported.]]></help>
     </field>
+    <field>
+        <id>reverse.AcmePassthrough</id>
+        <label>HTTP-01 Challenge Redirection</label>
+        <type>text</type>
+        <help><![CDATA[Enter a domain name or IP address. The HTTP-01 challenge will be redirected to that destination. This enables an ACME Client behind Caddy to serve "/.well-known/acme-challenge/" on port 80. Caddy will reverse proxy the HTTP-01 challenge for this domain, and will still issue a certificate using the TLS-ALPN-01 challenge or DNS-01 challenge for itself. This option can be used for High Availability when using Caddy with a master and backup OPNsense.]]></help>
+    </field>
     <field>
         <type>header</type>
         <label>Access</label>

www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml

@@ -29,10 +29,16 @@
         </field>
         <field>
             <id>caddy.general.DisableSuperuser</id>
-            <label>Disable Superuser</label>
-            <type>checkbox</type>
+            <label>System User</label>
+            <type>dropdown</type>
             <help><![CDATA[Run this service as "www" user and group, instead of "root". This setting increases security, but comes with the hard restriction that the well-known port range can not be used anymore. After enabling and saving this setting, the service has to be totally restarted. For this, please disable Caddy and press Apply. Afterwards enable Caddy and press Apply. This setting is reversible by following the same steps.]]></help>
         </field>
+        <field>
+            <id>caddy.general.HttpVersion</id>
+            <label>HTTP Version</label>
+            <type>select_multiple</type>
+            <help><![CDATA[Select the HTTP Version for the frontend listeners. By default, QUIC (HTTP/3) is enabled. This means, UDP/443 will be used by Caddy. To free this protocol port combination for a different service, choose a different combination of protocols that does not include HTTP/3.]]></help>
+        </field>
         <field>
             <id>caddy.general.HttpPort</id>
             <label>HTTP Port</label>

www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml

@@ -1,7 +1,7 @@
 <model>
     <mount>//Pischem/caddy</mount>
     <description>Caddy Reverse Proxy</description>
-    <version>1.3.0</version>
+    <version>1.3.1</version>
     <items>
         <general>
             <enabled type="BooleanField">
@@ -85,7 +85,14 @@
                 </Model>
             </accesslist>
             <abort type="BooleanField"/>
-            <DisableSuperuser type="BooleanField"/>
+            <DisableSuperuser type="OptionField">
+                <Required>Y</Required>
+                <Default>0</Default>
+                <OptionValues>
+                    <root value="0">root (default)</root>
+                    <www value="1">www</www>
+                </OptionValues>
+            </DisableSuperuser>
             <GracePeriod type="IntegerField">
                 <Default>10</Default>
                 <MinimumValue>1</MinimumValue>
@@ -93,6 +100,16 @@
                 <ValidationMessage>Please enter a valid Grace Period between 1 and 3600 seconds.</ValidationMessage>
                 <Required>Y</Required>
             </GracePeriod>
+            <HttpVersion type="OptionField">
+                <Required>Y</Required>
+                <Default>h1,h2,h3</Default>
+                <Multiple>Y</Multiple>
+                <OptionValues>
+                    <h1>HTTP/1.1</h1>
+                    <h2>HTTP/2</h2>
+                    <h3>HTTP/3</h3>
+                </OptionValues>
+            </HttpVersion>
             <LogCredentials type="BooleanField"/>
             <LogAccessPlain type="BooleanField"/>
             <LogAccessPlainKeep type="IntegerField">
@@ -186,7 +203,14 @@
                 <AccessLog type="BooleanField"/>
                 <DynDns type="BooleanField"/>
                 <AcmePassthrough type="HostnameField"/>
-                <DisableTls type="BooleanField"/>
+                <DisableTls type="OptionField">
+                    <Required>Y</Required>
+                    <Default>0</Default>
+                    <OptionValues>
+                        <https value="0">HTTPS (default)</https>
+                        <http value="1">HTTP</http>
+                    </OptionValues>
+                </DisableTls>
             </reverse>
             <subdomain type="ArrayField">
                 <enabled type="BooleanField">
@@ -312,7 +336,7 @@
                     </Constraints>
                 </HttpTls>
                 <HttpVersion type="OptionField">
-                    <BlankDesc>HTTP/1.1, HTTP/2</BlankDesc>
+                    <BlankDesc>HTTP/1.1, HTTP/2 (default)</BlankDesc>
                     <OptionValues>
                         <http1>HTTP/1.1</http1>
                         <http2>HTTP/2</http2>

www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile

@@ -76,38 +76,19 @@
     #   Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.
     #            Credential logging is useful for troubleshooting basic auth.
     #}
-    {% set accessListUuid = generalSettings.accesslist %}
-    {% set logCredentials = generalSettings.LogCredentials %}
-    {% set enableLayer4 = generalSettings.EnableLayer4 %}
-
-    {% set hasAccessList = false %}
-    {% set hasLogCredentials = false %}
-    {% set hasEnableLayer4 = false %}
-
-    {% if accessListUuid %}
-        {% set accessList = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', accessListUuid) | first %}
-        {% if accessList %}
-            {% set hasAccessList = true %}
-        {% endif %}
+    {% if generalSettings.accesslist %}
+        {% set accessList = helpers.toList('Pischem.caddy.reverseproxy.accesslist') | selectattr('@uuid', 'equalto', generalSettings.accesslist) | first %}
     {% endif %}
 
-    {% if logCredentials == '1' %}
-        {% set hasLogCredentials = true %}
-    {% endif %}
-
-    {% if enableLayer4 == '1' %}
-        {% set hasEnableLayer4 = true %}
-    {% endif %}
-
-    {% if hasAccessList or hasLogCredentials or hasEnableLayer4 %}
     servers {
-        {% if hasAccessList %}
+        protocols {{ generalSettings.HttpVersion.split(',') | join(' ') }}
+        {% if accessList %}
             trusted_proxies static {{ accessList.clientIps.split(',') | join(' ') }}
         {% endif %}
-        {% if hasLogCredentials %}
+        {% if generalSettings.LogCredentials|default("0") == "1" %}
             log_credentials
         {% endif %}
-        {% if hasEnableLayer4 %}
+        {% if generalSettings.EnableLayer4|default("0") == "1" %}
             listener_wrappers {
                 {# Plug the Layer 4 template in #}
                 {% include "OPNsense/Caddy/includeLayer4" %}
@@ -115,7 +96,6 @@
             }
         {% endif %}
     }
-    {% endif %}
 
     {#
     #   Section: Dynamic DNS Global Configuration