caddytls: Configurable cache size limit

caddyserver · Jun 5, 2020 · 11a132d · 11a132d
1 parent 9dafa63
commit 11a132d
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
@@ -49,15 +49,13 @@ type AutomationConfig struct {
 	// Caddy staples OCSP (and caches the response) for all
 	// qualifying certificates by default. This setting
 	// changes how often it scans responses for freshness,
-	// and updates them if they are getting stale.
+	// and updates them if they are getting stale. Default: 1h
 	OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`
 
 	// Every so often, Caddy will scan all loaded, managed
 	// certificates for expiration. This setting changes how
 	// frequently the scan for expiring certificates is
-	// performed. If your certificate lifetimes are very
-	// short (less than ~24 hours), you should set this to
-	// a low value.
+	// performed. Default: 10m
 	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
 
 	defaultPublicAutomationPolicy   *AutomationPolicy

diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
@@ -57,6 +57,9 @@ type TLS struct {
 	// Configures session ticket ephemeral keys (STEKs).
 	SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
 
+	// Configures the in-memory certificate cache.
+	Cache *CertCacheOptions `json:"cache,omitempty"`
+
 	certificateLoaders []CertificateLoader
 	automateNames      []string
 	certCache          *certmagic.Cache
@@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
 		cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
 	}
+	if t.Cache != nil {
+		cacheOpts.Capacity = t.Cache.Capacity
+	}
 	t.certCache = certmagic.NewCache(cacheOpts)
 
 	// certificate loaders
@@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
 			}
 		}
 	}
+	if t.Cache != nil {
+		if t.Cache.Capacity < 0 {
+			return fmt.Errorf("cache capacity must be >= 0")
+		}
+	}
 	return nil
 }
 
@@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
 	}
 }
 
+// CertCacheOptions configures the certificate cache.
+type CertCacheOptions struct {
+	// Maximum number of certificates to allow in the
+	// cache. If reached, certificates will be randomly
+	// evicted to make room for new ones. Default: 0
+	// (no limit).
+	Capacity int `json:"capacity,omitempty"`
+}
+
 // Variables related to storage cleaning.
 var (
 	storageCleanInterval = 12 * time.Hour