From 11a132d48b574ef113e411aa22c0801a5a3190bd Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Fri, 5 Jun 2020 11:14:39 -0600
Subject: [PATCH] caddytls: Configurable cache size limit

---
 modules/caddytls/automation.go | 6 ++----
 modules/caddytls/tls.go | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index bc095fffeb2..37d5010c5f4 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -49,15 +49,13 @@ type AutomationConfig struct {
 	// Caddy staples OCSP (and caches the response) for all
 	// qualifying certificates by default. This setting
 	// changes how often it scans responses for freshness,
-	// and updates them if they are getting stale.
+	// and updates them if they are getting stale. Default: 1h
 	OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`
 
 	// Every so often, Caddy will scan all loaded, managed
 	// certificates for expiration. This setting changes how
 	// frequently the scan for expiring certificates is
-	// performed. If your certificate lifetimes are very
-	// short (less than ~24 hours), you should set this to
-	// a low value.
+	// performed. Default: 10m
 	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
 
 	defaultPublicAutomationPolicy *AutomationPolicy
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f2d23e8e5f..cc89ef51b61 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -57,6 +57,9 @@ type TLS struct {
 	// Configures session ticket ephemeral keys (STEKs).
 	SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
 
+	// Configures the in-memory certificate cache.
+	Cache *CertCacheOptions `json:"cache,omitempty"`
+
 	certificateLoaders []CertificateLoader
 	automateNames []string
 	certCache *certmagic.Cache
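Review bot: The rewritten comments on OCSPCheckInterval and RenewCheckInterval assert `Default: 1h` and `Default: 10m`, but nothing in this hunk sets either value, so a reader cannot tell whether these are Caddy's defaults or inherited from the certmagic cache that Provision builds from them; if they are certmagic's, say so, e.g. `// and updates them if they are getting stale. Default: 1h (certmagic's default)`, so the number does not silently go stale when the dependency changes. The removed sentence about very short certificate lifetimes was the only guidance on when an operator should lower RenewCheckInterval; consider keeping one sentence of it, such as `// Lower this if your certificate lifetimes are much shorter than a day.` The AutomationConfig struct continues outside the hunk.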
@@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
 		cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
 	}
+	if t.Cache != nil {
+		cacheOpts.Capacity = t.Cache.Capacity
+	}
 	t.certCache = certmagic.NewCache(cacheOpts)
 
 	// certificate loaders
@@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
 			}
 		}
 	}
+	if t.Cache != nil {
+		if t.Cache.Capacity < 0 {
+			return fmt.Errorf("cache capacity must be >= 0")
+		}
+	}
 	return nil
 }
 
@@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
 	}
 }
 
+// CertCacheOptions configures the certificate cache.
+type CertCacheOptions struct {
+	// Maximum number of certificates to allow in the
+	// cache. If reached, certificates will be randomly
+	// evicted to make room for new ones. Default: 0
+	// (no limit).
+	Capacity int `json:"capacity,omitempty"`
+}
+
 // Variables related to storage cleaning.
 var (
 	storageCleanInterval = 12 * time.Hour
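Review bot: `cacheOpts.Capacity = t.Cache.Capacity` in Provision hands the configured value to certmagic.NewCache before the negative-value check added in the Validate hunk below has run, since Caddy's module lifecycle provisions a module before validating it; a negative capacity therefore reaches NewCache at least once, and what NewCache does with it is not visible here. Either reject it where it is consumed, by placing `if t.Cache != nil && t.Cache.Capacity < 0 { return fmt.Errorf("cache capacity must be >= 0") }` ahead of the assignment in Provision, or keep the Validate check and add a comment at the assignment stating that NewCache tolerates negative values, if that is known to hold. Provision's body starts and ends outside the hunk.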
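Review bot: The two nested `if` statements added to Validate express a single condition and read better flattened to one guard, `if t.Cache != nil && t.Cache.Capacity < 0 {`, which also keeps the happy path left-aligned. While there, include the rejected value in the error so a misconfiguration is diagnosable from the log alone: `return fmt.Errorf("cache capacity must be >= 0, got %d", t.Cache.Capacity)`. Validate's body starts outside the hunk.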
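Review bot: The `Capacity` doc comment on CertCacheOptions says certificates are randomly evicted to make room but not what happens when an evicted certificate is needed again, which is the detail an operator sizing this limit needs: a cap below the number of certificates actually served presumably causes certificates to cycle in and out of the cache repeatedly. If the evicted certificate is only reloaded from storage that is a performance cost; if eviction can lead to re-obtaining it from the issuer it also consumes rate-limit budget, and the comment should say which (I cannot tell from this hunk). Suggest adding a sentence such as `// Set this at or above the number of certificates you serve; a lower value causes continual eviction and reloading.`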