authorFrancis Lavoie <[email protected]>2024-10-07 17:39:47 -0400
committerGitHub <[email protected]>2024-10-07 17:39:47 -0400
commitd7564d632fbed209e81978c5c2c529a7bf1836f7 (patch)
tree7e5dbe719988faf268e9a68ba37e0198ef333f5b
parent88fd5f3491ab888f69f0be02cea68a49164298eb (diff)
downloadcaddy-d7564d632fbed209e81978c5c2c529a7bf1836f7.tar.gz
caddy-d7564d632fbed209e81978c5c2c529a7bf1836f7.zip
caddytls: Drop `rate_limit` and `burst`, has been deprecated (#6611)
-rw-r--r--caddyconfig/httpcaddyfile/options.go30
-rw-r--r--caddytest/integration/caddyfile_adapt/global_options.caddyfiletest6
-rw-r--r--caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest6
-rw-r--r--caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest6
-rw-r--r--modules/caddytls/automation.go6
-rw-r--r--modules/caddytls/ondemand.go31
-rw-r--r--modules/caddytls/tls.go11
7 files changed, 7 insertions, 89 deletions
diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index abbe8f418..9bae760c0 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -394,36 +394,10 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
case "interval":
- if !d.NextArg() {
- return nil, d.ArgErr()
- }
- dur, err := caddy.ParseDuration(d.Val())
- if err != nil {
- return nil, err
- }
- if ond == nil {
- ond = new(caddytls.OnDemandConfig)
- }
- if ond.RateLimit == nil {
- ond.RateLimit = new(caddytls.RateLimit)
- }
- ond.RateLimit.Interval = caddy.Duration(dur)
+ return nil, d.Errf("the on_demand_tls 'interval' option is no longer supported, remove it from your config")
case "burst":
- if !d.NextArg() {
- return nil, d.ArgErr()
- }
- burst, err := strconv.Atoi(d.Val())
- if err != nil {
- return nil, err
- }
- if ond == nil {
- ond = new(caddytls.OnDemandConfig)
- }
- if ond.RateLimit == nil {
- ond.RateLimit = new(caddytls.RateLimit)
- }
- ond.RateLimit.Burst = burst
+ return nil, d.Errf("the on_demand_tls 'burst' option is no longer supported, remove it from your config")
default:
return nil, d.Errf("unrecognized parameter '%s'", d.Val())
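Review bot: The new errors for `interval` and `burst` tell the operator to remove the option but not where the throttling it used to provide should live now, which matters because the same commit deletes the only rate limit Caddy applied to on-demand issuance. The message should name the replacement so the operator does not simply drop the option and run unthrottled: `return nil, d.Errf("the on_demand_tls 'interval' option is no longer supported; remove it and enforce rate limits in your permission endpoint or at the network layer")`, and the equivalent wording for `burst`. parseOptOnDemand begins before this hunk.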
diff --git a/caddytest/integration/caddyfile_adapt/global_options.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options.caddyfiletest
index 88729c512..af301615b 100644
--- a/caddytest/integration/caddyfile_adapt/global_options.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options.caddyfiletest
@@ -17,8 +17,6 @@
admin off
on_demand_tls {
ask https://example.com
- interval 30s
- burst 20
}
local_certs
key_type ed25519
@@ -72,10 +70,6 @@
"permission": {
"endpoint": "https://example.com",
"module": "http"
- },
- "rate_limit": {
- "interval": 30000000000,
- "burst": 20
}
}
},
diff --git a/caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest
index bc4b6dcaf..004a3a32e 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest
@@ -17,8 +17,6 @@
admin off
on_demand_tls {
ask https://example.com
- interval 30s
- burst 20
}
storage_clean_interval 7d
renew_interval 1d
@@ -89,10 +87,6 @@
"permission": {
"endpoint": "https://example.com",
"module": "http"
- },
- "rate_limit": {
- "interval": 30000000000,
- "burst": 20
}
},
"ocsp_interval": 172800000000000,
diff --git a/caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest b/caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest
index cfc578826..be309eaa3 100644
--- a/caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest
+++ b/caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest
@@ -16,8 +16,6 @@
}
on_demand_tls {
ask https://example.com
- interval 30s
- burst 20
}
local_certs
key_type ed25519
@@ -74,10 +72,6 @@
"permission": {
"endpoint": "https://example.com",
"module": "http"
- },
- "rate_limit": {
- "interval": 30000000000,
- "burst": 20
}
}
}
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 1f1042ba0..f6a535077 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -322,12 +322,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
return err
}
- // check the rate limiter last because
- // doing so makes a reservation
- if !onDemandRateLimiter.Allow() {
- return fmt.Errorf("on-demand rate limit exceeded")
- }
-
return nil
},
Managers: ap.Managers,
diff --git a/modules/caddytls/ondemand.go b/modules/caddytls/ondemand.go
index 89abfe03f..066473cd9 100644
--- a/modules/caddytls/ondemand.go
+++ b/modules/caddytls/ondemand.go
@@ -38,12 +38,11 @@ func init() {
// OnDemandConfig configures on-demand TLS, for obtaining
// needed certificates at handshake-time. Because this
-// feature can easily be abused, you should use this to
-// establish rate limits and/or an internal endpoint that
-// Caddy can "ask" if it should be allowed to manage
-// certificates for a given hostname.
+// feature can easily be abused, Caddy must ask permission
+// to your application whether a particular domain is allowed
+// to have a certificate issued for it.
type OnDemandConfig struct {
- // DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead.
+ // DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module.
Ask string `json:"ask,omitempty"`
// REQUIRED. A module that will determine whether a
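Review bot: The rewritten type comment states that Caddy must ask permission for each domain but omits the security-relevant consequence of this commit: with the `RateLimit` field and the `onDemandRateLimiter.Allow()` check removed in the other hunks, a handshake for any unknown SNI name now reaches the permission endpoint and, if allowed, the issuer with no throttle inside Caddy. The comment should make that responsibility explicit, e.g. `// Caddy applies no rate limiting of its own; the permission endpoint must reject names it does not own and should throttle or cap issuance itself (or rely on a network-layer limit).` The `Ask` field's comment would also be surfaced by tooling if it used the Go convention `// Deprecated: use 'permission' with the http module instead.` The remaining fields of OnDemandConfig continue outside this hunk.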
@@ -51,25 +50,6 @@ type OnDemandConfig struct {
// or obtained from an issuer on demand.
PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"`
permission OnDemandPermission
-
- // DEPRECATED. An optional rate limit to throttle
- // the checking of storage and the issuance of
- // certificates from handshakes if not already in
- // storage. WILL BE REMOVED IN A FUTURE RELEASE.
- RateLimit *RateLimit `json:"rate_limit,omitempty"`
-}
-
-// DEPRECATED. WILL LIKELY BE REMOVED SOON.
-// Instead of using this rate limiter, use a proper tool such as a
-// level 3 or 4 firewall and/or a permission module to apply rate limits.
-type RateLimit struct {
- // A duration value. Storage may be checked and a certificate may be
- // obtained 'burst' times during this interval.
- Interval caddy.Duration `json:"interval,omitempty"`
-
- // How many times during an interval storage can be checked or a
- // certificate can be obtained.
- Burst int `json:"burst,omitempty"`
}
// OnDemandPermission is a type that can give permission for
@@ -195,8 +175,7 @@ var ErrPermissionDenied = errors.New("certificate not allowed by permission modu
// These perpetual values are used for on-demand TLS.
var (
- onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
- onDemandAskClient = &http.Client{
+ onDemandAskClient = &http.Client{
Timeout: 10 * time.Second,
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return fmt.Errorf("following http redirects is not allowed")
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index f04beb2ee..6e660dea8 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -188,17 +188,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.Automation.OnDemand.permission = val.(OnDemandPermission)
}
- // on-demand rate limiting (TODO: deprecated, and should be removed later; rate limiting is ineffective now that permission modules are required)
- if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
- t.logger.Warn("DEPRECATED: on_demand.rate_limit will be removed in a future release; use permission modules or external certificate managers instead")
- onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
- onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
- } else {
- // remove any existing rate limiter
- onDemandRateLimiter.SetWindow(0)
- onDemandRateLimiter.SetMaxEvents(0)
- }
-
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)