author | Matthew Holt <[email protected]> | 2020-06-05 11:14:39 -0600 |
committer | Matthew Holt <[email protected]> | 2020-06-05 11:14:39 -0600 |
commit | 11a132d48b574ef113e411aa22c0801a5a3190bd (patch) | |
tree | bbe6f4a0040824a4f639b27d9cb1b712d78f1741 | |
parent | 9dafa63933ea2b5e777c787069e579626d4330e6 (diff) | |
download | caddy-11a132d48b574ef113e411aa22c0801a5a3190bd.tar.gz caddy-11a132d48b574ef113e411aa22c0801a5a3190bd.zip |
caddytls: Configurable cache size limit
-rw-r--r-- | modules/caddytls/automation.go | 6 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 20 |
2 files changed, 22 insertions, 4 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index bc095fffe..37d5010c5 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -49,15 +49,13 @@ type AutomationConfig struct {
 // Caddy staples OCSP (and caches the response) for all
 // qualifying certificates by default. This setting
 // changes how often it scans responses for freshness,
- // and updates them if they are getting stale.
+ // and updates them if they are getting stale. Default: 1h
 OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`
 
 // Every so often, Caddy will scan all loaded, managed
 // certificates for expiration. This setting changes how
 // frequently the scan for expiring certificates is
- // performed. If your certificate lifetimes are very
- // short (less than ~24 hours), you should set this to
- // a low value.
+ // performed. Default: 10m
 RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
 
 defaultPublicAutomationPolicy *AutomationPolicy
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f2d23e8e..cc89ef51b 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -57,6 +57,9 @@ type TLS struct {
 // Configures session ticket ephemeral keys (STEKs).
 SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
 
+ // Configures the in-memory certificate cache.
+ Cache *CertCacheOptions `json:"cache,omitempty"`
+
 certificateLoaders []CertificateLoader
 automateNames []string
 certCache *certmagic.Cache
@@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
 cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
 }
+ if t.Cache != nil {
+ cacheOpts.Capacity = t.Cache.Capacity
+ }
 t.certCache = certmagic.NewCache(cacheOpts)
 
 // certificate loaders
@@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
 }
 }
 }
+ if t.Cache != nil {
+ if t.Cache.Capacity < 0 {
+ return fmt.Errorf("cache capacity must be >= 0")
+ }
+ }
 return nil
 }
@@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
 }
 }
 
+// CertCacheOptions configures the certificate cache.
+type CertCacheOptions struct {
+ // Maximum number of certificates to allow in the
+ // cache. If reached, certificates will be randomly
+ // evicted to make room for new ones. Default: 0
+ // (no limit).
+ Capacity int `json:"capacity,omitempty"`
+}
+
 // Variables related to storage cleaning.
 var (
 storageCleanInterval = 12 * time.Hour
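Review bot: The `Capacity < 0` rejection lives in Validate, but the Provision hunk earlier in this file already copies `t.Cache.Capacity` into `cacheOpts` and calls `certmagic.NewCache(cacheOpts)`; if Provision runs before Validate in this module's lifecycle (it appears to, though the ordering is not visible here), a negative capacity reaches the cache constructor before the config is refused, so a guard directly before `t.certCache = certmagic.NewCache(cacheOpts)`, `if t.Cache != nil && t.Cache.Capacity < 0 { return fmt.Errorf("cache capacity must be >= 0") }`, is cheap insurance. As a style point the nested ifs in Validate collapse to one condition, `if t.Cache != nil && t.Cache.Capacity < 0 {`. The CertCacheOptions doc comment states that certificates are evicted at random once the cap is reached; since this cap is the resource bound on a cache that on-demand issuance can grow, it would help operators to add a sizing note such as `// Size this above the number of certificates in active use; a cap below the working set causes repeated eviction and reloading.` (the reload behaviour is certmagic's and should be confirmed against it). Both Provision and Validate begin outside these hunks.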