diff options
author | Francis Lavoie <[email protected]> | 2024-10-07 17:39:47 -0400 |
---|---|---|
committer | GitHub <[email protected]> | 2024-10-07 17:39:47 -0400 |
commit | d7564d632fbed209e81978c5c2c529a7bf1836f7 (patch) | |
tree | 7e5dbe719988faf268e9a68ba37e0198ef333f5b /modules | |
parent | 88fd5f3491ab888f69f0be02cea68a49164298eb (diff) | |
download | caddy-d7564d632fbed209e81978c5c2c529a7bf1836f7.tar.gz caddy-d7564d632fbed209e81978c5c2c529a7bf1836f7.zip |
caddytls: Drop `rate_limit` and `burst`, has been deprecated (#6611)
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddytls/automation.go | 6 | ||||
-rw-r--r-- | modules/caddytls/ondemand.go | 31 | ||||
-rw-r--r-- | modules/caddytls/tls.go | 11 |
3 files changed, 5 insertions, 43 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go index 1f1042ba0..f6a535077 100644 --- a/modules/caddytls/automation.go +++ b/modules/caddytls/automation.go @@ -322,12 +322,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error { return err } - // check the rate limiter last because - // doing so makes a reservation - if !onDemandRateLimiter.Allow() { - return fmt.Errorf("on-demand rate limit exceeded") - } - return nil }, Managers: ap.Managers, diff --git a/modules/caddytls/ondemand.go b/modules/caddytls/ondemand.go index 89abfe03f..066473cd9 100644 --- a/modules/caddytls/ondemand.go +++ b/modules/caddytls/ondemand.go @@ -38,12 +38,11 @@ func init() { // OnDemandConfig configures on-demand TLS, for obtaining // needed certificates at handshake-time. Because this -// feature can easily be abused, you should use this to -// establish rate limits and/or an internal endpoint that -// Caddy can "ask" if it should be allowed to manage -// certificates for a given hostname. +// feature can easily be abused, Caddy must ask permission +// to your application whether a particular domain is allowed +// to have a certificate issued for it. type OnDemandConfig struct { - // DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead. + // DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module. Ask string `json:"ask,omitempty"` // REQUIRED. A module that will determine whether a @@ -51,25 +50,6 @@ type OnDemandConfig struct { // or obtained from an issuer on demand. PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"` permission OnDemandPermission - - // DEPRECATED. An optional rate limit to throttle - // the checking of storage and the issuance of - // certificates from handshakes if not already in - // storage. WILL BE REMOVED IN A FUTURE RELEASE. - RateLimit *RateLimit `json:"rate_limit,omitempty"` -} - -// DEPRECATED. WILL LIKELY BE REMOVED SOON. -// Instead of using this rate limiter, use a proper tool such as a -// level 3 or 4 firewall and/or a permission module to apply rate limits. -type RateLimit struct { - // A duration value. Storage may be checked and a certificate may be - // obtained 'burst' times during this interval. - Interval caddy.Duration `json:"interval,omitempty"` - - // How many times during an interval storage can be checked or a - // certificate can be obtained. - Burst int `json:"burst,omitempty"` } // OnDemandPermission is a type that can give permission for @@ -195,8 +175,7 @@ var ErrPermissionDenied = errors.New("certificate not allowed by permission modu // These perpetual values are used for on-demand TLS. var ( - onDemandRateLimiter = certmagic.NewRateLimiter(0, 0) - onDemandAskClient = &http.Client{ + onDemandAskClient = &http.Client{ Timeout: 10 * time.Second, CheckRedirect: func(req *http.Request, via []*http.Request) error { return fmt.Errorf("following http redirects is not allowed") diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index f04beb2ee..6e660dea8 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -188,17 +188,6 @@ func (t *TLS) Provision(ctx caddy.Context) error { t.Automation.OnDemand.permission = val.(OnDemandPermission) } - // on-demand rate limiting (TODO: deprecated, and should be removed later; rate limiting is ineffective now that permission modules are required) - if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil { - t.logger.Warn("DEPRECATED: on_demand.rate_limit will be removed in a future release; use permission modules or external certificate managers instead") - onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst) - onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval)) - } else { - // remove any existing rate limiter - onDemandRateLimiter.SetWindow(0) - onDemandRateLimiter.SetMaxEvents(0) - } - // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036) if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" { t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true) |