summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--modules/caddytls/automation.go6
-rw-r--r--modules/caddytls/tls.go20
2 files changed, 22 insertions, 4 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index bc095fffe..37d5010c5 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -49,15 +49,13 @@ type AutomationConfig struct {
// Caddy staples OCSP (and caches the response) for all
// qualifying certificates by default. This setting
// changes how often it scans responses for freshness,
- // and updates them if they are getting stale.
+ // and updates them if they are getting stale. Default: 1h
OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`
// Every so often, Caddy will scan all loaded, managed
// certificates for expiration. This setting changes how
// frequently the scan for expiring certificates is
- // performed. If your certificate lifetimes are very
- // short (less than ~24 hours), you should set this to
- // a low value.
+ // performed. Default: 10m
RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
defaultPublicAutomationPolicy *AutomationPolicy
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f2d23e8e..cc89ef51b 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -57,6 +57,9 @@ type TLS struct {
// Configures session ticket ephemeral keys (STEKs).
SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
+ // Configures the in-memory certificate cache.
+ Cache *CertCacheOptions `json:"cache,omitempty"`
+
certificateLoaders []CertificateLoader
automateNames []string
certCache *certmagic.Cache
@@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
}
+ if t.Cache != nil {
+ cacheOpts.Capacity = t.Cache.Capacity
+ }
t.certCache = certmagic.NewCache(cacheOpts)
// certificate loaders
@@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
}
}
}
+ if t.Cache != nil {
+ if t.Cache.Capacity < 0 {
+ return fmt.Errorf("cache capacity must be >= 0")
+ }
+ }
return nil
}
@@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
}
}
+// CertCacheOptions configures the certificate cache.
+type CertCacheOptions struct {
+ // Maximum number of certificates to allow in the
+ // cache. If reached, certificates will be randomly
+ // evicted to make room for new ones. Default: 0
+ // (no limit).
+ Capacity int `json:"capacity,omitempty"`
+}
+
// Variables related to storage cleaning.
var (
storageCleanInterval = 12 * time.Hour