
caddytls: Configurable cache size limit

This commit is contained in:
Matthew Holt 2020-06-05 11:14:39 -06:00
parent 9dafa63933
commit 11a132d48b
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
2 changed files with 22 additions and 4 deletions


@ -49,15 +49,13 @@ type AutomationConfig struct {
// Caddy staples OCSP (and caches the response) for all // Caddy staples OCSP (and caches the response) for all
// qualifying certificates by default. This setting // qualifying certificates by default. This setting
// changes how often it scans responses for freshness, // changes how often it scans responses for freshness,
// and updates them if they are getting stale. // and updates them if they are getting stale. Default: 1h
OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"` OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`
// Every so often, Caddy will scan all loaded, managed // Every so often, Caddy will scan all loaded, managed
// certificates for expiration. This setting changes how // certificates for expiration. This setting changes how
// frequently the scan for expiring certificates is // frequently the scan for expiring certificates is
// performed. If your certificate lifetimes are very // performed. Default: 10m
// short (less than ~24 hours), you should set this to
// a low value.
RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"` RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
defaultPublicAutomationPolicy *AutomationPolicy defaultPublicAutomationPolicy *AutomationPolicy


@ -57,6 +57,9 @@ type TLS struct {
// Configures session ticket ephemeral keys (STEKs). // Configures session ticket ephemeral keys (STEKs).
SessionTickets *SessionTicketService `json:"session_tickets,omitempty"` SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
// Configures the in-memory certificate cache.
Cache *CertCacheOptions `json:"cache,omitempty"`
certificateLoaders []CertificateLoader certificateLoaders []CertificateLoader
automateNames []string automateNames []string
certCache *certmagic.Cache certCache *certmagic.Cache
@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval) cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval) cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
} }
if t.Cache != nil {
cacheOpts.Capacity = t.Cache.Capacity
}
t.certCache = certmagic.NewCache(cacheOpts) t.certCache = certmagic.NewCache(cacheOpts)
// certificate loaders // certificate loaders
@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
} }
} }
} }
if t.Cache != nil {
if t.Cache.Capacity < 0 {
return fmt.Errorf("cache capacity must be >= 0")
}
}
return nil return nil
} }
@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
} }
} }
// CertCacheOptions configures the certificate cache.
type CertCacheOptions struct {
// Maximum number of certificates to allow in the
// cache. If reached, certificates will be randomly
// evicted to make room for new ones. Default: 0
// (no limit).
Capacity int `json:"capacity,omitempty"`
}
// Variables related to storage cleaning. // Variables related to storage cleaning.
var ( var (
storageCleanInterval = 12 * time.Hour storageCleanInterval = 12 * time.Hour
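Review bot: The capacity check in Validate (the `if t.Cache != nil` block just before `return nil`) rejects negative values, but the Provision hunk above has already copied `t.Cache.Capacity` into `cacheOpts.Capacity` and called `certmagic.NewCache`, so if Provision runs before Validate in the module lifecycle the negative value reaches the cache before it is refused; worth confirming that order, or guarding in Provision as well. The nested ifs collapse to one condition, `if t.Cache != nil && t.Cache.Capacity < 0 {`, and because the message has no format verbs, `errors.New("cache capacity must be >= 0")` is the usual form (needs the `errors` import if the file lacks it). The CertCacheOptions doc states that the default 0 means no limit; a sentence saying that an unbounded cache grows with however many certificates are loaded, so setting a capacity is what bounds its memory, would help operators decide whether to set one. Validate's enclosing function starts outside the hunk.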