mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-14 14:56:27 +03:00
tls: Clean up expired OCSP staples and certificates
This commit is contained in:
parent
484cee1ac1
commit
19f36667f7
3 changed files with 77 additions and 5 deletions
2
go.mod
2
go.mod
|
@ -18,7 +18,7 @@ require (
|
||||||
github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b
|
github.com/klauspost/compress v1.7.1-0.20190613161414-0b31f265a57b
|
||||||
github.com/klauspost/cpuid v1.2.1
|
github.com/klauspost/cpuid v1.2.1
|
||||||
github.com/lucas-clemente/quic-go v0.7.1-0.20190908032346-fc962d18373a
|
github.com/lucas-clemente/quic-go v0.7.1-0.20190908032346-fc962d18373a
|
||||||
github.com/mholt/certmagic v0.7.1
|
github.com/mholt/certmagic v0.7.2
|
||||||
github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190902132743-e4903c4dea48
|
github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190902132743-e4903c4dea48
|
||||||
github.com/rs/cors v1.6.0
|
github.com/rs/cors v1.6.0
|
||||||
github.com/russross/blackfriday/v2 v2.0.1
|
github.com/russross/blackfriday/v2 v2.0.1
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -158,8 +158,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
|
||||||
github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
|
github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
|
||||||
github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
|
github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
|
||||||
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
|
||||||
github.com/mholt/certmagic v0.7.1 h1:nbSSVwvlDE3+vttD/RBikBIkxrlKVkIQOz449gCrG5Q=
|
github.com/mholt/certmagic v0.7.2 h1:i4FRZyM33Ke6UdTrq69hLSRq1xvqS83JQTkzzUWtuF4=
|
||||||
github.com/mholt/certmagic v0.7.1/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w=
|
github.com/mholt/certmagic v0.7.2/go.mod h1:hqHzDsY32TwZpj/KswVylheSISjquF/eOVOaJTYV15w=
|
||||||
github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
|
github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
|
||||||
github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
|
||||||
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
|
||||||
|
|
|
@ -18,7 +18,9 @@ import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"log"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/caddyserver/caddy/v2"
|
"github.com/caddyserver/caddy/v2"
|
||||||
|
@ -40,6 +42,8 @@ type TLS struct {
|
||||||
certificateLoaders []CertificateLoader
|
certificateLoaders []CertificateLoader
|
||||||
certCache *certmagic.Cache
|
certCache *certmagic.Cache
|
||||||
ctx caddy.Context
|
ctx caddy.Context
|
||||||
|
storageCleanTicker *time.Ticker
|
||||||
|
storageCleanStop chan struct{}
|
||||||
}
|
}
|
||||||
|
|
||||||
// CaddyModule returns the Caddy module information.
|
// CaddyModule returns the Caddy module information.
|
||||||
|
@ -121,6 +125,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
t.storageCleanTicker = time.NewTicker(storageCleanInterval)
|
||||||
|
t.storageCleanStop = make(chan struct{})
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -140,16 +147,25 @@ func (t *TLS) Start() error {
|
||||||
}
|
}
|
||||||
t.Certificates = nil // allow GC to deallocate
|
t.Certificates = nil // allow GC to deallocate
|
||||||
|
|
||||||
|
t.keepStorageClean()
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Stop stops the TLS module and cleans up any allocations.
|
// Stop stops the TLS module and cleans up any allocations.
|
||||||
func (t *TLS) Stop() error {
|
func (t *TLS) Stop() error {
|
||||||
|
// stop the certificate cache
|
||||||
if t.certCache != nil {
|
if t.certCache != nil {
|
||||||
// TODO: ensure locks are cleaned up too... maybe in certmagic though
|
|
||||||
t.certCache.Stop()
|
t.certCache.Stop()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// stop the session ticket rotation goroutine
|
||||||
t.SessionTickets.stop()
|
t.SessionTickets.stop()
|
||||||
|
|
||||||
|
// stop the storage cleaner goroutine and ticker
|
||||||
|
close(t.storageCleanStop)
|
||||||
|
t.storageCleanTicker.Stop()
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -200,12 +216,60 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy {
|
||||||
return AutomationPolicy{Management: new(ACMEManagerMaker)}
|
return AutomationPolicy{Management: new(ACMEManagerMaker)}
|
||||||
}
|
}
|
||||||
|
|
||||||
// CertificatesForSAN returns the list of all certificates in
|
// AllMatchingCertificates returns the list of all certificates in
|
||||||
// the cache which could be used to satisfy the given SAN.
|
// the cache which could be used to satisfy the given SAN.
|
||||||
func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate {
|
func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate {
|
||||||
return t.certCache.AllMatchingCertificates(san)
|
return t.certCache.AllMatchingCertificates(san)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// keepStorageClean immediately cleans up all known storage units
|
||||||
|
// if it was not recently done, and starts a goroutine that runs
|
||||||
|
// the operation at every tick from t.storageCleanTicker.
|
||||||
|
func (t *TLS) keepStorageClean() {
|
||||||
|
go func() {
|
||||||
|
for {
|
||||||
|
select {
|
||||||
|
case <-t.storageCleanStop:
|
||||||
|
return
|
||||||
|
case <-t.storageCleanTicker.C:
|
||||||
|
t.cleanStorageUnits()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
t.cleanStorageUnits()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (t *TLS) cleanStorageUnits() {
|
||||||
|
storageCleanMu.Lock()
|
||||||
|
defer storageCleanMu.Unlock()
|
||||||
|
|
||||||
|
if !storageClean.IsZero() && time.Since(storageClean) < storageCleanInterval {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
options := certmagic.CleanStorageOptions{
|
||||||
|
OCSPStaples: true,
|
||||||
|
ExpiredCerts: true,
|
||||||
|
ExpiredCertGracePeriod: 24 * time.Hour * 14,
|
||||||
|
}
|
||||||
|
|
||||||
|
// start with the default storage
|
||||||
|
certmagic.CleanStorage(t.ctx.Storage(), options)
|
||||||
|
|
||||||
|
// then clean each storage defined in ACME automation policies
|
||||||
|
for _, ap := range t.Automation.Policies {
|
||||||
|
if acmeMgmt, ok := ap.Management.(ACMEManagerMaker); ok {
|
||||||
|
if acmeMgmt.storage != nil {
|
||||||
|
certmagic.CleanStorage(acmeMgmt.storage, options)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
storageClean = time.Now()
|
||||||
|
|
||||||
|
log.Println("[INFO] tls: Cleaned up storage unit(s)")
|
||||||
|
}
|
||||||
|
|
||||||
// CertificateLoader is a type that can load certificates.
|
// CertificateLoader is a type that can load certificates.
|
||||||
// Certificates can optionally be associated with tags.
|
// Certificates can optionally be associated with tags.
|
||||||
type CertificateLoader interface {
|
type CertificateLoader interface {
|
||||||
|
@ -301,4 +365,12 @@ var (
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
// Variables related to storage cleaning.
|
||||||
|
var (
|
||||||
|
storageCleanInterval = 12 * time.Hour
|
||||||
|
|
||||||
|
storageClean time.Time
|
||||||
|
storageCleanMu sync.Mutex
|
||||||
|
)
|
||||||
|
|
||||||
const automateKey = "automate"
|
const automateKey = "automate"
|
||||||
|
|
Loading…
Reference in a new issue