serv/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-27 06:03:48 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

caddytls: Drop rate_limit and burst, has been deprecated (#6611)

Browse source
This commit is contained in:
Francis Lavoie 2024-10-07 17:39:47 -04:00 committed by GitHub
parent 88fd5f3491
commit d7564d632f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 7 additions and 89 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
caddyconfig/httpcaddyfile/options.go
View file

@ -394,36 +394,10 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil) ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
case "interval": case "interval":
if !d.NextArg() { return nil, d.Errf("the on_demand_tls 'interval' option is no longer supported, remove it from your config")
return nil, d.ArgErr()
}
dur, err := caddy.ParseDuration(d.Val())
if err != nil {
return nil, err
}
if ond == nil {
ond = new(caddytls.OnDemandConfig)
}
if ond.RateLimit == nil {
ond.RateLimit = new(caddytls.RateLimit)
}
ond.RateLimit.Interval = caddy.Duration(dur)
case "burst": case "burst":
if !d.NextArg() { return nil, d.Errf("the on_demand_tls 'burst' option is no longer supported, remove it from your config")
return nil, d.ArgErr()
}
burst, err := strconv.Atoi(d.Val())
if err != nil {
return nil, err
}
if ond == nil {
ond = new(caddytls.OnDemandConfig)
}
if ond.RateLimit == nil {
ond.RateLimit = new(caddytls.RateLimit)
}
ond.RateLimit.Burst = burst
default: default:
return nil, d.Errf("unrecognized parameter '%s'", d.Val()) return nil, d.Errf("unrecognized parameter '%s'", d.Val())

6
caddytest/integration/caddyfile_adapt/global_options.caddyfiletest
View file

@ -17,8 +17,6 @@
admin off admin off
on_demand_tls { on_demand_tls {
ask https://example.com ask https://example.com
interval 30s
burst 20
} }
local_certs local_certs
key_type ed25519 key_type ed25519
@ -72,10 +70,6 @@
"permission": { "permission": {
"endpoint": "https://example.com", "endpoint": "https://example.com",
"module": "http" "module": "http"
},
"rate_limit": {
"interval": 30000000000,
"burst": 20
} }
} }
}, },

6
caddytest/integration/caddyfile_adapt/global_options_acme.caddyfiletest
View file

@ -17,8 +17,6 @@
admin off admin off
on_demand_tls { on_demand_tls {
ask https://example.com ask https://example.com
interval 30s
burst 20
} }
storage_clean_interval 7d storage_clean_interval 7d
renew_interval 1d renew_interval 1d
@ -89,10 +87,6 @@
"permission": { "permission": {
"endpoint": "https://example.com", "endpoint": "https://example.com",
"module": "http" "module": "http"
},
"rate_limit": {
"interval": 30000000000,
"burst": 20
} }
}, },
"ocsp_interval": 172800000000000, "ocsp_interval": 172800000000000,

6
caddytest/integration/caddyfile_adapt/global_options_admin.caddyfiletest
View file

@ -16,8 +16,6 @@
} }
on_demand_tls { on_demand_tls {
ask https://example.com ask https://example.com
interval 30s
burst 20
} }
local_certs local_certs
key_type ed25519 key_type ed25519
@ -74,10 +72,6 @@
"permission": { "permission": {
"endpoint": "https://example.com", "endpoint": "https://example.com",
"module": "http" "module": "http"
},
"rate_limit": {
"interval": 30000000000,
"burst": 20
} }
} }
} }

6
modules/caddytls/automation.go
View file

@ -322,12 +322,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
return err return err
} }
// check the rate limiter last because
// doing so makes a reservation
if !onDemandRateLimiter.Allow() {
return fmt.Errorf("on-demand rate limit exceeded")
}
return nil return nil
}, },
Managers: ap.Managers, Managers: ap.Managers,

29
modules/caddytls/ondemand.go
View file

@ -38,12 +38,11 @@ func init() {
// OnDemandConfig configures on-demand TLS, for obtaining // OnDemandConfig configures on-demand TLS, for obtaining
// needed certificates at handshake-time. Because this // needed certificates at handshake-time. Because this
// feature can easily be abused, you should use this to // feature can easily be abused, Caddy must ask permission
// establish rate limits and/or an internal endpoint that // to your application whether a particular domain is allowed
// Caddy can "ask" if it should be allowed to manage // to have a certificate issued for it.
// certificates for a given hostname.
type OnDemandConfig struct { type OnDemandConfig struct {
// DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead. // DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module.
Ask string `json:"ask,omitempty"` Ask string `json:"ask,omitempty"`
// REQUIRED. A module that will determine whether a // REQUIRED. A module that will determine whether a
@ -51,25 +50,6 @@ type OnDemandConfig struct {
// or obtained from an issuer on demand. // or obtained from an issuer on demand.
PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"` PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"`
permission OnDemandPermission permission OnDemandPermission
// DEPRECATED. An optional rate limit to throttle
// the checking of storage and the issuance of
// certificates from handshakes if not already in
// storage. WILL BE REMOVED IN A FUTURE RELEASE.
RateLimit *RateLimit `json:"rate_limit,omitempty"`
}
// DEPRECATED. WILL LIKELY BE REMOVED SOON.
// Instead of using this rate limiter, use a proper tool such as a
// level 3 or 4 firewall and/or a permission module to apply rate limits.
type RateLimit struct {
// A duration value. Storage may be checked and a certificate may be
// obtained 'burst' times during this interval.
Interval caddy.Duration `json:"interval,omitempty"`
// How many times during an interval storage can be checked or a
// certificate can be obtained.
Burst int `json:"burst,omitempty"`
} }
// OnDemandPermission is a type that can give permission for // OnDemandPermission is a type that can give permission for
@ -195,7 +175,6 @@ var ErrPermissionDenied = errors.New("certificate not allowed by permission modu
// These perpetual values are used for on-demand TLS. // These perpetual values are used for on-demand TLS.
var ( var (
onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
onDemandAskClient = &http.Client{ onDemandAskClient = &http.Client{
Timeout: 10 * time.Second, Timeout: 10 * time.Second,
CheckRedirect: func(req *http.Request, via []*http.Request) error { CheckRedirect: func(req *http.Request, via []*http.Request) error {

11
modules/caddytls/tls.go
View file

@ -188,17 +188,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
t.Automation.OnDemand.permission = val.(OnDemandPermission) t.Automation.OnDemand.permission = val.(OnDemandPermission)
} }
// on-demand rate limiting (TODO: deprecated, and should be removed later; rate limiting is ineffective now that permission modules are required)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
t.logger.Warn("DEPRECATED: on_demand.rate_limit will be removed in a future release; use permission modules or external certificate managers instead")
onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
} else {
// remove any existing rate limiter
onDemandRateLimiter.SetWindow(0)
onDemandRateLimiter.SetMaxEvents(0)
}
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036) // run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" { if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true) t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)