mirror of
https://github.com/caddyserver/caddy.git
synced 2025-01-13 22:36:27 +03:00
caddytls: Drop rate_limit
and burst
, has been deprecated (#6611)
This commit is contained in:
parent
88fd5f3491
commit
d7564d632f
7 changed files with 7 additions and 89 deletions
|
@ -394,36 +394,10 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
|
||||||
ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
|
ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
|
||||||
|
|
||||||
case "interval":
|
case "interval":
|
||||||
if !d.NextArg() {
|
return nil, d.Errf("the on_demand_tls 'interval' option is no longer supported, remove it from your config")
|
||||||
return nil, d.ArgErr()
|
|
||||||
}
|
|
||||||
dur, err := caddy.ParseDuration(d.Val())
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if ond == nil {
|
|
||||||
ond = new(caddytls.OnDemandConfig)
|
|
||||||
}
|
|
||||||
if ond.RateLimit == nil {
|
|
||||||
ond.RateLimit = new(caddytls.RateLimit)
|
|
||||||
}
|
|
||||||
ond.RateLimit.Interval = caddy.Duration(dur)
|
|
||||||
|
|
||||||
case "burst":
|
case "burst":
|
||||||
if !d.NextArg() {
|
return nil, d.Errf("the on_demand_tls 'burst' option is no longer supported, remove it from your config")
|
||||||
return nil, d.ArgErr()
|
|
||||||
}
|
|
||||||
burst, err := strconv.Atoi(d.Val())
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if ond == nil {
|
|
||||||
ond = new(caddytls.OnDemandConfig)
|
|
||||||
}
|
|
||||||
if ond.RateLimit == nil {
|
|
||||||
ond.RateLimit = new(caddytls.RateLimit)
|
|
||||||
}
|
|
||||||
ond.RateLimit.Burst = burst
|
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return nil, d.Errf("unrecognized parameter '%s'", d.Val())
|
return nil, d.Errf("unrecognized parameter '%s'", d.Val())
|
||||||
|
|
|
@ -17,8 +17,6 @@
|
||||||
admin off
|
admin off
|
||||||
on_demand_tls {
|
on_demand_tls {
|
||||||
ask https://example.com
|
ask https://example.com
|
||||||
interval 30s
|
|
||||||
burst 20
|
|
||||||
}
|
}
|
||||||
local_certs
|
local_certs
|
||||||
key_type ed25519
|
key_type ed25519
|
||||||
|
@ -72,10 +70,6 @@
|
||||||
"permission": {
|
"permission": {
|
||||||
"endpoint": "https://example.com",
|
"endpoint": "https://example.com",
|
||||||
"module": "http"
|
"module": "http"
|
||||||
},
|
|
||||||
"rate_limit": {
|
|
||||||
"interval": 30000000000,
|
|
||||||
"burst": 20
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
|
@ -17,8 +17,6 @@
|
||||||
admin off
|
admin off
|
||||||
on_demand_tls {
|
on_demand_tls {
|
||||||
ask https://example.com
|
ask https://example.com
|
||||||
interval 30s
|
|
||||||
burst 20
|
|
||||||
}
|
}
|
||||||
storage_clean_interval 7d
|
storage_clean_interval 7d
|
||||||
renew_interval 1d
|
renew_interval 1d
|
||||||
|
@ -89,10 +87,6 @@
|
||||||
"permission": {
|
"permission": {
|
||||||
"endpoint": "https://example.com",
|
"endpoint": "https://example.com",
|
||||||
"module": "http"
|
"module": "http"
|
||||||
},
|
|
||||||
"rate_limit": {
|
|
||||||
"interval": 30000000000,
|
|
||||||
"burst": 20
|
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"ocsp_interval": 172800000000000,
|
"ocsp_interval": 172800000000000,
|
||||||
|
|
|
@ -16,8 +16,6 @@
|
||||||
}
|
}
|
||||||
on_demand_tls {
|
on_demand_tls {
|
||||||
ask https://example.com
|
ask https://example.com
|
||||||
interval 30s
|
|
||||||
burst 20
|
|
||||||
}
|
}
|
||||||
local_certs
|
local_certs
|
||||||
key_type ed25519
|
key_type ed25519
|
||||||
|
@ -74,10 +72,6 @@
|
||||||
"permission": {
|
"permission": {
|
||||||
"endpoint": "https://example.com",
|
"endpoint": "https://example.com",
|
||||||
"module": "http"
|
"module": "http"
|
||||||
},
|
|
||||||
"rate_limit": {
|
|
||||||
"interval": 30000000000,
|
|
||||||
"burst": 20
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -322,12 +322,6 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
// check the rate limiter last because
|
|
||||||
// doing so makes a reservation
|
|
||||||
if !onDemandRateLimiter.Allow() {
|
|
||||||
return fmt.Errorf("on-demand rate limit exceeded")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
},
|
},
|
||||||
Managers: ap.Managers,
|
Managers: ap.Managers,
|
||||||
|
|
|
@ -38,12 +38,11 @@ func init() {
|
||||||
|
|
||||||
// OnDemandConfig configures on-demand TLS, for obtaining
|
// OnDemandConfig configures on-demand TLS, for obtaining
|
||||||
// needed certificates at handshake-time. Because this
|
// needed certificates at handshake-time. Because this
|
||||||
// feature can easily be abused, you should use this to
|
// feature can easily be abused, Caddy must ask permission
|
||||||
// establish rate limits and/or an internal endpoint that
|
// to your application whether a particular domain is allowed
|
||||||
// Caddy can "ask" if it should be allowed to manage
|
// to have a certificate issued for it.
|
||||||
// certificates for a given hostname.
|
|
||||||
type OnDemandConfig struct {
|
type OnDemandConfig struct {
|
||||||
// DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead.
|
// DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module.
|
||||||
Ask string `json:"ask,omitempty"`
|
Ask string `json:"ask,omitempty"`
|
||||||
|
|
||||||
// REQUIRED. A module that will determine whether a
|
// REQUIRED. A module that will determine whether a
|
||||||
|
@ -51,25 +50,6 @@ type OnDemandConfig struct {
|
||||||
// or obtained from an issuer on demand.
|
// or obtained from an issuer on demand.
|
||||||
PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"`
|
PermissionRaw json.RawMessage `json:"permission,omitempty" caddy:"namespace=tls.permission inline_key=module"`
|
||||||
permission OnDemandPermission
|
permission OnDemandPermission
|
||||||
|
|
||||||
// DEPRECATED. An optional rate limit to throttle
|
|
||||||
// the checking of storage and the issuance of
|
|
||||||
// certificates from handshakes if not already in
|
|
||||||
// storage. WILL BE REMOVED IN A FUTURE RELEASE.
|
|
||||||
RateLimit *RateLimit `json:"rate_limit,omitempty"`
|
|
||||||
}
|
|
||||||
|
|
||||||
// DEPRECATED. WILL LIKELY BE REMOVED SOON.
|
|
||||||
// Instead of using this rate limiter, use a proper tool such as a
|
|
||||||
// level 3 or 4 firewall and/or a permission module to apply rate limits.
|
|
||||||
type RateLimit struct {
|
|
||||||
// A duration value. Storage may be checked and a certificate may be
|
|
||||||
// obtained 'burst' times during this interval.
|
|
||||||
Interval caddy.Duration `json:"interval,omitempty"`
|
|
||||||
|
|
||||||
// How many times during an interval storage can be checked or a
|
|
||||||
// certificate can be obtained.
|
|
||||||
Burst int `json:"burst,omitempty"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// OnDemandPermission is a type that can give permission for
|
// OnDemandPermission is a type that can give permission for
|
||||||
|
@ -195,8 +175,7 @@ var ErrPermissionDenied = errors.New("certificate not allowed by permission modu
|
||||||
|
|
||||||
// These perpetual values are used for on-demand TLS.
|
// These perpetual values are used for on-demand TLS.
|
||||||
var (
|
var (
|
||||||
onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
|
onDemandAskClient = &http.Client{
|
||||||
onDemandAskClient = &http.Client{
|
|
||||||
Timeout: 10 * time.Second,
|
Timeout: 10 * time.Second,
|
||||||
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
CheckRedirect: func(req *http.Request, via []*http.Request) error {
|
||||||
return fmt.Errorf("following http redirects is not allowed")
|
return fmt.Errorf("following http redirects is not allowed")
|
||||||
|
|
|
@ -188,17 +188,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
|
||||||
t.Automation.OnDemand.permission = val.(OnDemandPermission)
|
t.Automation.OnDemand.permission = val.(OnDemandPermission)
|
||||||
}
|
}
|
||||||
|
|
||||||
// on-demand rate limiting (TODO: deprecated, and should be removed later; rate limiting is ineffective now that permission modules are required)
|
|
||||||
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
|
|
||||||
t.logger.Warn("DEPRECATED: on_demand.rate_limit will be removed in a future release; use permission modules or external certificate managers instead")
|
|
||||||
onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
|
|
||||||
onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
|
|
||||||
} else {
|
|
||||||
// remove any existing rate limiter
|
|
||||||
onDemandRateLimiter.SetWindow(0)
|
|
||||||
onDemandRateLimiter.SetMaxEvents(0)
|
|
||||||
}
|
|
||||||
|
|
||||||
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
|
// run replacer on ask URL (for environment variables) -- return errors to prevent surprises (#5036)
|
||||||
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
|
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.Ask != "" {
|
||||||
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
|
t.Automation.OnDemand.Ask, err = repl.ReplaceOrErr(t.Automation.OnDemand.Ask, true, true)
|
||||||
|
|
Loading…
Reference in a new issue