mirror of https://github.com/caddyserver/caddy.git
caddytls: Configurable OCSP stapling; global option (closes #3714)
Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
This commit is contained in:
parent
ef54483249
commit
09432ba64d
|
@ -43,6 +43,7 @@ func init() {
|
|||
RegisterGlobalOption("key_type", parseOptSingleString)
|
||||
RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
|
||||
RegisterGlobalOption("servers", parseServerOptions)
|
||||
RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
|
||||
}
|
||||
|
||||
func parseOptTrue(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) { return true, nil }
|
||||
|
@ -370,3 +371,17 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ interface{}) (interface{}, erro
|
|||
func parseServerOptions(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) {
|
||||
return unmarshalCaddyfileServerOptions(d)
|
||||
}
|
||||
|
||||
func parseOCSPStaplingOptions(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) {
|
||||
d.Next() // consume option name
|
||||
var val string
|
||||
if !d.AllArgs(&val) {
|
||||
return nil, d.ArgErr()
|
||||
}
|
||||
if val != "off" {
|
||||
return nil, d.Errf("invalid argument '%s'", val)
|
||||
}
|
||||
return certmagic.OCSPConfig{
|
||||
DisableStapling: val == "off",
|
||||
}, nil
|
||||
}
|
||||
|
|
|
@ -417,8 +417,9 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
|
|||
issuers, hasIssuers := options["cert_issuer"]
|
||||
_, hasLocalCerts := options["local_certs"]
|
||||
keyType, hasKeyType := options["key_type"]
|
||||
ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
|
||||
|
||||
hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType
|
||||
hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
|
||||
|
||||
// if there are no global options related to automation policies
|
||||
// set, then we can just return right away
|
||||
|
@ -444,6 +445,12 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
|
|||
ap.Issuers = []certmagic.Issuer{new(caddytls.InternalIssuer)}
|
||||
}
|
||||
|
||||
if hasOCSPStapling {
|
||||
ocspConfig := ocspStapling.(certmagic.OCSPConfig)
|
||||
ap.DisableOCSPStapling = ocspConfig.DisableStapling
|
||||
ap.OCSPOverrides = ocspConfig.ResponderOverrides
|
||||
}
|
||||
|
||||
return ap, nil
|
||||
}
|
||||
|
||||
|
|
2
go.mod
2
go.mod
|
@ -6,7 +6,7 @@ require (
|
|||
github.com/Masterminds/sprig/v3 v3.1.0
|
||||
github.com/alecthomas/chroma v0.8.2
|
||||
github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a
|
||||
github.com/caddyserver/certmagic v0.12.1-0.20210104224249-7891c830824b
|
||||
github.com/caddyserver/certmagic v0.12.1-0.20210107224522-725b69d53d57
|
||||
github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
|
||||
github.com/go-chi/chi v4.1.2+incompatible
|
||||
github.com/google/cel-go v0.6.0
|
||||
|
|
4
go.sum
4
go.sum
|
@ -99,8 +99,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
|
|||
github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
|
||||
github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
|
||||
github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
|
||||
github.com/caddyserver/certmagic v0.12.1-0.20210104224249-7891c830824b h1:3sAfeMhRiv0CVLWvM+bTSVkZIf1KupsMjglpaOCAQjE=
|
||||
github.com/caddyserver/certmagic v0.12.1-0.20210104224249-7891c830824b/go.mod h1:yHMCSjG2eOFdI/Jx0+CCzr2DLw+UQu42KbaOVBx7LwA=
|
||||
github.com/caddyserver/certmagic v0.12.1-0.20210107224522-725b69d53d57 h1:eslWGgoQlVAzOGMUfK3ncoHnONjCUVOPTGRD9JG3gAY=
|
||||
github.com/caddyserver/certmagic v0.12.1-0.20210107224522-725b69d53d57/go.mod h1:yHMCSjG2eOFdI/Jx0+CCzr2DLw+UQu42KbaOVBx7LwA=
|
||||
github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
|
||||
github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
|
||||
github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
|
||||
|
|
|
@ -107,6 +107,19 @@ type AutomationPolicy struct {
|
|||
// load.
|
||||
OnDemand bool `json:"on_demand,omitempty"`
|
||||
|
||||
// Disables OCSP stapling. Disabling OCSP stapling puts clients at
|
||||
// greater risk, reduces their privacy, and usually lowers client
|
||||
// performance. It is NOT recommended to disable this unless you
|
||||
// are able to justify the costs.
|
||||
// EXPERIMENTAL. Subject to change.
|
||||
DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
|
||||
|
||||
// Overrides the URLs of OCSP responders embedded in certificates.
|
||||
// Each key is a OCSP server URL to override, and its value is the
|
||||
// replacement. An empty value will disable querying of that server.
|
||||
// EXPERIMENTAL. Subject to change.
|
||||
OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
|
||||
|
||||
// Issuers stores the decoded issuer parameters. This is only
|
||||
// used to populate an underlying certmagic.Config's Issuers
|
||||
// field; it is not referenced thereafter.
|
||||
|
@ -205,9 +218,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
|
|||
RenewalWindowRatio: ap.RenewalWindowRatio,
|
||||
KeySource: keySource,
|
||||
OnDemand: ond,
|
||||
Storage: storage,
|
||||
Issuers: issuers,
|
||||
Logger: tlsApp.logger,
|
||||
OCSP: certmagic.OCSPConfig{
|
||||
DisableStapling: ap.DisableOCSPStapling,
|
||||
ResponderOverrides: ap.OCSPOverrides,
|
||||
},
|
||||
Storage: storage,
|
||||
Issuers: issuers,
|
||||
Logger: tlsApp.logger,
|
||||
}
|
||||
ap.magic = certmagic.New(tlsApp.certCache, template)
|
||||
|
||||
|
|
Loading…
Reference in New Issue