author | Matthew Holt <mholt@users.noreply.github.com> | 2021-04-12 16:09:02 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-04-12 16:09:02 -0600 |
commit | 2250920e1d8506991c97275f1e517e1189c20a2f (patch) | |
tree | 7fcb52b6404d93b6dfdf9423e2892990f57cd07b | |
parent | 42b7134ffa3bf3e9e86514c82407979c2627a5ab (diff) |
caddytls: Disable OCSP stapling for manual certs (#4064)
-rw-r--r-- | modules/caddytls/tls.go | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index a0853ba..c111bbb 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -56,6 +56,16 @@ type TLS struct {
  // Configures the in-memory certificate cache.
  Cache *CertCacheOptions `json:"cache,omitempty"`
 
+ // Disables OCSP stapling for manually-managed certificates only.
+ // To configure OCSP stapling for automated certificates, use an
+ // automation policy instead.
+ //
+ // Disabling OCSP stapling puts clients at greater risk, reduces their
+ // privacy, and usually lowers client performance. It is NOT recommended
+ // to disable this unless you are able to justify the costs.
+ // EXPERIMENTAL. Subject to change.
+ DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
  certificateLoaders []CertificateLoader
  automateNames []string
  certCache *certmagic.Cache
@@ -173,6 +183,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
  magic := certmagic.New(t.certCache, certmagic.Config{
  Storage: ctx.Storage(),
  Logger: t.logger,
+ OCSP: certmagic.OCSPConfig{
+ DisableStapling: t.DisableOCSPStapling,
+ },
  })
  for _, loader := range t.certificateLoaders {
  certs, err := loader.LoadCertificates() |
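Review bot: The new field's doc comment says disabling stapling is not recommended, yet the second hunk passes `t.DisableOCSPStapling` straight into `certmagic.OCSPConfig` with no operator-visible signal, so a weakened revocation-checking posture leaves no trace in the logs. Emitting one warning at provision time, e.g. `if t.DisableOCSPStapling { t.logger.Warn("OCSP stapling disabled for manually-managed certificates") }` just before the `certmagic.New` call, makes the setting easy to spot during config review or incident triage; this assumes `t.logger` is the zap logger the `Logger:` field already receives. It would also be worth stating in the field comment that the flag only affects the certmagic config built here for loaded certificates, since the hunk alone cannot confirm that no other config path reads it. Provision starts and ends outside this hunk, so the exact insertion point is inferred.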