caddytls: Configurable OCSP stapling; global option (closes #3714)

Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.

1 files changed, 20 insertions, 3 deletions

diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 509ad6e..ed29e06 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -107,6 +107,19 @@ type AutomationPolicy struct {
 	// load.
 	OnDemand bool `json:"on_demand,omitempty"`
 
+	// Disables OCSP stapling. Disabling OCSP stapling puts clients at
+	// greater risk, reduces their privacy, and usually lowers client
+	// performance. It is NOT recommended to disable this unless you
+	// are able to justify the costs.
+	// EXPERIMENTAL. Subject to change.
+	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
+	// Overrides the URLs of OCSP responders embedded in certificates.
+	// Each key is a OCSP server URL to override, and its value is the
+	// replacement. An empty value will disable querying of that server.
+	// EXPERIMENTAL. Subject to change.
+	OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
+
 	// Issuers stores the decoded issuer parameters. This is only
 	// used to populate an underlying certmagic.Config's Issuers
 	// field; it is not referenced thereafter.
@@ -205,9 +218,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		RenewalWindowRatio: ap.RenewalWindowRatio,
 		KeySource:          keySource,
 		OnDemand:           ond,
-		Storage:            storage,
-		Issuers:            issuers,
-		Logger:             tlsApp.logger,
+		OCSP: certmagic.OCSPConfig{
+			DisableStapling:    ap.DisableOCSPStapling,
+			ResponderOverrides: ap.OCSPOverrides,
+		},
+		Storage: storage,
+		Issuers: issuers,
+		Logger:  tlsApp.logger,
 	}
 	ap.magic = certmagic.New(tlsApp.certCache, template)