caddytls: Disable OCSP stapling for manual certs (#4064)

author: Matthew Holt <mholt@users.noreply.github.com> 2021-04-12 16:09:02 -0600
committer: Matthew Holt <mholt@users.noreply.github.com> 2021-04-12 16:09:02 -0600
commit: 2250920e1d8506991c97275f1e517e1189c20a2f (patch)
tree: 7fcb52b6404d93b6dfdf9423e2892990f57cd07b /modules/caddytls
parent: 42b7134ffa3bf3e9e86514c82407979c2627a5ab (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index a0853ba..c111bbb 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -56,6 +56,16 @@ type TLS struct {
 	// Configures the in-memory certificate cache.
 	Cache *CertCacheOptions `json:"cache,omitempty"`
 
+	// Disables OCSP stapling for manually-managed certificates only.
+	// To configure OCSP stapling for automated certificates, use an
+	// automation policy instead.
+	//
+	// Disabling OCSP stapling puts clients at greater risk, reduces their
+	// privacy, and usually lowers client performance. It is NOT recommended
+	// to disable this unless you are able to justify the costs.
+	// EXPERIMENTAL. Subject to change.
+	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
 	certificateLoaders []CertificateLoader
 	automateNames      []string
 	certCache          *certmagic.Cache
@@ -173,6 +183,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 	magic := certmagic.New(t.certCache, certmagic.Config{
 		Storage: ctx.Storage(),
 		Logger:  t.logger,
+		OCSP: certmagic.OCSPConfig{
+			DisableStapling: t.DisableOCSPStapling,
+		},
 	})
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
author	Matthew Holt <mholt@users.noreply.github.com>	2021-04-12 16:09:02 -0600
committer	Matthew Holt <mholt@users.noreply.github.com>	2021-04-12 16:09:02 -0600
commit	2250920e1d8506991c97275f1e517e1189c20a2f (patch)
tree	7fcb52b6404d93b6dfdf9423e2892990f57cd07b /modules/caddytls
parent	42b7134ffa3bf3e9e86514c82407979c2627a5ab (diff)