summaryrefslogtreecommitdiff
path: root/modules/caddytls
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2019-10-21 12:03:51 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2019-10-21 12:03:51 -0600
commitfaf67b10670a14c24ce601be703dfb65f07ffa45 (patch)
tree6c6a677c073224460193dfeba8e0b7a15d33ebde /modules/caddytls
parent208f2ff93c1bd2c009e4b96f664c1808ede79f3a (diff)
tls: Make the on-demand rate limiter actually work
This required a custom rate limiter implementation in CertMagic
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/acmemanager.go12
-rw-r--r--modules/caddytls/tls.go14
2 files changed, 10 insertions, 16 deletions
diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go
index dbc8fc9..9f31215 100644
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@@ -138,14 +138,10 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
return err
}
}
- // check the rate limiter last, since
- // even checking consumes a token; so
- // don't even bother checking if the
- // other regulations fail anyway
- if onDemand.RateLimit != nil {
- if !onDemandRateLimiter.Allow() {
- return fmt.Errorf("on-demand rate limit exceeded")
- }
+ // check the rate limiter last because
+ // doing so makes a reservation
+ if !onDemandRateLimiter.Allow() {
+ return fmt.Errorf("on-demand rate limit exceeded")
}
}
return nil
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7aa1856..5054081 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -26,7 +26,6 @@ import (
"github.com/caddyserver/caddy/v2"
"github.com/go-acme/lego/v3/challenge"
"github.com/mholt/certmagic"
- "golang.org/x/time/rate"
)
func init() {
@@ -104,13 +103,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
// on-demand rate limiting
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
- limit := rate.Every(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
- onDemandRateLimiter.SetLimit(limit)
- onDemandRateLimiter.SetBurst(t.Automation.OnDemand.RateLimit.Burst)
+ onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
+ onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
} else {
- // if no rate limit is specified, be sure to remove any existing limit
- onDemandRateLimiter.SetLimit(0)
- onDemandRateLimiter.SetBurst(0)
+ // remove any existing rate limiter
+ onDemandRateLimiter.SetMaxEvents(0)
+ onDemandRateLimiter.SetWindow(0)
}
// load manual/static (unmanaged) certificates - we do this in
@@ -384,7 +382,7 @@ type ManagerMaker interface {
// These perpetual values are used for on-demand TLS.
var (
- onDemandRateLimiter = rate.NewLimiter(0, 1)
+ onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
onDemandAskClient = &http.Client{
Timeout: 10 * time.Second,
CheckRedirect: func(req *http.Request, via []*http.Request) error {