summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorMatthew Holt <mholt@users.noreply.github.com>2021-01-07 15:52:58 -0700
committerMatthew Holt <mholt@users.noreply.github.com>2021-01-07 15:52:58 -0700
commit09432ba64d3931206181c895c845116db8d7e877 (patch)
treede933878ba370ee74a13c79103c3cc4aa666e9d8 /modules
parentef5448324948537bb4ce798567d79d0612d41220 (diff)
caddytls: Configurable OCSP stapling; global option (closes #3714)
Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/automation.go23
1 files changed, 20 insertions, 3 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 509ad6e..ed29e06 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -107,6 +107,19 @@ type AutomationPolicy struct {
// load.
OnDemand bool `json:"on_demand,omitempty"`
+ // Disables OCSP stapling. Disabling OCSP stapling puts clients at
+ // greater risk, reduces their privacy, and usually lowers client
+ // performance. It is NOT recommended to disable this unless you
+ // are able to justify the costs.
+ // EXPERIMENTAL. Subject to change.
+ DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
+ // Overrides the URLs of OCSP responders embedded in certificates.
+ // Each key is a OCSP server URL to override, and its value is the
+ // replacement. An empty value will disable querying of that server.
+ // EXPERIMENTAL. Subject to change.
+ OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
+
// Issuers stores the decoded issuer parameters. This is only
// used to populate an underlying certmagic.Config's Issuers
// field; it is not referenced thereafter.
@@ -205,9 +218,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
RenewalWindowRatio: ap.RenewalWindowRatio,
KeySource: keySource,
OnDemand: ond,
- Storage: storage,
- Issuers: issuers,
- Logger: tlsApp.logger,
+ OCSP: certmagic.OCSPConfig{
+ DisableStapling: ap.DisableOCSPStapling,
+ ResponderOverrides: ap.OCSPOverrides,
+ },
+ Storage: storage,
+ Issuers: issuers,
+ Logger: tlsApp.logger,
}
ap.magic = certmagic.New(tlsApp.certCache, template)