diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2021-01-07 15:52:58 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2021-01-07 15:52:58 -0700 |
commit | 09432ba64d3931206181c895c845116db8d7e877 (patch) | |
tree | de933878ba370ee74a13c79103c3cc4aa666e9d8 /modules | |
parent | ef5448324948537bb4ce798567d79d0612d41220 (diff) |
caddytls: Configurable OCSP stapling; global option (closes #3714)
Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddytls/automation.go | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go index 509ad6e..ed29e06 100644 --- a/modules/caddytls/automation.go +++ b/modules/caddytls/automation.go @@ -107,6 +107,19 @@ type AutomationPolicy struct { // load. OnDemand bool `json:"on_demand,omitempty"` + // Disables OCSP stapling. Disabling OCSP stapling puts clients at + // greater risk, reduces their privacy, and usually lowers client + // performance. It is NOT recommended to disable this unless you + // are able to justify the costs. + // EXPERIMENTAL. Subject to change. + DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"` + + // Overrides the URLs of OCSP responders embedded in certificates. + // Each key is a OCSP server URL to override, and its value is the + // replacement. An empty value will disable querying of that server. + // EXPERIMENTAL. Subject to change. + OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"` + // Issuers stores the decoded issuer parameters. This is only // used to populate an underlying certmagic.Config's Issuers // field; it is not referenced thereafter. @@ -205,9 +218,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error { RenewalWindowRatio: ap.RenewalWindowRatio, KeySource: keySource, OnDemand: ond, - Storage: storage, - Issuers: issuers, - Logger: tlsApp.logger, + OCSP: certmagic.OCSPConfig{ + DisableStapling: ap.DisableOCSPStapling, + ResponderOverrides: ap.OCSPOverrides, + }, + Storage: storage, + Issuers: issuers, + Logger: tlsApp.logger, } ap.magic = certmagic.New(tlsApp.certCache, template) |