From faf67b10670a14c24ce601be703dfb65f07ffa45 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 21 Oct 2019 12:03:51 -0600
Subject: tls: Make the on-demand rate limiter actually work
This required a custom rate limiter implementation in CertMagic
---
 go.mod | 2 +-
 go.sum | 4 ++--
 modules/caddytls/acmemanager.go | 12 ++++--------
 modules/caddytls/tls.go | 14 ++++++-------
 4 files changed, 13 insertions(+), 19 deletions(-)
diff --git a/go.mod b/go.mod
index 0a66a78..be5f485 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/klauspost/compress v1.8.6
 github.com/klauspost/cpuid v1.2.1
 github.com/lucas-clemente/quic-go v0.12.1
- github.com/mholt/certmagic v0.8.0
+ github.com/mholt/certmagic v0.8.3
 github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190906142622-1265e9b150c6
 github.com/rs/cors v1.7.0
 github.com/russross/blackfriday/v2 v2.0.1
diff --git a/go.sum b/go.sum
index 3198595..4ecf483 100644
--- a/go.sum
+++ b/go.sum
@@ -172,8 +172,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/certmagic v0.8.0 h1:WEQhZ4+ySd2cQz0Gf1iEk6xsUaEmmHe10SZiiKd7BdY=
-github.com/mholt/certmagic v0.8.0/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaRaOZi6aQ=
+github.com/mholt/certmagic v0.8.3 h1:JOUiX9IAZbbgyjNP2GY6v/6lorH+9GkZsc7ktMpGCSo=
+github.com/mholt/certmagic v0.8.3/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaRaOZi6aQ=
 github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go
index dbc8fc9..9f31215 100644
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@@ -138,14 +138,10 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
 return err
 }
 }
- // check the rate limiter last, since
- // even checking consumes a token; so
- // don't even bother checking if the
- // other regulations fail anyway
- if onDemand.RateLimit != nil {
- if !onDemandRateLimiter.Allow() {
- return fmt.Errorf("on-demand rate limit exceeded")
- }
+ // check the rate limiter last because
+ // doing so makes a reservation
+ if !onDemandRateLimiter.Allow() {
+ return fmt.Errorf("on-demand rate limit exceeded")
 }
 }
 return nil
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7aa1856..5054081 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -26,7 +26,6 @@ import (
 "github.com/caddyserver/caddy/v2"
 "github.com/go-acme/lego/v3/challenge"
 "github.com/mholt/certmagic"
- "golang.org/x/time/rate"
 )
 
 func init() {
@@ -104,13 +103,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 // on-demand rate limiting
 if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
- limit := rate.Every(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
- onDemandRateLimiter.SetLimit(limit)
- onDemandRateLimiter.SetBurst(t.Automation.OnDemand.RateLimit.Burst)
+ onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
+ onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
 } else {
- // if no rate limit is specified, be sure to remove any existing limit
- onDemandRateLimiter.SetLimit(0)
- onDemandRateLimiter.SetBurst(0)
+ // remove any existing rate limiter
+ onDemandRateLimiter.SetMaxEvents(0)
+ onDemandRateLimiter.SetWindow(0)
 }
 
 // load manual/static (unmanaged) certificates - we do this in
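Review bot: The new code calls `onDemandRateLimiter.Allow()` unconditionally, dropping the old `onDemand.RateLimit != nil` guard, so behaviour when no rate limit is configured now rests entirely on the zero-valued limiter (`certmagic.NewRateLimiter(0, 0)` in the tls.go var block, and the `SetMaxEvents(0)`/`SetWindow(0)` reset in Provision) being treated by CertMagic as "no limit" rather than "allow nothing"; nothing in this diff shows that contract, and the replaced `rate.NewLimiter(0, 1)` had the opposite meaning. Since this check is the only cap on how many certificate issuances an unauthenticated handshake can trigger, I would pin the assumption in a comment next to the call, e.g. `// a limiter with zero max events / zero window is unlimited (CertMagic contract); an explicit RateLimit != nil guard is therefore unnecessary`, and cover the unconfigured case with a test that asserts Allow() returns true. The reworded comment about "making a reservation" reads as if Allow() only reserves; it also returns the verdict, so `// Allow() claims a slot, so check it last: a request rejected by the earlier checks must not consume one` would be more precise. makeCertMagicConfig and the closure this code sits in both begin and end outside the hunk.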
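Review bot: Provision copies `RateLimit.Burst` into `SetMaxEvents` and `RateLimit.Interval` into `SetWindow` without validating either, while the else branch uses `SetMaxEvents(0)`/`SetWindow(0)` to mean "remove any existing rate limiter"; so a rate-limit block whose Burst or Interval is left at zero presumably (the zero semantics live in CertMagic, not in this hunk) disables on-demand rate limiting instead of failing loudly. Because this limiter bounds certificate issuance driven by arbitrary client SNI, a silently absent limit is the wrong failure mode for a misconfiguration; I would reject it at provision time with something like `if t.Automation.OnDemand.RateLimit.Burst <= 0 || t.Automation.OnDemand.RateLimit.Interval <= 0 { return fmt.Errorf("on-demand rate limit requires positive burst and interval") }` before the two setter calls. The comment `// remove any existing rate limiter` is slightly off, since the limiter object stays and only its bounds are cleared; `// no rate limit configured: clear any bounds left by a previous config` says what actually happens. Provision begins and ends outside this hunk.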
@@ -384,7 +382,7 @@ type ManagerMaker interface {
 
 // These perpetual values are used for on-demand TLS.
 var (
- onDemandRateLimiter = rate.NewLimiter(0, 1)
+ onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
 onDemandAskClient = &http.Client{
 Timeout: 10 * time.Second,
 CheckRedirect: func(req *http.Request, via []*http.Request) error {
-- 
cgit v1.2.3