From 09432ba64d3931206181c895c845116db8d7e877 Mon Sep 17 00:00:00 2001 From: Matthew Holt Date: Thu, 7 Jan 2021 15:52:58 -0700 Subject: caddytls: Configurable OCSP stapling; global option (closes #3714) Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls. --- caddyconfig/httpcaddyfile/options.go | 15 +++++++++++++++ caddyconfig/httpcaddyfile/tlsapp.go | 9 ++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) (limited to 'caddyconfig') diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go index 119295b..54672a6 100644 --- a/caddyconfig/httpcaddyfile/options.go +++ b/caddyconfig/httpcaddyfile/options.go @@ -43,6 +43,7 @@ func init() { RegisterGlobalOption("key_type", parseOptSingleString) RegisterGlobalOption("auto_https", parseOptAutoHTTPS) RegisterGlobalOption("servers", parseServerOptions) + RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions) } func parseOptTrue(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) { return true, nil } @@ -370,3 +371,17 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ interface{}) (interface{}, erro func parseServerOptions(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) { return unmarshalCaddyfileServerOptions(d) } + +func parseOCSPStaplingOptions(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) { + d.Next() // consume option name + var val string + if !d.AllArgs(&val) { + return nil, d.ArgErr() + } + if val != "off" { + return nil, d.Errf("invalid argument '%s'", val) + } + return certmagic.OCSPConfig{ + DisableStapling: val == "off", + }, nil +} diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go index 25b800a..10b5e7d 100644 --- a/caddyconfig/httpcaddyfile/tlsapp.go +++ b/caddyconfig/httpcaddyfile/tlsapp.go @@ -417,8 +417,9 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon issuers, hasIssuers := options["cert_issuer"] _, hasLocalCerts := options["local_certs"] keyType, hasKeyType := options["key_type"] + ocspStapling, hasOCSPStapling := options["ocsp_stapling"] - hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType + hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling // if there are no global options related to automation policies // set, then we can just return right away @@ -444,6 +445,12 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon ap.Issuers = []certmagic.Issuer{new(caddytls.InternalIssuer)} } + if hasOCSPStapling { + ocspConfig := ocspStapling.(certmagic.OCSPConfig) + ap.DisableOCSPStapling = ocspConfig.DisableStapling + ap.OCSPOverrides = ocspConfig.ResponderOverrides + } + return ap, nil } -- cgit v1.2.3