From 11a132d48b574ef113e411aa22c0801a5a3190bd Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Fri, 5 Jun 2020 11:14:39 -0600
Subject: caddytls: Configurable cache size limit

---
 modules/caddytls/tls.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

(limited to 'modules/caddytls/tls.go')

diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f2d23e..cc89ef5 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -57,6 +57,9 @@ type TLS struct {
 // Configures session ticket ephemeral keys (STEKs).
 SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
 
+ // Configures the in-memory certificate cache.
+ Cache *CertCacheOptions `json:"cache,omitempty"`
+
 certificateLoaders []CertificateLoader
 automateNames []string
 certCache *certmagic.Cache
@@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
 cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
 }
+ if t.Cache != nil {
+ cacheOpts.Capacity = t.Cache.Capacity
+ }
 t.certCache = certmagic.NewCache(cacheOpts)
 
 // certificate loaders
@@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
 }
 }
 }
+ if t.Cache != nil {
+ if t.Cache.Capacity < 0 {
+ return fmt.Errorf("cache capacity must be >= 0")
+ }
+ }
 return nil
 }
 
@@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
 }
 }
 
+// CertCacheOptions configures the certificate cache.
+type CertCacheOptions struct {
+ // Maximum number of certificates to allow in the
+ // cache. If reached, certificates will be randomly
+ // evicted to make room for new ones. Default: 0
+ // (no limit).
+ Capacity int `json:"capacity,omitempty"`
+}
+
 // Variables related to storage cleaning.
 var (
 storageCleanInterval = 12 * time.Hour
--
cgit v1.2.3
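Review bot: The capacity is copied into cacheOpts and passed to certmagic.NewCache with no range check in Provision, while the only rejection of a negative value is in Validate (the third hunk); if Provision runs before Validate, as I believe Caddy's module lifecycle does, a negative capacity reaches NewCache before it is rejected. Either guard it at the assignment, `if t.Cache != nil && t.Cache.Capacity < 0 { return fmt.Errorf("cache capacity must be >= 0") }`, or add a comment above the assignment stating that Validate is relied on to reject negative values so the dependency is explicit. Provision's body starts and ends outside the hunk.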
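Review bot: The two nested `if` statements around the capacity check read more clearly as a single guard, `if t.Cache != nil && t.Cache.Capacity < 0 {`, which keeps the early-return shape used by the surrounding checks. The constant-format `fmt.Errorf` could be `errors.New` if the file already imports errors, but that is not visible in this hunk, so keeping fmt.Errorf is fine. Validate's body starts outside the hunk.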
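Review bot: The Capacity comment documents the default and the eviction policy but not what either means operationally, which is what an operator setting this limit needs: with 0 the cache is unbounded, so memory grows with every certificate loaded, and a capacity below the number of certificates in steady use causes continual eviction and reloading. I would extend the field comment with `// A value of 0 leaves the cache unbounded; a value smaller than the number of certificates in regular use causes repeated eviction and reloading.` The "randomly evicted" wording describes behavior implemented by certmagic rather than by this package, so it should be kept in sync with that library's documented policy rather than treated as a guarantee of this type.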