From 11a132d48b574ef113e411aa22c0801a5a3190bd Mon Sep 17 00:00:00 2001
From: Matthew Holt <mholt@users.noreply.github.com>
Date: Fri, 5 Jun 2020 11:14:39 -0600
Subject: caddytls: Configurable cache size limit

---
 modules/caddytls/automation.go |  6 ++----
 modules/caddytls/tls.go        | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

(limited to 'modules/caddytls')

diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index bc095ff..37d5010 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -49,15 +49,13 @@ type AutomationConfig struct {
 	// Caddy staples OCSP (and caches the response) for all
 	// qualifying certificates by default. This setting
 	// changes how often it scans responses for freshness,
-	// and updates them if they are getting stale.
+	// and updates them if they are getting stale. Default: 1h
 	OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`
 
 	// Every so often, Caddy will scan all loaded, managed
 	// certificates for expiration. This setting changes how
 	// frequently the scan for expiring certificates is
-	// performed. If your certificate lifetimes are very
-	// short (less than ~24 hours), you should set this to
-	// a low value.
+	// performed. Default: 10m
 	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
 
 	defaultPublicAutomationPolicy   *AutomationPolicy
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f2d23e..cc89ef5 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -57,6 +57,9 @@ type TLS struct {
 	// Configures session ticket ephemeral keys (STEKs).
 	SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
 
+	// Configures the in-memory certificate cache.
+	Cache *CertCacheOptions `json:"cache,omitempty"`
+
 	certificateLoaders []CertificateLoader
 	automateNames      []string
 	certCache          *certmagic.Cache
@@ -89,6 +92,9 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		cacheOpts.OCSPCheckInterval = time.Duration(t.Automation.OCSPCheckInterval)
 		cacheOpts.RenewCheckInterval = time.Duration(t.Automation.RenewCheckInterval)
 	}
+	if t.Cache != nil {
+		cacheOpts.Capacity = t.Cache.Capacity
+	}
 	t.certCache = certmagic.NewCache(cacheOpts)
 
 	// certificate loaders
@@ -215,6 +221,11 @@ func (t *TLS) Validate() error {
 			}
 		}
 	}
+	if t.Cache != nil {
+		if t.Cache.Capacity < 0 {
+			return fmt.Errorf("cache capacity must be >= 0")
+		}
+	}
 	return nil
 }
 
@@ -445,6 +456,15 @@ func (AutomateLoader) CaddyModule() caddy.ModuleInfo {
 	}
 }
 
+// CertCacheOptions configures the certificate cache.
+type CertCacheOptions struct {
+	// Maximum number of certificates to allow in the
+	// cache. If reached, certificates will be randomly
+	// evicted to make room for new ones. Default: 0
+	// (no limit).
+	Capacity int `json:"capacity,omitempty"`
+}
+
 // Variables related to storage cleaning.
 var (
 	storageCleanInterval = 12 * time.Hour
-- 
cgit v1.2.3