Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-06-06 14:05:19 -04:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls: Make the on-demand rate limiter actually work

Browse Source 
This required a custom rate limiter implementation in CertMagic
This commit is contained in:
Matthew Holt
2019-10-21 12:03:51 -06:00
parent 208f2ff93c
commit faf67b1067
4 changed files with 13 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/caddytls/acmemanager.go
+4 -8
View File
@@ -138,14 +138,10 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
return err
}
}
// check the rate limiter last, since
// even checking consumes a token; so
// don't even bother checking if the
// other regulations fail anyway
if onDemand.RateLimit != nil {
if !onDemandRateLimiter.Allow() {
return fmt.Errorf("on-demand rate limit exceeded")
}
// check the rate limiter last because
// doing so makes a reservation
if !onDemandRateLimiter.Allow() {
return fmt.Errorf("on-demand rate limit exceeded")
}
}
return nil
modules/caddytls/tls.go
+6 -8
View File
@@ -26,7 +26,6 @@ import (
"github.com/caddyserver/caddy/v2"
"github.com/go-acme/lego/v3/challenge"
"github.com/mholt/certmagic"
"golang.org/x/time/rate"
)
func init() {
@@ -104,13 +103,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
// on-demand rate limiting
if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
limit := rate.Every(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
onDemandRateLimiter.SetLimit(limit)
onDemandRateLimiter.SetBurst(t.Automation.OnDemand.RateLimit.Burst)
onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
} else {
// if no rate limit is specified, be sure to remove any existing limit
onDemandRateLimiter.SetLimit(0)
onDemandRateLimiter.SetBurst(0)
// remove any existing rate limiter
onDemandRateLimiter.SetMaxEvents(0)
onDemandRateLimiter.SetWindow(0)
}
// load manual/static (unmanaged) certificates - we do this in
@@ -384,7 +382,7 @@ type ManagerMaker interface {
// These perpetual values are used for on-demand TLS.
var (
onDemandRateLimiter = rate.NewLimiter(0, 1)
onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
onDemandAskClient = &http.Client{
Timeout: 10 * time.Second,
CheckRedirect: func(req *http.Request, via []*http.Request) error {