certmagic

package module
v0.8.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 29, 2021 License: Apache-2.0 Imports: 44 Imported by: 9

README

CertMagic

Easy and Powerful TLS Automation

The same library used by the Caddy Web Server

Caddy's automagic TLS features, now for your own Go programs, in one powerful and easy-to-use library!

CertMagic is the most mature, robust, and capable ACME client integration for Go.

With CertMagic, you can add one line to your Go application to serve securely over TLS, without ever having to touch certificates.

Instead of:

// plaintext HTTP, gross 🤢
http.ListenAndServe(":80", mux)

Use CertMagic:

// encrypted HTTPS with HTTP->HTTPS redirects - yay! 🔒😍
certmagic.HTTPS([]string{"example.com"}, mux)

That line of code will serve your HTTP router mux over HTTPS, complete with HTTP->HTTPS redirects. It obtains and renews the TLS certificates. It staples OCSP responses for greater privacy and security. As long as your domain name points to your server, CertMagic will keep its connections secure.

Compared to other ACME client libraries for Go, only CertMagic supports the full suite of ACME features, and no other library matches CertMagic's maturity and reliability.

CertMagic - Automatic HTTPS using Let's Encrypt

Sponsored by Relica - Cross-platform local and cloud file backup:

Relica - Cross-platform file backup to the cloud, local disks, or other computers

Menu

Features

  • Fully automated certificate management including issuance and renewal
  • One-liner, fully managed HTTPS servers
  • Full control over almost every aspect of the system
  • HTTP->HTTPS redirects (for HTTP applications)
  • Solves all 3 ACME challenges: HTTP, TLS-ALPN, and DNS
    • Challenge randomization and rotation
    • Robust retries
  • Over 50 DNS providers work out-of-the-box (powered by lego!)
  • Pluggable storage implementations (default: file system)
  • Wildcard certificates (requires DNS challenge)
  • OCSP stapling for each qualifying certificate (done right)
  • Distributed solving of all challenges (works behind load balancers)
  • Supports "on-demand" issuance of certificates (during TLS handshakes!)
    • Caddy / CertMagic pioneered this technology
    • Custom decision functions to regulate on-demand behavior
  • Optional event hooks for observation
  • Works with any certificate authority (CA) compliant with the ACME specification
  • Certificate revocation (please, only if private key is compromised)
  • Must-Staple (optional; not default)
  • Cross-platform support! Mac, Windows, Linux, BSD, Android...
  • Scales well to thousands of names/certificates per instance
  • Use in conjunction with your own certificates

Requirements

  1. Public DNS name(s) you control
  2. Server reachable from public Internet
    • Or use the DNS challenge to waive this requirement
  3. Control over port 80 (HTTP) and/or 443 (HTTPS)
    • Or they can be forwarded to other ports you control
    • Or use the DNS challenge to waive this requirement
    • (This is a requirement of the ACME protocol, not a library limitation)
  4. Persistent storage
    • Typically the local file system (default)
    • Other integrations available/possible

Before using this library, your domain names MUST be pointed (A/AAAA records) at your server (unless you use the DNS challenge)!

Installation

$ go get github.com/mholt/certmagic

Usage

Package Overview
Certificate authority

This library uses Let's Encrypt by default, but you can use any certificate authority that conforms to the ACME specification. Known/common CAs are provided as consts in the package, for example LetsEncryptStagingCA and LetsEncryptProductionCA.

The Config type

The certmagic.Config struct is how you can wield the power of this fully armed and operational battle station. However, an empty/uninitialized Config is not a valid one! In time, you will learn to use the force of certmagic.NewDefault() as I have.

Defaults

The default Config value is called certmagic.Default. Change its fields to suit your needs, then call certmagic.NewDefault() when you need a valid Config value. In other words, certmagic.Default is a template and is not valid for use directly.

You can set the default values easily, for example: certmagic.Default.Email = ....

The high-level functions in this package (HTTPS(), Listen(), ManageSync(), and ManageAsync()) use the default config exclusively. This is how most of you will interact with the package. This is suitable when all your certificates are managed the same way. However, if you need to manage certificates differently depending on their name, you will need to make your own cache and configs (keep reading).

Providing an email address

Although not strictly required, this is highly recommended best practice. It allows you to receive expiration emails if your certificates are expiring for some reason, and also allows the CA's engineers to potentially get in touch with you if something is wrong. I recommend setting certmagic.Default.Email or always setting the Email field of a new Config struct.

Development and Testing

Note that Let's Encrypt imposes strict rate limits at its production endpoint, so using it while developing your application may lock you out for a few days if you aren't careful!

While developing your application and testing it, use their staging endpoint which has much higher rate limits. Even then, don't hammer it: but it's much safer for when you're testing. When deploying, though, use their production CA because their staging CA doesn't issue trusted certificates.

To use staging, set certmagic.Default.CA = certmagic.LetsEncryptStagingCA or set CA of every Config struct.

Examples

There are many ways to use this library. We'll start with the highest-level (simplest) and work down (more control).

All these high-level examples use certmagic.Default for the config and the default cache and storage for serving up certificates.

First, we'll follow best practices and do the following:

// read and agree to your CA's legal documents
certmagic.Default.Agreed = true

// provide an email address
certmagic.Default.Email = "you@yours.com"

// use the staging endpoint while we're developing
certmagic.Default.CA = certmagic.LetsEncryptStagingCA

For fully-functional program examples, check out this Twitter thread (or read it unrolled into a single post). (Note that the package API has changed slightly since these posts.)

Serving HTTP handlers with HTTPS
err := certmagic.HTTPS([]string{"example.com", "www.example.com"}, mux)
if err != nil {
	return err
}

This starts HTTP and HTTPS listeners and redirects HTTP to HTTPS!

Starting a TLS listener
ln, err := certmagic.Listen([]string{"example.com"})
if err != nil {
	return err
}
Getting a tls.Config
tlsConfig, err := certmagic.TLS([]string{"example.com"})
if err != nil {
	return err
}
Advanced use

For more control (particularly, if you need a different way of managing each certificate), you'll make and use a Cache and a Config like so:

cache := certmagic.NewCache(certmagic.CacheOptions{
	GetConfigForCert: func(cert certmagic.Certificate) (*certmagic.Config, error) {
		// do whatever you need to do to get the right
		// configuration for this certificate; keep in
		// mind that this config value is used as a
		// template, and will be completed with any
		// defaults that are set in the Default config
		return certmagic.Config{
			// ...
		}), nil
	},
	...
})

magic := certmagic.New(cache, certmagic.Config{
	CA:     certmagic.LetsEncryptStagingCA,
	Email:  "you@yours.com",
	Agreed: true,
	// plus any other customization you want
})

// this obtains certificates or renews them if necessary
err := magic.ManageSync([]string{"example.com", "sub.example.com"})
if err != nil {
	return err
}

// to use its certificates and solve the TLS-ALPN challenge,
// you can get a TLS config to use in a TLS listener!
tlsConfig := magic.TLSConfig()

//// OR ////

// if you already have a TLS config you don't want to replace,
// we can simply set its GetCertificate field and append the
// TLS-ALPN challenge protocol to the NextProtos
myTLSConfig.GetCertificate = magic.GetCertificate
myTLSConfig.NextProtos = append(myTLSConfig.NextProtos, tlsalpn01.ACMETLS1Protocol}

// the HTTP challenge has to be handled by your HTTP server;
// if you don't have one, you should have disabled it earlier
// when you made the certmagic.Config
httpMux = magic.HTTPChallengeHandler(httpMux)

Great! This example grants you much more flexibility for advanced programs. However, the vast majority of you will only use the high-level functions described earlier, especially since you can still customize them by setting the package-level Default config.

Wildcard certificates

At time of writing (December 2018), Let's Encrypt only issues wildcard certificates with the DNS challenge. You can easily enable the DNS challenge with CertMagic for numerous providers (see the relevant section in the docs).

Behind a load balancer (or in a cluster)

CertMagic runs effectively behind load balancers and/or in cluster/fleet environments. In other words, you can have 10 or 1,000 servers all serving the same domain names, all sharing certificates and OCSP staples.

To do so, simply ensure that each instance is using the same Storage. That is the sole criteria for determining whether an instance is part of a cluster.

The default Storage is implemented using the file system, so mounting the same shared folder is sufficient (see Storage for more on that)! If you need an alternate Storage implementation, feel free to use one, provided that all the instances use the same one. :)

See Storage and the associated godoc for more information!

The ACME Challenges

This section describes how to solve the ACME challenges. Challenges are how you demonstrate to the certificate authority some control over your domain name, thus authorizing them to grant you a certificate for that name. The great innovation of ACME is that verification by CAs can now be automated, rather than having to click links in emails (who ever thought that was a good idea??).

If you're using the high-level convenience functions like HTTPS(), Listen(), or TLS(), the HTTP and/or TLS-ALPN challenges are solved for you because they also start listeners. However, if you're making a Config and you start your own server manually, you'll need to be sure the ACME challenges can be solved so certificates can be renewed.

The HTTP and TLS-ALPN challenges are the defaults because they don't require configuration from you, but they require that your server is accessible from external IPs on low ports. If that is not possible in your situation, you can enable the DNS challenge, which will disable the HTTP and TLS-ALPN challenges and use the DNS challenge exclusively.

Technically, only one challenge needs to be enabled for things to work, but using multiple is good for reliability in case a challenge is discontinued by the CA. This happened to the TLS-SNI challenge in early 2018—many popular ACME clients such as Traefik and Autocert broke, resulting in downtime for some sites, until new releases were made and patches deployed, because they used only one challenge; Caddy, however—this library's forerunner—was unaffected because it also used the HTTP challenge. If multiple challenges are enabled, they are chosen randomly to help prevent false reliance on a single challenge type. And if one fails, any remaining enabled challenges are tried before giving up.

HTTP Challenge

Per the ACME spec, the HTTP challenge requires port 80, or at least packet forwarding from port 80. It works by serving a specific HTTP response that only the genuine server would have to a normal HTTP request at a special endpoint.

If you are running an HTTP server, solving this challenge is very easy: just wrap your handler in HTTPChallengeHandler or call SolveHTTPChallenge() inside your own ServeHTTP() method.

For example, if you're using the standard library:

mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(w, "Lookit my cool website over HTTPS!")
})

http.ListenAndServe(":80", magic.HTTPChallengeHandler(mux))

If wrapping your handler is not a good solution, try this inside your ServeHTTP() instead:

magic := certmagic.NewDefault()

func ServeHTTP(w http.ResponseWriter, req *http.Request) {
	if magic.HandleHTTPChallenge(w, r) {
		return // challenge handled; nothing else to do
	}
	...
}

If you are not running an HTTP server, you should disable the HTTP challenge or run an HTTP server whose sole job it is to solve the HTTP challenge.

TLS-ALPN Challenge

Per the ACME spec, the TLS-ALPN challenge requires port 443, or at least packet forwarding from port 443. It works by providing a special certificate using a standard TLS extension, Application Layer Protocol Negotiation (ALPN), having a special value. This is the most convenient challenge type because it usually requires no extra configuration and uses the standard TLS port which is where the certificates are used, also.

This challenge is easy to solve: just use the provided tls.Config when you make your TLS listener:

// use this to configure a TLS listener
tlsConfig := magic.TLSConfig()

Or make two simple changes to an existing tls.Config:

myTLSConfig.GetCertificate = magic.GetCertificate
myTLSConfig.NextProtos = append(myTLSConfig.NextProtos, tlsalpn01.ACMETLS1Protocol}

Then just make sure your TLS listener is listening on port 443:

ln, err := tls.Listen("tcp", ":443", myTLSConfig)
DNS Challenge

The DNS challenge is perhaps the most useful challenge because it allows you to obtain certificates without your server needing to be publicly accessible on the Internet, and it's the only challenge by which Let's Encrypt will issue wildcard certificates.

This challenge works by setting a special record in the domain's zone. To do this automatically, your DNS provider needs to offer an API by which changes can be made to domain names, and the changes need to take effect immediately for best results. CertMagic supports all of lego's DNS provider implementations! All of them clean up the temporary record after the challenge completes.

To enable it, just set the DNSProvider field on a certmagic.Config struct, or set the default certmagic.DNSProvider variable. For example, if my domains' DNS was served by DNSimple and I set my DNSimple API credentials in environment variables:

import "github.com/go-acme/lego/v4/providers/dns/dnsimple"

provider, err := dnsimple.NewDNSProvider()
if err != nil {
	return err
}

certmagic.Default.DNSProvider = provider

Now the DNS challenge will be used by default, and I can obtain certificates for wildcard domains. See the godoc documentation for the provider you're using to learn how to configure it. Most can be configured by env variables or by passing in a config struct. If you pass a config struct instead of using env variables, you will probably need to set some other defaults (that's just how lego works, currently):

PropagationTimeout: dns01.DefaultPollingInterval,
PollingInterval:    dns01.DefaultPollingInterval,
TTL:                dns01.DefaultTTL,

Enabling the DNS challenge disables the other challenges for that certmagic.Config instance.

On-Demand TLS

Normally, certificates are obtained and renewed before a listener starts serving, and then those certificates are maintained throughout the lifetime of the program. In other words, the certificate names are static. But sometimes you don't know all the names ahead of time, or you don't want to manage all the certificates up front. This is where On-Demand TLS shines.

Originally invented for use in Caddy (which was the first program to use such technology), On-Demand TLS makes it possible and easy to serve certificates for arbitrary or specific names during the lifetime of the server. When a TLS handshake is received, CertMagic will read the Server Name Indication (SNI) value and either load and present that certificate in the ServerHello, or if one does not exist, it will obtain it from a CA right then-and-there.

Of course, this has some obvious security implications. You don't want to DoS a CA or allow arbitrary clients to fill your storage with spammy TLS handshakes. That's why, when you enable On-Demand issuance, you should set limits or policy to allow getting certificates. CertMagic has an implicit whitelist built-in which is sufficient for nearly everyone, but also has a more advanced way to control on-demand issuance.

The simplest way to enable on-demand issuance is to set the OnDemand field of a Config (or the default package-level value):

certmagic.Default.OnDemand = new(certmagic.OnDemandConfig)

By setting this to a non-nil value, on-demand TLS is enabled for that config. For convenient security, CertMagic's high-level abstraction functions such as HTTPS(), TLS(), ManageSync(), ManageAsync(), and Listen() (which all accept a list of domain names) will whitelist those names automatically so only certificates for those names can be obtained when using the Default config. Usually this is sufficient for most users.

However, if you require advanced control over which domains can be issued certificates on-demand (for example, if you do not know which domain names you are managing, or just need to defer their operations until later), you should implement your own DecisionFunc:

// if the decision function returns an error, a certificate
// may not be obtained for that name at that time
certmagic.Default.OnDemand = &certmagic.OnDemandConfig{
	DecisionFunc: func(name string) error {
		if name != "example.com" {
			return fmt.Errorf("not allowed")
		}
		return nil
	},
}

The godoc describes how to use this in full detail, so please check it out!

Storage

CertMagic relies on storage to store certificates and other TLS assets (OCSP staple cache, coordinating locks, etc). Persistent storage is a requirement when using CertMagic: ephemeral storage will likely lead to rate limiting on the CA-side as CertMagic will always have to get new certificates.

By default, CertMagic stores assets on the local file system in $HOME/.local/share/certmagic (and honors $XDG_DATA_HOME if set). CertMagic will create the directory if it does not exist. If writes are denied, things will not be happy, so make sure CertMagic can write to it!

The notion of a "cluster" or "fleet" of instances that may be serving the same site and sharing certificates, etc, is tied to storage. Simply, any instances that use the same storage facilities are considered part of the cluster. So if you deploy 100 instances of CertMagic behind a load balancer, they are all part of the same cluster if they share the same storage configuration. Sharing storage could be mounting a shared folder, or implementing some other distributed storage system such as a database server or KV store.

The easiest way to change the storage being used is to set certmagic.DefaultStorage to a value that satisfies the Storage interface. Keep in mind that a valid Storage must be able to implement some operations atomically in order to provide locking and synchronization.

If you write a Storage implementation, please add it to the project wiki so people can find it!

Cache

All of the certificates in use are de-duplicated and cached in memory for optimal performance at handshake-time. This cache must be backed by persistent storage as described above.

Most applications will not need to interact with certificate caches directly. Usually, the closest you will come is to set the package-wide certmagic.DefaultStorage variable (before attempting to create any Configs). However, if your use case requires using different storage facilities for different Configs (that's highly unlikely and NOT recommended! Even Caddy doesn't get that crazy), you will need to call certmagic.NewCache() and pass in the storage you want to use, then get new Config structs with certmagic.NewWithCache() and pass in the cache.

Again, if you're needing to do this, you've probably over-complicated your application design.

FAQ

Can I use some of my own certificates while using CertMagic?

Yes, just call the relevant method on the Config to add your own certificate to the cache:

Keep in mind that unmanaged certificates are (obviously) not renewed for you, so you'll have to replace them when you do. However, OCSP stapling is performed even for unmanaged certificates that qualify.

Does CertMagic obtain SAN certificates?

Technically all certificates these days are SAN certificates because CommonName is deprecated. But if you're asking whether CertMagic issues and manages certificates with multiple SANs, the answer is no. But it does support serving them, if you provide your own.

How can I listen on ports 80 and 443? Do I have to run as root?

On Linux, you can use setcap to grant your binary the permission to bind low ports:

$ sudo setcap cap_net_bind_service=+ep /path/to/your/binary

and then you will not need to run with root privileges.

Contributing

We welcome your contributions! Please see our contributing guidelines for instructions.

Project History

CertMagic is the core of Caddy's advanced TLS automation code, extracted into a library. The underlying ACME client implementation is lego, which was originally developed for use in Caddy even before Let's Encrypt entered public beta in 2015.

In the years since then, Caddy's TLS automation techniques have been widely adopted, tried and tested in production, and served millions of sites and secured trillions of connections.

Now, CertMagic is the actual library used by Caddy. It's incredibly powerful and feature-rich, but also easy to use for simple Go programs: one line of code can enable fully-automated HTTPS applications with HTTP->HTTPS redirects.

Caddy is known for its robust HTTPS+ACME features. When ACME certificate authorities have had outages, in some cases Caddy was the only major client that didn't experience any downtime. Caddy can weather OCSP outages lasting days, or CA outages lasting weeks, without taking your sites offline.

Caddy was also the first to sport "on-demand" issuance technology, which obtains certificates during the first TLS handshake for an allowed SNI name.

Consequently, CertMagic brings all these (and more) features and capabilities right into your own Go programs.

You can watch a 2016 dotGo talk by the author of this library about using ACME to automate certificate management in Go programs:

Matthew Holt speaking at dotGo 2016 about ACME in Go

Credits and License

CertMagic is a project by Matthew Holt, who is the author; and various contributors, who are credited in the commit history of either CertMagic or Caddy.

CertMagic is licensed under Apache 2.0, an open source license. For convenience, its main points are summarized as follows (but this is no replacement for the actual license text):

  • The author owns the copyright to this code
  • Use, distribute, and modify the software freely
  • Private and internal use is allowed
  • License text and copyright notices must stay intact and be included with distributions
  • Any and all changes to the code must be documented

Documentation

Overview

Package certmagic automates the obtaining and renewal of TLS certificates, including TLS & HTTPS best practices such as robust OCSP stapling, caching, HTTP->HTTPS redirects, and more.

Its high-level API serves your HTTP handlers over HTTPS if you simply give the domain name(s) and the http.Handler; CertMagic will create and run the HTTPS server for you, fully managing certificates during the lifetime of the server. Similarly, it can be used to start TLS listeners or return a ready-to-use tls.Config -- whatever layer you need TLS for, CertMagic makes it easy. See the HTTPS, Listen, and TLS functions for that.

If you need more control, create a Cache using NewCache() and then make a Config using New(). You can then call Manage() on the config. But if you use this lower-level API, you'll have to be sure to solve the HTTP and TLS-ALPN challenges yourself (unless you disabled them or use the DNS challenge) by using the provided Config.GetCertificate function in your tls.Config and/or Config.HTTPChallangeHandler in your HTTP handler.

See the package's README for more instruction.

Index

Examples

Constants

View Source 
const (
	// HTTPChallengePort is the officially-designated port for
	// the HTTP challenge according to the ACME spec.
	HTTPChallengePort = 80

	// TLSALPNChallengePort is the officially-designated port for
	// the TLS-ALPN challenge according to the ACME spec.
	TLSALPNChallengePort = 443
)
View Source 
const (
	LetsEncryptStagingCA    = "https://acme-staging-v02.api.letsencrypt.org/directory"
	LetsEncryptProductionCA = "https://acme-v02.api.letsencrypt.org/directory"
)

Some well-known CA endpoints available to use.

View Source 
const (
	// DefaultRenewCheckInterval is how often to check certificates for renewal.
	DefaultRenewCheckInterval = 12 * time.Hour

	// DefaultRenewDurationBefore is how long before expiration to renew certificates.
	DefaultRenewDurationBefore = (24 * time.Hour) * 30

	// DefaultOCSPCheckInterval is how often to check if OCSP stapling needs updating.
	DefaultOCSPCheckInterval = 1 * time.Hour
)

Variables

View Source 
var (
	// HTTPPort is the port on which to serve HTTP
	// and, by extension, the HTTP challenge (unless
	// Default.AltHTTPPort is set).
	HTTPPort = 80

	// HTTPSPort is the port on which to serve HTTPS
	// and, by extension, the TLS-ALPN challenge
	// (unless Default.AltTLSALPNPort is set).
	HTTPSPort = 443
)

Port variables must remain their defaults unless you forward packets from the defaults to whatever these are set to; otherwise ACME challenges will fail.

View Source 
var (

	// RateLimitOrders is how many new ACME orders can
	// be made per account in RateLimitNewOrdersWindow.
	RateLimitOrders = 300

	// RateLimitOrdersWindow is the size of the sliding
	// window that throttles new ACME orders.
	RateLimitOrdersWindow = 3 * time.Hour
)

The following rate limits were chosen with respect to Let's Encrypt's rate limits as of 2019: https://letsencrypt.org/docs/rate-limits/

View Source 
var (
	UserAgent   string
	HTTPTimeout = 30 * time.Second
)

Some default values passed down to the underlying lego client.

View Source 
var Default = Config{
	CA:                  LetsEncryptProductionCA,
	RenewDurationBefore: DefaultRenewDurationBefore,
	KeyType:             certcrypto.EC256,
	Storage:             defaultFileStorage,
}

Default contains the package defaults for the various Config fields. This is used as a template when creating your own Configs with New(), and it is also used as the Config by all the high-level functions in this package.

The fields of this value will be used for Config fields which are unset. Feel free to modify these defaults, but do not use this Config by itself: it is only a template. Valid configurations can be obtained by calling New() (if you have your own certificate cache) or NewDefault() (if you only need a single config and want to use the default cache). This is the only Config which can access the default certificate cache.

Functions

func CleanStorage 

func CleanStorage(storage Storage, opts CleanStorageOptions)

CleanStorage removes assets which are no longer useful, according to opts.

func CleanUpOwnLocks 

func CleanUpOwnLocks()

CleanUpOwnLocks immediately cleans up all current locks obtained by this process. Since this does not cancel the operations that the locks are synchronizing, this should be called only immediately before process exit. TODO: have a way to properly cancel the active operations

func HTTPS 

func HTTPS(domainNames []string, mux http.Handler) error

HTTPS serves mux for all domainNames using the HTTP and HTTPS ports, redirecting all HTTP requests to HTTPS. It uses the Default config.

This high-level convenience function is opinionated and applies sane defaults for production use, including timeouts for HTTP requests and responses. To allow very long-lived connections, you should make your own http.Server values and use this package's Listen(), TLS(), or Config.TLSConfig() functions to customize to your needs. For example, servers which need to support large uploads or downloads with slow clients may need to use longer timeouts, thus this function is not suitable.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

Example

This is the simplest way for HTTP servers to use this package. Call HTTPS() with your domain names and your handler (or nil for the http.DefaultMux), and CertMagic will do the rest. 

http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
	fmt.Fprintf(w, "Hello, HTTPS visitor!")
})

err := HTTPS([]string{"example.com", "www.example.com"}, nil)
if err != nil {
	log.Fatal(err)
}

Output:

func HostQualifies 

func HostQualifies(hostname string) bool

HostQualifies returns true if the hostname alone appears eligible for automagic TLS. For example: localhost, empty hostname, and IP addresses are not eligible because we cannot obtain certificates for those names. Wildcard names are allowed, as long as they conform to CABF requirements (only one wildcard label, and it must be the left-most label). Names with certain special characters that are commonly accidental are also rejected.

func Listen 

func Listen(domainNames []string) (net.Listener, error)

Listen manages certificates for domainName and returns a TLS listener. It uses the Default config.

Because this convenience function returns only a TLS-enabled listener and does not presume HTTP is also being served, the HTTP challenge will be disabled. The package variable Default is modified so that the HTTP challenge is disabled.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func LooksLikeHTTPChallenge 

func LooksLikeHTTPChallenge(r *http.Request) bool

LooksLikeHTTPChallenge returns true if r looks like an ACME HTTP challenge request from an ACME server.

func ManageAsync 

func ManageAsync(ctx context.Context, domainNames []string) error

ManageAsync is the same as ManageSync, except that certificates are managed asynchronously. This means that the function will return before certificates are ready, and errors that occur during certificate obtain or renew operations are only logged. It is vital that you monitor the logs if using this method, which is only recommended for automated/non-interactive environments.

func ManageSync 

func ManageSync(domainNames []string) error

ManageSync obtains certificates for domainNames and keeps them renewed using the Default config.

This is a slightly lower-level function; you will need to wire up support for the ACME challenges yourself. You can obtain a Config to help you do that by calling NewDefault().

You will need to ensure that you use a TLS config that gets certificates from this Config and that the HTTP and TLS-ALPN challenges can be solved. The easiest way to do this is to use NewDefault().TLSConfig() as your TLS config and to wrap your HTTP handler with NewDefault().HTTPChallengeHandler(). If you don't have an HTTP server, you will need to disable the HTTP challenge.

If you already have a TLS config you want to use, you can simply set its GetCertificate field to NewDefault().GetCertificate.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

func NormalizedName 

func NormalizedName(serverName string) string

NormalizedName returns a cleaned form of serverName that is used for consistency when referring to a SNI value.

func TLS 

func TLS(domainNames []string) (*tls.Config, error)

TLS enables management of certificates for domainNames and returns a valid tls.Config. It uses the Default config.

Because this is a convenience function that returns only a tls.Config, it does not assume HTTP is being served on the HTTP port, so the HTTP challenge is disabled (no HTTPChallengeHandler is necessary). The package variable Default is modified so that the HTTP challenge is disabled.

Calling this function signifies your acceptance to the CA's Subscriber Agreement and/or Terms of Service.

Types

type Cache 

type Cache struct {
	// contains filtered or unexported fields
}

Cache is a structure that stores certificates in memory. A Cache indexes certificates by name for quick access during TLS handshakes, and avoids duplicating certificates in memory. Generally, there should only be one per process. However, that is not a strict requirement; but using more than one is a code smell, and may indicate an over-engineered design.

An empty cache is INVALID and must not be used. Be sure to call NewCache to get a valid value.

These should be very long-lived values and must not be copied. Before all references leave scope to be garbage collected, ensure you call Stop() to stop maintenance on the certificates stored in this cache and release locks.

Caches are not usually manipulated directly; create a Config value with a pointer to a Cache, and then use the Config to interact with the cache. Caches are agnostic of any particular storage or ACME config, since each certificate may be managed and stored differently.

func NewCache 

func NewCache(opts CacheOptions) *Cache

NewCache returns a new, valid Cache for efficiently accessing certificates in memory. It also begins a maintenance goroutine to tend to the certificates in the cache. Call Stop() when you are done with the cache so it can clean up locks and stuff.

Most users of this package will not need to call this because a default certificate cache is created for you. Only advanced use cases require creating a new cache.

This function panics if opts.GetConfigForCert is not set. The reason is that a cache absolutely needs to be able to get a Config with which to manage TLS assets, and it is not safe to assume that the Default config is always the correct one, since you have created the cache yourself.

See the godoc for Cache to use it properly. When no longer needed, caches should be stopped with Stop() to clean up resources even if the process is being terminated, so that it can clean up any locks for other processes to unblock!

func (*Cache) AllMatchingCertificates 

func (certCache *Cache) AllMatchingCertificates(name string) []Certificate

AllMatchingCertificates returns a list of all certificates that could be used to serve the given SNI name, including exact SAN matches and wildcard matches.

func (*Cache) RenewManagedCertificates 

func (certCache *Cache) RenewManagedCertificates() error

RenewManagedCertificates renews managed certificates, including ones loaded on-demand. Note that this is done automatically on a regular basis; normally you will not need to call this. This method assumes non-interactive mode (i.e. operating in the background).

func (*Cache) Stop 

func (certCache *Cache) Stop()

Stop stops the maintenance goroutine for certificates in certCache. It blocks until stopping is complete. Once a cache is stopped, it cannot be reused.

type CacheOptions 

type CacheOptions struct {
	// REQUIRED. A function that returns a configuration
	// used for managing a certificate, or for accessing
	// that certificate's asset storage (e.g. for
	// OCSP staples, etc). The returned Config MUST
	// be associated with the same Cache as the caller.
	//
	// The reason this is a callback function, dynamically
	// returning a Config (instead of attaching a static
	// pointer to a Config on each certificate) is because
	// the config for how to manage a domain's certificate
	// might change from maintenance to maintenance. The
	// cache is so long-lived, we cannot assume that the
	// host's situation will always be the same; e.g. the
	// certificate might switch DNS providers, so the DNS
	// challenge (if used) would need to be adjusted from
	// the last time it was run ~8 weeks ago.
	GetConfigForCert ConfigGetter

	// How often to check certificates for renewal;
	// if unset, DefaultOCSPCheckInterval will be used.
	OCSPCheckInterval time.Duration

	// How often to check certificates for renewal;
	// if unset, DefaultRenewCheckInterval will be used.
	RenewCheckInterval time.Duration
}

CacheOptions is used to configure certificate caches. Once a cache has been created with certain options, those settings cannot be changed.

type CertMetadata 

type CertMetadata struct {
	Tags               []string // user-provided and arbitrary
	Subject            pkix.Name
	SerialNumber       *big.Int
	PublicKeyAlgorithm x509.PublicKeyAlgorithm
}

CertMetadata is data extracted from a parsed x509 certificate which is purely optional but can be useful when selecting which certificate to use if multiple match a ClientHello's ServerName. The more fields we add to this struct, the more memory use will increase at scale with large numbers of certificates in the cache.

func (CertMetadata) HasTag 

func (cm CertMetadata) HasTag(tag string) bool

HasTag returns true if cm.Tags has tag.

type Certificate 

type Certificate struct {
	tls.Certificate

	// Names is the list of names this certificate is written for.
	// The first is the CommonName (if any), the rest are SAN.
	Names []string

	// NotAfter is when the certificate expires.
	NotAfter time.Time

	// These fields are extracted to here mainly for custom
	// selection logic, which is optional; callers may wish
	// to use this information to choose a certificate when
	// more than one match the ClientHello
	CertMetadata
	// contains filtered or unexported fields
}

Certificate is a tls.Certificate with associated metadata tacked on. Even if the metadata can be obtained by parsing the certificate, we are more efficient by extracting the metadata onto this struct, but at the cost of slightly higher memory use.

func (Certificate) NeedsRenewal 

func (cert Certificate) NeedsRenewal(cfg *Config) bool

NeedsRenewal returns true if the certificate is expiring soon (according to cfg) or has expired.

type CertificateSelector 

type CertificateSelector interface {
	SelectCertificate(*tls.ClientHelloInfo, []Certificate) (Certificate, error)
}

CertificateSelector is a type which can select a certificate to use given multiple choices.

type CleanStorageOptions 

type CleanStorageOptions struct {
	OCSPStaples            bool
	ExpiredCerts           bool
	ExpiredCertGracePeriod time.Duration
}

CleanStorageOptions specifies how to clean up a storage unit.

type Config 

type Config struct {
	// The endpoint of the directory for the ACME
	// CA we are to use
	CA string

	// The email address to use when creating or
	// selecting an existing ACME server account
	Email string

	// Set to true if agreed to the CA's
	// subscriber agreement
	Agreed bool

	// Disable all HTTP challenges
	DisableHTTPChallenge bool

	// Disable all TLS-ALPN challenges
	DisableTLSALPNChallenge bool

	// How long before expiration to renew certificates
	RenewDurationBefore time.Duration

	// An optional event callback clients can set
	// to subscribe to certain things happening
	// internally by this config; invocations are
	// synchronous, so make them return quickly!
	OnEvent func(event string, data interface{})

	// The host (ONLY the host, not port) to listen
	// on if necessary to start a listener to solve
	// an ACME challenge
	ListenHost string

	// The alternate port to use for the ACME HTTP
	// challenge; if non-empty, this port will be
	// used instead of HTTPChallengePort to spin up
	// a listener for the HTTP challenge
	AltHTTPPort int

	// The alternate port to use for the ACME
	// TLS-ALPN challenge; the system must forward
	// TLSALPNChallengePort to this port for
	// challenge to succeed
	AltTLSALPNPort int

	// The DNS provider to use when solving the
	// ACME DNS challenge
	DNSProvider challenge.Provider

	// The ChallengeOption struct to provide
	// custom precheck or name resolution options
	// for DNS challenge validation and execution
	DNSChallengeOption dns01.ChallengeOption

	// The type of key to use when generating
	// certificates
	KeyType certcrypto.KeyType

	// The maximum amount of time to allow for
	// obtaining a certificate. If empty, the
	// default from the underlying lego lib is
	// used. If set, it must not be too low so
	// as to cancel orders too early, running
	// the risk of rate limiting.
	CertObtainTimeout time.Duration

	// DefaultServerName specifies a server name
	// to use when choosing a certificate if the
	// ClientHello's ServerName field is empty
	DefaultServerName string

	// The state needed to operate on-demand TLS;
	// if non-nil, on-demand TLS is enabled and
	// certificate operations are deferred to
	// TLS handshakes (or as-needed)
	OnDemand *OnDemandConfig

	// Add the must staple TLS extension to the
	// CSR generated by lego/acme
	MustStaple     bool
	PreferredChain string

	// The storage to access when storing or
	// loading TLS assets
	Storage Storage

	// NewManager returns a new Manager. If nil,
	// an ACME client will be created and used.
	NewManager func(interactive bool) (Manager, error)

	// CertSelection chooses one of the certificates
	// with which the ClientHello will be completed.
	// If not set, the first matching certificate
	// will be used.
	CertSelection CertificateSelector

	// TrustedRoots specifies a pool of root CA
	// certificates to trust when communicating
	// over a network to a peer.
	TrustedRoots *x509.CertPool
	// contains filtered or unexported fields
}

Config configures a certificate manager instance. An empty Config is not valid: use New() to obtain a valid Config.

func New 

func New(certCache *Cache, cfg Config) *Config

New makes a new, valid config based on cfg and uses the provided certificate cache. certCache MUST NOT be nil or this function will panic.

Use this method when you have an advanced use case that requires a custom certificate cache and config that may differ from the Default. For example, if not all certificates are managed/renewed the same way, you need to make your own Cache value with a GetConfigForCert callback that returns the correct configuration for each certificate. However, for the vast majority of cases, there will be only a single Config, thus the default cache (which always uses the default Config) and default config will suffice, and you should use New() instead.

func NewDefault 

func NewDefault() *Config

NewDefault makes a valid config based on the package Default config. Most users will call this function instead of New() since most use cases require only a single config for any and all certificates.

If your requirements are more advanced (for example, multiple configs depending on the certificate), then use New() instead. (You will need to make your own Cache first.) If you only need a single Config to manage your certs (even if that config changes, as long as it is the only one), customize the Default package variable before calling NewDefault().

All calls to NewDefault() will return configs that use the same, default certificate cache. All configs returned by NewDefault() are based on the values of the fields of Default at the time it is called.

func (*Config) CacheManagedCertificate 

func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error)

CacheManagedCertificate loads the certificate for domain into the cache, from the TLS storage for managed certificates. It returns a copy of the Certificate that was put into the cache.

This is a lower-level method; normally you'll call Manage() instead.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedCertificatePEMBytes 

func (cfg *Config) CacheUnmanagedCertificatePEMBytes(certBytes, keyBytes []byte, tags []string) error

CacheUnmanagedCertificatePEMBytes makes a certificate out of the PEM bytes of the certificate and key, then caches it in memory.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedCertificatePEMFile 

func (cfg *Config) CacheUnmanagedCertificatePEMFile(certFile, keyFile string, tags []string) error

CacheUnmanagedCertificatePEMFile loads a certificate for host using certFile and keyFile, which must be in PEM format. It stores the certificate in the in-memory cache.

This method is safe for concurrent use.

func (*Config) CacheUnmanagedTLSCertificate 

func (cfg *Config) CacheUnmanagedTLSCertificate(tlsCert tls.Certificate, tags []string) error

CacheUnmanagedTLSCertificate adds tlsCert to the certificate cache. It staples OCSP if possible.

This method is safe for concurrent use.

func (*Config) GetCertificate 

func (cfg *Config) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error)

GetCertificate gets a certificate to satisfy clientHello. In getting the certificate, it abides the rules and settings defined in the Config that matches clientHello.ServerName. It first checks the in- memory cache, then, if the config enables "OnDemand", it accesses disk, then accesses the network if it must obtain a new certificate via ACME.

This method is safe for use as a tls.Config.GetCertificate callback.

func (*Config) HTTPChallengeHandler 

func (cfg *Config) HTTPChallengeHandler(h http.Handler) http.Handler

HTTPChallengeHandler wraps h in a handler that can solve the ACME HTTP challenge. cfg is required, and it must have a certificate cache backed by a functional storage facility, since that is where the challenge state is stored between initiation and solution.

If a request is not an ACME HTTP challenge, h willl be invoked.

func (*Config) HandleHTTPChallenge 

func (cfg *Config) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool

HandleHTTPChallenge uses cfg to solve challenge requests from an ACME server that were initiated by this instance or any other instance in this cluster (being, any instances using the same storage cfg does).

If the HTTP challenge is disabled, this function is a no-op.

If cfg is nil or if cfg does not have a certificate cache backed by usable storage, solving the HTTP challenge will fail.

It returns true if it handled the request; if so, the response has already been written. If false is returned, this call was a no-op and the request has not been handled.

func (*Config) ManageAsync 

func (cfg *Config) ManageAsync(ctx context.Context, domainNames []string) error

ManageAsync is the same as ManageSync, except that ACME operations are performed asynchronously (in the background). This method returns before certificates are ready. It is crucial that the administrator monitors the logs and is notified of any errors so that corrective action can be taken as soon as possible. Any errors returned from this method occurred before ACME transactions started.

As long as logs are monitored, this method is typically recommended for non-interactive environments.

If there are failures loading, obtaining, or renewing a certificate, it will be retried with exponential backoff for up to about 1 day, with a maximum interval of about 1 hour. Cancelling ctx will cancel retries and shut down any goroutines spawned by ManageAsync.

func (*Config) ManageSync 

func (cfg *Config) ManageSync(domainNames []string) error

ManageSync causes the certificates for domainNames to be managed according to cfg. If cfg.OnDemand is not nil, then this simply whitelists the domain names and defers the certificate operations to when they are needed. Otherwise, the certificates for each name are loaded from storage or obtained from the CA. If loaded from storage, they are renewed if they are expiring or expired. It then caches the certificate in memory and is prepared to serve them up during TLS handshakes.

Note that name whitelisting for on-demand management only takes effect if cfg.OnDemand.DecisionFunc is not set (is nil); it will not overwrite an existing DecisionFunc, nor will it overwrite its decision; i.e. the implicit whitelist is only used if no DecisionFunc is set.

This method is synchronous, meaning that certificates for all domainNames must be successfully obtained (or renewed) before it returns. It returns immediately on the first error for any of the given domainNames. This behavior is recommended for interactive use (i.e. when an administrator is present) so that errors can be reported and fixed immediately.

func (*Config) ObtainCert 

func (cfg *Config) ObtainCert(name string, interactive bool) error

ObtainCert obtains a certificate for name using cfg, as long as a certificate does not already exist in storage for that name. The name must qualify and cfg must be flagged as Managed. This function is a no-op if storage already has a certificate for name.

It only obtains and stores certificates (and their keys), it does not load them into memory. If interactive is true, the user may be shown a prompt.

func (*Config) RenewCert 

func (cfg *Config) RenewCert(name string, interactive bool) error

RenewCert renews the certificate for name using cfg. It stows the renewed certificate and its assets in storage if successful.

func (*Config) RevokeCert 

func (cfg *Config) RevokeCert(domain string, interactive bool) error

RevokeCert revokes the certificate for domain via ACME protocol.

func (*Config) TLSConfig 

func (cfg *Config) TLSConfig() *tls.Config

TLSConfig is an opinionated method that returns a recommended, modern TLS configuration that can be used to configure TLS listeners, which also supports the TLS-ALPN challenge and serves up certificates managed by cfg.

Unlike the package TLS() function, this method does not, by itself, enable certificate management for any domain names.

Feel free to further customize the returned tls.Config, but do not mess with the GetCertificate or NextProtos fields unless you know what you're doing, as they're necessary to solve the TLS-ALPN challenge.

type ConfigGetter 

type ConfigGetter func(Certificate) (Config, error)

ConfigGetter is a function that returns a config that should be used when managing the given certificate or its assets.

type ErrNotExist 

type ErrNotExist interface {
	error
}

ErrNotExist is returned by Storage implementations when a resource is not found. It is similar to os.IsNotExist except this is a type, not a variable.

type FileStorage 

type FileStorage struct {
	Path string
}

FileStorage facilitates forming file paths derived from a root directory. It is used to get file paths in a consistent, cross-platform way or persisting ACME assets on the file system.

func (*FileStorage) Delete 

func (fs *FileStorage) Delete(key string) error

Delete deletes the value at key.

func (*FileStorage) Exists 

func (fs *FileStorage) Exists(key string) bool

Exists returns true if key exists in fs.

func (*FileStorage) Filename 

func (fs *FileStorage) Filename(key string) string

Filename returns the key as a path on the file system prefixed by fs.Path.

func (*FileStorage) List 

func (fs *FileStorage) List(prefix string, recursive bool) ([]string, error)

List returns all keys that match prefix.

func (*FileStorage) Load 

func (fs *FileStorage) Load(key string) ([]byte, error)

Load retrieves the value at key.

func (*FileStorage) Lock 

func (fs *FileStorage) Lock(key string) error

Lock obtains a lock named by the given key. It blocks until the lock can be obtained or an error is returned.

func (*FileStorage) Stat 

func (fs *FileStorage) Stat(key string) (KeyInfo, error)

Stat returns information about key.

func (*FileStorage) Store 

func (fs *FileStorage) Store(key string, value []byte) error

Store saves value at key.

func (*FileStorage) String 

func (fs *FileStorage) String() string

func (*FileStorage) Unlock 

func (fs *FileStorage) Unlock(key string) error

Unlock releases the lock for name.

type KeyBuilder 

type KeyBuilder struct{}

KeyBuilder provides a namespace for methods that build keys and key prefixes, for addressing items in a Storage implementation. 

var StorageKeys KeyBuilder

StorageKeys provides methods for accessing keys and key prefixes for items in a Storage. Typically, you will not need to use this because accessing storage is abstracted away for most cases. Only use this if you need to directly access TLS assets in your application.

func (KeyBuilder) CAPrefix 

func (keys KeyBuilder) CAPrefix(ca string) string

CAPrefix returns the storage key prefix for the given certificate authority URL.

func (KeyBuilder) OCSPStaple 

func (keys KeyBuilder) OCSPStaple(cert *Certificate, pemBundle []byte) string

OCSPStaple returns a key for the OCSP staple associated with the given certificate. If you have the PEM bundle handy, pass that in to save an extra encoding step.

func (KeyBuilder) Safe 

func (keys KeyBuilder) Safe(str string) string

Safe standardizes and sanitizes str for use as a storage key. This method is idempotent.

func (KeyBuilder) SiteCert 

func (keys KeyBuilder) SiteCert(ca, domain string) string

SiteCert returns the path to the certificate file for domain.

func (KeyBuilder) SiteMeta 

func (keys KeyBuilder) SiteMeta(ca, domain string) string

SiteMeta returns the path to the domain's asset metadata file.

func (KeyBuilder) SitePrefix 

func (keys KeyBuilder) SitePrefix(ca, domain string) string

SitePrefix returns a key prefix for items associated with the site using the given CA URL.

func (KeyBuilder) SitePrivateKey 

func (keys KeyBuilder) SitePrivateKey(ca, domain string) string

SitePrivateKey returns the path to domain's private key file.

func (KeyBuilder) UserPrefix 

func (keys KeyBuilder) UserPrefix(ca, email string) string

UserPrefix returns a key prefix for items related to the user with the given email for the given CA URL.

func (KeyBuilder) UserPrivateKey 

func (keys KeyBuilder) UserPrivateKey(ca, email string) string

UserPrivateKey gets the path to the private key file for the user with the given email address on the given CA URL.

func (KeyBuilder) UserReg 

func (keys KeyBuilder) UserReg(ca, email string) string

UserReg gets the path to the registration file for the user with the given email address for the given CA URL.

func (KeyBuilder) UsersPrefix 

func (keys KeyBuilder) UsersPrefix(ca string) string

UsersPrefix returns a key prefix for items related to users associated with the given CA URL.

type KeyInfo 

type KeyInfo struct {
	Key        string
	Modified   time.Time
	Size       int64
	IsTerminal bool // false for keys that only contain other keys (like directories)
}

KeyInfo holds information about a key in storage.

type Locker 

type Locker interface {
	// Lock acquires the lock for key, blocking until the lock
	// can be obtained or an error is returned. Note that, even
	// after acquiring a lock, an idempotent operation may have
	// already been performed by another process that acquired
	// the lock before - so always check to make sure idempotent
	// operations still need to be performed after acquiring the
	// lock.
	//
	// The actual implementation of obtaining of a lock must be
	// an atomic operation so that multiple Lock calls at the
	// same time always results in only one caller receiving the
	// lock at any given time.
	//
	// To prevent deadlocks, all implementations (where this concern
	// is relevant) should put a reasonable expiration on the lock in
	// case Unlock is unable to be called due to some sort of network
	// or system failure or crash.
	Lock(key string) error

	// Unlock releases the lock for key. This method must ONLY be
	// called after a successful call to Lock, and only after the
	// critical section is finished, even if it errored or timed
	// out. Unlock cleans up any resources allocated during Lock.
	Unlock(key string) error
}

Locker facilitates synchronization of certificate tasks across machines and networks.

type Manager 

type Manager interface {
	Obtain(name string) error
	Renew(name string) error
	Revoke(name string) error
}

Manager is a type that can manage a certificate. They are usually very short-lived.

type OnDemandConfig 

type OnDemandConfig struct {
	// If set, this function will be called to determine
	// whether a certificate can be obtained or renewed
	// for the given name. If an error is returned, the
	// request will be denied.
	DecisionFunc func(name string) error
	// contains filtered or unexported fields
}

OnDemandConfig configures on-demand TLS (certificate operations as-needed, like during TLS handshakes, rather than immediately).

When this package's high-level convenience functions are used (HTTPS, Manage, etc., where the Default config is used as a template), this struct regulates certificate operations using an implicit whitelist containing the names passed into those functions if no DecisionFunc is set. This ensures some degree of control by default to avoid certificate operations for aribtrary domain names. To override this whitelist, manually specify a DecisionFunc. To impose rate limits, specify your own DecisionFunc.

type RingBufferRateLimiter 

type RingBufferRateLimiter struct {
	// contains filtered or unexported fields
}

RingBufferRateLimiter uses a ring to enforce rate limits consisting of a maximum number of events within a single sliding window of a given duration. An empty value is not valid; use NewRateLimiter to get one.

func NewRateLimiter 

func NewRateLimiter(maxEvents int, window time.Duration) *RingBufferRateLimiter

NewRateLimiter returns a rate limiter that allows up to maxEvents in a sliding window of size window. If maxEvents and window are both 0, or if maxEvents is non-zero and window is 0, rate limiting is disabled. If maxEvents is 0 but the window is non-zero, it is impossible to make reservations, so Allow() will always return false and Wait() will panic (instead of blocking forever). This function panics if maxEvents is less than 0.

func (*RingBufferRateLimiter) Allow 

func (r *RingBufferRateLimiter) Allow() bool

Allow returns true if the event is allowed to happen right now. It does not wait. If the event is allowed, a reservation is made.

func (*RingBufferRateLimiter) MaxEvents 

func (r *RingBufferRateLimiter) MaxEvents() int

MaxEvents returns the maximum number of events that are allowed within the sliding window.

func (*RingBufferRateLimiter) SetMaxEvents 

func (r *RingBufferRateLimiter) SetMaxEvents(maxEvents int)

SetMaxEvents changes the maximum number of events that are allowed in the sliding window. If the new limit is lower, the oldest events will be forgotten. If the new limit is higher, the window will suddenly have capacity for new reservations.

func (*RingBufferRateLimiter) SetWindow 

func (r *RingBufferRateLimiter) SetWindow(window time.Duration)

SetWindow changes r's sliding window duration to window. Goroutines that are already blocked on a call to Wait() will not be affected.

func (*RingBufferRateLimiter) Wait 

func (r *RingBufferRateLimiter) Wait()

Wait makes a reservation then blocks until the event is allowed to occur. It panics if maxEvents is 0 but the window is non-zero, because Wait would only be able to block forever in that case.

func (*RingBufferRateLimiter) Window 

func (r *RingBufferRateLimiter) Window() time.Duration

Window returns the size of the sliding window.

type Storage 

type Storage interface {
	// Locker provides atomic synchronization
	// operations, making Storage safe to share.
	Locker

	// Store puts value at key.
	Store(key string, value []byte) error

	// Load retrieves the value at key.
	Load(key string) ([]byte, error)

	// Delete deletes key.
	Delete(key string) error

	// Exists returns true if the key exists
	// and there was no error checking.
	Exists(key string) bool

	// List returns all keys that match prefix.
	// If recursive is true, non-terminal keys
	// will be enumerated (i.e. "directories"
	// should be walked); otherwise, only keys
	// prefixed exactly by prefix will be listed.
	List(prefix string, recursive bool) ([]string, error)

	// Stat returns information about key.
	Stat(key string) (KeyInfo, error)
}

Storage is a type that implements a key-value store. Keys are prefix-based, with forward slash '/' as separators and without a leading slash.

Processes running in a cluster will wish to use the same Storage value (its implementation and configuration) in order to share certificates and other TLS resources with the cluster.

Implementations of Storage must be safe for concurrent use.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.