caddytls

package
v2.0.0-beta11 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 23, 2019 License: Apache-2.0 Imports: 25 Imported by: 55

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var SupportedCipherSuites = map[string]uint16{
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	"TLS_RSA_WITH_AES_128_GCM_SHA256":               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_RSA_WITH_AES_256_GCM_SHA384":               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_RSA_WITH_AES_256_CBC_SHA":                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
	"TLS_RSA_WITH_AES_128_CBC_SHA256":               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
	"TLS_RSA_WITH_AES_128_CBC_SHA":                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA":           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}

SupportedCipherSuites is the unordered map of cipher suite string names to their definition in crypto/tls. All values should be IANA-reserved names. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Two of the cipher suite constants in the standard lib do not use the full IANA name, but we do; see: https://github.com/golang/go/issues/32061 and https://github.com/golang/go/issues/30325#issuecomment-512862374. TODO: might not be needed much longer: https://github.com/golang/go/issues/30325

View Source 
var SupportedCurves = map[string]tls.CurveID{

	"x25519": tls.X25519,
	"p256":   tls.CurveP256,
	"p384":   tls.CurveP384,
	"p521":   tls.CurveP521,
}

SupportedCurves is the unordered map of supported curves. https://golang.org/pkg/crypto/tls/#CurveID

View Source 
var SupportedProtocols = map[string]uint16{
	"tls1.2": tls.VersionTLS12,
	"tls1.3": tls.VersionTLS13,
}

SupportedProtocols is a map of supported protocols.

Functions

This section is empty.

Types

type ACMEManagerMaker 

type ACMEManagerMaker struct {
	// The URL to the CA's ACME directory endpoint.
	CA string `json:"ca,omitempty"`

	// Your email address, so the CA can contact you if necessary.
	// Not required, but strongly recommended to provide one so
	// you can be reached if there is a problem. Your email is
	// not sent to any Caddy mothership or used for any purpose
	// other than ACME transactions.
	Email string `json:"email,omitempty"`

	// How long before a certificate's expiration to try renewing it.
	// Should usually be about 1/3 of certificate lifetime, but long
	// enough to give yourself time to troubleshoot problems before
	// expiration. Default: 30d
	RenewAhead caddy.Duration `json:"renew_ahead,omitempty"`

	// The type of key to generate for the certificate.
	// Supported values: `rsa2048`, `rsa4096`, `p256`, `p384`.
	KeyType string `json:"key_type,omitempty"`

	// Time to wait before timing out an ACME operation.
	ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"`

	// If true, certificates will be requested with MustStaple. Not all
	// CAs support this, and there are potentially serious consequences
	// of enabling this feature without proper threat modeling.
	MustStaple bool `json:"must_staple,omitempty"`

	// Configures the various ACME challenge types.
	Challenges *ChallengesConfig `json:"challenges,omitempty"`

	// If true, certificates will be managed "on demand", that is, during
	// TLS handshakes or when needed, as opposed to at startup or config
	// load.
	OnDemand bool `json:"on_demand,omitempty"`

	// Optionally configure a separate storage module associated with this
	// manager, instead of using Caddy's global/default-configured storage.
	Storage json.RawMessage `json:"storage,omitempty"`

	// An array of files of CA certificates to accept when connecting to the
	// ACME CA. Generally, you should only use this if the ACME CA endpoint
	// is internal or for development/testing purposes.
	TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
	// contains filtered or unexported fields
}

ACMEManagerMaker makes an ACME manager for managing certificates using ACME. If crafting one manually rather than through the config-unmarshal process (provisioning), be sure to call SetDefaults to ensure sane defaults after you have configured this struct to your liking.

func (ACMEManagerMaker) CaddyModule 

func (ACMEManagerMaker) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (ACMEManagerMaker) NewManager 

func (m ACMEManagerMaker) NewManager(interactive bool) (certmagic.Manager, error)

NewManager is a no-op to satisfy the ManagerMaker interface, because this manager type is a special case.

func (*ACMEManagerMaker) Provision 

func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error

Provision sets up m.

type AutomateLoader 

type AutomateLoader []string

AutomateLoader is a no-op certificate loader module that is treated as a special case: it uses this app's automation features to load certificates for the list of hostnames, rather than loading certificates manually.

func (AutomateLoader) CaddyModule 

func (AutomateLoader) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

type AutomationConfig 

type AutomationConfig struct {
	// The list of automation policies. The first matching
	// policy will be applied for a given certificate/name.
	Policies []AutomationPolicy `json:"policies,omitempty"`

	// On-Demand TLS defers certificate operations to the
	// moment they are needed, e.g. during a TLS handshake.
	// Useful when you don't know all the hostnames up front.
	// Caddy was the first web server to deploy this technology.
	OnDemand *OnDemandConfig `json:"on_demand,omitempty"`

	// Caddy staples OCSP (and caches the response) for all
	// qualifying certificates by default. This setting
	// changes how often it scans responses for freshness,
	// and updates them if they are getting stale.
	OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"`

	// Every so often, Caddy will scan all loaded, managed
	// certificates for expiration. Certificates which are
	// about 2/3 into their valid lifetime are due for
	// renewal. This setting changes how frequently the scan
	// is performed. If your certificate lifetimes are very
	// short (less than ~1 week), you should customize this.
	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
}

AutomationConfig designates configuration for the construction and use of ACME clients.

type AutomationPolicy 

type AutomationPolicy struct {
	// Which hostnames this policy applies to.
	Hosts []string `json:"hosts,omitempty"`

	// How to manage certificates.
	ManagementRaw json.RawMessage `json:"management,omitempty" caddy:"namespace=tls.management inline_key=module"`

	// If true, certificate management will be conducted
	// in the foreground; this will block config reloads
	// and return errors if there were problems with
	// obtaining or renewing certificates. This is often
	// not desirable, especially when serving sites out
	// of your control. Default: false
	ManageSync bool `json:"manage_sync,omitempty"`

	Management ManagerMaker `json:"-"`
}

AutomationPolicy designates the policy for automating the management (obtaining, renewal, and revocation) of managed TLS certificates.

type CertKeyFilePair 

type CertKeyFilePair struct {
	// Path to the certificate (public key) file.
	Certificate string `json:"certificate"`

	// Path to the private key file.
	Key string `json:"key"`

	// The format of the cert and key. Can be "pem". Default: "pem"
	Format string `json:"format,omitempty"`

	// Arbitrary values to associate with this certificate.
	// Can be useful when you want to select a particular
	// certificate when there may be multiple valid candidates.
	Tags []string `json:"tags,omitempty"`
}

CertKeyFilePair pairs certificate and key file names along with their encoding format so that they can be loaded from disk.

type CertKeyPEMPair 

type CertKeyPEMPair struct {
	// The certificate (public key) in PEM format.
	CertificatePEM string `json:"certificate"`

	// The private key in PEM format.
	KeyPEM string `json:"key"`

	// Arbitrary values to associate with this certificate.
	// Can be useful when you want to select a particular
	// certificate when there may be multiple valid candidates.
	Tags []string `json:"tags,omitempty"`
}

CertKeyPEMPair pairs certificate and key PEM blocks.

type Certificate 

type Certificate struct {
	tls.Certificate
	Tags []string
}

Certificate is a TLS certificate, optionally associated with arbitrary tags.

type CertificateLoader 

type CertificateLoader interface {
	LoadCertificates() ([]Certificate, error)
}

CertificateLoader is a type that can load certificates. Certificates can optionally be associated with tags.

type ChallengesConfig 

type ChallengesConfig struct {
	// HTTP configures the ACME HTTP challenge. This
	// challenge is enabled and used automatically
	// and by default.
	HTTP *HTTPChallengeConfig `json:"http,omitempty"`

	// TLSALPN configures the ACME TLS-ALPN challenge.
	// This challenge is enabled and used automatically
	// and by default.
	TLSALPN *TLSALPNChallengeConfig `json:"tls-alpn,omitempty"`

	// Configures the ACME DNS challenge. Because this
	// challenge typically requires credentials for
	// interfacing with a DNS provider, this challenge is
	// not enabled by default. This is the only challenge
	// type which does not require a direct connection
	// to Caddy from an external server.
	DNSRaw json.RawMessage `json:"dns,omitempty" caddy:"namespace=tls.dns inline_key=provider"`

	DNS challenge.Provider `json:"-"`
}

ChallengesConfig configures the ACME challenges.

type ClientAuthentication 

type ClientAuthentication struct {
	// A list of base64 DER-encoded CA certificates
	// against which to validate client certificates.
	// Client certs which are not signed by any of
	// these CAs will be rejected.
	TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`

	// A list of base64 DER-encoded client leaf certs
	// to accept. If this list is not empty, client certs
	// which are not in this list will be rejected.
	TrustedLeafCerts []string `json:"trusted_leaf_certs,omitempty"`
	// contains filtered or unexported fields
}

ClientAuthentication configures TLS client auth.

func (ClientAuthentication) Active 

func (clientauth ClientAuthentication) Active() bool

Active returns true if clientauth has an actionable configuration.

func (*ClientAuthentication) ConfigureTLSConfig 

func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) error

ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.

type ConnectionMatcher 

type ConnectionMatcher interface {
	Match(*tls.ClientHelloInfo) bool
}

ConnectionMatcher is a type which matches TLS handshakes.

type ConnectionPolicies 

type ConnectionPolicies []*ConnectionPolicy

ConnectionPolicies is an ordered group of connection policies; the first matching policy will be used to configure TLS connections at handshake-time.

func (ConnectionPolicies) TLSConfig 

func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) (*tls.Config, error)

TLSConfig converts the group of policies to a standard-lib-compatible TLS configuration which selects the first matching policy based on the ClientHello.

type ConnectionPolicy 

type ConnectionPolicy struct {
	// How to match this policy with a TLS ClientHello. If
	// this policy is the first to match, it will be used.
	MatchersRaw caddy.ModuleMap `json:"match,omitempty" caddy:"namespace=tls.handshake_match"`

	// How to choose a certificate if more than one matched
	// the given ServerName (SNI) value.
	CertSelection json.RawMessage `json:"certificate_selection,omitempty" caddy:"namespace=tls.certificate_selection inline_key=policy"`

	// The list of cipher suites to support. Caddy's
	// defaults are modern and secure.
	CipherSuites []string `json:"cipher_suites,omitempty"`

	// The list of elliptic curves to support. Caddy's
	// defaults are modern and secure.
	Curves []string `json:"curves,omitempty"`

	// Protocols to use for Application-Layer Protocol
	// Negotiation (ALPN) during the handshake.
	ALPN []string `json:"alpn,omitempty"`

	// Minimum TLS protocol version to allow. Default: `tls1.2`
	ProtocolMin string `json:"protocol_min,omitempty"`

	// Maximum TLS protocol version to allow. Default: `tls1.3`
	ProtocolMax string `json:"protocol_max,omitempty"`

	// Enables and configures TLS client authentication.
	ClientAuthentication *ClientAuthentication `json:"client_authentication,omitempty"`
	// contains filtered or unexported fields
}

ConnectionPolicy specifies the logic for handling a TLS handshake.

type FileLoader 

type FileLoader []CertKeyFilePair

FileLoader loads certificates and their associated keys from disk.

func (FileLoader) CaddyModule 

func (FileLoader) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (FileLoader) LoadCertificates 

func (fl FileLoader) LoadCertificates() ([]Certificate, error)

LoadCertificates returns the certificates to be loaded by fl.

type FolderLoader 

type FolderLoader []string

FolderLoader loads certificates and their associated keys from disk by recursively walking the specified directories, looking for PEM files which contain both a certificate and a key.

func (FolderLoader) CaddyModule 

func (FolderLoader) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (FolderLoader) LoadCertificates 

func (fl FolderLoader) LoadCertificates() ([]Certificate, error)

LoadCertificates loads all the certificates+keys in the directories listed in fl from all files ending with .pem. This method of loading certificates expects the certificate and key to be bundled into the same file.

type HTTPChallengeConfig 

type HTTPChallengeConfig struct {
	// If true, the HTTP challenge will be disabled.
	Disabled bool `json:"disabled,omitempty"`

	// An alternate port on which to service this
	// challenge. Note that the HTTP challenge port is
	// hard-coded into the spec and cannot be changed,
	// so you would have to forward packets from the
	// standard HTTP challenge port to this one.
	AlternatePort int `json:"alternate_port,omitempty"`
}

HTTPChallengeConfig configures the ACME HTTP challenge.

type ManagerMaker 

type ManagerMaker interface {
	NewManager(interactive bool) (certmagic.Manager, error)
}

ManagerMaker makes a certificate manager.

type MatchServerName 

type MatchServerName []string

MatchServerName matches based on SNI.

func (MatchServerName) CaddyModule 

func (MatchServerName) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (MatchServerName) Match 

func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool

Match matches hello based on SNI.

type OnDemandConfig 

type OnDemandConfig struct {
	// An optional rate limit to throttle the
	// issuance of certificates from handshakes.
	RateLimit *RateLimit `json:"rate_limit,omitempty"`

	// If Caddy needs to obtain or renew a certificate
	// during a TLS handshake, it will perform a quick
	// HTTP request to this URL to check if it should be
	// allowed to try to get a certificate for the name
	// in the "domain" query string parameter, like so:
	// `?domain=example.com`. The endpoint must return a
	// 200 OK status if a certificate is allowed;
	// anything else will cause it to be denied.
	// Redirects are not followed.
	Ask string `json:"ask,omitempty"`
}

OnDemandConfig configures on-demand TLS, for obtaining needed certificates at handshake-time. Because this feature can easily be abused, you should set up rate limits and/or an internal endpoint that Caddy can "ask" if it should be allowed to manage certificates for a given hostname.

type PEMLoader 

type PEMLoader []CertKeyPEMPair

PEMLoader loads certificates and their associated keys by decoding their PEM blocks directly. This has the advantage of not needing to store them on disk at all.

func (PEMLoader) CaddyModule 

func (PEMLoader) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (PEMLoader) LoadCertificates 

func (pl PEMLoader) LoadCertificates() ([]Certificate, error)

LoadCertificates returns the certificates contained in pl.

type Policy 

type Policy struct {
	SerialNumber        *big.Int           `json:"serial_number,omitempty"`
	SubjectOrganization string             `json:"subject_organization,omitempty"`
	PublicKeyAlgorithm  PublicKeyAlgorithm `json:"public_key_algorithm,omitempty"`
	Tag                 string             `json:"tag,omitempty"`
}

Policy represents a policy for selecting the certificate used to complete a handshake when there may be multiple options. All fields specified must match the candidate certificate for it to be chosen. This was needed to solve https://github.com/caddyserver/caddy/issues/2588.

func (Policy) CaddyModule 

func (Policy) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (Policy) SelectCertificate 

func (p Policy) SelectCertificate(_ *tls.ClientHelloInfo, choices []certmagic.Certificate) (certmagic.Certificate, error)

SelectCertificate implements certmagic.CertificateSelector.

type PublicKeyAlgorithm 

type PublicKeyAlgorithm x509.PublicKeyAlgorithm

PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.

func (*PublicKeyAlgorithm) UnmarshalJSON 

func (a *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error

UnmarshalJSON satisfies json.Unmarshaler.

type RateLimit 

type RateLimit struct {
	// A duration value. A certificate may be obtained 'burst'
	// times during this interval.
	Interval caddy.Duration `json:"interval,omitempty"`

	// How many times during an interval a certificate can be obtained.
	Burst int `json:"burst,omitempty"`
}

RateLimit specifies an interval with optional burst size.

type STEKProvider 

type STEKProvider interface {
	// Initialize provides the STEK configuration to the STEK
	// module so that it can obtain and manage keys accordingly.
	// It returns the initial key(s) to use. Implementations can
	// rely on Next() being called if Initialize() returns
	// without error, so that it may know when it is done.
	Initialize(config *SessionTicketService) ([][32]byte, error)

	// Next returns the channel through which the next session
	// ticket keys will be transmitted until doneChan is closed.
	// Keys should be sent on keysChan as they are updated.
	// When doneChan is closed, any resources allocated in
	// Initialize() must be cleaned up.
	Next(doneChan <-chan struct{}) (keysChan <-chan [][32]byte)
}

STEKProvider is a type that can provide session ticket ephemeral keys (STEKs).

type SessionTicketService 

type SessionTicketService struct {
	// KeySource is the method by which Caddy produces or obtains
	// TLS session ticket keys (STEKs). By default, Caddy generates
	// them internally using a secure pseudorandom source.
	KeySource json.RawMessage `json:"key_source,omitempty" caddy:"namespace=tls.stek inline_key=provider"`

	// How often Caddy rotates STEKs. Default: 12h.
	RotationInterval caddy.Duration `json:"rotation_interval,omitempty"`

	// The maximum number of keys to keep in rotation. Default: 4.
	MaxKeys int `json:"max_keys,omitempty"`

	// Disables STEK rotation.
	DisableRotation bool `json:"disable_rotation,omitempty"`

	// Disables TLS session resumption by tickets.
	Disabled bool `json:"disabled,omitempty"`
	// contains filtered or unexported fields
}

SessionTicketService configures and manages TLS session tickets.

func (SessionTicketService) RotateSTEKs 

func (s SessionTicketService) RotateSTEKs(keys [][32]byte) ([][32]byte, error)

RotateSTEKs rotates the keys in keys by producing a new key and eliding the oldest one. The new slice of keys is returned.

type TLS 

type TLS struct {
	// Caches certificates in memory for quick use during
	// TLS handshakes. Each key is the name of a certificate
	// loader module. All loaded certificates get pooled
	// into the same cache and may be used to complete TLS
	// handshakes for the relevant server names (SNI).
	// Certificates loaded manually (anything other than
	// "automate") are not automatically managed and will
	// have to be refreshed manually before they expire.
	CertificatesRaw caddy.ModuleMap `json:"certificates,omitempty" caddy:"namespace=tls.certificates"`

	// Configures the automation of certificate management.
	Automation *AutomationConfig `json:"automation,omitempty"`

	// Configures session ticket ephemeral keys (STEKs).
	SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
	// contains filtered or unexported fields
}

TLS provides TLS facilities including certificate loading and management, client auth, and more.

func (*TLS) AllMatchingCertificates 

func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate

AllMatchingCertificates returns the list of all certificates in the cache which could be used to satisfy the given SAN.

func (TLS) CaddyModule 

func (TLS) CaddyModule() caddy.ModuleInfo

CaddyModule returns the Caddy module information.

func (*TLS) Cleanup 

func (t *TLS) Cleanup() error

Cleanup frees up resources allocated during Provision.

func (*TLS) HandleHTTPChallenge 

func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool

HandleHTTPChallenge ensures that the HTTP challenge is handled for the certificate named by r.Host, if it is an HTTP challenge request.

func (*TLS) Manage 

func (t *TLS) Manage(names []string) error

Manage immediately begins managing names according to the matching automation policy.

func (*TLS) Provision 

func (t *TLS) Provision(ctx caddy.Context) error

Provision sets up the configuration for the TLS app.

func (*TLS) Start 

func (t *TLS) Start() error

Start activates the TLS module.

func (*TLS) Stop 

func (t *TLS) Stop() error

Stop stops the TLS module and cleans up any allocations.

type TLSALPNChallengeConfig 

type TLSALPNChallengeConfig struct {
	// If true, the TLS-ALPN challenge will be disabled.
	Disabled bool `json:"disabled,omitempty"`

	// An alternate port on which to service this
	// challenge. Note that the TLS-ALPN challenge port
	// is hard-coded into the spec and cannot be changed,
	// so you would have to forward packets from the
	// standard TLS-ALPN challenge port to this one.
	AlternatePort int `json:"alternate_port,omitempty"`
}

TLSALPNChallengeConfig configures the ACME TLS-ALPN challenge.

Source Files

View all Source files

Directories

Path Synopsis
Package distributedstek provides TLS session ticket ephemeral keys (STEKs) in a distributed fashion by utilizing configured storage for locking and key sharing.
 Package distributedstek provides TLS session ticket ephemeral keys (STEKs) in a distributed fashion by utilizing configured storage for locking and key sharing.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.