- Variables
- type ACMEManagerMaker
- type AutomationConfig
- type AutomationPolicy
- type CertKeyFilePair
- type Certificate
- type CertificateLoader
- type ChallengesConfig
- type ClientAuthentication
- type ConnectionMatcher
- type ConnectionPolicies
- type ConnectionPolicy
- type FileLoader
- type FolderLoader
- type HTTPChallengeConfig
- type ManagerMaker
- type MatchServerName
- type OnDemandConfig
- type PublicKeyAlgorithm
- type RateLimit
- type STEKProvider
- type SessionTicketService
- type TLS
- func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate
- func (TLS) CaddyModule() caddy.ModuleInfo
- func (t *TLS) Cleanup() error
- func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool
- func (t *TLS) Manage(names []string) error
- func (t *TLS) Provision(ctx caddy.Context) error
- func (t *TLS) Start() error
- func (t *TLS) Stop() error
- type TLSALPNChallengeConfig
Variables ¶
// SupportedCipherSuites maps IANA cipher suite names to their crypto/tls
// constants. It is an unordered name lookup only: presumably it resolves
// the strings given in ConnectionPolicy.CipherSuites, and listing a suite
// here does not by itself enable it for any connection. All keys are
// IANA-registered names (see
// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml);
// the two CHACHA20 keys keep the IANA _SHA256 suffix that the crypto/tls
// constants omit (https://github.com/golang/go/issues/32061 and
// https://github.com/golang/go/issues/30325#issuecomment-512862374).
// TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
var SupportedCipherSuites = map[string]uint16{
	// ECDHE key exchange with AEAD ciphers (TLS 1.2).
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256":   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,

	// ECDHE key exchange with CBC ciphers; legacy, presumably kept so that
	// older clients can still be named in configuration.
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,

	// Static RSA key exchange: no forward secrecy. Legacy only.
	"TLS_RSA_WITH_AES_128_CBC_SHA":    tls.TLS_RSA_WITH_AES_128_CBC_SHA,
	"TLS_RSA_WITH_AES_128_CBC_SHA256": tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
	"TLS_RSA_WITH_AES_128_GCM_SHA256": tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
	"TLS_RSA_WITH_AES_256_CBC_SHA":    tls.TLS_RSA_WITH_AES_256_CBC_SHA,
	"TLS_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_RSA_WITH_AES_256_GCM_SHA384,

	// 3DES suites (64-bit block cipher). Several of the legacy suites in
	// this map are reported by tls.InsecureCipherSuites() in recent Go
	// releases; check the toolchain in use before allowing them in a policy.
	"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
	"TLS_RSA_WITH_3DES_EDE_CBC_SHA":       tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
}
SupportedCipherSuites is the unordered map of cipher suite string names to their definition in crypto/tls. All values should be IANA-reserved names. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Two of the cipher suite constants in the standard lib do not use the full IANA name, but we do; see: https://github.com/golang/go/issues/32061 and https://github.com/golang/go/issues/30325#issuecomment-512862374. TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
// SupportedCurves maps the short curve names accepted in configuration
// (presumably ConnectionPolicy.Curves) to crypto/tls curve identifiers.
// The map is unordered. See https://golang.org/pkg/crypto/tls/#CurveID
var SupportedCurves = map[string]tls.CurveID{
	// NIST prime curves.
	"p256": tls.CurveP256,
	"p384": tls.CurveP384,
	"p521": tls.CurveP521,
	// Curve25519 (RFC 7748).
	"x25519": tls.X25519,
}
SupportedCurves is the unordered map of supported curves. https://golang.org/pkg/crypto/tls/#CurveID
// SupportedProtocols maps the TLS protocol version names accepted in
// configuration (presumably ConnectionPolicy.ProtocolMin/ProtocolMax) to
// crypto/tls version constants. Only TLS 1.2 and 1.3 are nameable; there
// is deliberately no entry for TLS 1.0 or 1.1.
var SupportedProtocols = map[string]uint16{
	"tls1.3": tls.VersionTLS13,
	"tls1.2": tls.VersionTLS12,
}
SupportedProtocols is the unordered map of supported TLS protocol version names to their crypto/tls version constants.
Types ¶
type ACMEManagerMaker ¶
// ACMEManagerMaker makes an ACME manager for managing certificates using
// ACME. If crafting one manually rather than through the config-unmarshal
// process (provisioning), be sure to call SetDefaults to ensure sane
// defaults after you have configured this struct to your liking.
//
// NOTE(review): the individual fields are not documented on this page;
// the per-field comments below are inferred from the names — confirm.
type ACMEManagerMaker struct {
	CA          string         `json:"ca,omitempty"`           // ACME CA directory endpoint, presumably
	Email       string         `json:"email,omitempty"`        // ACME account contact, presumably
	RenewAhead  caddy.Duration `json:"renew_ahead,omitempty"`  // lead time before expiry to renew, presumably
	KeyType     string         `json:"key_type,omitempty"`     // key algorithm/size for new certs, presumably
	ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` // per-ACME-operation timeout, presumably
	MustStaple  bool           `json:"must_staple,omitempty"`  // request the OCSP Must-Staple extension, presumably

	// Challenges selects and tunes the ACME challenge types (see ChallengesConfig).
	Challenges *ChallengesConfig `json:"challenges,omitempty"`
	OnDemand   bool              `json:"on_demand,omitempty"`

	// Storage is an undecoded storage module config (decoded at provisioning, presumably).
	Storage json.RawMessage `json:"storage,omitempty"`

	// TrustedRootsPEMFiles lists PEM files of roots to trust when talking to
	// the CA, presumably — relevant when CA points at a private or test ACME
	// server rather than a publicly trusted one.
	TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"`
	// contains filtered or unexported fields
}
ACMEManagerMaker makes an ACME manager for managing certificates using ACME. If crafting one manually rather than through the config-unmarshal process (provisioning), be sure to call SetDefaults to ensure sane defaults after you have configured this struct to your liking.
func (ACMEManagerMaker) CaddyModule ¶
func (ACMEManagerMaker) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (ACMEManagerMaker) NewManager ¶
func (m ACMEManagerMaker) NewManager(interactive bool) (certmagic.Manager, error)
NewManager is a no-op to satisfy the ManagerMaker interface, because this manager type is a special case.
func (*ACMEManagerMaker) Provision ¶
func (m *ACMEManagerMaker) Provision(ctx caddy.Context) error
Provision sets up m.
type AutomationConfig ¶
// AutomationConfig designates configuration for the construction and use
// of ACME clients.
type AutomationConfig struct {
	// Policies are matched against hostnames via AutomationPolicy.Hosts;
	// which policy wins when several match is not stated here — confirm.
	Policies []AutomationPolicy `json:"policies,omitempty"`

	// OnDemand configures obtaining certificates at handshake time.
	OnDemand *OnDemandConfig `json:"on_demand,omitempty"`

	// OCSPCheckInterval and RenewCheckInterval are, by their names, the
	// periods of the OCSP-refresh and renewal background checks — confirm.
	OCSPCheckInterval  caddy.Duration `json:"ocsp_interval,omitempty"`
	RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"`
}
AutomationConfig designates configuration for the construction and use of ACME clients.
type AutomationPolicy ¶
// AutomationPolicy designates the policy for automating the management of
// managed TLS certificates.
type AutomationPolicy struct {
	// Hosts lists the names this policy applies to.
	Hosts []string `json:"hosts,omitempty"`

	// ManagementRaw holds the undecoded manager module config; Management
	// is the decoded ManagerMaker and is excluded from JSON.
	ManagementRaw json.RawMessage `json:"management,omitempty"`
	Management    ManagerMaker    `json:"-"`
}
AutomationPolicy designates the policy for automating the management of managed TLS certificates.
type CertKeyFilePair ¶
// CertKeyFilePair pairs certificate and key file names along with their
// encoding format so that they can be loaded from disk.
type CertKeyFilePair struct {
	Certificate string   `json:"certificate"`
	Key         string   `json:"key"`
	Format      string   `json:"format,omitempty"` // "pem" is default
	Tags        []string `json:"tags,omitempty"`   // optional labels, presumably carried onto the loaded Certificate.Tags
}
CertKeyFilePair pairs certificate and key file names along with their encoding format so that they can be loaded from disk.
type Certificate ¶
// Certificate is a TLS certificate, optionally associated with arbitrary
// tags.
type Certificate struct {
	tls.Certificate // embedded standard-library certificate chain and private key
	Tags            []string // optional labels; see CertKeyFilePair.Tags
}
Certificate is a TLS certificate, optionally associated with arbitrary tags.
type CertificateLoader ¶
// CertificateLoader is a type that can load certificates. Certificates can
// optionally be associated with tags.
type CertificateLoader interface {
	// LoadCertificates returns every certificate the loader provides, or an
	// error if loading fails.
	LoadCertificates() ([]Certificate, error)
}
CertificateLoader is a type that can load certificates. Certificates can optionally be associated with tags.
type ChallengesConfig ¶
// ChallengesConfig configures the ACME challenges.
type ChallengesConfig struct {
	HTTP    *HTTPChallengeConfig    `json:"http,omitempty"`
	TLSALPN *TLSALPNChallengeConfig `json:"tls-alpn,omitempty"`

	// DNSRaw holds the undecoded DNS provider module config; DNS is the
	// decoded provider and is excluded from JSON.
	DNSRaw json.RawMessage    `json:"dns,omitempty"`
	DNS    challenge.Provider `json:"-"`
}
ChallengesConfig configures the ACME challenges.
type ClientAuthentication ¶
// ClientAuthentication configures TLS client auth. Active reports whether
// it holds an actionable configuration and ConfigureTLSConfig applies it
// to a *tls.Config.
type ClientAuthentication struct {
	// A list of base64 DER-encoded CA certificates
	// against which to validate client certificates.
	// Client certs which are not signed by any of
	// these CAs will be rejected.
	TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`

	// A list of base64 DER-encoded client leaf certs
	// to accept. If this list is not empty, client certs
	// which are not in this list will be rejected.
	// NOTE(review): this pins exact leaf certificates, so the list must be
	// updated whenever a client's certificate is rotated, or that client
	// will be rejected.
	TrustedLeafCerts []string `json:"trusted_leaf_certs,omitempty"`

	// contains filtered or unexported fields
}
ClientAuthentication configures TLS client auth.
func (ClientAuthentication) Active ¶
func (clientauth ClientAuthentication) Active() bool
Active returns true if clientauth has an actionable configuration.
func (*ClientAuthentication) ConfigureTLSConfig ¶
func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) error
ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
type ConnectionMatcher ¶
// ConnectionMatcher is a type which matches TLS handshakes.
type ConnectionMatcher interface {
	// Match reports whether the ClientHello of an incoming handshake
	// satisfies this matcher.
	Match(*tls.ClientHelloInfo) bool
}
ConnectionMatcher is a type which matches TLS handshakes.
type ConnectionPolicies ¶
// ConnectionPolicies is an ordered group of connection policies; the first
// matching policy will be used to configure TLS connections at
// handshake-time.
type ConnectionPolicies []*ConnectionPolicy
ConnectionPolicies is an ordered group of connection policies; the first matching policy will be used to configure TLS connections at handshake-time.
type ConnectionPolicy ¶
// ConnectionPolicy specifies the logic for handling a TLS handshake.
type ConnectionPolicy struct {
	// Matchers holds undecoded ConnectionMatcher module configs keyed by
	// matcher name (MatchServerName matches on SNI), presumably.
	Matchers map[string]json.RawMessage `json:"match,omitempty"`

	// CertSelection is an undecoded certificate-selection config.
	CertSelection json.RawMessage `json:"certificate_selection,omitempty"`

	// CipherSuites, Curves, ProtocolMin and ProtocolMax are presumably
	// resolved through SupportedCipherSuites, SupportedCurves and
	// SupportedProtocols — confirm. SupportedCipherSuites includes legacy
	// CBC, 3DES and static-RSA suites, so an explicit CipherSuites list
	// should be reviewed rather than copied from that map.
	CipherSuites []string `json:"cipher_suites,omitempty"`
	Curves       []string `json:"curves,omitempty"`
	ALPN         []string `json:"alpn,omitempty"`
	ProtocolMin  string   `json:"protocol_min,omitempty"`
	ProtocolMax  string   `json:"protocol_max,omitempty"`

	// ClientAuthentication, when set and Active(), is applied via
	// ConfigureTLSConfig to require client certificates.
	ClientAuthentication *ClientAuthentication `json:"client_authentication,omitempty"`
	// contains filtered or unexported fields
}
ConnectionPolicy specifies the logic for handling a TLS handshake.
type FileLoader ¶
// FileLoader loads certificates and their associated keys from disk. Each
// element names one certificate/key file pair (see CertKeyFilePair).
type FileLoader []CertKeyFilePair
FileLoader loads certificates and their associated keys from disk.
func (FileLoader) CaddyModule ¶
func (FileLoader) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (FileLoader) LoadCertificates ¶
func (fl FileLoader) LoadCertificates() ([]Certificate, error)
LoadCertificates returns the certificates to be loaded by fl.
type FolderLoader ¶
// FolderLoader loads certificates and their associated keys from disk by
// recursively walking the specified directories, looking for PEM files
// which contain both a certificate and a key. Each element is a directory
// path; only files ending with .pem are considered.
type FolderLoader []string
FolderLoader loads certificates and their associated keys from disk by recursively walking the specified directories, looking for PEM files which contain both a certificate and a key.
func (FolderLoader) CaddyModule ¶
func (FolderLoader) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (FolderLoader) LoadCertificates ¶
func (fl FolderLoader) LoadCertificates() ([]Certificate, error)
LoadCertificates loads all the certificates+keys in the directories listed in fl from all files ending with .pem. This method of loading certificates expects the certificate and key to be bundled into the same file.
type HTTPChallengeConfig ¶
// HTTPChallengeConfig configures the ACME HTTP challenge.
type HTTPChallengeConfig struct {
	Disabled      bool `json:"disabled,omitempty"`       // turn the HTTP challenge off entirely
	AlternatePort int  `json:"alternate_port,omitempty"` // listen on a port other than the default, presumably
}
HTTPChallengeConfig configures the ACME HTTP challenge.
type ManagerMaker ¶
ManagerMaker makes a certificate manager.
type MatchServerName ¶
// MatchServerName matches based on SNI. Each element is a server name
// compared against the ClientHello's SNI value.
type MatchServerName []string
MatchServerName matches based on SNI.
func (MatchServerName) CaddyModule ¶
func (MatchServerName) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (MatchServerName) Match ¶
func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool
Match matches hello based on SNI.
type OnDemandConfig ¶
// OnDemandConfig configures on-demand TLS, for obtaining needed
// certificates at handshake-time.
//
// NOTE(review): because issuance is triggered by the name a client presents
// at handshake time, RateLimit and Ask are the only controls visible here
// that bound how many and which names can cause issuance — confirm how
// unset fields are treated before relying on on-demand mode.
type OnDemandConfig struct {
	// RateLimit bounds how often certificates may be obtained (see RateLimit).
	RateLimit *RateLimit `json:"rate_limit,omitempty"`
	// Ask is presumably an endpoint consulted to approve a name before
	// issuance — confirm.
	Ask string `json:"ask,omitempty"`
}
OnDemandConfig configures on-demand TLS, for obtaining needed certificates at handshake-time.
type PublicKeyAlgorithm ¶
// PublicKeyAlgorithm is a JSON-unmarshalable wrapper around
// x509.PublicKeyAlgorithm; see UnmarshalJSON.
type PublicKeyAlgorithm x509.PublicKeyAlgorithm
PublicKeyAlgorithm is a wrapper type that can be unmarshaled from JSON.
func (*PublicKeyAlgorithm) UnmarshalJSON ¶
func (a *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error
UnmarshalJSON satisfies json.Unmarshaler.
type RateLimit ¶
// RateLimit specifies an interval with optional burst size.
type RateLimit struct {
	Interval caddy.Duration `json:"interval,omitempty"`
	Burst    int            `json:"burst,omitempty"`
}
RateLimit specifies an interval with optional burst size.
type STEKProvider ¶
// STEKProvider is a type that can provide session ticket ephemeral keys
// (STEKs). Keys are 32-byte values, the size tls.Config.SetSessionTicketKeys
// accepts.
type STEKProvider interface {
	// Initialize provides the STEK configuration to the STEK
	// module so that it can obtain and manage keys accordingly.
	// It returns the initial key(s) to use. Implementations can
	// rely on Next() being called if Initialize() returns
	// without error, so that it may know when it is done.
	Initialize(config *SessionTicketService) ([][32]byte, error)

	// Next returns the channel through which the next session
	// ticket keys will be transmitted until doneChan is closed.
	// Keys should be sent on keysChan as they are updated.
	// When doneChan is closed, any resources allocated in
	// Initialize() must be cleaned up.
	Next(doneChan <-chan struct{}) (keysChan <-chan [][32]byte)
}
STEKProvider is a type that can provide session ticket ephemeral keys (STEKs).
type SessionTicketService ¶
// SessionTicketService configures and manages TLS session tickets.
type SessionTicketService struct {
	// KeySource is an undecoded STEKProvider module config, presumably.
	KeySource json.RawMessage `json:"key_source,omitempty"`

	// RotationInterval is how often keys are rotated (see RotateSTEKs) and
	// MaxKeys how many are retained, presumably — confirm.
	RotationInterval caddy.Duration `json:"rotation_interval,omitempty"`
	MaxKeys          int            `json:"max_keys,omitempty"`

	// DisableRotation presumably keeps the initial keys indefinitely; a
	// long-lived ticket key weakens forward secrecy for resumed sessions.
	DisableRotation bool `json:"disable_rotation,omitempty"`

	// Disabled turns session tickets off entirely, presumably.
	Disabled bool `json:"disabled,omitempty"`
	// contains filtered or unexported fields
}
SessionTicketService configures and manages TLS session tickets.
func (SessionTicketService) RotateSTEKs ¶
func (s SessionTicketService) RotateSTEKs(keys [][32]byte) ([][32]byte, error)
RotateSTEKs rotates the keys in keys by producing a new key and dropping the oldest one. The new slice of keys is returned.
type TLS ¶
// TLS represents a process-wide TLS configuration.
type TLS struct {
	// Certificates holds undecoded CertificateLoader module configs keyed
	// by loader name (FileLoader, FolderLoader), presumably.
	Certificates map[string]json.RawMessage `json:"certificates,omitempty"`

	// Automation configures certificate management: policies, on-demand
	// issuance, and the OCSP and renewal check intervals.
	Automation *AutomationConfig `json:"automation,omitempty"`

	// SessionTickets configures session ticket keys and their rotation.
	SessionTickets *SessionTicketService `json:"session_tickets,omitempty"`
	// contains filtered or unexported fields
}
TLS represents a process-wide TLS configuration.
func (*TLS) AllMatchingCertificates ¶
func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate
AllMatchingCertificates returns the list of all certificates in the cache which could be used to satisfy the given SAN.
func (TLS) CaddyModule ¶
func (TLS) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (*TLS) HandleHTTPChallenge ¶
HandleHTTPChallenge ensures that the HTTP challenge is handled for the certificate named by r.Host, if it is an HTTP challenge request.
func (*TLS) Manage ¶
Manage immediately begins managing names according to the matching automation policy.
type TLSALPNChallengeConfig ¶
// TLSALPNChallengeConfig configures the ACME TLS-ALPN challenge.
type TLSALPNChallengeConfig struct {
	Disabled      bool `json:"disabled,omitempty"`       // turn the TLS-ALPN challenge off entirely
	AlternatePort int  `json:"alternate_port,omitempty"` // listen on a port other than the default, presumably
}
TLSALPNChallengeConfig configures the ACME TLS-ALPN challenge.