ocsp-l2-cache

command module

v0.0.0-...-e455ca1 Latest Latest Go to latest Published: Dec 9, 2020 License: MPL-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/jcjones/ocsp-l2-cache

Links

Open Source Insights

README ¶

OCSP-L2-Cache: A Caching OCSP Forwarder

This OCSP responder is intended to lie between an authoritative OCSP responder and clients, caching responses in a Redis key-value store to reduce load on the authoritative responder.

Requirements

Redis 5

Configuration

Set these environment variables:

ListenOCSP
- default: :8080
ListenHealth
- default: :8081
RedisHost
- default: redis:6379
ID
- default: hostname
SyslogProto
- default: ""
- type: udp, tcp, or blank for local socket
SyslogAddr
- default: ""
CacheLifespan
- default: 24h
- type: Duration
ConnectionDeadline
- default: 1s
- type: Duration
Responders
- type: key ID in hex=http://url;...

Example run:

Responders="A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1=http://ocsp.int-x3.letsencrypt.org;C5B1AB4E4CB1CD6430937EC1849905ABE603E225=http://ocsp.int-x4.letsencrypt.org;142EB317B75856CBAE500940E61FAF9D8B14C2C6=http://r3.o.lencr.org;369D3EE0B140F6272C7CBF8D9D318AF654A64626=http://r4.o.lencr.org" go run main.go

An arbitrary number of these l2-cache instances can point to a Redis cluster for horizontal scaling. Once you run into issues at the Redis cluster, you can just construct another whole cluster.

Interacting

Probably easiest to use tools that can override the responder URL, like OpenSSL or jcjones/ocspchecker (assuming the cache is running on localhost:9020):

go get github.com/jcjones/ocspchecker

ocspchecker -nostaple -responder http://localhost:9020 -url https://letsencrypt.org -dump

Building and running

Via Docker:

docker build -t ocsp-l2-cache .

docker run --rm ocsp-l2-cache --publish 8080:80 --publish 8081:8080

TODOs

Switch from go-metrics to prometheus
Actual configuration mechanism
Containers
Actually compress the data in compressedresponse
Don't store the whole headers, synthesize everything we can to reduce storage needs
Link-failure tests
OcspStore tests with the mock cache
Admin API interface for pushing new cache entries, flushing entries
Deployment guidance
... more in the issues

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cli Package cli handles parsing input data by the main function	Package cli handles parsing input data by the main function
common Package common contains definitions used many places	Package common contains definitions used many places
fetcher Package fetch loads OCSP responses from another OCSP responder	Package fetch loads OCSP responses from another OCSP responder
repo Package repo gathers and maintains OCSP responses	Package repo gathers and maintains OCSP responses
server
storage

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL