Published: Dec 19, 2024 License: MPL-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

// Config holds the configuration for the ocsp-responder command. The
// `validate` tags express which of the DB / Source / SAService / Redis
// backends must be present: at least one response source is required, and
// Redis and TLS are only mandatory when no static Source is configured.
type Config struct {
	OCSPResponder struct {
		// DebugAddr is an optional address:port for the debug/metrics listener.
		DebugAddr string       `validate:"omitempty,hostname_port"`
		// DB is the database connection configuration. It is required unless
		// both Source and SAService are set (see the validate tag).
		DB        cmd.DBConfig `validate:"required_without_all=Source SAService,structonly"`

		// Source indicates the source of pre-signed OCSP responses to be used. It
		// can be a DBConnect string or a file URL. The file URL style is used
		// when responding from a static file for intermediates and roots.
		// If DBConfig has non-empty fields, it takes precedence over this.
		// NOTE(review): a DBConnect string may embed credentials; confirm it is
		// never written to logs or error messages.
		Source string `validate:"required_without_all=DB.DBConnectFile SAService Redis"`

		// The list of issuer certificates, against which OCSP requests/responses
		// are checked to ensure we're not responding for anyone else's certs.
		// At least one entry is required.
		IssuerCerts []string `validate:"min=1,dive,required"`

		// Path is undocumented here; presumably the URL path under which OCSP
		// requests are served — TODO confirm against the main package.
		Path string

		// ListenAddress is the address:port on which to listen for incoming
		// OCSP requests. This has a default value of ":80".
		ListenAddress string `validate:"omitempty,hostname_port"`

		// When to timeout a request. This should be slightly lower than the
		// upstream's timeout when making requests to ocsp-responder.
		Timeout config.Duration `validate:"-"`

		// How often a response should be signed when using Redis/live-signing
		// path. This has a default value of 60h.
		LiveSigningPeriod config.Duration `validate:"-"`

		// A limit on how many requests to the RA (and onwards to the CA) will
		// be made to sign responses that are not fresh in the cache. This
		// should be set to somewhat less than
		// (HSM signing capacity) / (number of ocsp-responders).
		// Requests that would exceed this limit will block until capacity is
		// available and eventually serve an HTTP 500 Internal Server Error.
		// This has a default value of 1000.
		MaxInflightSignings int `validate:"min=0"`

		// A limit on how many goroutines can be waiting for a signing slot at
		// a time. When this limit is exceeded, additional signing requests
		// will immediately serve an HTTP 500 Internal Server Error until
		// we are back below the limit. This provides load shedding for when
		// inbound requests arrive faster than our ability to sign them.
		// The default of 0 means "no limit." A good value for this is the
		// longest queue we can expect to process before a timeout. For
		// instance, if the timeout is 5 seconds, and a signing takes 20ms,
		// and we have MaxInflightSignings = 40, we can expect to process
		// 40 * 5 / 0.02 = 10,000 requests before the oldest request times out.
		MaxSigningWaiters int `validate:"min=0"`

		// ShutdownStopTimeout is undocumented here; presumably how long a
		// graceful shutdown waits for in-flight requests — TODO confirm.
		ShutdownStopTimeout config.Duration

		// RequiredSerialPrefixes is an optional list of hexadecimal strings.
		// NOTE(review): the name suggests requests whose serial does not begin
		// with one of these prefixes are rejected — verify in the handler.
		RequiredSerialPrefixes []string `validate:"omitempty,dive,hexadecimal"`

		// Features holds the feature-flag configuration for this service.
		Features features.Config

		// Configuration for using Redis as a cache. This configuration should
		// allow for both read and write access. Required unless Source is set.
		Redis *rocsp_config.RedisConfig `validate:"required_without=Source"`

		// TLS client certificate, private key, and trusted root bundle.
		// Required unless Source is set.
		TLS cmd.TLSConfig `validate:"required_without=Source,structonly"`

		// RAService configures how to communicate with the RA when it is necessary
		// to generate a fresh OCSP response.
		RAService *cmd.GRPCClientConfig

		// SAService configures how to communicate with the SA to look up
		// certificate status metadata used to confirm/deny that the response from
		// Redis is up-to-date. Required unless both DB.DBConnectFile and Source
		// are set.
		SAService *cmd.GRPCClientConfig `validate:"required_without_all=DB.DBConnectFile Source"`

		// LogSampleRate sets how frequently error logs should be emitted. This
		// avoids flooding the logs during outages. 1 out of N log lines will be emitted.
		// If LogSampleRate is 0, no logs will be emitted; operators relying on
		// these logs for alerting should not leave it at 0.
		LogSampleRate int `validate:"min=0"`
	}

	// Syslog configures the syslog logging backend.
	Syslog        cmd.SyslogConfig
	// OpenTelemetry configures tracing export.
	OpenTelemetry cmd.OpenTelemetryConfig

	// OpenTelemetryHTTPConfig configures tracing on incoming HTTP requests
	OpenTelemetryHTTPConfig cmd.OpenTelemetryHTTPConfig
}
