Documentation ¶
Index ¶
- Variables
- func CipherSuiteID(name string) uint16
- func CipherSuiteNameSupported(name string) bool
- func DefaultIssuers(ctx caddy.Context) ([]certmagic.Issuer, error)
- func ProtocolName(id uint16) string
- func SupportedCipherSuites() []*tls.CipherSuite
- type ACMEIssuer
- func (ACMEIssuer) CaddyModule() caddy.ModuleInfo
- func (iss *ACMEIssuer) GetACMEIssuer() *ACMEIssuer
- func (iss *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error)
- func (iss *ACMEIssuer) IssuerKey() string
- func (iss *ACMEIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error
- func (iss *ACMEIssuer) Provision(ctx caddy.Context) error
- func (iss *ACMEIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error
- func (iss *ACMEIssuer) SetConfig(cfg *certmagic.Config)
- func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
- type AutomateLoader
- type AutomationConfig
- type AutomationPolicy
- type CertCacheOptions
- type CertKeyFilePair
- type CertKeyPEMPair
- type Certificate
- type CertificateLoader
- type ChainPreference
- type ChallengesConfig
- type ClientAuthentication
- type ConfigSetter
- type ConnectionMatcher
- type ConnectionPolicies
- type ConnectionPolicy
- type CustomCertSelectionPolicy
- type DNSChallengeConfig
- type FileLoader
- type FolderLoader
- type HTTPChallengeConfig
- type InternalIssuer
- func (InternalIssuer) CaddyModule() caddy.ModuleInfo
- func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error)
- func (iss InternalIssuer) IssuerKey() string
- func (iss *InternalIssuer) Provision(ctx caddy.Context) error
- func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
- type MatchServerName
- type OnDemandConfig
- type PEMLoader
- type PublicKeyAlgorithm
- type RateLimit
- type STEKProvider
- type SessionTicketService
- type TLS
- func (t *TLS) AddAutomationPolicy(ap *AutomationPolicy) error
- func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate
- func (TLS) CaddyModule() caddy.ModuleInfo
- func (t *TLS) Cleanup() error
- func (t *TLS) HandleHTTPChallenge(w http.ResponseWriter, r *http.Request) bool
- func (t *TLS) Manage(names []string) error
- func (t *TLS) Provision(ctx caddy.Context) error
- func (t *TLS) Start() error
- func (t *TLS) Stop() error
- func (t *TLS) Validate() error
- type TLSALPNChallengeConfig
- type ZeroSSLIssuer
- func (*ZeroSSLIssuer) CaddyModule() caddy.ModuleInfo
- func (iss *ZeroSSLIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error)
- func (iss *ZeroSSLIssuer) IssuerKey() string
- func (iss *ZeroSSLIssuer) PreCheck(ctx context.Context, names []string, interactive bool) error
- func (iss *ZeroSSLIssuer) Provision(ctx caddy.Context) error
- func (iss *ZeroSSLIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error
- func (iss *ZeroSSLIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
Constants ¶
This section is empty.
Variables ¶
var SupportedCurves = map[string]tls.CurveID{ "x25519": tls.X25519, "secp256r1": tls.CurveP256, "secp384r1": tls.CurveP384, "secp521r1": tls.CurveP521, }
SupportedCurves is the unordered map of supported curves. https://golang.org/pkg/crypto/tls/#CurveID
var SupportedProtocols = map[string]uint16{ "tls1.2": tls.VersionTLS12, "tls1.3": tls.VersionTLS13, }
SupportedProtocols is a map of supported protocols.
Functions ¶
func CipherSuiteID ¶
CipherSuiteID returns the ID of the cipher suite associated with the given name, or 0 if the name is not recognized/supported.
func CipherSuiteNameSupported ¶
CipherSuiteNameSupported returns true if name is a supported cipher suite.
func DefaultIssuers ¶
DefaultIssuers returns empty but provisioned default Issuers. This function is experimental and has no compatibility promises.
func ProtocolName ¶
ProtocolName returns the standard name for the passed protocol version ID (e.g. "TLS1.3") or a fallback representation of the ID value if the version is not supported.
func SupportedCipherSuites ¶
func SupportedCipherSuites() []*tls.CipherSuite
SupportedCipherSuites returns a list of all the cipher suites Caddy supports. The list is NOT ordered by security preference.
Types ¶
type ACMEIssuer ¶
type ACMEIssuer struct { // The URL to the CA's ACME directory endpoint. CA string `json:"ca,omitempty"` // The URL to the test CA's ACME directory endpoint. // This endpoint is only used during retries if there // is a failure using the primary CA. TestCA string `json:"test_ca,omitempty"` // Your email address, so the CA can contact you if necessary. // Not required, but strongly recommended to provide one so // you can be reached if there is a problem. Your email is // not sent to any Caddy mothership or used for any purpose // other than ACME transactions. Email string `json:"email,omitempty"` // If using an ACME CA that requires an external account // binding, specify the CA-provided credentials here. ExternalAccount *acme.EAB `json:"external_account,omitempty"` // Time to wait before timing out an ACME operation. ACMETimeout caddy.Duration `json:"acme_timeout,omitempty"` // Configures the various ACME challenge types. Challenges *ChallengesConfig `json:"challenges,omitempty"` // An array of files of CA certificates to accept when connecting to the // ACME CA. Generally, you should only use this if the ACME CA endpoint // is internal or for development/testing purposes. TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"` // Preferences for selecting alternate certificate chains, if offered // by the CA. By default, the first offered chain will be selected. // If configured, the chains may be sorted and the first matching chain // will be selected. PreferredChains *ChainPreference `json:"preferred_chains,omitempty"` // contains filtered or unexported fields }
ACMEIssuer makes an ACME manager for managing certificates using ACME.
TODO: support multiple ACME endpoints (probably requires an array of these structs) - caddy would also have to load certs from the backup CAs if the first one is expired...
func (ACMEIssuer) CaddyModule ¶
func (ACMEIssuer) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (*ACMEIssuer) GetACMEIssuer ¶
func (iss *ACMEIssuer) GetACMEIssuer() *ACMEIssuer
GetACMEIssuer returns iss. This is useful when other types embed ACMEIssuer, because type-asserting them to *ACMEIssuer will fail, but type-asserting them to an interface with only this method will succeed, and will still allow the embedded ACMEIssuer to be accessed and manipulated.
func (*ACMEIssuer) Issue ¶
func (iss *ACMEIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error)
Issue obtains a certificate for the given csr.
func (*ACMEIssuer) IssuerKey ¶
func (iss *ACMEIssuer) IssuerKey() string
IssuerKey returns the unique issuer key for the configured CA endpoint.
func (*ACMEIssuer) Provision ¶
func (iss *ACMEIssuer) Provision(ctx caddy.Context) error
Provision sets up iss.
func (*ACMEIssuer) Revoke ¶
func (iss *ACMEIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error
Revoke revokes the given certificate.
func (*ACMEIssuer) SetConfig ¶
func (iss *ACMEIssuer) SetConfig(cfg *certmagic.Config)
SetConfig sets the associated certmagic config for this issuer. This is required because ACME needs values from the config in order to solve the challenges during issuance. This implements the ConfigSetter interface.
func (*ACMEIssuer) UnmarshalCaddyfile ¶
func (iss *ACMEIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
... acme { dir <directory_url> test_dir <test_directory_url> email <email> timeout <duration> disable_http_challenge disable_tlsalpn_challenge alt_http_port <port> alt_tlsalpn_port <port> eab <key_id> <mac_key> trusted_roots <pem_files...> dns <provider_name> [<options>] resolvers <dns_servers...> }
type AutomateLoader ¶
type AutomateLoader []string
AutomateLoader is a no-op certificate loader module that is treated as a special case: it uses this app's automation features to load certificates for the list of hostnames, rather than loading certificates manually.
func (AutomateLoader) CaddyModule ¶
func (AutomateLoader) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
type AutomationConfig ¶
type AutomationConfig struct { // The list of automation policies. The first matching // policy will be applied for a given certificate/name. Policies []*AutomationPolicy `json:"policies,omitempty"` // On-Demand TLS defers certificate operations to the // moment they are needed, e.g. during a TLS handshake. // Useful when you don't know all the hostnames at // config-time, or when you are not in control of the // domain names you are managing certificates for. // In 2015, Caddy became the first web server to // implement this experimental technology. // // Note that this field does not enable on-demand TLS, // it only configures it for when it is used. To enable // it, create an automation policy with `on_demand`. OnDemand *OnDemandConfig `json:"on_demand,omitempty"` // Caddy staples OCSP (and caches the response) for all // qualifying certificates by default. This setting // changes how often it scans responses for freshness, // and updates them if they are getting stale. Default: 1h OCSPCheckInterval caddy.Duration `json:"ocsp_interval,omitempty"` // Every so often, Caddy will scan all loaded, managed // certificates for expiration. This setting changes how // frequently the scan for expiring certificates is // performed. Default: 10m RenewCheckInterval caddy.Duration `json:"renew_interval,omitempty"` // contains filtered or unexported fields }
AutomationConfig governs the automated management of TLS certificates.
type AutomationPolicy ¶
type AutomationPolicy struct { // Which subjects (hostnames or IP addresses) this policy applies to. Subjects []string `json:"subjects,omitempty"` // The modules that may issue certificates. Default: internal if all // subjects do not qualify for public certificates; othewise acme and // zerossl. IssuersRaw []json.RawMessage `json:"issuers,omitempty" caddy:"namespace=tls.issuance inline_key=module"` // DEPRECATED: Use `issuers` instead (November 2020). This field will // be removed in the future. IssuerRaw json.RawMessage `json:"issuer,omitempty" caddy:"namespace=tls.issuance inline_key=module"` // If true, certificates will be requested with MustStaple. Not all // CAs support this, and there are potentially serious consequences // of enabling this feature without proper threat modeling. MustStaple bool `json:"must_staple,omitempty"` // How long before a certificate's expiration to try renewing it, // as a function of its total lifetime. As a general and conservative // rule, it is a good idea to renew a certificate when it has about // 1/3 of its total lifetime remaining. This utilizes the majority // of the certificate's lifetime while still saving time to // troubleshoot problems. However, for extremely short-lived certs, // you may wish to increase the ratio to ~1/2. RenewalWindowRatio float64 `json:"renewal_window_ratio,omitempty"` // The type of key to generate for certificates. // Supported values: `ed25519`, `p256`, `p384`, `rsa2048`, `rsa4096`. KeyType string `json:"key_type,omitempty"` // Optionally configure a separate storage module associated with this // manager, instead of using Caddy's global/default-configured storage. StorageRaw json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"` // If true, certificates will be managed "on demand"; that is, during // TLS handshakes or when needed, as opposed to at startup or config // load. OnDemand bool `json:"on_demand,omitempty"` // Issuers stores the decoded issuer parameters. This is only // used to populate an underlying certmagic.Config's Issuers // field; it is not referenced thereafter. Issuers []certmagic.Issuer `json:"-"` // contains filtered or unexported fields }
AutomationPolicy designates the policy for automating the management (obtaining, renewal, and revocation) of managed TLS certificates.
An AutomationPolicy value is not valid until it has been provisioned; use the `AddAutomationPolicy()` method on the TLS app to properly provision a new policy.
func (*AutomationPolicy) Provision ¶
func (ap *AutomationPolicy) Provision(tlsApp *TLS) error
Provision sets up ap and builds its underlying CertMagic config.
type CertCacheOptions ¶
type CertCacheOptions struct { // Maximum number of certificates to allow in the // cache. If reached, certificates will be randomly // evicted to make room for new ones. Default: 0 // (no limit). Capacity int `json:"capacity,omitempty"` }
CertCacheOptions configures the certificate cache.
type CertKeyFilePair ¶
type CertKeyFilePair struct { // Path to the certificate (public key) file. Certificate string `json:"certificate"` // Path to the private key file. Key string `json:"key"` // The format of the cert and key. Can be "pem". Default: "pem" Format string `json:"format,omitempty"` // Arbitrary values to associate with this certificate. // Can be useful when you want to select a particular // certificate when there may be multiple valid candidates. Tags []string `json:"tags,omitempty"` }
CertKeyFilePair pairs certificate and key file names along with their encoding format so that they can be loaded from disk.
type CertKeyPEMPair ¶
type CertKeyPEMPair struct { // The certificate (public key) in PEM format. CertificatePEM string `json:"certificate"` // The private key in PEM format. KeyPEM string `json:"key"` // Arbitrary values to associate with this certificate. // Can be useful when you want to select a particular // certificate when there may be multiple valid candidates. Tags []string `json:"tags,omitempty"` }
CertKeyPEMPair pairs certificate and key PEM blocks.
type Certificate ¶
type Certificate struct { tls.Certificate Tags []string }
Certificate is a TLS certificate, optionally associated with arbitrary tags.
type CertificateLoader ¶
type CertificateLoader interface {
LoadCertificates() ([]Certificate, error)
}
CertificateLoader is a type that can load certificates. Certificates can optionally be associated with tags.
type ChainPreference ¶
type ChainPreference struct { // Prefer chains with the fewest number of bytes. Smallest *bool `json:"smallest,omitempty"` // Select first chain having a root with one of // these common names. RootCommonName []string `json:"root_common_name,omitempty"` // Select first chain that has any issuer with one // of these common names. AnyCommonName []string `json:"any_common_name,omitempty"` }
ChainPreference describes the client's preferred certificate chain, useful if the CA offers alternate chains. The first matching chain will be selected.
type ChallengesConfig ¶
type ChallengesConfig struct { // HTTP configures the ACME HTTP challenge. This // challenge is enabled and used automatically // and by default. HTTP *HTTPChallengeConfig `json:"http,omitempty"` // TLSALPN configures the ACME TLS-ALPN challenge. // This challenge is enabled and used automatically // and by default. TLSALPN *TLSALPNChallengeConfig `json:"tls-alpn,omitempty"` // Configures the ACME DNS challenge. Because this // challenge typically requires credentials for // interfacing with a DNS provider, this challenge is // not enabled by default. This is the only challenge // type which does not require a direct connection // to Caddy from an external server. // // NOTE: DNS providers are currently being upgraded, // and this API is subject to change, but should be // stabilized soon. DNS *DNSChallengeConfig `json:"dns,omitempty"` // Optionally customize the host to which a listener // is bound if required for solving a challenge. BindHost string `json:"bind_host,omitempty"` }
ChallengesConfig configures the ACME challenges.
type ClientAuthentication ¶
type ClientAuthentication struct { // A list of base64 DER-encoded CA certificates // against which to validate client certificates. // Client certs which are not signed by any of // these CAs will be rejected. TrustedCACerts []string `json:"trusted_ca_certs,omitempty"` // TrustedCACertPEMFiles is a list of PEM file names // from which to load certificates of trusted CAs. // Client certificates which are not signed by any of // these CA certificates will be rejected. TrustedCACertPEMFiles []string `json:"trusted_ca_certs_pem_files,omitempty"` // A list of base64 DER-encoded client leaf certs // to accept. If this list is not empty, client certs // which are not in this list will be rejected. TrustedLeafCerts []string `json:"trusted_leaf_certs,omitempty"` // The mode for authenticating the client. Allowed values are: // // Mode | Description // -----|--------------- // `request` | Ask clients for a certificate, but allow even if there isn't one; do not verify it // `require` | Require clients to present a certificate, but do not verify it // `verify_if_given` | Ask clients for a certificate; allow even if there isn't one, but verify it if there is // `require_and_verify` | Require clients to present a valid certificate that is verified // // The default mode is `require_and_verify` if any // TrustedCACerts or TrustedCACertPEMFiles or TrustedLeafCerts // are provided; otherwise, the default mode is `require`. Mode string `json:"mode,omitempty"` // contains filtered or unexported fields }
ClientAuthentication configures TLS client auth.
func (ClientAuthentication) Active ¶
func (clientauth ClientAuthentication) Active() bool
Active returns true if clientauth has an actionable configuration.
func (*ClientAuthentication) ConfigureTLSConfig ¶
func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) error
ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
type ConfigSetter ¶
ConfigSetter is implemented by certmagic.Issuers that need access to a parent certmagic.Config as part of their provisioning phase. For example, the ACMEIssuer requires a config so it can access storage and the cache to solve ACME challenges.
type ConnectionMatcher ¶
type ConnectionMatcher interface {
Match(*tls.ClientHelloInfo) bool
}
ConnectionMatcher is a type which matches TLS handshakes.
type ConnectionPolicies ¶
type ConnectionPolicies []*ConnectionPolicy
ConnectionPolicies govern the establishment of TLS connections. It is an ordered group of connection policies; the first matching policy will be used to configure TLS connections at handshake-time.
func (ConnectionPolicies) Provision ¶
func (cp ConnectionPolicies) Provision(ctx caddy.Context) error
Provision sets up each connection policy. It should be called during the Validate() phase, after the TLS app (if any) is already set up.
func (ConnectionPolicies) TLSConfig ¶
func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config
TLSConfig returns a standard-lib-compatible TLS configuration which selects the first matching policy based on the ClientHello.
type ConnectionPolicy ¶
type ConnectionPolicy struct { // How to match this policy with a TLS ClientHello. If // this policy is the first to match, it will be used. MatchersRaw caddy.ModuleMap `json:"match,omitempty" caddy:"namespace=tls.handshake_match"` // How to choose a certificate if more than one matched // the given ServerName (SNI) value. CertSelection *CustomCertSelectionPolicy `json:"certificate_selection,omitempty"` // The list of cipher suites to support. Caddy's // defaults are modern and secure. CipherSuites []string `json:"cipher_suites,omitempty"` // The list of elliptic curves to support. Caddy's // defaults are modern and secure. Curves []string `json:"curves,omitempty"` // Protocols to use for Application-Layer Protocol // Negotiation (ALPN) during the handshake. ALPN []string `json:"alpn,omitempty"` // Minimum TLS protocol version to allow. Default: `tls1.2` ProtocolMin string `json:"protocol_min,omitempty"` // Maximum TLS protocol version to allow. Default: `tls1.3` ProtocolMax string `json:"protocol_max,omitempty"` // Enables and configures TLS client authentication. ClientAuthentication *ClientAuthentication `json:"client_authentication,omitempty"` // DefaultSNI becomes the ServerName in a ClientHello if there // is no policy configured for the empty SNI value. DefaultSNI string `json:"default_sni,omitempty"` // contains filtered or unexported fields }
ConnectionPolicy specifies the logic for handling a TLS handshake. An empty policy is valid; safe and sensible defaults will be used.
func (ConnectionPolicy) SettingsEmpty ¶
func (p ConnectionPolicy) SettingsEmpty() bool
SettingsEmpty returns true if p's settings (fields except the matchers) are all empty/unset.
type CustomCertSelectionPolicy ¶
type CustomCertSelectionPolicy struct { // The certificate must have one of these serial numbers. SerialNumber []bigInt `json:"serial_number,omitempty"` // The certificate must have one of these organization names. SubjectOrganization []string `json:"subject_organization,omitempty"` // The certificate must use this public key algorithm. PublicKeyAlgorithm PublicKeyAlgorithm `json:"public_key_algorithm,omitempty"` // The certificate must have at least one of the tags in the list. AnyTag []string `json:"any_tag,omitempty"` // The certificate must have all of the tags in the list. AllTags []string `json:"all_tags,omitempty"` }
CustomCertSelectionPolicy represents a policy for selecting the certificate used to complete a handshake when there may be multiple options. All fields specified must match the candidate certificate for it to be chosen. This was needed to solve https://github.com/uptimerobot/caddy/issues/2588.
func (CustomCertSelectionPolicy) SelectCertificate ¶
func (p CustomCertSelectionPolicy) SelectCertificate(hello *tls.ClientHelloInfo, choices []certmagic.Certificate) (certmagic.Certificate, error)
SelectCertificate implements certmagic.CertificateSelector. It only chooses a certificate that at least meets the criteria in p. It then chooses the first non-expired certificate that is compatible with the client. If none are valid, it chooses the first viable candidate anyway.
type DNSChallengeConfig ¶
type DNSChallengeConfig struct { // The DNS provider module to use which will manage // the DNS records relevant to the ACME challenge. ProviderRaw json.RawMessage `json:"provider,omitempty" caddy:"namespace=dns.providers inline_key=name"` // The TTL of the TXT record used for the DNS challenge. TTL caddy.Duration `json:"ttl,omitempty"` // How long to wait for DNS record to propagate. PropagationTimeout caddy.Duration `json:"propagation_timeout,omitempty"` // Custom DNS resolvers to prefer over system/built-in defaults. // Often necessary to configure when using split-horizon DNS. Resolvers []string `json:"resolvers,omitempty"` // contains filtered or unexported fields }
DNSChallengeConfig configures the ACME DNS challenge.
NOTE: This API is still experimental and is subject to change.
type FileLoader ¶
type FileLoader []CertKeyFilePair
FileLoader loads certificates and their associated keys from disk.
func (FileLoader) CaddyModule ¶
func (FileLoader) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (FileLoader) LoadCertificates ¶
func (fl FileLoader) LoadCertificates() ([]Certificate, error)
LoadCertificates returns the certificates to be loaded by fl.
type FolderLoader ¶
type FolderLoader []string
FolderLoader loads certificates and their associated keys from disk by recursively walking the specified directories, looking for PEM files which contain both a certificate and a key.
func (FolderLoader) CaddyModule ¶
func (FolderLoader) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (FolderLoader) LoadCertificates ¶
func (fl FolderLoader) LoadCertificates() ([]Certificate, error)
LoadCertificates loads all the certificates+keys in the directories listed in fl from all files ending with .pem. This method of loading certificates expects the certificate and key to be bundled into the same file.
type HTTPChallengeConfig ¶
type HTTPChallengeConfig struct { // If true, the HTTP challenge will be disabled. Disabled bool `json:"disabled,omitempty"` // An alternate port on which to service this // challenge. Note that the HTTP challenge port is // hard-coded into the spec and cannot be changed, // so you would have to forward packets from the // standard HTTP challenge port to this one. AlternatePort int `json:"alternate_port,omitempty"` }
HTTPChallengeConfig configures the ACME HTTP challenge.
type InternalIssuer ¶
type InternalIssuer struct { // The ID of the CA to use for signing. The default // CA ID is "local". The CA can be configured with the // `pki` app. CA string `json:"ca,omitempty"` // The validity period of certificates. Lifetime caddy.Duration `json:"lifetime,omitempty"` // If true, the root will be the issuer instead of // the intermediate. This is NOT recommended and should // only be used when devices/clients do not properly // validate certificate chains. SignWithRoot bool `json:"sign_with_root,omitempty"` // contains filtered or unexported fields }
InternalIssuer is a certificate issuer that generates certificates internally using a locally-configured CA which can be customized using the `pki` app.
func (InternalIssuer) CaddyModule ¶
func (InternalIssuer) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (InternalIssuer) Issue ¶
func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error)
Issue issues a certificate to satisfy the CSR.
func (InternalIssuer) IssuerKey ¶
func (iss InternalIssuer) IssuerKey() string
IssuerKey returns the unique issuer key for the confgured CA endpoint.
func (*InternalIssuer) Provision ¶
func (iss *InternalIssuer) Provision(ctx caddy.Context) error
Provision sets up the issuer.
func (*InternalIssuer) UnmarshalCaddyfile ¶
func (iss *InternalIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
... internal { ca <name> }
type MatchServerName ¶
type MatchServerName []string
MatchServerName matches based on SNI. Names in this list may use left-most-label wildcards, similar to wildcard certificates.
func (MatchServerName) CaddyModule ¶
func (MatchServerName) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (MatchServerName) Match ¶
func (m MatchServerName) Match(hello *tls.ClientHelloInfo) bool
Match matches hello based on SNI.
type OnDemandConfig ¶
type OnDemandConfig struct { // An optional rate limit to throttle the // issuance of certificates from handshakes. RateLimit *RateLimit `json:"rate_limit,omitempty"` // If Caddy needs to obtain or renew a certificate // during a TLS handshake, it will perform a quick // HTTP request to this URL to check if it should be // allowed to try to get a certificate for the name // in the "domain" query string parameter, like so: // `?domain=example.com`. The endpoint must return a // 200 OK status if a certificate is allowed; // anything else will cause it to be denied. // Redirects are not followed. Ask string `json:"ask,omitempty"` }
OnDemandConfig configures on-demand TLS, for obtaining needed certificates at handshake-time. Because this feature can easily be abused, you should use this to establish rate limits and/or an internal endpoint that Caddy can "ask" if it should be allowed to manage certificates for a given hostname.
type PEMLoader ¶
type PEMLoader []CertKeyPEMPair
PEMLoader loads certificates and their associated keys by decoding their PEM blocks directly. This has the advantage of not needing to store them on disk at all.
func (PEMLoader) CaddyModule ¶
func (PEMLoader) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (PEMLoader) LoadCertificates ¶
func (pl PEMLoader) LoadCertificates() ([]Certificate, error)
LoadCertificates returns the certificates contained in pl.
type PublicKeyAlgorithm ¶
type PublicKeyAlgorithm x509.PublicKeyAlgorithm
PublicKeyAlgorithm is a JSON-unmarshalable wrapper type.
func (*PublicKeyAlgorithm) UnmarshalJSON ¶
func (a *PublicKeyAlgorithm) UnmarshalJSON(b []byte) error
UnmarshalJSON satisfies json.Unmarshaler.
type RateLimit ¶
type RateLimit struct { // A duration value. A certificate may be obtained 'burst' // times during this interval. Interval caddy.Duration `json:"interval,omitempty"` // How many times during an interval a certificate can be obtained. Burst int `json:"burst,omitempty"` }
RateLimit specifies an interval with optional burst size.
type STEKProvider ¶
type STEKProvider interface { // Initialize provides the STEK configuration to the STEK // module so that it can obtain and manage keys accordingly. // It returns the initial key(s) to use. Implementations can // rely on Next() being called if Initialize() returns // without error, so that it may know when it is done. Initialize(config *SessionTicketService) ([][32]byte, error) // Next returns the channel through which the next session // ticket keys will be transmitted until doneChan is closed. // Keys should be sent on keysChan as they are updated. // When doneChan is closed, any resources allocated in // Initialize() must be cleaned up. Next(doneChan <-chan struct{}) (keysChan <-chan [][32]byte) }
STEKProvider is a type that can provide session ticket ephemeral keys (STEKs).
type SessionTicketService ¶
type SessionTicketService struct { // KeySource is the method by which Caddy produces or obtains // TLS session ticket keys (STEKs). By default, Caddy generates // them internally using a secure pseudorandom source. KeySource json.RawMessage `json:"key_source,omitempty" caddy:"namespace=tls.stek inline_key=provider"` // How often Caddy rotates STEKs. Default: 12h. RotationInterval caddy.Duration `json:"rotation_interval,omitempty"` // The maximum number of keys to keep in rotation. Default: 4. MaxKeys int `json:"max_keys,omitempty"` // Disables STEK rotation. DisableRotation bool `json:"disable_rotation,omitempty"` // Disables TLS session resumption by tickets. Disabled bool `json:"disabled,omitempty"` // contains filtered or unexported fields }
SessionTicketService configures and manages TLS session tickets.
func (SessionTicketService) RotateSTEKs ¶
func (s SessionTicketService) RotateSTEKs(keys [][32]byte) ([][32]byte, error)
RotateSTEKs rotates the keys in keys by producing a new key and eliding the oldest one. The new slice of keys is returned.
type TLS ¶
type TLS struct { // Caches certificates in memory for quick use during // TLS handshakes. Each key is the name of a certificate // loader module. All loaded certificates get pooled // into the same cache and may be used to complete TLS // handshakes for the relevant server names (SNI). // Certificates loaded manually (anything other than // "automate") are not automatically managed and will // have to be refreshed manually before they expire. CertificatesRaw caddy.ModuleMap `json:"certificates,omitempty" caddy:"namespace=tls.certificates"` // Configures the automation of certificate management. Automation *AutomationConfig `json:"automation,omitempty"` // Configures session ticket ephemeral keys (STEKs). SessionTickets *SessionTicketService `json:"session_tickets,omitempty"` // Configures the in-memory certificate cache. Cache *CertCacheOptions `json:"cache,omitempty"` // contains filtered or unexported fields }
TLS provides TLS facilities including certificate loading and management, client auth, and more.
func (*TLS) AddAutomationPolicy ¶
func (t *TLS) AddAutomationPolicy(ap *AutomationPolicy) error
AddAutomationPolicy provisions and adds ap to the list of the app's automation policies. If an existing automation policy exists that has fewer hosts in its list than ap does, ap will be inserted before that other policy (this helps ensure that ap will be prioritized/chosen over, say, a catch-all policy).
func (*TLS) AllMatchingCertificates ¶
func (t *TLS) AllMatchingCertificates(san string) []certmagic.Certificate
AllMatchingCertificates returns the list of all certificates in the cache which could be used to satisfy the given SAN.
func (TLS) CaddyModule ¶
func (TLS) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (*TLS) HandleHTTPChallenge ¶
HandleHTTPChallenge ensures that the HTTP challenge is handled for the certificate named by r.Host, if it is an HTTP challenge request. It requires that the automation policy for r.Host has an issuer of type *certmagic.ACMEManager, or one that is ACME-enabled (GetACMEIssuer()).
func (*TLS) Manage ¶
Manage immediately begins managing names according to the matching automation policy.
type TLSALPNChallengeConfig ¶
type TLSALPNChallengeConfig struct { // If true, the TLS-ALPN challenge will be disabled. Disabled bool `json:"disabled,omitempty"` // An alternate port on which to service this // challenge. Note that the TLS-ALPN challenge port // is hard-coded into the spec and cannot be changed, // so you would have to forward packets from the // standard TLS-ALPN challenge port to this one. AlternatePort int `json:"alternate_port,omitempty"` }
TLSALPNChallengeConfig configures the ACME TLS-ALPN challenge.
type ZeroSSLIssuer ¶
type ZeroSSLIssuer struct { *ACMEIssuer // The API key (or "access key") for using the ZeroSSL API. APIKey string `json:"api_key,omitempty"` // contains filtered or unexported fields }
ZeroSSLIssuer makes an ACME manager for managing certificates using ACME.
func (*ZeroSSLIssuer) CaddyModule ¶
func (*ZeroSSLIssuer) CaddyModule() caddy.ModuleInfo
CaddyModule returns the Caddy module information.
func (*ZeroSSLIssuer) Issue ¶
func (iss *ZeroSSLIssuer) Issue(ctx context.Context, csr *x509.CertificateRequest) (*certmagic.IssuedCertificate, error)
Issue obtains a certificate for the given csr.
func (*ZeroSSLIssuer) IssuerKey ¶
func (iss *ZeroSSLIssuer) IssuerKey() string
IssuerKey returns the unique issuer key for the configured CA endpoint.
func (*ZeroSSLIssuer) Provision ¶
func (iss *ZeroSSLIssuer) Provision(ctx caddy.Context) error
Provision sets up iss.
func (*ZeroSSLIssuer) Revoke ¶
func (iss *ZeroSSLIssuer) Revoke(ctx context.Context, cert certmagic.CertificateResource, reason int) error
Revoke revokes the given certificate.
func (*ZeroSSLIssuer) UnmarshalCaddyfile ¶
func (iss *ZeroSSLIssuer) UnmarshalCaddyfile(d *caddyfile.Dispenser) error
UnmarshalCaddyfile deserializes Caddyfile tokens into iss.
... zerossl [<api_key>] { ... }
Any of the subdirectives for the ACME issuer can be used in the block.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package distributedstek provides TLS session ticket ephemeral keys (STEKs) in a distributed fashion by utilizing configured storage for locking and key sharing.
|
Package distributedstek provides TLS session ticket ephemeral keys (STEKs) in a distributed fashion by utilizing configured storage for locking and key sharing. |