Use hashicorp's LRU cache for DNS & certificates

DNS caching is also limited to 30 seconds now instead of 5 minutes
2025-04-19 11:36:57 +00:00 · 2024-04-16 22:22:09 +02:00 · 2024-04-16 22:22:09 +02:00 · 18d09a163c
commit 18d09a163c
parent 7694deec83
8 changed files with 49 additions and 36 deletions
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@ -6,12 +6,11 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"github.com/hashicorp/golang-lru/v2"
 	"strconv"
 	"strings"
 	"time"

-	"github.com/OrlovEvgeny/go-mcache"
-
 	"github.com/go-acme/lego/v4/certcrypto"
 	"github.com/go-acme/lego/v4/certificate"
 	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
@ -28,12 +27,14 @@ import (

 var ErrUserRateLimitExceeded = errors.New("rate limit exceeded: 10 certificates per user per 24 hours")

+var keyCache *lru.Cache[string, tls.Certificate]
+
 // TLSConfig returns the configuration for generating, serving and cleaning up Let's Encrypt certificates.
 func TLSConfig(mainDomainSuffix string,
 	giteaClient *gitea.Client,
 	acmeClient *AcmeClient,
 	firstDefaultBranch string,
-	keyCache *mcache.CacheDriver, challengeCache cache.ICache, dnsLookupCache *mcache.CacheDriver, canonicalDomainCache cache.ICache,
+	challengeCache cache.ICache, canonicalDomainCache cache.ICache,
 	certDB database.CertDB,
 	noDNS01 bool,
 	rawDomain string,
@ -88,7 +89,7 @@ func TLSConfig(mainDomainSuffix string,
 				}
 			} else {
 				var targetRepo, targetBranch string
-				targetOwner, targetRepo, targetBranch = dnsutils.GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch, dnsLookupCache)
+				targetOwner, targetRepo, targetBranch = dnsutils.GetTargetFromDNS(domain, mainDomainSuffix, firstDefaultBranch)
 				if targetOwner == "" {
 					// DNS not set up, return main certificate to redirect to the docs
 					domain = mainDomainSuffix
@ -107,9 +108,17 @@ func TLSConfig(mainDomainSuffix string,
 				}
 			}

+			if keyCache == nil {
+				var err error
+				keyCache, err = lru.New[string, tls.Certificate](4096)
+				if err != nil {
+					panic(err) // This should only happen if 4096 < 0 at the time of writing, which should be reason enough to panic.
+				}
+			}
+
 			if tlsCertificate, ok := keyCache.Get(domain); ok {
 				// we can use an existing certificate object
-				return tlsCertificate.(*tls.Certificate), nil
+				return &tlsCertificate, nil
 			}

 			var tlsCertificate *tls.Certificate
@ -134,9 +143,7 @@ func TLSConfig(mainDomainSuffix string,
 				}
 			}

-			if err := keyCache.Set(domain, tlsCertificate, 15*time.Minute); err != nil {
-				return nil, err
-			}
+			keyCache.Add(domain, *tlsCertificate)
 			return tlsCertificate, nil
 		},
 		NextProtos: []string{