pages/pages-server
1
0
Fork 0
mirror of https://codeberg.org/Codeberg/pages-server.git synced 2025-04-24 22:06:57 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added TokenBucket to limit the rate of validation failures. Partially addresses #149.

Browse source
This commit is contained in:
fsologureng 2023-01-03 20:52:07 -03:00
parent 9d769aeee7
commit 8e4748dce8
No known key found for this signature in database
GPG key ID: 312CA39E9416F6A8
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
server/certificates/certificates.go
View file

@ -163,6 +163,9 @@ var acmeClientOrderLimit = equalizer.NewTokenBucket(25, 15*time.Minute)
// rate limit is 20 / second, we want 5 / second (especially as one cert takes at least two requests) // rate limit is 20 / second, we want 5 / second (especially as one cert takes at least two requests)
var acmeClientRequestLimit = equalizer.NewTokenBucket(5, 1*time.Second) var acmeClientRequestLimit = equalizer.NewTokenBucket(5, 1*time.Second)
// rate limit is 5 / hour https://letsencrypt.org/docs/failed-validation-limit/
var acmeClientFailLimit = equalizer.NewTokenBucket(5, 1*time.Hour)
type AcmeTLSChallengeProvider struct { type AcmeTLSChallengeProvider struct {
challengeCache cache.SetGetKey challengeCache cache.SetGetKey
} }
@ -278,6 +281,9 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
res, err = acmeClient.Certificate.Renew(*renew, true, false, "") res, err = acmeClient.Certificate.Renew(*renew, true, false, "")
if err != nil { if err != nil {
log.Error().Err(err).Msgf("Couldn't renew certificate for %v, trying to request a new one", domains) log.Error().Err(err).Msgf("Couldn't renew certificate for %v, trying to request a new one", domains)
if acmeUseRateLimits {
acmeClientFailLimit.Take()
}
res = nil res = nil
} }
} }
@ -298,6 +304,9 @@ func obtainCert(acmeClient *lego.Client, domains []string, renew *certificate.Re
Bundle: true, Bundle: true,
MustStaple: false, MustStaple: false,
}) })
if acmeUseRateLimits && err != nil {
acmeClientFailLimit.Take()
}
} }
if err != nil { if err != nil {
log.Error().Err(err).Msgf("Couldn't obtain again a certificate or %v", domains) log.Error().Err(err).Msgf("Couldn't obtain again a certificate or %v", domains)