tls: Make the on-demand rate limiter actually work

This required a custom rate limiter implementation in CertMagic
2024-11-22 12:08:28 +08:00 · 2019-10-21 12:03:51 -06:00 · 2019-10-21 12:03:51 -06:00 · faf67b1067
commit faf67b1067
parent 208f2ff93c
4 changed files with 13 additions and 19 deletions
--- a/go.mod
+++ b/go.mod
@ -14,7 +14,7 @@ require (
 	github.com/klauspost/compress v1.8.6
 	github.com/klauspost/cpuid v1.2.1
 	github.com/lucas-clemente/quic-go v0.12.1
-	github.com/mholt/certmagic v0.8.0
+	github.com/mholt/certmagic v0.8.3
 	github.com/muhammadmuzzammil1998/jsonc v0.0.0-20190906142622-1265e9b150c6
 	github.com/rs/cors v1.7.0
 	github.com/russross/blackfriday/v2 v2.0.1
--- a/go.sum
+++ b/go.sum
@ -172,8 +172,8 @@ github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzp
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-tty v0.0.0-20180219170247-931426f7535a/go.mod h1:XPvLUNfbS4fJH25nqRHfWLMa1ONC8Amw+mIA639KxkE=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mholt/certmagic v0.8.0 h1:WEQhZ4+ySd2cQz0Gf1iEk6xsUaEmmHe10SZiiKd7BdY=
-github.com/mholt/certmagic v0.8.0/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaRaOZi6aQ=
+github.com/mholt/certmagic v0.8.3 h1:JOUiX9IAZbbgyjNP2GY6v/6lorH+9GkZsc7ktMpGCSo=
+github.com/mholt/certmagic v0.8.3/go.mod h1:91uJzK5K8IWtYQqTi5R2tsxV1pCde+wdGfaRaOZi6aQ=
 github.com/miekg/dns v1.1.15 h1:CSSIDtllwGLMoA6zjdKnaE6Tx6eVUxQ29LUgGetiDCI=
 github.com/miekg/dns v1.1.15/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@ -138,14 +138,10 @@ func (m *ACMEManagerMaker) makeCertMagicConfig(ctx caddy.Context) certmagic.Conf
 							return err
 						}
 					}
-					// check the rate limiter last, since
-					// even checking consumes a token; so
-					// don't even bother checking if the
-					// other regulations fail anyway
-					if onDemand.RateLimit != nil {
-						if !onDemandRateLimiter.Allow() {
-							return fmt.Errorf("on-demand rate limit exceeded")
-						}
+					// check the rate limiter last because
+					// doing so makes a reservation
+					if !onDemandRateLimiter.Allow() {
+						return fmt.Errorf("on-demand rate limit exceeded")
 					}
 				}
 				return nil
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@ -26,7 +26,6 @@ import (
 	"github.com/caddyserver/caddy/v2"
 	"github.com/go-acme/lego/v3/challenge"
 	"github.com/mholt/certmagic"
-	"golang.org/x/time/rate"
 )

 func init() {
@ -104,13 +103,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {

 	// on-demand rate limiting
 	if t.Automation != nil && t.Automation.OnDemand != nil && t.Automation.OnDemand.RateLimit != nil {
-		limit := rate.Every(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
-		onDemandRateLimiter.SetLimit(limit)
-		onDemandRateLimiter.SetBurst(t.Automation.OnDemand.RateLimit.Burst)
+		onDemandRateLimiter.SetMaxEvents(t.Automation.OnDemand.RateLimit.Burst)
+		onDemandRateLimiter.SetWindow(time.Duration(t.Automation.OnDemand.RateLimit.Interval))
 	} else {
-		// if no rate limit is specified, be sure to remove any existing limit
-		onDemandRateLimiter.SetLimit(0)
-		onDemandRateLimiter.SetBurst(0)
+		// remove any existing rate limiter
+		onDemandRateLimiter.SetMaxEvents(0)
+		onDemandRateLimiter.SetWindow(0)
 	}

 	// load manual/static (unmanaged) certificates - we do this in
@ -384,7 +382,7 @@ type ManagerMaker interface {

 // These perpetual values are used for on-demand TLS.
 var (
-	onDemandRateLimiter = rate.NewLimiter(0, 1)
+	onDemandRateLimiter = certmagic.NewRateLimiter(0, 0)
 	onDemandAskClient   = &http.Client{
 		Timeout: 10 * time.Second,
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {