
Evict unused unmanaged certs from cache on reload

This commit is contained in:
Simon Ser 2023-11-20 15:40:42 +01:00
parent bbdaec6b98
commit 37aeff9b6d

@ -48,6 +48,7 @@ type Server struct {
acmeCache *acmeCache acmeCache *acmeCache
cancelACME context.CancelFunc cancelACME context.CancelFunc
unmanagedHashes []string
} }
func NewServer() *Server { func NewServer() *Server {
@ -92,10 +93,11 @@ func (srv *Server) startACME() error {
srv.acmeCache.config.Store(srv.ACMEConfig) srv.acmeCache.config.Store(srv.ACMEConfig)
for _, cert := range srv.UnmanagedCerts { for _, cert := range srv.UnmanagedCerts {
_, err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(ctx, cert, nil) hash, err := srv.ACMEConfig.CacheUnmanagedTLSCertificate(ctx, cert, nil)
if err != nil { if err != nil {
return fmt.Errorf("failed to cache unmanaged TLS certificate: %v", err) return fmt.Errorf("failed to cache unmanaged TLS certificate: %v", err)
} }
srv.unmanagedHashes = append(srv.unmanagedHashes, hash)
} }
if err := srv.ACMEConfig.ManageAsync(ctx, srv.ManagedNames); err != nil { if err := srv.ACMEConfig.ManageAsync(ctx, srv.ManagedNames); err != nil {
@ -183,7 +185,18 @@ func (srv *Server) Replace(old *Server) error {
} }
srv.acmeCache.cache.RemoveManaged(removeManaged) srv.acmeCache.cache.RemoveManaged(removeManaged)
// TODO: evict unused unmanaged certs from the cache // Cleanup unmanaged certs which are no longer used
unmanaged := make(map[string]struct{}, len(srv.unmanagedHashes))
for _, hash := range srv.unmanagedHashes {
unmanaged[hash] = struct{}{}
}
removeUnmanaged := make([]string, 0, len(old.unmanagedHashes))
for _, hash := range old.unmanagedHashes {
if _, ok := unmanaged[hash]; !ok {
removeUnmanaged = append(removeUnmanaged, hash)
}
}
srv.acmeCache.cache.Remove(removeUnmanaged)
return nil return nil
} }
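Review bot: The eviction in Replace assumes srv.unmanagedHashes is already populated, i.e. that startACME has run on the new server before Replace is called; if the order is the reverse, the map built from srv.unmanagedHashes is empty and every one of old.unmanagedHashes is removed from the cache before the new certs are cached again, so the ordering (decided outside this hunk) deserves a comment at the top of the cleanup, e.g. `// Requires startACME to have run on srv so unmanagedHashes is complete.` The append in startACME (second hunk) never resets the slice, so if startACME can run more than once on the same Server, stale hashes accumulate and keep otherwise-unused certs alive; `srv.unmanagedHashes = srv.unmanagedHashes[:0]` before the loop would make it idempotent. The new field in the first hunk has no comment; suggest `// unmanagedHashes holds the cache keys of the UnmanagedCerts cached by startACME, so Replace can evict the ones no longer configured.` Replace begins before this hunk.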