homelab/traefik
1
0
Fork 0
Code Activity

Allow configuration of ACME provider http timeout

Browse source
This commit is contained in:
Tom Wiesing 2025-04-28 14:30:06 +02:00 committed by GitHub
parent 8f37c8f0c5
commit dddb68cd5f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 140 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

13
pkg/provider/acme/provider.go
View file

@ -50,6 +50,9 @@ type Configuration struct {
EAB *EAB `description:"External Account Binding to use." json:"eab,omitempty" toml:"eab,omitempty" yaml:"eab,omitempty"`
CertificatesDuration int `description:"Certificates' duration in hours." json:"certificatesDuration,omitempty" toml:"certificatesDuration,omitempty" yaml:"certificatesDuration,omitempty" export:"true"`
ClientTimeout ptypes.Duration `description:"Timeout for a complete HTTP transaction with the ACME server." json:"clientTimeout,omitempty" toml:"clientTimeout,omitempty" yaml:"clientTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
ClientResponseHeaderTimeout ptypes.Duration `description:"Timeout for receiving the response headers when communicating with the ACME server." json:"clientResponseHeaderTimeout,omitempty" toml:"clientResponseHeaderTimeout,omitempty" yaml:"clientResponseHeaderTimeout,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
CACertificates []string `description:"Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caCertificates,omitempty" toml:"caCertificates,omitempty" yaml:"caCertificates,omitempty"`
CASystemCertPool bool `description:"Define if the certificates pool must use a copy of the system cert pool." json:"caSystemCertPool,omitempty" toml:"caSystemCertPool,omitempty" yaml:"caSystemCertPool,omitempty" export:"true"`
CAServerName string `description:"Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list." json:"caServerName,omitempty" toml:"caServerName,omitempty" yaml:"caServerName,omitempty" export:"true"`
@ -65,6 +68,8 @@ func (a *Configuration) SetDefaults() {
a.Storage = "acme.json"
a.KeyType = "RSA4096"
a.CertificatesDuration = 3 * 30 * 24 // 90 Days
a.ClientTimeout = ptypes.Duration(2 * time.Minute)
a.ClientResponseHeaderTimeout = ptypes.Duration(30 * time.Second)
}
// CertAndStore allows mapping a TLS certificate to a TLS store.
@ -164,6 +169,10 @@ func (p *Provider) Init() error {
return errors.New("cannot manage certificates with duration lower than 1 hour")
}
if p.ClientTimeout < p.ClientResponseHeaderTimeout {
return errors.New("clientTimeout must be at least clientResponseHeaderTimeout")
}
var err error
p.account, err = p.Store.GetAccount(p.ResolverName)
if err != nil {
@ -379,7 +388,7 @@ func (p *Provider) createHTTPClient() (*http.Client, error) {
}
return &http.Client{
Timeout: 2 * time.Minute,
Timeout: time.Duration(p.ClientTimeout),
Transport: &http.Transport{
Proxy: http.ProxyFromEnvironment,
DialContext: (&net.Dialer{
@ -387,7 +396,7 @@ func (p *Provider) createHTTPClient() (*http.Client, error) {
KeepAlive: 30 * time.Second,
}).DialContext,
TLSHandshakeTimeout: 30 * time.Second,
ResponseHeaderTimeout: 30 * time.Second,
ResponseHeaderTimeout: time.Duration(p.ClientResponseHeaderTimeout),
TLSClientConfig: tlsConfig,
},
}, nil