From c209349cd2cdebd41c85c16fbca5c2fb44fe7a49 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sun, 4 Oct 2020 15:46:22 +0200
Subject: [PATCH] Set high rate limit for our domain; add rate-limits page

---
 gui/apply-boulder | 5 +-
 gui/main.go | 2 +-
 gui/templates/views/about.tmpl | 2 +-
 nginx.conf | 8 +++
 www/502.html | 2 +-
 www/rate-limits.html | 91 ++++++++++++++++++++++++++++++++++
 6 files changed, 106 insertions(+), 4 deletions(-)
 create mode 100644 www/rate-limits.html

diff --git a/gui/apply-boulder b/gui/apply-boulder
index 97bfeee..00f8473 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -27,6 +27,9 @@ fi
 if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]; then
 sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-a.json
 sed -i -e "s/^\(.*\)\(\"n_subject_common_name_included\"\)/\1\2,\n\1\"e_dnsname_not_valid_tld\"/" config/ca-b.json
+
+ sed -i -e "s/\( registrationOverrides:\)/ $PKI_LOCKDOWN_DOMAINS: 10000\n\1/" rate-limit-policies.yml
+ echo " $PKI_LOCKDOWN_DOMAINS: 10000" >> rate-limit-policies.yml
 fi

 if [ "$PKI_EXTENDED_TIMEOUT" == "1" ]; then
@@ -85,4 +88,4 @@ cp -p $PKI_ROOT_CERT_BASE.pem test-root.pem
 openssl rsa -in $PKI_ROOT_CERT_BASE.key -pubout > test-root.pubkey.pem
 openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in test-root.key -out test-root.p8

-chown -R `ls -l rate-limit-policies.yml | cut -d" " -f 3,4 | sed 's/ /:/g'` .
+chown -R `ls -l PKI.md | cut -d" " -f 3,4 | sed 's/ /:/g'` .
diff --git a/gui/main.go b/gui/main.go
index f6b1d9f..41da3db 100644
--- a/gui/main.go
+++ b/gui/main.go
@@ -2255,7 +2255,7 @@ func activeNav(active string, uri string, requestBase string) []navItem {
 Name: "Public Area",
 Icon: "fa-home",
 Attrs: map[template.HTMLAttr]string{
- "href": "/",
+ "href": "http://" + viper.GetString("labca.fqdn"),
 "title": "The non-Admin pages of this LabCA instance",
 },
 }
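Review bot: In the two lines added under the lockdown/whitelist branch, `$PKI_LOCKDOWN_DOMAINS` is interpolated raw into both a sed replacement and a YAML mapping key, and nothing stops the edit from being applied again on a re-run, so every invocation of apply-boulder inserts another `<domain>: 10000` line. A value containing `/`, `&` or `\` breaks the sed expression, and if the variable can hold more than one domain (the plural name suggests it, but its assignment is outside this hunk) the echoed line becomes an invalid key. Guard both edits with `if ! grep -qF " $PKI_LOCKDOWN_DOMAINS: 10000" rate-limit-policies.yml; then … fi` and, if several domains are possible, loop over them with `for d in $PKI_LOCKDOWN_DOMAINS; do … done`. A comment stating which rate-limit policies the sed insertion (the block before `registrationOverrides:`) and the appended line (the file's final block) are meant to override would help, since the target file is not visible here.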
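Review bot: The rewritten `chown -R` line still derives owner and group by parsing `ls -l` output with `cut` and `sed`, which depends on column layout and breaks on user or group names containing spaces; `chown -R "$(stat -c '%U:%G' PKI.md)" .` asks for the same information directly. Switching the reference file from rate-limit-policies.yml to PKI.md is presumably needed because that file is now rewritten by `sed -i` earlier in this script, but a short comment stating why PKI.md is the ownership reference would save the next reader that inference.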
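Review bot: The new `href` hard-codes the `http://` scheme and does not check that `labca.fqdn` is set, so an empty config value yields the broken link `http://`, and if the admin GUI is served over TLS the user is sent to a plaintext URL for the public area. A scheme-relative value keeps whatever scheme the admin page was loaded with, `"href": "//" + viper.GetString("labca.fqdn"),`, and falling back to the previous `"/"` when the setting is empty preserves the old behaviour. The attribute value is still contextually escaped by html/template, so the config value itself is not an injection concern. The enclosing function activeNav starts outside the hunk.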
diff --git a/gui/templates/views/about.tmpl b/gui/templates/views/about.tmpl
index 394b8c0..758be9d 100644
--- a/gui/templates/views/about.tmpl
+++ b/gui/templates/views/about.tmpl
@@ -17,7 +17,7 @@

Also if you are developing your own client application or integrating one into your own application, a local test ACME can be very handy. There is a lot of information on the internet about setting up your own PKI (Public Key Infrastructure) but those are usually not automated.

-

Getting Boulder up and running has quite a learning curve though and that is where LabCA comes in. It is a self-contained installation with a nice web GUI built on top of Boulder so you can quickly start using it. All regular management tasks can be done from the web interface. It is best installed in a Virtual Machine and uses Debian Linux as a base.

+

Getting Boulder up and running has quite a learning curve though and that is where LabCA comes in. It is a self-contained installation with a nice web GUI built on top of Boulder so you can quickly start using it. All regular management tasks can be done from the web interface. It is best installed in a Virtual Machine and uses Debian Linux as a base.

NOTE: although LabCA tries to be as robust as possible, use it at your own risk. If you depend on it, make sure that you know what you are doing!

{{ end }} diff --git a/nginx.conf b/nginx.conf index 6cf37f4..7408689 100644 --- a/nginx.conf +++ b/nginx.conf @@ -23,6 +23,10 @@ server { proxy_pass http://127.0.0.1:4002/; } + location /rate-limits { + try_files $uri $uri.html $uri/ =404; + } + location /terms/ { try_files $uri $uri.html $uri/ =404; } @@ -77,6 +81,10 @@ server { proxy_pass http://127.0.0.1:4002/; } + location /rate-limits { + try_files $uri $uri.html $uri/ =404; + } + location /terms/ { try_files $uri $uri.html $uri/ =404; } diff --git a/www/502.html b/www/502.html index a8af721..2c3e5ff 100644 --- a/www/502.html +++ b/www/502.html @@ -118,7 +118,7 @@ diff --git a/www/rate-limits.html b/www/rate-limits.html new file mode 100644 index 0000000..164c69a --- /dev/null +++ b/www/rate-limits.html @@ -0,0 +1,91 @@ + + + + + + + + + + + LabCA + + + + + + + + + +
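Review bot: `location /rate-limits` in the added block (and its duplicate in the second server block at `@@ -77,6 +81,10 @@`) is a prefix match, so any URI starting with `/rate-limits` is routed through this `try_files`, whereas the existing `/terms/` block at least requires the trailing slash. Since the target is a single static file, an exact match is tighter and skips the directory probe: `location = /rate-limits { try_files $uri.html =404; }`. With the same three-line block now repeated in both server blocks, moving it (together with the `/terms/` block) into a shared snippet pulled in with `include` would keep the two from drifting apart.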
+ + +
+
+
+

Rate Limits

+ +

+ It is unlikely that you hit the rate limit mechanism for your selected domain, as it is set to allow 10,000 certificates in LabCA. +

+

+ If your LabCA instance is set up to (also) allow official domains (not recommended), then for the other domains the main limit is + Certificates per Registered Domain: 5 per 24 hours. As per the + Let's Encrypt™ rate limits page , + a registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, + in the name www.example.com, the registered domain is example.com. + In new.blog.example.co.uk, the registered domain is example.co.uk. +

+

+ The other limit is the Duplicate Certificate limit of 2 per 90 days. This applies to renewals when the old dertificate + is still valid. +

+

+ Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been + consumed. +

+
+
+
+
+ + + + + + + +
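Review bot: The new page has a typo in the Duplicate Certificate paragraph, `dertificate` should be `certificate`, and the opening paragraph gives the 10,000-certificate figure without the time window it applies to, which is what a reader comparing it with the other limits needs. That figure and the `5 per 24 hours` and `2 per 90 days` values presumably mirror rate-limit-policies.yml (not visible in this diff); a short HTML comment at the top of the page noting that these numbers must be kept in sync with that file would prevent silent drift when the policy changes. The first sentence would also read better as `It is unlikely that you will hit the rate limit mechanism…`.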