diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go
index a29dbd0..4d604f4 100644
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -16,19 +16,26 @@ var (
 	}, []string{labelPath})
 
 	responseStatus = prometheus.NewCounterVec(prometheus.CounterOpts{
-		Name: "response_status",
+		Name: "http_response_status",
 		Help: "Status of HTTP response",
 	}, []string{labelPath, labelStatus})
 
 	httpDuration = prometheus.NewHistogramVec(prometheus.HistogramOpts{
 		Name: "http_response_time_seconds",
 		Help: "Duration of HTTP requests.",
-		Buckets: prometheus.DefBuckets,
+		Buckets: prometheus.ExponentialBuckets(0.0001, 2, 10),
 	}, []string{labelPath})
+
+	CrlEntries = prometheus.NewGauge(prometheus.GaugeOpts{
+		Namespace: "ocspcrl",
+		Name: "crl_entries_total",
+		Help: "Number of entries in the CRL",
+	})
 )
 
 func init() {
 	prometheus.MustRegister(totalRequests)
 	prometheus.MustRegister(responseStatus)
 	prometheus.MustRegister(httpDuration)
+	prometheus.MustRegister(CrlEntries)
 }
diff --git a/internal/ocsp_source/source.go b/internal/ocsp_source/source.go
index daac7e6..b667e51 100644
--- a/internal/ocsp_source/source.go
+++ b/internal/ocsp_source/source.go
@@ -6,6 +6,7 @@ import (
 	"crypto/x509"
 	"math/big"
 	"net/http"
+	"sync"
 	"time"
 
 	"golang.org/x/crypto/ocsp"
@@ -16,6 +17,7 @@ type CrlSource struct {
 	responderCertificate *x509.Certificate
 	responderKey crypto.Signer
 	crl *x509.RevocationList
+	crlMutex sync.Mutex
 }
 
 func NewCrlSource(caCertificate *x509.Certificate, responderKeyPair tls.Certificate) *CrlSource {
@@ -26,8 +28,10 @@ func NewCrlSource(caCertificate *x509.Certificate, responderKeyPair tls.Certific
 	}
 }
 
-func (source *CrlSource) UseCrl(crl *x509.RevocationList) {
-	source.crl = crl
+func (source *CrlSource) UseCrl(crl x509.RevocationList) {
+	source.crlMutex.Lock()
+	defer source.crlMutex.Unlock()
+	source.crl = &crl
 }
 
 func (source *CrlSource) Response(request *ocsp.Request) ([]byte, http.Header, error) {
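Review bot: The new CrlEntries gauge is named `crl_entries_total`, but the `_total` suffix is reserved by Prometheus naming conventions for counters and promlint flags it on a gauge; `Name: "crl_entries"` reads correctly for a value that can go down after a CRL reload. It is also the only metric in the block with a `Namespace`, so it is exported as `ocspcrl_crl_entries_total` while the HTTP metrics stay unprefixed; either namespace all of them or none. Separately, `prometheus.ExponentialBuckets(0.0001, 2, 10)` tops out at 0.0512 s, so any request slower than about 51 ms lands in the +Inf bucket and tail latency becomes invisible in the histogram; widen the range (more buckets or a larger factor) unless responses are known to always be that fast.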
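Review bot: crlMutex is only taken in UseCrl; Response, whose signature is the hunk's last context line and whose body lies outside the hunk, reads source.crl and must take the same lock (or snapshot the pointer under it, `source.crlMutex.Lock(); crl := source.crl; source.crlMutex.Unlock()`), otherwise the data race the mutex was added for remains and `go test -race` will still report it. Passing the RevocationList by value and storing `&crl` makes a shallow copy: Raw and RevokedCertificateEntries still share backing arrays with the caller's value, so the caller must not mutate it afterwards and that contract should be stated. The method has no doc comment; suggest `// UseCrl replaces the CRL consulted by Response. It is safe for concurrent use; the caller must not modify crl after the call.`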
diff --git a/main.go b/main.go
index 22a9645..7de0b68 100644
--- a/main.go
+++ b/main.go
@@ -91,7 +91,8 @@ func main() {
 	if loadCrlError != nil {
 		log.Fatalf("failed to load crl: %v", loadCrlError)
 	}
-	source.UseCrl(crl)
+	metrics.CrlEntries.Set(float64(len(crl.RevokedCertificateEntries)))
+	source.UseCrl(*crl)
 
 	signalChan := make(chan os.Signal, 1)
 	signal.Notify(signalChan, os.Interrupt, syscall.SIGTERM)
@@ -102,6 +103,10 @@ func main() {
 		w.Header().Set("Content-Type", "application/pkix-crl")
 		w.Write(crl.Raw)
 	})
+	applicationRouter.HandleFunc("/crl.pem", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/pkix-crl")
+		pem.Encode(w, &pem.Block{Type: "X509 CRL", Bytes: crl.Raw})
+	})
 
 	applicationServer := &http.Server{Addr: config.applicationListenAddress, Handler: metrics.Middleware(applicationRouter)}
 	metricsSever := &http.Server{Addr: config.metricsListenAddress, Handler: promhttp.Handler()}
@@ -109,14 +114,14 @@ func main() {
 	applicationServerClosed := make(chan any)
 	metricsServerClosed := make(chan any)
 	go func() {
-		log.Printf("starting application server on %s", config.applicationListenAddress)
+		log.Printf("starting application server on %+q", config.applicationListenAddress)
 		if listenError := applicationServer.ListenAndServe(); listenError != nil {
 			log.Printf("application error: %v", listenError)
 		}
 		close(applicationServerClosed)
 	}()
 	go func() {
-		log.Printf("starting metrics server on %s", config.metricsListenAddress)
+		log.Printf("starting metrics server on %+q", config.metricsListenAddress)
 		if listenError := metricsSever.ListenAndServe(); listenError != nil {
 			log.Printf("metrics error: %v", listenError)
 		}
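Review bot: The new `/crl.pem` handler sends a PEM body with `Content-Type: application/pkix-crl`, which RFC 2585 registers for the DER encoding; PEM output is conventionally served as `application/x-pem-file` (or `text/plain`), and a client that picks its parser from the media type will misread this response. The error from `pem.Encode` is discarded, and the call needs `encoding/pem` in main.go's import block, which lies outside the diff — confirm it is there. Both this handler and the existing one above it close over the `crl` value loaded at startup, so if the CRL is ever reloaded through UseCrl these endpoints would keep serving the stale list to relying parties; if such a reload path exists, they should read the current CRL from `source` under its lock instead. The enclosing main() starts and ends outside the hunk.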