Certmagic Storage Backend for Alibaba Cloud OSS
This library allows you to use Alibaba Cloud OSS as the key/certificate storage backend for your Certmagic-enabled HTTPS server. To protect the private keys stored in the bucket, client-side encryption is available.
Usage
Caddy
In this section we create a Caddy config that uses the OSS storage module.
Getting started with Caddyfile
- Create a Caddyfile:
{
storage oss {
bucket-name your-bucket-name
region your-oss-region
endpoint your-oss-endpoint
access-key-id your-access-key-id
access-key-secret your-access-key-secret
}
}
localhost
acme_server
respond "Hello Caddy Storage OSS!"
NOTE: See https://www.alibabacloud.com/help/zh/oss/regions-and-endpoints for OSS Region & Endpoint parameters.
- Start caddy
$ xcaddy run
- Check that it works
$ open https://localhost
Getting started with JSON config
Create a JSON config file with the following content:
{
…
"storage": {
"module": "oss",
"bucket-name": "your-bucket-name",
"region": "your-oss-region",
"endpoint": "your-oss-endpoint",
"access-key-id": "your-access-key-id",
"access-key-secret": "your-access-key-secret"
},
…
}
Client Side Encryption
This module supports client-side encryption using Google Tink, which provides a simple way to choose the encryption algorithm and to handle key rotation. To get started:
- Install tinkey
- Create a key set
$ tinkey create-keyset --key-template AES128_GCM_RAW --out keyset.json
Here is an example keyset.json:
{
"primaryKeyId": 1818673287,
"key": [
{
"keyData": {
"typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
"value": "GhDEQ/4v72esAv3rbwZyS+ls",
"keyMaterialType": "SYMMETRIC"
},
"status": "ENABLED",
"keyId": 1818673287,
"outputPrefixType": "RAW"
}
]
}
- Start caddy with the following Caddyfile config
{
storage oss {
bucket-name your-bucket-name
region your-oss-region
endpoint your-oss-endpoint
access-key-id your-access-key-id
access-key-secret your-access-key-secret
encryption-key-set ./keyset.json
}
}
localhost
acme_server
respond "Hello Caddy Storage OSS!"
- Start caddy
$ xcaddy run
$ # to rotate the key-set
$ tinkey rotate-keyset --in keyset.json --key-template AES128_GCM_RAW
Client Side Encryption with JSON config
- Follow steps 1-2 from above to install tinkey and create a keyset.json file
- Create a JSON config file with the following content:
{
…
"storage": {
"module": "oss",
"bucket-name": "your-bucket-name",
"region": "your-oss-region",
"endpoint": "your-oss-endpoint",
"access-key-id": "your-access-key-id",
"access-key-secret": "your-access-key-secret",
"encryption-key-set": "./keyset.json"
},
…
}
- Start caddy
$ xcaddy run
- To rotate the key-set
$ tinkey rotate-keyset --in keyset.json --key-template AES128_GCM_RAW
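As an added illustration that is not the module's or Tink's own code, the Go program below shows what an AES128_GCM_RAW keyset like the one above means for stored certificates: it reads the keyset.json fields, extracts the raw key from keyData.value, seals new writes with the primary key and, on read, tries every ENABLED key, which is why `tinkey rotate-keyset` keeps previously stored certificates readable while an instance still holding the pre-rotation keyset cannot read blobs sealed with the new primary. The AesGcmKey proto layout of keyData.value and the RAW blob layout (12-byte nonce || ciphertext || tag) are assumptions about Tink's format, not something this README states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)

// Keyset mirrors keyset.json; encoding/json matches field names case-insensitively.
type Keyset struct {
	PrimaryKeyID uint32
	Key          []struct {
		KeyData struct{ Value string }
		Status  string
		KeyID   uint32
	}
}

// AEAD builds AES-128-GCM from keyData.value, a serialized AesGcmKey proto:
// tag 0x1a, length 0x10, then the 16-byte key, as AES128_GCM_RAW produces.
func AEAD(value string) (cipher.AEAD, error) {
	b, err := base64.StdEncoding.DecodeString(value)
	if err != nil || len(b) != 18 || b[0] != 0x1a || b[1] != 16 {
		return nil, errors.New("value is not an AES128_GCM_RAW AesGcmKey")
	}
	block, _ := aes.NewCipher(b[2:]) // 16-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// Primary is the key new writes use; after rotate-keyset it is the added key.
func Primary(ks Keyset) (cipher.AEAD, error) {
	for _, k := range ks.Key {
		if k.KeyID == ks.PrimaryKeyID && k.Status == "ENABLED" {
			return AEAD(k.KeyData.Value)
		}
	}
	return nil, errors.New("keyset has no enabled primary key")
}

// Open tries every ENABLED key (a RAW blob names no key id), so blobs sealed before a rotation stay readable.
func Open(ks Keyset, ct []byte) ([]byte, error) {
	for _, k := range ks.Key {
		g, err := AEAD(k.KeyData.Value)
		if err != nil || k.Status != "ENABLED" || len(ct) < g.NonceSize() {
			continue
		}
		if pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("no enabled key opens this blob")
}
```

Note that tinkey writes keyset.json in cleartext as shown above, so the file needs the same protection as a private key; a rotated keyset must also reach every instance before new writes happen, or instances with the old file cannot read certificates stored by the others.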
CertMagic
- Add the package:
go get github.com/aUsernameWoW/certmagic-oss
- Create a certmagicoss.NewStorage with a certmagicoss.Config and, optionally, register it as the default storage:
package main

import (
	"context"
	"log"

	certmagicoss "github.com/aUsernameWoW/certmagic-oss/storage"
	"github.com/caddyserver/certmagic"
)

func main() {
	bucket := "my-example-bucket"
	region := "your-oss-region"
	endpoint := "your-oss-endpoint"
	accessKeyID := "your-access-key-id"
	accessKeySecret := "your-access-key-secret"

	oss, err := certmagicoss.NewStorage(
		context.Background(),
		certmagicoss.Config{
			BucketName:      bucket,
			Region:          region,
			Endpoint:        endpoint,
			AccessKeyID:     accessKeyID,
			AccessKeySecret: accessKeySecret,
		},
	)
	if err != nil { // a misconfigured bucket or credential should fail here, not at first certificate write
		log.Fatalf("creating OSS storage: %v", err)
	}
	// Optionally, register as default storage.
	certmagic.Default.Storage = oss
}
Building Caddy with this module
To build Caddy with this module, you can use xcaddy:
- Install xcaddy if you haven't already:
go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
- Build Caddy with the certmagic-oss module:
xcaddy build --with github.com/aUsernameWoW/certmagic-oss
- If you want to specify a specific version or commit:
xcaddy build --with github.com/aUsernameWoW/certmagic-oss@v1.0.0
# or
xcaddy build --with github.com/aUsernameWoW/certmagic-oss@main
- You can also build with other modules:
xcaddy build \
--with github.com/aUsernameWoW/certmagic-oss \
--with github.com/caddyserver/nginx-adapter
Credits
This project was written entirely by Qwen Coder. During the coding process, Qwen Coder was inspired by the project certmagic-gcs. We would like to thank them for their high-quality code and Qwen Coder for their dedication.
License
This module is distributed under Apache-2.0.