This library allows you to use Alibaba Cloud OSS as key/certificate storage backend for your Certmagic-enabled HTTPS server. To protect your keys from unwanted attention, client-side encryption is possible.
In this section, we create a Caddy config using our OSS storage.
- Create a `Caddyfile`:

  NOTE: See https://www.alibabacloud.com/help/zh/oss/regions-and-endpoints for OSS Region & Endpoint parameters.

  ```
  {
      storage oss {
          bucket-name your-bucket-name
          region your-oss-region
          endpoint your-oss-endpoint
          access-key-id your-access-key-id
          access-key-secret your-access-key-secret
      }
  }

  localhost

  acme_server

  respond "Hello Caddy Storage OSS!"
  ```
- Start caddy:

  ```
  $ xcaddy run
  ```
- Check that it works:

  ```
  $ open https://localhost
  ```
Alternatively, create a JSON config file with the following content:

```json
{
  …
  "storage": {
    "module": "oss",
    "bucket-name": "your-bucket-name",
    "region": "your-oss-region",
    "endpoint": "your-oss-endpoint",
    "access-key-id": "your-access-key-id",
    "access-key-secret": "your-access-key-secret"
  },
  …
}
```
This module supports client-side encryption using Google Tink, which provides a simple way to customize the encryption algorithm and handle key rotation. To get started:
- Install tinkey
- Create a key set:

  ```
  $ tinkey create-keyset --key-template AES128_GCM_RAW --out keyset.json
  ```

  Here is an example keyset.json:

  ```json
  {
    "primaryKeyId": 1818673287,
    "key": [
      {
        "keyData": {
          "typeUrl": "type.googleapis.com/google.crypto.tink.AesGcmKey",
          "value": "GhDEQ/4v72esAv3rbwZyS+ls",
          "keyMaterialType": "SYMMETRIC"
        },
        "status": "ENABLED",
        "keyId": 1818673287,
        "outputPrefixType": "RAW"
      }
    ]
  }
  ```
- Create a Caddyfile with the following config:

  ```
  {
      storage oss {
          bucket-name your-bucket-name
          region your-oss-region
          endpoint your-oss-endpoint
          access-key-id your-access-key-id
          access-key-secret your-access-key-secret
          encryption-key-set ./keyset.json
      }
  }

  localhost

  acme_server

  respond "Hello Caddy Storage OSS!"
  ```
- Start caddy:

  ```
  $ xcaddy run
  ```
- To rotate the key-set:

  ```
  $ tinkey rotate-keyset --in keyset.json --key-template AES128_GCM_RAW
  ```
With a JSON config instead of a Caddyfile:
- Follow the first two steps above to install tinkey and create a keyset.json file
- Create a JSON config file with the following content:

  ```json
  {
    …
    "storage": {
      "module": "oss",
      "bucket-name": "your-bucket-name",
      "region": "your-oss-region",
      "endpoint": "your-oss-endpoint",
      "access-key-id": "your-access-key-id",
      "access-key-secret": "your-access-key-secret",
      "encryption-key-set": "./keyset.json"
    },
    …
  }
  ```
- Start caddy:

  ```
  $ xcaddy run
  ```
- To rotate the key-set:

  ```
  $ tinkey rotate-keyset --in keyset.json --key-template AES128_GCM_RAW
  ```
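The rotation step works because of how a keyset is read. As an added example (not code from certmagic-oss or Tink), the Go code below parses a keyset.json like the one shown above, builds an AES-GCM instance for every ENABLED key, and decrypts a RAW-prefix blob by trying each key in turn: a RAW ciphertext carries no key id, which is why `tinkey rotate-keyset` keeps the old key ENABLED so blobs already stored under it remain readable. The AesGcmKey encoding (tag 0x1a, length, key bytes) and the IV || ciphertext || tag layout are Tink's; the function names and the key-id 2 used in testing are this example's own.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// LoadKeyset parses a tinkey keyset.json (fields as shown above; encoding/json matches the camelCase names case-insensitively).
func LoadKeyset(doc []byte) (cipher.AEAD, map[uint32]cipher.AEAD, error) {
	var ks struct {
		PrimaryKeyID uint32
		Key          []struct {
			KeyData struct{ Value string } // base64 AesGcmKey proto: 0x1a, length, key bytes
			Status  string
			KeyID   uint32
		}
	}
	if err := json.Unmarshal(doc, &ks); err != nil {
		return nil, nil, err
	}
	keys := map[uint32]cipher.AEAD{}
	for _, e := range ks.Key {
		if e.Status != "ENABLED" {
			continue // DISABLED/DESTROYED keys must never decrypt
		}
		raw, err := base64.StdEncoding.DecodeString(e.KeyData.Value)
		if err != nil || (len(raw) != 18 && len(raw) != 34) || raw[0] != 0x1a || int(raw[1]) != len(raw)-2 {
			return nil, nil, errors.New("unexpected AesGcmKey encoding")
		}
		block, _ := aes.NewCipher(raw[2:]) // AES-128 or AES-256; length checked above
		keys[e.KeyID], _ = cipher.NewGCM(block)
	}
	if primary := keys[ks.PrimaryKeyID]; primary != nil {
		return primary, keys, nil
	}
	return nil, nil, errors.New("primary key missing or not ENABLED")
}

// Open tries every ENABLED key: a RAW ciphertext (12-byte IV || ciphertext || 16-byte tag) names no key.
func Open(keys map[uint32]cipher.AEAD, ct, ad []byte) ([]byte, error) {
	for _, g := range keys {
		if n := g.NonceSize(); len(ct) >= n {
			if pt, err := g.Open(nil, ct[:n], ct[n:], ad); err == nil {
				return pt, nil
			}
		}
	}
	return nil, errors.New("no ENABLED key decrypts this ciphertext")
}
```

Encrypting with the primary is `primary.Seal(iv, iv, pt, ad)` with a fresh random 12-byte iv per blob. Setting a key's status to DISABLED makes every blob written under it unreadable, so re-encrypt stored data under the new primary before retiring the old key.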
- Add the package:

  ```
  go get github.com/aUsernameWoW/certmagic-oss
  ```
- Create the storage with `certmagicoss.NewStorage` and a `certmagicoss.Config`:

  ```go
  import (
  	"context"
  	"log"

  	certmagicoss "github.com/aUsernameWoW/certmagic-oss/storage"
  )

  bucket := "my-example-bucket"
  region := "your-oss-region"
  endpoint := "your-oss-endpoint"
  accessKeyID := "your-access-key-id"
  accessKeySecret := "your-access-key-secret"

  // Handle the error instead of discarding it: a storage that failed to initialize
  // must not be handed to certmagic.
  oss, err := certmagicoss.NewStorage(
  	context.Background(),
  	certmagicoss.Config{
  		BucketName:      bucket,
  		Region:          region,
  		Endpoint:        endpoint,
  		AccessKeyID:     accessKeyID,
  		AccessKeySecret: accessKeySecret,
  	}, // the trailing comma is required when the closing paren is on its own line
  )
  if err != nil {
  	log.Fatal(err)
  }
  ```
- Optionally, register it as the default storage:

  ```go
  // import "github.com/caddyserver/certmagic"
  certmagic.Default.Storage = oss
  ```
To build Caddy with this module, you can use xcaddy:
- Install xcaddy if you haven't already:

  ```
  go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
  ```
- Build Caddy with the certmagic-oss module:

  ```
  xcaddy build --with github.com/aUsernameWoW/certmagic-oss
  ```
- If you want to specify a specific version or commit:

  ```
  xcaddy build --with github.com/aUsernameWoW/certmagic-oss@<version-or-commit>
  # or
  xcaddy build --with github.com/aUsernameWoW/certmagic-oss@main
  ```
- You can also build with other modules:

  ```
  xcaddy build \
    --with github.com/aUsernameWoW/certmagic-oss \
    --with github.com/caddyserver/nginx-adapter
  ```
This project was written entirely by Qwen Coder. During the coding process, Qwen Coder was inspired by the project certmagic-gcs. We would like to thank them for their high-quality code and Qwen Coder for their dedication.
This module is distributed under Apache-2.0.