Add Vercel binding #272

Open
twifkak opened this issue May 17, 2022 · 2 comments
Comments

Collaborator

twifkak commented May 17, 2022

There are ~~two~~ three types of Vercel Functions and I'm not sure of the compare/contrast. One comparison here. There is a community Rust binding (API).

For storage, one can connect to an external DB but perhaps a more config-free approach would be to use edge caching and set up internal HTTP APIs for certs/OCSP.

Collaborator Author

twifkak commented Aug 26, 2022

OK, Vercel doesn't support custom cache keys, which we need to separate SXG responses (for SXG crawlers) from non-SXG (for browsers and non-SXG crawlers). Judging by this flow diagram, we should target Edge Middleware, which isn't cached, so that users can still enable caching behind it.

Collaborator Author

twifkak commented Sep 6, 2022

Perhaps the simplest option is to support some external DB with a free tier.

To clarify the "use edge caching and set up internal HTTP APIs" idea: Request the outcome of the last step. The handler for each step recursively fetches the previous step, and sets long cache headers for successful outcomes.

serve_preset_content would be handled by Vercel Functions, not Middleware, so it could be cached. When handling requests for the following URLs:

  • cert_url_dirname prefix: fetch /.well-known/sxg-internal/acme/download_certificate and /.well-known/sxg-internal/ocsp/response. If successful, generate a cert-chain+cbor and serve with a 3.5 day cache lifetime. Else, serve an error response with a short lifetime (1 minute?).
  • acme/download_certificate: fetch finalize_signing_request. If successful, perform the next step of ACME and serve the final state with a 45-day cache lifetime. Else, error response with a short lifetime.
  • acme/finalize_signing_request: fetch check_challenge_finished. Ditto if successful/error.
  • acme/check_challenge_finished: fetch request_challenge_validation. Ditto if successful/error.
  • acme/request_challenge_validation: Perform initial step. Ditto if successful/error.
  • ocsp/response: Fetch from OCSP responder. If successful, set a 3.5 day cache lifetime. Else, set a short lifetime (10 minutes?).

(We may also want to sign these URLs so external requestors can't forge them.)
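
The step chain from the comment above, simulated against an in-memory cache. This is an added example, not sxg-rs code and not written by the commenter. `makeEdge`, `fetchStep`, `work`, the `cert_url_dirname` key and the 60-second ACME error lifetime are assumptions; the other lifetimes are the ones proposed in the comment.

```javascript
// Added sketch, not sxg-rs code. makeEdge, fetchStep and work are hypothetical names.
const DAY = 86400; // seconds
const acme = (deps) => ({ deps, ok: 45 * DAY, err: 60 }); // 60 s is an assumed "short" lifetime
const STEPS = {
  'acme/request_challenge_validation': acme([]),
  'acme/check_challenge_finished': acme(['acme/request_challenge_validation']),
  'acme/finalize_signing_request': acme(['acme/check_challenge_finished']),
  'acme/download_certificate': acme(['acme/finalize_signing_request']),
  'ocsp/response': { deps: [], ok: 3.5 * DAY, err: 600 },
  'cert_url_dirname': { deps: ['acme/download_certificate', 'ocsp/response'], ok: 3.5 * DAY, err: 60 },
};

function makeEdge(work) { // work(path, inputs) performs the real step and throws on failure
  const cache = new Map(); // path -> cached response
  const runs = {};         // path -> how often the handler really executed
  let now = 0;             // simulated clock in seconds
  function fetchStep(path) {
    const hit = cache.get(path);
    if (hit && hit.expires > now) return hit; // served from cache, handler not run
    runs[path] = (runs[path] || 0) + 1;
    const step = STEPS[path];
    const inputs = step.deps.map(fetchStep);  // recursively fetch the previous step(s)
    let res = { ok: false, body: 'upstream step failed' };
    if (inputs.every((r) => r.ok)) {
      try { res = { ok: true, body: work(path, inputs.map((r) => r.body)) }; }
      catch (e) { res = { ok: false, body: e.message }; }
    }
    res.maxAge = res.ok ? step.ok : step.err; // long for success, short for errors
    res.expires = now + res.maxAge;
    cache.set(path, res);
    return res;
  }
  return { fetchStep, runs, advance: (s) => { now += s; } };
}

// Constructed scenario: the OCSP responder is down at first, then recovers.
function demo() {
  let ocspUp = false;
  const edge = makeEdge((path) => {
    if (path === 'ocsp/response' && !ocspUp) throw new Error('responder unreachable');
    return `state after ${path}`;
  });
  const first = edge.fetchStep('cert_url_dirname');  // t=0: OCSP fails
  edge.advance(61);
  const second = edge.fetchStep('cert_url_dirname'); // t=61: OCSP error still cached
  ocspUp = true;
  edge.advance(600);
  const third = edge.fetchStep('cert_url_dirname');  // t=661: OCSP refetched
  return { first, second, third, runs: edge.runs };
}
```

In this run every ACME handler executes once, while the top-level handler keeps failing after its own 1-minute error entry expires until the 10-minute OCSP error entry beneath it has also expired. A chain built this way recovers no faster than the longest error lifetime below the URL being requested.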
