Only check allow_domain when we don't already have a cert

The allow_domain check might be somewhat costly - involving e.g. an external HTTP request to query a central registry. Make it so that this gets only done before requesting new certificates, not for every HTTPS connection.

Author: gohai

lib/resty/auto-ssl/ssl_certificate.lua

@@ -112,6 +112,12 @@ local function get_cert(auto_ssl_instance, domain)
     return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, false)
   end
 
+  -- Check to ensure the domain is one we allow for handling SSL.
+  local allow_domain = auto_ssl_instance:get("allow_domain")
+  if not allow_domain(domain) then
+    return nil, nil, nil, "domain not allowed"
+  end
+
   -- Finally, issue a new certificate if one hasn't been found yet.
   fullchain_pem, privkey_pem = issue_cert(auto_ssl_instance, storage, domain)
   if fullchain_pem and privkey_pem then
@@ -243,13 +249,6 @@ local function do_ssl(auto_ssl_instance, ssl_options)
     return
   end
 
-  -- Check to ensure the domain is one we allow for handling SSL.
-  local allow_domain = auto_ssl_instance:get("allow_domain")
-  if not allow_domain(domain) then
-    ngx.log(ngx.NOTICE, "auto-ssl: domain not allowed - using fallback - ", domain)
-    return
-  end
-
   -- Get or issue the certificate for this domain.
   local fullchain_der, privkey_der, newly_issued, get_cert_err = get_cert(auto_ssl_instance, domain)
   if get_cert_err then