feat: add a feature to use native root store for connection from proxy to the backend application

2023-10-11 14:16:15 +09:00 · 2023-10-11 14:16:15 +09:00 · 1c84ef795a
commit 1c84ef795a
parent af2bc58226
4 changed files with 29 additions and 18 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -5,17 +5,23 @@ version: 2
 updates:
  # Enable version updates for cargo
  - package-ecosystem: "cargo"
-    # Look for `Cargo.toml` and `lock` files in the `root` directory
    directory: "/"
-    # Check the crates.io for updates every day (weekdays)
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "cargo"
+    directory: "/rpxy-bin"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "cargo"
+    directory: "/rpxy-lib"
    schedule:
      interval: "daily"

  # Enable version updates for Docker
  - package-ecosystem: "docker"
-    # Look for a `Dockerfile` in the `root` directory
-    directory: "/"
-    # Check for updates everyday
+    directory: "/docker"
    schedule:
      interval: "daily"

@ -23,5 +29,4 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      # Check for updates everyday
      interval: "daily"
--- a/rpxy-bin/Cargo.toml
+++ b/rpxy-bin/Cargo.toml
@ -16,6 +16,7 @@ default = ["http3-quinn", "cache"]
 http3-quinn = ["rpxy-lib/http3-quinn"]
 http3-s2n = ["rpxy-lib/http3-s2n"]
 cache = ["rpxy-lib/cache"]
+native-roots = ["rpxy-lib/native-roots"]

 [dependencies]
 rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [
--- a/rpxy-lib/Cargo.toml
+++ b/rpxy-lib/Cargo.toml
@ -17,6 +17,7 @@ http3-quinn = ["quinn", "h3", "h3-quinn", "socket2"]
 http3-s2n = ["h3", "s2n-quic", "s2n-quic-rustls", "s2n-quic-h3"]
 sticky-cookie = ["base64", "sha2", "chrono"]
 cache = ["http-cache-semantics", "lru"]
+native-roots = ["hyper-rustls/native-tokio"]

 [dependencies]
 rand = "0.8.5"
--- a/rpxy-lib/src/handler/forwarder.rs
+++ b/rpxy-lib/src/handler/forwarder.rs
@ -118,18 +118,22 @@ where
 impl Forwarder<HttpsConnector<HttpConnector>, Body> {
  /// Build forwarder
  pub async fn new<T: CryptoSource>(_globals: &std::sync::Arc<Globals<T>>) -> Self {
-    // let connector = TrustDnsResolver::default().into_rustls_webpki_https_connector();
-    let connector = hyper_rustls::HttpsConnectorBuilder::new()
-      .with_webpki_roots()
-      .https_or_http()
-      .enable_http1()
-      .enable_http2()
-      .build();
-    let connector_h2 = hyper_rustls::HttpsConnectorBuilder::new()
-      .with_webpki_roots()
-      .https_or_http()
-      .enable_http2()
-      .build();
+    #[cfg(feature = "native-roots")]
+    let builder = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots();
+    #[cfg(feature = "native-roots")]
+    let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots();
+    #[cfg(feature = "native-roots")]
+    info!("Native cert store is used for the connection to backend applications");
+
+    #[cfg(not(feature = "native-roots"))]
+    let builder = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots();
+    #[cfg(not(feature = "native-roots"))]
+    let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots();
+    #[cfg(not(feature = "native-roots"))]
+    info!("Mozilla WebPKI root certs is used for the connection to backend applications");
+
+    let connector = builder.https_or_http().enable_http1().enable_http2().build();
+    let connector_h2 = builder_h2.https_or_http().enable_http2().build();

    let inner = Client::builder().build::<_, Body>(connector);
    let inner_h2 = Client::builder().http2_only(true).build::<_, Body>(connector_h2);