feat: add a feature to use native root store for connection from proxy to the backend application

.github/dependabot.yml

@@ -5,17 +5,23 @@ version: 2
 updates:
   # Enable version updates for cargo
   - package-ecosystem: "cargo"
-    # Look for `Cargo.toml` and `lock` files in the `root` directory
     directory: "/"
-    # Check the crates.io for updates every day (weekdays)
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "cargo"
+    directory: "/rpxy-bin"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "cargo"
+    directory: "/rpxy-lib"
     schedule:
       interval: "daily"
 
   # Enable version updates for Docker
   - package-ecosystem: "docker"
-    # Look for a `Dockerfile` in the `root` directory
+    directory: "/docker"
-    directory: "/"
-    # Check for updates everyday
     schedule:
       interval: "daily"
 
@@ -23,5 +29,4 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Check for updates everyday
       interval: "daily"

rpxy-bin/Cargo.toml

@@ -16,6 +16,7 @@ default = ["http3-quinn", "cache"]
 http3-quinn = ["rpxy-lib/http3-quinn"]
 http3-s2n = ["rpxy-lib/http3-s2n"]
 cache = ["rpxy-lib/cache"]
+native-roots = ["rpxy-lib/native-roots"]
 
 [dependencies]
 rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [

rpxy-lib/Cargo.toml

@@ -17,6 +17,7 @@ http3-quinn = ["quinn", "h3", "h3-quinn", "socket2"]
 http3-s2n = ["h3", "s2n-quic", "s2n-quic-rustls", "s2n-quic-h3"]
 sticky-cookie = ["base64", "sha2", "chrono"]
 cache = ["http-cache-semantics", "lru"]
+native-roots = ["hyper-rustls/native-tokio"]
 
 [dependencies]
 rand = "0.8.5"

rpxy-lib/src/handler/forwarder.rs

@@ -118,18 +118,22 @@ where
 impl Forwarder<HttpsConnector<HttpConnector>, Body> {
   /// Build forwarder
   pub async fn new<T: CryptoSource>(_globals: &std::sync::Arc<Globals<T>>) -> Self {
-    // let connector = TrustDnsResolver::default().into_rustls_webpki_https_connector();
+    #[cfg(feature = "native-roots")]
-    let connector = hyper_rustls::HttpsConnectorBuilder::new()
+    let builder = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots();
-      .with_webpki_roots()
+    #[cfg(feature = "native-roots")]
-      .https_or_http()
+    let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots();
-      .enable_http1()
+    #[cfg(feature = "native-roots")]
-      .enable_http2()
+    info!("Native cert store is used for the connection to backend applications");
-      .build();
+
-    let connector_h2 = hyper_rustls::HttpsConnectorBuilder::new()
+    #[cfg(not(feature = "native-roots"))]
-      .with_webpki_roots()
+    let builder = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots();
-      .https_or_http()
+    #[cfg(not(feature = "native-roots"))]
-      .enable_http2()
+    let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots();
-      .build();
+    #[cfg(not(feature = "native-roots"))]
+    info!("Mozilla WebPKI root certs is used for the connection to backend applications");
+
+    let connector = builder.https_or_http().enable_http1().enable_http2().build();
+    let connector_h2 = builder_h2.https_or_http().enable_http2().build();
 
     let inner = Client::builder().build::<_, Body>(connector);
     let inner_h2 = Client::builder().http2_only(true).build::<_, Body>(connector_h2);