diff --git a/.build/DEB/postinst b/.build/DEB/postinst
index f7564d8..b3f180e 100644
--- a/.build/DEB/postinst
+++ b/.build/DEB/postinst
@@ -2,8 +2,19 @@
 set -e
+# Create rpxy user if it doesn't exist
+if ! id rpxy >/dev/null 2>&1; then
+ useradd --system --no-create-home --shell /usr/sbin/nologin rpxy
+fi
+
+# Set correct user for config directory
+if [ -d /etc/rpxy ]; then
+ chown -R rpxy:rpxy /etc/rpxy
+fi
+
+# Reload systemd, enable and start the service
 systemctl daemon-reload
 systemctl enable rpxy
 systemctl start rpxy
-exit 0
\ No newline at end of file
+exit 0
diff --git a/.build/DEB/postrm b/.build/DEB/postrm
new file mode 100644
index 0000000..b88f939
--- /dev/null
+++ b/.build/DEB/postrm
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+# Remove the rpxy user and configuration directory only if purging the package
+if [ "$1" = "purge" ]; then
+ if id rpxy >/dev/null 2>&1; then
+ userdel rpxy
+ fi
+
+ # Remove config directory
+ if [ -d /etc/rpxy ]; then
+ rm -rf /etc/rpxy
+ fi
+fi
+
+exit 0
diff --git a/.build/DEB/prerm b/.build/DEB/prerm
index fa07f70..d4548d6 100644
--- a/.build/DEB/prerm
+++ b/.build/DEB/prerm
@@ -2,7 +2,9 @@
 set -e
+# Stop and disable the service before removing
 systemctl stop rpxy || true
 systemctl disable rpxy || true
+systemctl daemon-reload
-exit 0
\ No newline at end of file
+exit 0
diff --git a/.build/Jenkinsfile b/.build/Jenkinsfile
index a0b96f1..292539d 100644
--- a/.build/Jenkinsfile
+++ b/.build/Jenkinsfile
@@ -63,11 +63,12 @@ pipeline {
 mv rust-rpxy/.build/DEB/prerm .
 mv rust-rpxy/.build/RPM/rpxy.spec .
 mv rust-rpxy/.build/rpxy-start.sh .
+ mv rust-rpxy/.build/config.toml .
 mv rust-rpxy/.build/rpxy.service .
 '''
 stash includes: "control, postinst, prerm, rpxy-start.sh", name: "deb-control"
 stash includes: "rpxy.spec", name: "rpm-spec"
- stash includes: "rpxy.service", name: "service-file"
+ stash includes: "rpxy.service, config.toml", name: "service-file"
 // Stash LICENSE and README.md
 sh 'mv rust-rpxy/LICENSE .'
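Review bot: `chown -R rpxy:rpxy /etc/rpxy` gives the service account write access to its own configuration, so a compromised rpxy process could rewrite /etc/rpxy/config.toml (TLS key paths, ACME settings) and have that picked up on the next restart. Only the ACME registry needs to be writable by rpxy; keep the rest root-owned and group-readable: `chown root:rpxy /etc/rpxy /etc/rpxy/config.toml`, `chmod 750 /etc/rpxy; chmod 640 /etc/rpxy/config.toml`, `install -d -o rpxy -g rpxy -m 700 /etc/rpxy/acme_registry` (the Debian build, unlike the RPM %install, never creates acme_registry). That in turn means dropping the runtime `mkdir -p /etc/rpxy` and config-creation fallback in rpxy-start.sh, which runs as rpxy and only works because of the broad ownership. The `rpxy` group is presumably created by `useradd --system` through login.defs USERGROUPS_ENAB; passing `--user-group` makes that explicit so the chown cannot fail under `set -e`.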
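Review bot: `userdel rpxy` aborts the purge under `set -e` when any process still runs as rpxy, because shadow's userdel refuses to remove an account that is in use; that is plausible here since prerm tolerates a failed `systemctl stop rpxy || true`. Either mirror prerm and make it best-effort, `userdel rpxy || true`, or stop the unit again before removing the account. The cache directory /tmp/rpxy that rpxy-start.sh creates is also left behind on purge, holding cached upstream responses owned by the now-deleted UID; consider removing it next to /etc/rpxy.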
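Review bot: The added `systemctl daemon-reload` has no `|| true`, unlike the stop/disable lines right above it, so under `set -e` it makes prerm fail wherever systemctl is absent or not the init (containers, chroots), which blocks package removal. Write it as `systemctl daemon-reload || true`, or guard all three calls with `if command -v systemctl >/dev/null 2>&1; then … fi`. A reload here runs before dpkg removes the unit file, so a second reload is still needed afterwards; the new postrm does not do one.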
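Review bot: The new `.build/DEB/postrm` is neither moved out of `rust-rpxy/.build/DEB/` nor listed in the `deb-control` stash, so unless a part of the pipeline outside this hunk handles it, the purge logic never reaches the .deb and the `userdel rpxy` / /etc/rpxy cleanup silently never runs. Add `mv rust-rpxy/.build/DEB/postrm .` next to the prerm line and extend the stash to `stash includes: "control, postinst, prerm, postrm, rpxy-start.sh", name: "deb-control"`. The later hunk that moves control into DEBIAN/ will then also need to place postrm there, with the executable mode dpkg requires for maintainer scripts, as it already does for rpxy-start.sh.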
@@ -113,7 +114,7 @@ pipeline {
 sh """
 mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
 mkdir -p rpxy-${env.BUILD_VERSION}
- mv rpxy rpxy.service LICENSE README.md rpxy-${env.BUILD_VERSION}/
+ mv rpxy rpxy.service LICENSE README.md config.toml rpxy-${env.BUILD_VERSION}/
 tar -czf rpmbuild/SOURCES/rpxy-${env.BUILD_VERSION}.tar.gz rpxy-${env.BUILD_VERSION}/
 rm -rf rpxy-${env.BUILD_VERSION}
 """
@@ -171,6 +172,7 @@ pipeline {
 mkdir -p rpxy_${env.BUILD_VERSION}-1_amd64/usr/local/bin
 mkdir -p rpxy_${env.BUILD_VERSION}-1_amd64/etc/systemd/system
 mkdir -p rpxy_${env.BUILD_VERSION}-1_amd64/usr/share/doc/rpxy
+ mkdir -p rpxy_${env.BUILD_VERSION}-1_amd64/etc/rpxy
 mkdir -p rpxy_${env.BUILD_VERSION}-1_amd64/DEBIAN
 """
@@ -184,11 +186,12 @@ pipeline {
 chmod 0755 rpxy_${env.BUILD_VERSION}-1_amd64/usr/local/bin/rpxy-start.sh
 """
- // Move binary, service file, control file, LICENSE, and README.md
+ // Move binary, service, control and config file, LICENSE, and README.md
 sh """
 mv rpxy rpxy_${env.BUILD_VERSION}-1_amd64/usr/bin/
 mv rpxy.service rpxy_${env.BUILD_VERSION}-1_amd64/etc/systemd/system/
 mv LICENSE README.md rpxy_${env.BUILD_VERSION}-1_amd64/usr/share/doc/rpxy/
+ mv config.toml rpxy_${env.BUILD_VERSION}-1_amd64/etc/rpxy/
 mv control rpxy_${env.BUILD_VERSION}-1_amd64/DEBIAN/
 """
diff --git a/.build/RPM/rpxy.spec b/.build/RPM/rpxy.spec
index 29e1c99..5f664c9 100644
--- a/.build/RPM/rpxy.spec
+++ b/.build/RPM/rpxy.spec
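Review bot: `mv config.toml rpxy_${env.BUILD_VERSION}-1_amd64/etc/rpxy/` ships a file under /etc without a `DEBIAN/conffiles` entry, so dpkg treats it as an ordinary file: an upgrade overwrites an operator-edited /etc/rpxy/config.toml, and a plain remove (not just purge) deletes it. The RPM side marks the same file `%config(noreplace)`; to match, write the path into the control directory in this step, e.g. `echo /etc/rpxy/config.toml > rpxy_${env.BUILD_VERSION}-1_amd64/DEBIAN/conffiles`. This assumes nothing outside the hunk already generates a conffiles file.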
@@ -18,10 +18,16 @@ This rpm installs rpxy into /usr/bin and sets up a systemd service.
 %install
 rm -rf %{buildroot}
+# Copy binary
 mkdir -p %{buildroot}%{_bindir}
 cp rpxy %{buildroot}%{_bindir}/
+# Create systemd service
 mkdir -p %{buildroot}%{_sysconfdir}/systemd/system
 cp rpxy.service %{buildroot}%{_sysconfdir}/systemd/system/
+# Create config directory
+mkdir -p %{buildroot}%{_sysconfdir}/rpxy/acme_registry
+cp config.toml %{buildroot}%{_sysconfdir}/rpxy/
+# Copy documentation
 mkdir -p %{buildroot}%{_docdir}/rpxy
 cp LICENSE %{buildroot}%{_docdir}/rpxy/
 cp README.md %{buildroot}%{_docdir}/rpxy/
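Review bot: `mkdir -p %{buildroot}%{_sysconfdir}/rpxy/acme_registry` creates a directory that the `%files` list later in this diff never claims, and `%{_sysconfdir}/rpxy` itself is not claimed either, so the package does not own the directories it relies on — rpm never sets their mode, leaves them behind on erase, and depending on the rpm version may flag them as unpackaged at build time. Add `%dir %attr(0750, root, rpxy) %{_sysconfdir}/rpxy` and `%dir %attr(0700, rpxy, rpxy) %{_sysconfdir}/rpxy/acme_registry` to `%files`, which also lets rpm apply ownership at install time instead of the recursive chown in `%post`.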
@@ -29,18 +35,52 @@ cp README.md %{buildroot}%{_docdir}/rpxy/
 %clean
 rm -rf %{buildroot}
+%pre
+# Create the rpxy user if it does not exist
+if ! id rpxy >/dev/null 2>&1; then
+ /usr/sbin/useradd -r -s /bin/false -d / -c "rpxy system user" rpxy
+fi
+
+%post
+# Set ownership of config file to rpxy user
+chown -R rpxy:rpxy %{_sysconfdir}/rpxy
+
+# Reload systemd, enable and start rpxy service
+systemctl daemon-reload
+systemctl enable rpxy
+if [ $1 -eq 1 ]; then
+ systemctl start rpxy
+fi
+
+%preun
+# Stop the service on uninstall or upgrade
+if [ $1 -eq 0 ]; then
+ systemctl stop rpxy
+fi
+
+%postun
+# On uninstall, disable the service and reload systemd
+if [ $1 -eq 0 ]; then
+ systemctl disable rpxy
+ systemctl daemon-reload
+fi
+
+# Remove rpxy user only if package is being completely removed (not upgraded)
+if [ $1 -eq 0 ]; then
+ # Check if the rpxy user exists before attempting to delete
+ if id rpxy >/dev/null 2>&1; then
+ /usr/sbin/userdel rpxy
+ fi
+
+ # Remove the configuration directory if it exists and is empty
+ if [ -d %{_sysconfdir}/rpxy ]; then
+ rm -rf %{_sysconfdir}/rpxy
+ fi
+fi
+
 %files
 %license %{_docdir}/rpxy/LICENSE
 %doc %{_docdir}/rpxy/README.md
-%{_bindir}/rpxy
 %{_sysconfdir}/systemd/system/rpxy.service
-
-%post
-systemctl daemon-reload
-systemctl enable rpxy
-
-%preun
-systemctl stop rpxy
-
-%postun
-systemctl disable rpxy
\ No newline at end of file
+%attr(-, rpxy, rpxy) %{_bindir}/rpxy
+%attr(-, rpxy, rpxy) %config(noreplace) %{_sysconfdir}/rpxy/config.toml
diff --git a/.build/config.toml b/.build/config.toml
new file mode 100644
index 0000000..5b60c51
--- /dev/null
+++ b/.build/config.toml
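Review bot: `%attr(-, rpxy, rpxy) %{_bindir}/rpxy` makes the executable owned by the account it runs as, so a compromised rpxy process can overwrite its own binary and persist across restarts; binaries should stay root-owned — drop the %attr on that line (or use `%attr(0755, root, root)`), and prefer `%attr(0640, root, rpxy)` for config.toml with only acme_registry writable by rpxy, rather than the `chown -R rpxy:rpxy %{_sysconfdir}/rpxy` in `%post`. In `%postun`, `rm -rf %{_sysconfdir}/rpxy` also deletes the `config.toml.rpmsave` that `%config(noreplace)` just preserved plus the ACME account keys, and it contradicts its own comment ("if it exists and is empty"); `rmdir %{_sysconfdir}/rpxy 2>/dev/null || :` matches both the comment and the noreplace intent. `/usr/sbin/userdel rpxy` in `%postun` should likewise tolerate failure (`|| :`), since a still-running process makes userdel exit non-zero and fails the erase.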
@@ -0,0 +1,86 @@
+########################################
+# #
+# rust-rxpy configuration #
+# #
+########################################
+###################################
+# Global settings #
+###################################
+# Both or either one of http/https ports must be specified
+listen_port = 80
+listen_port_tls = 443
+
+# Optional for h2 and http1.1
+tcp_listen_backlog = 1024
+
+# Optional for h2 and http1.1
+max_concurrent_streams = 100
+
+# Optional. Counted in total for http1.1, 2, 3
+max_clients = 512
+
+# Optional: Listen [::]
+listen_ipv6 = false
+
+# Optional: App that serves all plaintext http request by referring to HOSTS or request header
+# execpt for configured application.
+# Note that this is only for http.
+# Note that nothing is served for requests via https since secure channel cannot be
+# established for unconfigured server_name, and they are always rejected by checking SNI.
+# default_app = 'another_localhost'
+
+###################################
+# Backend settings #
+###################################
+[apps]
+
+######################################################################
+## Registering a backend app served by a domain name "localhost"
+#[apps.localhost]
+#server_name = 'localhost' # Domain name
+
+# Optional: TLS setting. if https_port is specified and tls is true above, either of this must be given.
+#tls = { https_redirection = true, tls_cert_path = '/certs/server.crt', tls_cert_key_path = '/certs/server.key' }
+#tls = { https_redirection = true, acme = true }
+
+############################################
+# For more settings check: #
+# https://github.com/junkurihara/rust-rpxy #
+############################################
+
+###################################
+# Experimantal settings #
+###################################
+[experimental]
+# Higly recommend not to be true. If true, you ignore RFC. if not specified, it is always false.
+# This might be required to be true when a certificate is used by multiple backend hosts, especially in case where a TLS connection is re-used.
+# We should note that this strongly depends on the client implementation.
+ignore_sni_consistency = false
+
+# Force connection handling timeout regardless of the connection status, i.e., idle or not.
+# 0 represents an infinite timeout. [default: 0]
+# Note that idel and header read timeouts are always specified independently of this.
+connection_handling_timeout = 0 # sec
+
+# If this specified, h3 is enabled
+[experimental.h3]
+alt_svc_max_age = 3600 # sec
+request_max_body_size = 65536 # bytes
+max_concurrent_connections = 10000
+max_concurrent_bidistream = 100
+max_concurrent_unistream = 100
+max_idle_timeout = 10 # secs. 0 represents an infinite timeout.
+# WARNING: If a peer or its network path malfunctions or acts maliciously, an infinite idle timeout can result in permanently hung futures!
+
+# If this specified, file cache feature is enabled
+[experimental.cache]
+cache_dir = '/tmp/rpxy/.cache' # optional. default is "./cache" relative to the current working directory
+max_cache_entry = 1000 # optional. default is 1k
+max_cache_each_size = 65535 # optional. default is 64k
+max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is always file cache.
+
+# ACME settings. Unless specified, ACME is disabled.
+[experimental.acme]
+dir_url = "https://acme-v02.api.letsencrypt.org/directory"
+email = "test@example.com"
+registry_path = "/etc/rpxy/acme_registry"
\ No newline at end of file
diff --git a/.build/rpxy-start.sh b/.build/rpxy-start.sh
index b3ddae2..ba06ef7 100644
--- a/.build/rpxy-start.sh
+++ b/.build/rpxy-start.sh
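Review bot: The `[experimental.acme]` table is active rather than commented out, and the file's own comment says ACME is enabled whenever the table is present, so a fresh install will try to register an ACME account with the production Let's Encrypt directory under the placeholder `email = "test@example.com"` and store the account key in /etc/rpxy/acme_registry — at minimum attributing certificates to a bogus contact, and at worst consuming production rate limits before the operator has configured anything. Ship the block commented out like the `[apps.localhost]` example above it, or at least point `dir_url` at the staging endpoint and leave `email` for the operator to fill in. `cache_dir = '/tmp/rpxy/.cache'` puts the response cache in a world-writable tmpfs shared with every local user; `/var/cache/rpxy` (provided by systemd `CacheDirectory=rpxy`) is the conventional, package-owned location. Comment typos worth fixing in the same pass: "rust-rxpy", "execpt", "Experimantal", "Higly", "idel".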
@@ -1,10 +1,29 @@
 #!/bin/bash
+# Ensure the cache directory exists as it could get deleted on system restart
+if [ ! -d /tmp/rpxy/.cache ]; then
+ # Create the temporary directory for rpxy
+ mkdir -p /tmp/rpxy/.cache
+ chown -R rpxy:rpxy /tmp/rpxy
+ chmod 700 /tmp/rpxy/.cache
+fi
+
 # Check if rpxy-webui is installed
 if dpkg-query -W -f='${Status}' rpxy-webui 2>/dev/null | grep -q "install ok installed"; then
 echo "rpxy-webui is installed. Starting rpxy with rpxy-webui"
- exec /usr/local/bin/rpxy --enable-webui
+ exec /usr/local/bin/rpxy -w -c /var/www/rpxy-webui/storage/app/config.toml
 else
 echo "rpxy-webui is not installed. Starting with default config"
- exec /usr/local/bin/rpxy
+
+ # Ensure the /etc/rpxy directory exists
+ if [ ! -d /etc/rpxy ]; then
+ mkdir -p /etc/rpxy
+ fi
+
+ # Create the config file if it doesn't exist
+ if [ ! -f /etc/rpxy/config.toml ]; then
+ echo "# Default rpxy config file" > /etc/rpxy/config.toml
+ fi
+
+ exec /usr/local/bin/rpxy -c /etc/rpxy/config.toml
 fi
diff --git a/.build/rpxy.service b/.build/rpxy.service
index 836efaa..606384b 100644
--- a/.build/rpxy.service
+++ b/.build/rpxy.service
@@ -5,7 +5,8 @@ After=network.target
 [Service]
 ExecStart=/usr/local/bin/rpxy-start.sh
 Restart=always
-User=nobody
+User=rpxy
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=multi-user.target
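Review bot: The `if [ ! -d /tmp/rpxy/.cache ]` guard only applies ownership and `chmod 700` when the directory is absent, so any local user who pre-creates /tmp/rpxy/.cache in the world-writable /tmp before the service starts hands rpxy a directory it will read its cache from and write into; `mkdir -p` on an existing path does not detect this either. Since the unit runs this script as User=rpxy, the `chown -R rpxy:rpxy /tmp/rpxy` is a no-op at best and fails on a foreign-owned path. The robust fix is to let systemd own the directory (`CacheDirectory=rpxy` in the unit, `cache_dir = '/var/cache/rpxy'` in config.toml) and drop this block; if /tmp must stay, at least check `[ -O /tmp/rpxy/.cache ] || exit 1` after the mkdir so a pre-created directory refuses to start the service. Separately, the new exec lines keep `/usr/local/bin/rpxy` while the Jenkinsfile moves the binary into usr/bin/ — unless a symlink is created outside this diff, that path will not resolve.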
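Review bot: Switching to `User=rpxy` with `AmbientCapabilities=CAP_NET_BIND_SERVICE` is the right direction, but without `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` the process keeps the full bounding set and could regain privileges through a setuid or file-capability binary; both lines are safe to add here since rpxy-start.sh only `exec`s the rpxy binary. `ProtectSystem=strict` would be the natural next step, but it conflicts with the start script's writes to /etc/rpxy and /tmp/rpxy, so those writes need to move (e.g. `CacheDirectory=rpxy`) before it can be enabled.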