Merge pull request #225 from junkurihara/develop

0.9.4

.github/workflows/release.yml

@@ -34,16 +34,6 @@ jobs:
             platform: linux/arm64
             tags-suffix: "-slim"
 
-          - target: "musl"
-            build-feature: "-slim-pq"
-            platform: linux/amd64
-            tags-suffix: "-slim-pq"
-
-          - target: "musl"
-            build-feature: "-slim-pq"
-            platform: linux/arm64
-            tags-suffix: "-slim-pq"
-
           - target: "gnu"
             build-feature: "-s2n"
             platform: linux/amd64
@@ -54,26 +44,6 @@ jobs:
             platform: linux/arm64
             tags-suffix: "-s2n"
 
-          - target: "gnu"
-            build-feature: "-pq"
-            platform: linux/amd64
-            tags-suffix: "-pq"
-
-          - target: "gnu"
-            build-feature: "-pq"
-            platform: linux/arm64
-            tags-suffix: "-pq"
-
-          - target: "gnu"
-            build-feature: "-s2n-pq"
-            platform: linux/amd64
-            tags-suffix: "-s2n-pq"
-
-          - target: "gnu"
-            build-feature: "-s2n-pq"
-            platform: linux/arm64
-            tags-suffix: "-s2n-pq"
-
           - target: "gnu"
             build-feature: "-webpki-roots"
             platform: linux/amd64

.github/workflows/release_docker.yml

@@ -30,17 +30,6 @@ jobs:
               jqtype/rpxy:latest
               ghcr.io/junkurihara/rust-rpxy:latest
 
-          - target: "default-pq"
-            dockerfile: ./docker/Dockerfile
-            platforms: linux/amd64,linux/arm64
-            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,rustls-backend,acme,post-quantum"
-            tags-suffix: "-pq"
-            # Aliases must be used only for release builds
-            aliases: |
-              jqtype/rpxy:pq
-              ghcr.io/junkurihara/rust-rpxy:pq
-
           - target: "default-slim"
             dockerfile: ./docker/Dockerfile-slim
             build-contexts: |
@@ -53,20 +42,6 @@ jobs:
               jqtype/rpxy:slim
               ghcr.io/junkurihara/rust-rpxy:slim
 
-          - target: "default-slim-pq"
-            dockerfile: ./docker/Dockerfile-slim
-            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,rustls-backend,acme,post-quantum"
-            build-contexts: |
-              messense/rust-musl-cross:amd64-musl=docker-image://messense/rust-musl-cross:x86_64-musl
-              messense/rust-musl-cross:arm64-musl=docker-image://messense/rust-musl-cross:aarch64-musl
-            platforms: linux/amd64,linux/arm64
-            tags-suffix: "-slim-pq"
-            # Aliases must be used only for release builds
-            aliases: |
-              jqtype/rpxy:slim-pq
-              ghcr.io/junkurihara/rust-rpxy:slim-pq
-
           - target: "s2n"
             dockerfile: ./docker/Dockerfile
             build-args: |
@@ -79,18 +54,6 @@ jobs:
               jqtype/rpxy:s2n
               ghcr.io/junkurihara/rust-rpxy:s2n
 
-          - target: "s2n-pq"
-            dockerfile: ./docker/Dockerfile
-            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,rustls-backend,acme,post-quantum"
-              "ADDITIONAL_DEPS=pkg-config libssl-dev cmake libclang1 gcc g++"
-            platforms: linux/amd64,linux/arm64
-            tags-suffix: "-s2n-pq"
-            # Aliases must be used only for release builds
-            aliases: |
-              jqtype/rpxy:s2n-pq
-              ghcr.io/junkurihara/rust-rpxy:s2n-pq
-
           - target: "webpki-roots"
             dockerfile: ./docker/Dockerfile
             platforms: linux/amd64,linux/arm64

CHANGELOG.md

@@ -1,6 +1,13 @@
 # CHANGELOG
 
-## 0.10.0 (Unreleased)
+## 0.9.5 or 0.10.0 (Unreleased)
+
+## 0.9.4
+
+### Improvement
+
+- Feat: Enable the hybrid post-quantum key exchange for TLS and QUIC with `X25519MLKEM768` by default.
+- Deps and refactor
 
 ## 0.9.3
 

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace.package]
-version = "0.9.3"
+version = "0.9.4"
 authors = ["Jun Kurihara"]
 homepage = "https://github.com/junkurihara/rust-rpxy"
 repository = "https://github.com/junkurihara/rust-rpxy"

README.md

@@ -14,11 +14,11 @@
 
 [^pure_rust]: Doubtfully can be claimed to be written in pure Rust since current `rpxy` is based on `aws-lc-rs` for cryptographic operations.
 
-By default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme), and the hybridized post-quantum key exchange [`X25519Kyber768Draft00`](https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/)[^kyber] for TLS incoming and outgoing initiation thanks to [`rustls-post-quantum`](https://docs.rs/rustls-post-quantum/latest/rustls_post_quantum/).
+By default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme), and the hybridized post-quantum key exchange [`X25519MLKEM768`](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html)[^kyber] for TLS/QUIC incoming and outgoing initiation thanks to [`rustls-post-quantum`](https://docs.rs/rustls-post-quantum/latest/rustls_post_quantum/).
 
  [^h3lib]: HTTP/3 libraries are mutually exclusive. You need to explicitly specify `s2n-quic` with `--no-default-features` flag. Also note that if you build `rpxy` with `s2n-quic`, then it requires `openssl` just for building the package.
 
- [^kyber]: This is not yet a default feature. You need to specify `--features post-quantum` when building `rpxy`. Also note that `X25519Kyber768Draft00` is a draft version yet this is widely used on the Internet. We will update the feature when the newest version (`X25519MLKEM768` in [`ECDHE-MLKEM`](https://www.ietf.org/archive/id/draft-kwiatkowski-tls-ecdhe-mlkem-02.html)) is available.
+ [^kyber]: This is already a default feature.  Also note that `X25519MLKEM768` is still a draft version yet this is widely used on the Internet.
 
  This project is still *work-in-progress*. But it is already working in some production environments and serves a number of domain names. Furthermore it *significantly outperforms* NGINX and Caddy, e.g., *1.5x faster than NGINX*, in the setting of a very simple HTTP reverse-proxy scenario (See [`bench`](./bench/) directory).
 

rpxy-acme/Cargo.toml

@@ -14,25 +14,25 @@ publish.workspace = true
 post-quantum = ["rustls-post-quantum"]
 
 [dependencies]
-url = { version = "2.5.2" }
+url = { version = "2.5.4" }
-rustc-hash = "2.0.0"
+rustc-hash = "2.1.0"
-thiserror = "1.0.66"
+thiserror = "2.0.6"
-tracing = "0.1.40"
+tracing = "0.1.41"
 async-trait = "0.1.83"
 base64 = "0.22.1"
-aws-lc-rs = { version = "1.10.0", default-features = false, features = [
+aws-lc-rs = { version = "1.11.1", default-features = false, features = [
   "aws-lc-sys",
 ] }
 blocking = "1.6.1"
-rustls = { version = "0.23.16", default-features = false, features = [
+rustls = { version = "0.23.20", default-features = false, features = [
   "std",
   "aws_lc_rs",
 ] }
-rustls-platform-verifier = { version = "0.3.4" }
+rustls-platform-verifier = { version = "0.4.0" }
 rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
   "aws-lc-rs",
 ] }
-rustls-post-quantum = { version = "0.1.0", optional = true }
+rustls-post-quantum = { version = "0.2.1", optional = true }
-tokio = { version = "1.41.0", default-features = false }
+tokio = { version = "1.42.0", default-features = false }
-tokio-util = { version = "0.7.12", default-features = false }
+tokio-util = { version = "0.7.13", default-features = false }
-tokio-stream = { version = "0.1.16", default-features = false }
+tokio-stream = { version = "0.1.17", default-features = false }

rpxy-bin/Cargo.toml

@@ -13,10 +13,8 @@ publish.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
-# default = ["http3-quinn", "cache", "rustls-backend", "acme", "post-quantum"]
+default = ["http3-quinn", "cache", "rustls-backend", "acme", "post-quantum"]
 # default = ["http3-s2n", "cache", "rustls-backend", "acme", "post-quantum"]
-default = ["http3-quinn", "cache", "rustls-backend", "acme"]
-# default = ["http3-s2n", "cache", "rustls-backend", "acme"]
 http3-quinn = ["rpxy-lib/http3-quinn"]
 http3-s2n = ["rpxy-lib/http3-s2n"]
 native-tls-backend = ["rpxy-lib/native-tls-backend"]
@@ -32,29 +30,29 @@ rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [
 ] }
 
 mimalloc = { version = "*", default-features = false }
-anyhow = "1.0.91"
+anyhow = "1.0.94"
-rustc-hash = "2.0.0"
+rustc-hash = "2.1.0"
-serde = { version = "1.0.214", default-features = false, features = ["derive"] }
+serde = { version = "1.0.216", default-features = false, features = ["derive"] }
-tokio = { version = "1.41.0", default-features = false, features = [
+tokio = { version = "1.42.0", default-features = false, features = [
   "net",
   "rt-multi-thread",
   "time",
   "sync",
   "macros",
 ] }
-tokio-util = { version = "0.7.12", default-features = false }
+tokio-util = { version = "0.7.13", default-features = false }
 async-trait = "0.1.83"
 futures-util = { version = "0.3.31", default-features = false }
 
 # config
-clap = { version = "4.5.20", features = ["std", "cargo", "wrap_help"] }
+clap = { version = "4.5.23", features = ["std", "cargo", "wrap_help"] }
 toml = { version = "0.8.19", default-features = false, features = ["parse"] }
-hot_reload = "0.1.6"
+hot_reload = "0.1.8"
 serde_ignored = "0.1.10"
 
 # logging
-tracing = { version = "0.1.40" }
+tracing = { version = "0.1.41" }
-tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
+tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
 
 ################################
 # cert management

rpxy-bin/src/config/service.rs

@@ -8,17 +8,16 @@ pub struct ConfigTomlReloader {
 }
 
 #[async_trait]
-impl Reload<ConfigToml> for ConfigTomlReloader {
+impl Reload<ConfigToml, String> for ConfigTomlReloader {
   type Source = String;
-  async fn new(source: &Self::Source) -> Result<Self, ReloaderError<ConfigToml>> {
+  async fn new(source: &Self::Source) -> Result<Self, ReloaderError<ConfigToml, String>> {
     Ok(Self {
       config_path: source.clone(),
     })
   }
 
-  async fn reload(&self) -> Result<Option<ConfigToml>, ReloaderError<ConfigToml>> {
+  async fn reload(&self) -> Result<Option<ConfigToml>, ReloaderError<ConfigToml, String>> {
-    let conf = ConfigToml::new(&self.config_path)
+    let conf = ConfigToml::new(&self.config_path).map_err(|e| ReloaderError::<ConfigToml, String>::Reload(e.to_string()))?;
-      .map_err(|_e| ReloaderError::<ConfigToml>::Reload("Failed to reload config toml"))?;
     Ok(Some(conf))
   }
 }

rpxy-bin/src/log.rs

@@ -21,7 +21,7 @@ pub fn init_logger() {
           .target()
           .starts_with(env!("CARGO_PKG_NAME").replace('-', "_").as_str())
           && metadata.level() <= &level)
-          || metadata.level() <= &tracing::Level::ERROR.min(level)
+          || metadata.level() <= &tracing::Level::WARN.min(level)
       }));
     tracing_subscriber::registry().with(stdio_layer).init();
   } else {

rpxy-bin/src/main.rs

@@ -40,10 +40,13 @@ fn main() {
         std::process::exit(1);
       }
     } else {
-      let (config_service, config_rx) =
+      let (config_service, config_rx) = ReloaderService::<ConfigTomlReloader, ConfigToml, String>::new(
-        ReloaderService::<ConfigTomlReloader, ConfigToml>::new(&parsed_opts.config_file_path, CONFIG_WATCH_DELAY_SECS, false)
+        &parsed_opts.config_file_path,
-          .await
+        CONFIG_WATCH_DELAY_SECS,
-          .unwrap();
+        false,
+      )
+      .await
+      .unwrap();
 
       tokio::select! {
         config_res = config_service.start() => {
@@ -246,7 +249,7 @@ async fn rpxy_service_without_watcher(
 }
 
 async fn rpxy_service_with_watcher(
-  mut config_rx: ReloaderReceiver<ConfigToml>,
+  mut config_rx: ReloaderReceiver<ConfigToml, String>,
   runtime_handle: tokio::runtime::Handle,
 ) -> Result<(), anyhow::Error> {
   info!("Start rpxy service with dynamic config reloader");

rpxy-certs/Cargo.toml

@@ -16,13 +16,13 @@ post-quantum = ["rustls-post-quantum"]
 http3 = []
 
 [dependencies]
-rustc-hash = { version = "2.0.0" }
+rustc-hash = { version = "2.1.0" }
-tracing = { version = "0.1.40" }
+tracing = { version = "0.1.41" }
 derive_builder = { version = "0.20.2" }
-thiserror = { version = "1.0.66" }
+thiserror = { version = "2.0.6" }
-hot_reload = { version = "0.1.6" }
+hot_reload = { version = "0.1.8" }
 async-trait = { version = "0.1.83" }
-rustls = { version = "0.23.16", default-features = false, features = [
+rustls = { version = "0.23.20", default-features = false, features = [
   "std",
   "aws_lc_rs",
 ] }
@@ -31,11 +31,11 @@ rustls-webpki = { version = "0.102.8", default-features = false, features = [
   "std",
   "aws_lc_rs",
 ] }
-rustls-post-quantum = { version = "0.1.0", optional = true }
+rustls-post-quantum = { version = "0.2.1", optional = true }
 x509-parser = { version = "0.16.0" }
 
 [dev-dependencies]
-tokio = { version = "1.41.0", default-features = false, features = [
+tokio = { version = "1.42.0", default-features = false, features = [
   "rt-multi-thread",
   "macros",
 ] }

rpxy-lib/Cargo.toml

@@ -37,11 +37,11 @@ post-quantum = [
 
 [dependencies]
 rand = "0.8.5"
-rustc-hash = "2.0.0"
+rustc-hash = "2.1.0"
-bytes = "1.8.0"
+bytes = "1.9.0"
 derive_builder = "0.20.2"
 futures = { version = "0.3.31", features = ["alloc", "async-await"] }
-tokio = { version = "1.41.0", default-features = false, features = [
+tokio = { version = "1.42.0", default-features = false, features = [
   "net",
   "rt-multi-thread",
   "time",
@@ -49,18 +49,18 @@ tokio = { version = "1.41.0", default-features = false, features = [
   "macros",
   "fs",
 ] }
-tokio-util = { version = "0.7.12", default-features = false }
+tokio-util = { version = "0.7.13", default-features = false }
 pin-project-lite = "0.2.15"
 async-trait = "0.1.83"
 
 # Error handling
-anyhow = "1.0.91"
+anyhow = "1.0.94"
-thiserror = "1.0.66"
+thiserror = "2.0.6"
 
 # http for both server and client
-http = "1.1.0"
+http = "1.2.0"
 http-body-util = "0.1.2"
-hyper = { version = "1.5.0", default-features = false }
+hyper = { version = "1.5.1", default-features = false }
 hyper-util = { version = "0.1.10", features = ["full"] }
 futures-util = { version = "0.3.31", default-features = false }
 futures-channel = { version = "0.3.31", default-features = false }
@@ -79,32 +79,32 @@ hyper-rustls = { version = "0.27.3", default-features = false, features = [
 
 # tls and cert management for server
 rpxy-certs = { path = "../rpxy-certs/", default-features = false }
-hot_reload = "0.1.6"
+hot_reload = "0.1.8"
-rustls = { version = "0.23.16", default-features = false }
+rustls = { version = "0.23.20", default-features = false }
-rustls-post-quantum = { version = "0.1.0", optional = true }
+rustls-post-quantum = { version = "0.2.1", optional = true }
-tokio-rustls = { version = "0.26.0", features = ["early-data"] }
+tokio-rustls = { version = "0.26.1", features = ["early-data"] }
 
 # acme
 rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true }
 
 # logging
-tracing = { version = "0.1.40" }
+tracing = { version = "0.1.41" }
 
 # http/3
-quinn = { version = "0.11.5", optional = true }
+quinn = { version = "0.11.6", optional = true }
 h3 = { version = "0.0.6", features = ["tracing"], optional = true }
 h3-quinn = { version = "0.0.7", optional = true }
-s2n-quic = { version = "1.48.0", path = "../submodules/s2n-quic/quic/s2n-quic/", default-features = false, features = [
+s2n-quic = { version = "1.51.0", path = "../submodules/s2n-quic/quic/s2n-quic/", default-features = false, features = [
   "provider-tls-rustls",
 ], optional = true }
-s2n-quic-core = { version = "0.48.0", path = "../submodules/s2n-quic/quic/s2n-quic-core", default-features = false, optional = true }
+s2n-quic-core = { version = "0.51.0", path = "../submodules/s2n-quic/quic/s2n-quic-core", default-features = false, optional = true }
-s2n-quic-rustls = { version = "0.48.0", path = "../submodules/s2n-quic/quic/s2n-quic-rustls", optional = true }
+s2n-quic-rustls = { version = "0.51.0", path = "../submodules/s2n-quic/quic/s2n-quic-rustls", optional = true }
 s2n-quic-h3 = { path = "../submodules/s2n-quic/quic/s2n-quic-h3/", features = [
   "tracing",
 ], optional = true }
 ##########
 # for UDP socket wit SO_REUSEADDR when h3 with quinn
-socket2 = { version = "0.5.7", features = ["all"], optional = true }
+socket2 = { version = "0.5.8", features = ["all"], optional = true }
 
 # cache
 http-cache-semantics = { path = "../submodules/rusty-http-cache-semantics", default-features = false, optional = true }
@@ -112,7 +112,7 @@ lru = { version = "0.12.5", optional = true }
 sha2 = { version = "0.10.8", default-features = false, optional = true }
 
 # cookie handling for sticky cookie
-chrono = { version = "0.4.38", default-features = false, features = [
+chrono = { version = "0.4.39", default-features = false, features = [
   "unstable-locales",
   "alloc",
   "clock",

rpxy-lib/src/message_handler/http_result.rs

@@ -53,6 +53,7 @@ impl From<HttpError> for StatusCode {
       HttpError::FailedToAddSetCookeInResponse(_) => StatusCode::INTERNAL_SERVER_ERROR,
       HttpError::FailedToGenerateDownstreamResponse(_) => StatusCode::INTERNAL_SERVER_ERROR,
       HttpError::FailedToUpgrade(_) => StatusCode::INTERNAL_SERVER_ERROR,
+      HttpError::FailedToGetResponseFromBackend(_) => StatusCode::BAD_GATEWAY,
       // HttpError::NoUpgradeExtensionInRequest => StatusCode::BAD_REQUEST,
       // HttpError::NoUpgradeExtensionInResponse => StatusCode::BAD_GATEWAY,
       _ => StatusCode::INTERNAL_SERVER_ERROR,

submodules/s2n-quic

@@ -1 +1 @@
-Subproject commit ffeaac1eb32589599c9be357f2273a2824741c7d
+Subproject commit b49cb517d0256864a9382f04fedd0e9f71531d85