diff --git a/config-example.toml b/config-example.toml
index 319a4a3..b0a1945 100644
--- a/config-example.toml
+++ b/config-example.toml
@@ -11,7 +11,9 @@ listen_port = 8080
 listen_port_tls = 8443
 # Optional. If you listen on a custom port like 8443 but redirect with firewall to 443
-# tls_redirection_port = 443
+# When you specify this, the server sends a redirection response 301 with specified port to the client for plaintext http request.
+# Otherwise, the server sends 301 with the same port as `listen_port_tls`.
+# https_redirection_port = 443
 # Optional for h2 and http1.1
 tcp_listen_backlog = 1024
diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs
index a591c40..7292b58 100644
--- a/rpxy-bin/src/config/parse.rs
+++ b/rpxy-bin/src/config/parse.rs
@@ -59,6 +59,13 @@ pub fn build_settings(config: &ConfigToml) -> std::result::Result<(ProxyConfig,
 "Some apps serves only plaintext HTTP"
 );
 }
+ // https redirection port must be configured only when both http_port and https_port are configured.
+ if proxy_config.https_redirection_port.is_some() {
+ ensure!(
+ proxy_config.https_port.is_some() && proxy_config.http_port.is_some(),
+ "https_redirection_port can be specified only when both http_port and https_port are specified"
+ );
+ }
 // https redirection can be configured if both ports are active
 if !(proxy_config.https_port.is_some() && proxy_config.http_port.is_some()) {
 ensure!(
diff --git a/rpxy-bin/src/config/toml.rs b/rpxy-bin/src/config/toml.rs
index 5f24475..9befc19 100644
--- a/rpxy-bin/src/config/toml.rs
+++ b/rpxy-bin/src/config/toml.rs
@@ -13,7 +13,7 @@ pub struct ConfigToml {
 pub listen_port: Option,
 pub listen_port_tls: Option,
 pub listen_ipv6: Option,
- pub tls_redirection_port: Option,
+ pub https_redirection_port: Option,
 pub tcp_listen_backlog: Option,
 pub max_concurrent_streams: Option,
 pub max_clients: Option,
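Review bot: The new guard in the parse.rs hunk tests `proxy_config.https_redirection_port`, but the `ConfigToml` conversion changed in this same diff (the `TryInto` hunk in rpxy-bin/src/config/toml.rs) fills that field with `listen_port_tls` whenever the user did not set it, so the value is `Some` for every TLS-enabled config and this `ensure!` rejects an HTTPS-only setup (`listen_port_tls` set, `listen_port` unset) that never specified a redirection port, with an error message that does not match what the user wrote. Testing the user-supplied value instead, `if config.https_redirection_port.is_some() {`, keeps the check and its message accurate; `config: &ConfigToml` is already the parameter of `build_settings`. The derived-value fallback that causes this is the line to watch in the toml.rs `TryInto` hunk. `build_settings` continues outside the hunk, so I cannot tell whether the following "both ports are active" check has the same issue.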
@@ -108,8 +108,11 @@ impl TryInto for &ConfigToml {
 // listen port and socket
 http_port: self.listen_port,
 https_port: self.listen_port_tls,
- https_redirection_port: if self.tls_redirection_port.is_some() {
- self.tls_redirection_port } else { self.listen_port_tls },
+ https_redirection_port: if self.https_redirection_port.is_some() {
+ self.https_redirection_port
+ } else {
+ self.listen_port_tls
+ },
 ..Default::default()
 };
 ensure!(
diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs
index 97aadef..82d66c0 100644
--- a/rpxy-lib/src/globals.rs
+++ b/rpxy-lib/src/globals.rs
@@ -30,8 +30,12 @@ pub struct ProxyConfig {
 pub listen_sockets: Vec,
 /// http port
 pub http_port: Option,
- /// https port
+ /// https port listening for TLS by default
 pub https_port: Option,
+ /// https redirection port that notifies the client the port to connect to.
+ /// Tis is used when the reverse proxy is behind a middlebox mapping the https port A to the reverse proxy's https port B.
+ /// Typically, it is the container environment. (e.g. the host exposes 443 and the container exposes 8443 for https, then the redirection port is 443)
+ pub https_redirection_port: Option,
 /// tcp listen backlog
 pub tcp_listen_backlog: u32,
@@ -85,6 +89,7 @@ impl Default for ProxyConfig {
 listen_sockets: Vec::new(),
 http_port: None,
 https_port: None,
+ https_redirection_port: None,
 tcp_listen_backlog: TCP_LISTEN_BACKLOG,
 // TODO: Reconsider each timeout values
diff --git a/rpxy-lib/src/message_handler/handler_main.rs b/rpxy-lib/src/message_handler/handler_main.rs
index 3a44395..4b324df 100644
--- a/rpxy-lib/src/message_handler/handler_main.rs
+++ b/rpxy-lib/src/message_handler/handler_main.rs
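Review bot: Configs that still use the old `tls_redirection_port` key are not handled by the new branch: it reads only `self.https_redirection_port`, so an existing deployment that kept the old key gets `None` here and silently falls back to `listen_port_tls`, which changes the port advertised in the 301 unless unknown keys are rejected at deserialization — something this diff does not show. If `ConfigToml` is deserialized through serde, `#[serde(alias = "tls_redirection_port")]` on the renamed field in the `ConfigToml` hunk keeps both spellings working during the transition; otherwise the rename deserves a note in the changelog. As a point of style, the `if … is_some()` form is `https_redirection_port: self.https_redirection_port.or(self.listen_port_tls),`. The enclosing `try_into` body starts and ends outside the hunk.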
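Review bot: The new doc comment on `https_redirection_port` in the `ProxyConfig` hunk has a typo, `Tis is used when …` should read `/// This is used when the reverse proxy is behind a middlebox mapping the https port A to the reverse proxy's https port B.`. It would also help readers of this crate to say what `None` means, since the `Default` hunk below sets it to `None` and the handler passes the value straight to `secure_redirection_response`; if `None` is meant to mean "use `https_port`", state that on the field, as the fallback visible in this diff lives in the rpxy-bin TOML conversion rather than here. The `ProxyConfig` struct continues outside the hunk.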
@@ -121,7 +121,11 @@ where
 "Redirect to secure connection: {}",
 <&ServerName as TryInto>::try_into(&backend_app.server_name).unwrap_or_default()
 );
- return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_redirection_port, &req);
+ return secure_redirection_response(
+ &backend_app.server_name,
+ self.globals.proxy_config.https_redirection_port,
+ &req,
+ );
 }
 // Find reverse proxy for given path and choose one of upstream host