Merge pull request #180 from junkurihara/https-redirection

feat: https redirection
2024-09-06 18:18:38 +09:00 · 2024-09-06 18:18:38 +09:00 · 725d8c8cdf
commit 725d8c8cdf
parent 90ac176361 6f7119c933
5 changed files with 29 additions and 2 deletions
--- a/config-example.toml
+++ b/config-example.toml
@ -10,6 +10,11 @@
 listen_port = 8080
 listen_port_tls = 8443

+# Optional. If you listen on a custom port like 8443 but redirect with firewall to 443
+# When you specify this, the server sends a redirection response 301 with specified port to the client for plaintext http request.
+# Otherwise, the server sends 301 with the same port as `listen_port_tls`.
+# https_redirection_port = 443
+
 # Optional for h2 and http1.1
 tcp_listen_backlog = 1024

--- a/rpxy-bin/src/config/parse.rs
+++ b/rpxy-bin/src/config/parse.rs
@ -59,6 +59,13 @@ pub fn build_settings(config: &ConfigToml) -> std::result::Result<(ProxyConfig,
      "Some apps serves only plaintext HTTP"
    );
  }
+  // https redirection port must be configured only when both http_port and https_port are configured.
+  if proxy_config.https_redirection_port.is_some() {
+    ensure!(
+      proxy_config.https_port.is_some() && proxy_config.http_port.is_some(),
+      "https_redirection_port can be specified only when both http_port and https_port are specified"
+    );
+  }
  // https redirection can be configured if both ports are active
  if !(proxy_config.https_port.is_some() && proxy_config.http_port.is_some()) {
    ensure!(
--- a/rpxy-bin/src/config/toml.rs
+++ b/rpxy-bin/src/config/toml.rs
@ -13,6 +13,7 @@ pub struct ConfigToml {
  pub listen_port: Option<u16>,
  pub listen_port_tls: Option<u16>,
  pub listen_ipv6: Option<bool>,
+  pub https_redirection_port: Option<u16>,
  pub tcp_listen_backlog: Option<u32>,
  pub max_concurrent_streams: Option<u32>,
  pub max_clients: Option<u32>,
@ -107,6 +108,11 @@ impl TryInto<ProxyConfig> for &ConfigToml {
      // listen port and socket
      http_port: self.listen_port,
      https_port: self.listen_port_tls,
+      https_redirection_port: if self.https_redirection_port.is_some() {
+        self.https_redirection_port
+      } else {
+        self.listen_port_tls
+      },
      ..Default::default()
    };
    ensure!(
--- a/rpxy-lib/src/globals.rs
+++ b/rpxy-lib/src/globals.rs
@ -30,8 +30,12 @@ pub struct ProxyConfig {
  pub listen_sockets: Vec<SocketAddr>,
  /// http port
  pub http_port: Option<u16>,
-  /// https port
+  /// https port listening for TLS by default
  pub https_port: Option<u16>,
+  /// https redirection port that notifies the client the port to connect to.
+  /// Tis is used when the reverse proxy is behind a middlebox mapping the https port A to the reverse proxy's https port B.
+  /// Typically, it is the container environment. (e.g. the host exposes 443 and the container exposes 8443 for https, then the redirection port is 443)
+  pub https_redirection_port: Option<u16>,
  /// tcp listen backlog
  pub tcp_listen_backlog: u32,

@ -85,6 +89,7 @@ impl Default for ProxyConfig {
      listen_sockets: Vec::new(),
      http_port: None,
      https_port: None,
+      https_redirection_port: None,
      tcp_listen_backlog: TCP_LISTEN_BACKLOG,

      // TODO: Reconsider each timeout values
--- a/rpxy-lib/src/message_handler/handler_main.rs
+++ b/rpxy-lib/src/message_handler/handler_main.rs
@ -121,7 +121,11 @@ where
        "Redirect to secure connection: {}",
        <&ServerName as TryInto<String>>::try_into(&backend_app.server_name).unwrap_or_default()
      );
-      return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_port, &req);
+      return secure_redirection_response(
+        &backend_app.server_name,
+        self.globals.proxy_config.https_redirection_port,
+        &req,
+      );
    }

    // Find reverse proxy for given path and choose one of upstream host