diff --git a/CHANGELOG.md b/CHANGELOG.md index dc1bc3a..8812e9e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,17 @@ ## 0.10.0 (Unreleased) +## 0.9.1 + +### Important Changes + +- Feat: Support `https_redirection_port` option to redirect http requests to https with custom port. + +### Improvement + +- Refactor: lots of minor improvements +- Deps + ## 0.9.0 ### Important Changes diff --git a/Cargo.toml b/Cargo.toml index 01c0263..bc6b043 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace.package] -version = "0.9.0" +version = "0.9.1" authors = ["Jun Kurihara"] homepage = "https://github.com/junkurihara/rust-rpxy" repository = "https://github.com/junkurihara/rust-rpxy" diff --git a/README.md b/README.md index 5e822da..274a096 100644 --- a/README.md +++ b/README.md @@ -315,6 +315,16 @@ The above configuration is common to all ACME enabled domains. Note that the htt ## TIPS +### Set custom port for HTTPS redirection + +Consider a case where `rpxy` is running on a container. Then when the container manager maps port A (e.g., 80/443) of the host to port B (e.g., 8080/8443) of the container for http and https, `rpxy` must be configured with port B for `listen_port` and `listen_port_tls`. However, when you want to set `http_redirection=true` for some backend apps, `rpxy` issues the redirection response 301 with the port B by default, which is not accessible from the outside of the container. To avoid this, you can set a custom port for the redirection response by specifying `https_redirection_port` in `config.toml`. In this case, port A should be set for `https_redirection_port`, then the redirection response 301 will be issued with the port A. + +```toml +listen_port = 8080 +listen_port_tls = 8443 +https_redirection_port = 443 +``` + ### Using Private Key Issued by Let's Encrypt If you obtain certificates and private keys from [Let's Encrypt](https://letsencrypt.org/), you have PKCS1-formatted private keys. So you need to convert such retrieved private keys into PKCS8 format to use in `rpxy`. diff --git a/config-example.toml b/config-example.toml index d279e50..b0a1945 100644 --- a/config-example.toml +++ b/config-example.toml @@ -10,6 +10,11 @@ listen_port = 8080 listen_port_tls = 8443 +# Optional. If you listen on a custom port like 8443 but redirect with firewall to 443 +# When you specify this, the server sends a redirection response 301 with specified port to the client for plaintext http request. +# Otherwise, the server sends 301 with the same port as `listen_port_tls`. +# https_redirection_port = 443 + # Optional for h2 and http1.1 tcp_listen_backlog = 1024 diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index d2de10a..17e1257 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -15,7 +15,7 @@ url = { version = "2.5.2" } rustc-hash = "2.0.0" thiserror = "1.0.63" tracing = "0.1.40" -async-trait = "0.1.81" +async-trait = "0.1.82" base64 = "0.22.1" aws-lc-rs = { version = "1.8.1", default-features = false, features = [ "aws-lc-sys", @@ -25,10 +25,10 @@ rustls = { version = "0.23.12", default-features = false, features = [ "std", "aws_lc_rs", ] } -rustls-platform-verifier = { version = "0.3.3" } +rustls-platform-verifier = { version = "0.3.4" } rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } -tokio = { version = "1.39.3", default-features = false } -tokio-util = { version = "0.7.11", default-features = false } -tokio-stream = { version = "0.1.15", default-features = false } +tokio = { version = "1.40.0", default-features = false } +tokio-util = { version = "0.7.12", default-features = false } +tokio-stream = { version = "0.1.16", default-features = false } diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 426f4f7..c689483 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -31,20 +31,20 @@ rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [ mimalloc = { version = "*", default-features = false } anyhow = "1.0.86" rustc-hash = "2.0.0" -serde = { version = "1.0.208", default-features = false, features = ["derive"] } -tokio = { version = "1.39.3", default-features = false, features = [ +serde = { version = "1.0.209", default-features = false, features = ["derive"] } +tokio = { version = "1.40.0", default-features = false, features = [ "net", "rt-multi-thread", "time", "sync", "macros", ] } -tokio-util = { version = "0.7.11", default-features = false } -async-trait = "0.1.81" +tokio-util = { version = "0.7.12", default-features = false } +async-trait = "0.1.82" futures-util = { version = "0.3.30", default-features = false } # config -clap = { version = "4.5.16", features = ["std", "cargo", "wrap_help"] } +clap = { version = "4.5.17", features = ["std", "cargo", "wrap_help"] } toml = { version = "0.8.19", default-features = false, features = ["parse"] } hot_reload = "0.1.6" diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs index a591c40..7292b58 100644 --- a/rpxy-bin/src/config/parse.rs +++ b/rpxy-bin/src/config/parse.rs @@ -59,6 +59,13 @@ pub fn build_settings(config: &ConfigToml) -> std::result::Result<(ProxyConfig, "Some apps serves only plaintext HTTP" ); } + // https redirection port must be configured only when both http_port and https_port are configured. + if proxy_config.https_redirection_port.is_some() { + ensure!( + proxy_config.https_port.is_some() && proxy_config.http_port.is_some(), + "https_redirection_port can be specified only when both http_port and https_port are specified" + ); + } // https redirection can be configured if both ports are active if !(proxy_config.https_port.is_some() && proxy_config.http_port.is_some()) { ensure!( diff --git a/rpxy-bin/src/config/toml.rs b/rpxy-bin/src/config/toml.rs index b2a70bb..9befc19 100644 --- a/rpxy-bin/src/config/toml.rs +++ b/rpxy-bin/src/config/toml.rs @@ -13,6 +13,7 @@ pub struct ConfigToml { pub listen_port: Option, pub listen_port_tls: Option, pub listen_ipv6: Option, + pub https_redirection_port: Option, pub tcp_listen_backlog: Option, pub max_concurrent_streams: Option, pub max_clients: Option, @@ -107,6 +108,11 @@ impl TryInto for &ConfigToml { // listen port and socket http_port: self.listen_port, https_port: self.listen_port_tls, + https_redirection_port: if self.https_redirection_port.is_some() { + self.https_redirection_port + } else { + self.listen_port_tls + }, ..Default::default() }; ensure!( diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index 1df2ad8..233a4ef 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -17,23 +17,23 @@ http3 = [] [dependencies] rustc-hash = { version = "2.0.0" } tracing = { version = "0.1.40" } -derive_builder = { version = "0.20.0" } +derive_builder = { version = "0.20.1" } thiserror = { version = "1.0.63" } hot_reload = { version = "0.1.6" } -async-trait = { version = "0.1.81" } +async-trait = { version = "0.1.82" } rustls = { version = "0.23.12", default-features = false, features = [ "std", "aws_lc_rs", ] } rustls-pemfile = { version = "2.1.3" } -rustls-webpki = { version = "0.102.6", default-features = false, features = [ +rustls-webpki = { version = "0.102.7", default-features = false, features = [ "std", "aws_lc_rs", ] } x509-parser = { version = "0.16.0" } [dev-dependencies] -tokio = { version = "1.39.3", default-features = false, features = [ +tokio = { version = "1.40.0", default-features = false, features = [ "rt-multi-thread", "macros", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 91f06ae..89c4868 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -33,9 +33,9 @@ acme = ["dep:rpxy-acme"] rand = "0.8.5" rustc-hash = "2.0.0" bytes = "1.7.1" -derive_builder = "0.20.0" +derive_builder = "0.20.1" futures = { version = "0.3.30", features = ["alloc", "async-await"] } -tokio = { version = "1.39.3", default-features = false, features = [ +tokio = { version = "1.40.0", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -43,9 +43,9 @@ tokio = { version = "1.39.3", default-features = false, features = [ "macros", "fs", ] } -tokio-util = { version = "0.7.11", default-features = false } +tokio-util = { version = "0.7.12", default-features = false } pin-project-lite = "0.2.14" -async-trait = "0.1.81" +async-trait = "0.1.82" # Error handling anyhow = "1.0.86" @@ -64,9 +64,7 @@ hyper-tls = { version = "0.6.0", features = [ "alpn", "vendored", ], optional = true } -# TODO: Work around to enable rustls-platform-verifier feature: https://github.com/rustls/hyper-rustls/pull/276 -# hyper-rustls = { version = "0.27.2", default-features = false, features = [ -hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = "main", features = [ +hyper-rustls = { version = "0.27.3", default-features = false, features = [ "aws-lc-rs", "http1", "http2", @@ -86,7 +84,7 @@ rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true tracing = { version = "0.1.40" } # http/3 -quinn = { version = "0.11.3", optional = true } +quinn = { version = "0.11.5", optional = true } h3 = { version = "0.0.6", features = ["tracing"], optional = true } h3-quinn = { version = "0.0.7", optional = true } s2n-quic-h3 = { path = "../submodules/s2n-quic-h3/", features = [ diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs index 97aadef..82d66c0 100644 --- a/rpxy-lib/src/globals.rs +++ b/rpxy-lib/src/globals.rs @@ -30,8 +30,12 @@ pub struct ProxyConfig { pub listen_sockets: Vec, /// http port pub http_port: Option, - /// https port + /// https port listening for TLS by default pub https_port: Option, + /// https redirection port that notifies the client the port to connect to. + /// Tis is used when the reverse proxy is behind a middlebox mapping the https port A to the reverse proxy's https port B. + /// Typically, it is the container environment. (e.g. the host exposes 443 and the container exposes 8443 for https, then the redirection port is 443) + pub https_redirection_port: Option, /// tcp listen backlog pub tcp_listen_backlog: u32, @@ -85,6 +89,7 @@ impl Default for ProxyConfig { listen_sockets: Vec::new(), http_port: None, https_port: None, + https_redirection_port: None, tcp_listen_backlog: TCP_LISTEN_BACKLOG, // TODO: Reconsider each timeout values diff --git a/rpxy-lib/src/message_handler/handler_main.rs b/rpxy-lib/src/message_handler/handler_main.rs index 9ce63f8..4b324df 100644 --- a/rpxy-lib/src/message_handler/handler_main.rs +++ b/rpxy-lib/src/message_handler/handler_main.rs @@ -121,7 +121,11 @@ where "Redirect to secure connection: {}", <&ServerName as TryInto>::try_into(&backend_app.server_name).unwrap_or_default() ); - return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_port, &req); + return secure_redirection_response( + &backend_app.server_name, + self.globals.proxy_config.https_redirection_port, + &req, + ); } // Find reverse proxy for given path and choose one of upstream host diff --git a/rpxy-lib/src/message_handler/utils_headers.rs b/rpxy-lib/src/message_handler/utils_headers.rs index 9be45e5..d058f88 100644 --- a/rpxy-lib/src/message_handler/utils_headers.rs +++ b/rpxy-lib/src/message_handler/utils_headers.rs @@ -30,16 +30,12 @@ pub(super) fn takeout_sticky_cookie_lb_context( let cookies_iter = entry .iter() .flat_map(|v| v.to_str().unwrap_or("").split(';').map(|v| v.trim())); - let (sticky_cookies, without_sticky_cookies): (Vec<_>, Vec<_>) = cookies_iter - .into_iter() - .partition(|v| v.starts_with(expected_cookie_name)); + let (sticky_cookies, without_sticky_cookies): (Vec<_>, Vec<_>) = + cookies_iter.into_iter().partition(|v| v.starts_with(expected_cookie_name)); if sticky_cookies.is_empty() { return Ok(None); } - ensure!( - sticky_cookies.len() == 1, - "Invalid cookie: Multiple sticky cookie values" - ); + ensure!(sticky_cookies.len() == 1, "Invalid cookie: Multiple sticky cookie values"); let cookies_passed_to_upstream = without_sticky_cookies.join("; "); let cookie_passed_to_lb = sticky_cookies.first().unwrap(); @@ -59,10 +55,7 @@ pub(super) fn takeout_sticky_cookie_lb_context( /// Set-Cookie if LB Sticky is enabled and if cookie is newly created/updated. /// Set-Cookie response header could be in multiple lines. /// https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/Set-Cookie -pub(super) fn set_sticky_cookie_lb_context( - headers: &mut HeaderMap, - context_from_lb: &LoadBalanceContext, -) -> Result<()> { +pub(super) fn set_sticky_cookie_lb_context(headers: &mut HeaderMap, context_from_lb: &LoadBalanceContext) -> Result<()> { let sticky_cookie_string: String = context_from_lb.sticky_cookie.clone().try_into()?; let new_header_val: HeaderValue = sticky_cookie_string.parse()?; let expected_cookie_name = &context_from_lb.sticky_cookie.value.name; @@ -122,7 +115,7 @@ pub(super) fn apply_upstream_options_to_header( // add upgrade-insecure-requests in request header if not exist headers .entry(header::UPGRADE_INSECURE_REQUESTS) - .or_insert(HeaderValue::from_bytes(&[b'1']).unwrap()); + .or_insert(HeaderValue::from_bytes(b"1").unwrap()); } _ => (), } @@ -141,7 +134,7 @@ pub(super) fn append_header_entry_with_comma(headers: &mut HeaderMap, key: &str, // entry.append(value.parse::()?); let mut new_value = Vec::::with_capacity(entry.get().as_bytes().len() + 2 + value.len()); new_value.put_slice(entry.get().as_bytes()); - new_value.put_slice(&[b',', b' ']); + new_value.put_slice(b", "); new_value.put_slice(value.as_bytes()); entry.insert(HeaderValue::from_bytes(&new_value)?); } diff --git a/rpxy-lib/src/message_handler/utils_request.rs b/rpxy-lib/src/message_handler/utils_request.rs index 8939433..b60835f 100644 --- a/rpxy-lib/src/message_handler/utils_request.rs +++ b/rpxy-lib/src/message_handler/utils_request.rs @@ -16,7 +16,7 @@ impl InspectParseHost for Request { /// Inspect and extract hostname from either the request HOST header or request line fn inspect_parse_host(&self) -> Result> { let drop_port = |v: &[u8]| { - if v.starts_with(&[b'[']) { + if v.starts_with(b"[") { // v6 address with bracket case. if port is specified, always it is in this case. let mut iter = v.split(|ptr| ptr == &b'[' || ptr == &b']'); iter.next().ok_or(anyhow!("Invalid Host header"))?; // first item is always blank