refactor
This commit is contained in:
		
					parent
					
						
							
								62fe6a0b49
							
						
					
				
			
			
				commit
				
					
						8115bbf866
					
				
			
		
					 3 changed files with 37 additions and 31 deletions
				
			
		|  | @ -70,40 +70,46 @@ where | |||
|           // spawns async handshake to avoid blocking thread by sequential handshake.
 | ||||
|           let handshake_fut = async move { | ||||
|             // timeout is introduced to avoid get stuck here.
 | ||||
|             match timeout(Duration::from_secs(TLS_HANDSHAKE_TIMEOUT_SEC), acceptor.accept(raw_stream)).await { | ||||
|               Ok(x) => match x { | ||||
|                 Ok(stream) => { | ||||
|                   // Retrieve SNI
 | ||||
|                   let (_, conn) = stream.get_ref(); | ||||
|                   let server_name = conn.sni_hostname(); | ||||
|                   debug!("HTTP/2 or 1.1: SNI in ClientHello: {:?}", server_name); | ||||
|                   let server_name = server_name.map_or_else(|| None, |v| Some(v.to_server_name_vec())); | ||||
|                   if server_name.is_none(){ | ||||
|                     Err(RpxyError::Proxy("No SNI is given".to_string())) | ||||
|                   } else { | ||||
|                     //////////////////////////////
 | ||||
|                     // Check client certificate
 | ||||
|                     // TODO: consider move this function to the layer of handle_request (L7) to return 403
 | ||||
|                     let client_certs = conn.peer_certificates(); | ||||
|                     let client_certs_setting_for_sni = sni_cc_map.get(&server_name.clone().unwrap()); | ||||
|                     check_client_authentication(client_certs, client_certs_setting_for_sni)?; | ||||
|                     //////////////////////////////
 | ||||
|                     // this immediately spawns another future to actually handle stream. so it is okay to introduce timeout for handshake.
 | ||||
|                     self_inner.client_serve(stream, server_clone, client_addr, server_name); // TODO: don't want to pass copied value...
 | ||||
|                     Ok(()) | ||||
|                   } | ||||
|                 }, | ||||
|                 Err(e) => { | ||||
|                   Err(RpxyError::Proxy(format!("Failed to handshake TLS: {}", e))) | ||||
|                 } | ||||
|               }, | ||||
|             let accepted = match timeout(Duration::from_secs(TLS_HANDSHAKE_TIMEOUT_SEC), acceptor.accept(raw_stream)).await { | ||||
|               Ok(a) => a, | ||||
|               Err(e) => { | ||||
|                 Err(RpxyError::Proxy(format!("Timeout to handshake TLS: {}", e))) | ||||
|                 return Err(RpxyError::Proxy(format!("Timeout to handshake TLS: {}", e))); | ||||
|               } | ||||
|             }; | ||||
|             let stream = match accepted { | ||||
|               Ok(s) => s, | ||||
|               Err(e) => { | ||||
|                 return Err(RpxyError::Proxy(format!("Failed to handshake TLS: {}", e))); | ||||
|               } | ||||
|             }; | ||||
|             // Retrieve SNI
 | ||||
|             let (_, conn) = stream.get_ref(); | ||||
|             let server_name = conn.sni_hostname(); | ||||
|             debug!("HTTP/2 or 1.1: SNI in ClientHello: {:?}", server_name); | ||||
|             let server_name = server_name.map_or_else(|| None, |v| Some(v.to_server_name_vec())); | ||||
|             if server_name.is_none(){ | ||||
|               // conn.send_close_notify();
 | ||||
|               Err(RpxyError::Proxy("No SNI is given".to_string())) | ||||
|             } else { | ||||
|               //////////////////////////////
 | ||||
|               // Check client certificate
 | ||||
|               // TODO: consider move this function to the layer of handle_request (L7) to return 403
 | ||||
|               let client_certs = conn.peer_certificates(); | ||||
|               let client_certs_setting_for_sni = sni_cc_map.get(&server_name.clone().unwrap()); | ||||
|               check_client_authentication(client_certs, client_certs_setting_for_sni)?; | ||||
|               // if let Err(e) = check_client_authentication(client_certs, client_certs_setting_for_sni){
 | ||||
|               //   conn.send_close_notify();
 | ||||
|               //   return Err(e);
 | ||||
|               // }
 | ||||
|               //////////////////////////////
 | ||||
|               // this immediately spawns another future to actually handle stream. so it is okay to introduce timeout for handshake.
 | ||||
|               self_inner.client_serve(stream, server_clone, client_addr, server_name); // TODO: don't want to pass copied value...
 | ||||
|               Ok(()) | ||||
|             } | ||||
|           }; | ||||
|           self.globals.runtime_handle.spawn( async move { | ||||
|             if let Err(e) = handshake_fut.await { | ||||
| 
 | ||||
|               error!("{}", e); | ||||
|             } | ||||
|           }); | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue
	
	 Jun Kurihara
				Jun Kurihara