Merge pull request #181 from junkurihara/develop

0.9.1
This commit is contained in:
Jun Kurihara 2024-09-06 21:08:42 +09:00 committed by GitHub
commit c7bd191ce5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 90 additions and 51 deletions

View file

@ -2,6 +2,17 @@
## 0.10.0 (Unreleased)
## 0.9.1
### Important Changes
- Feat: Support `https_redirection_port` option to redirect http requests to https with custom port.
### Improvement
- Refactor: lots of minor improvements
- Deps
## 0.9.0
### Important Changes

View file

@ -1,5 +1,5 @@
[workspace.package]
version = "0.9.0"
version = "0.9.1"
authors = ["Jun Kurihara"]
homepage = "https://github.com/junkurihara/rust-rpxy"
repository = "https://github.com/junkurihara/rust-rpxy"

View file

@ -104,7 +104,7 @@ Otherwise, say, a request to `other.example.com` is simply rejected with the sta
If you want to host multiple and distinct domain names in a single IP address/port, simply create multiple `app."<app_name>"` entries in config file like
```toml
default_application = "app1"
default_app = "app1"
[apps.app1]
server_name = "app1.example.com"
@ -115,7 +115,7 @@ server_name = "app2.example.org"
#...
```
Here we note that by specifying `default_application` entry, *HTTP* requests will be served by the specified application if HOST header or URL in Request line doesn't match any `server_name`s in `reverse_proxy` entries. For HTTPS requests, it will be rejected since the secure connection cannot be established for the unknown server name.
Here we note that by specifying `default_app` entry, *HTTP* requests will be served by the specified application if HOST header or URL in Request line doesn't match any `server_name`s in `reverse_proxy` entries. For HTTPS requests, it will be rejected since the secure connection cannot be established for the unknown server name.
#### HTTPS to Backend Application
@ -315,6 +315,16 @@ The above configuration is common to all ACME enabled domains. Note that the htt
## TIPS
### Set custom port for HTTPS redirection
Consider a case where `rpxy` is running on a container. Then when the container manager maps port A (e.g., 80/443) of the host to port B (e.g., 8080/8443) of the container for http and https, `rpxy` must be configured with port B for `listen_port` and `listen_port_tls`. However, when you want to set `http_redirection=true` for some backend apps, `rpxy` issues the redirection response 301 with the port B by default, which is not accessible from the outside of the container. To avoid this, you can set a custom port for the redirection response by specifying `https_redirection_port` in `config.toml`. In this case, port A should be set for `https_redirection_port`, then the redirection response 301 will be issued with the port A.
```toml
listen_port = 8080
listen_port_tls = 8443
https_redirection_port = 443
```
### Using Private Key Issued by Let's Encrypt
If you obtain certificates and private keys from [Let's Encrypt](https://letsencrypt.org/), you have PKCS1-formatted private keys. So you need to convert such retrieved private keys into PKCS8 format to use in `rpxy`.

View file

@ -10,6 +10,11 @@
listen_port = 8080
listen_port_tls = 8443
# Optional. If you listen on a custom port like 8443 but redirect with firewall to 443
# When you specify this, the server sends a redirection response 301 with specified port to the client for plaintext http request.
# Otherwise, the server sends 301 with the same port as `listen_port_tls`.
# https_redirection_port = 443
# Optional for h2 and http1.1
tcp_listen_backlog = 1024

View file

@ -15,7 +15,7 @@ url = { version = "2.5.2" }
rustc-hash = "2.0.0"
thiserror = "1.0.63"
tracing = "0.1.40"
async-trait = "0.1.81"
async-trait = "0.1.82"
base64 = "0.22.1"
aws-lc-rs = { version = "1.8.1", default-features = false, features = [
"aws-lc-sys",
@ -25,10 +25,10 @@ rustls = { version = "0.23.12", default-features = false, features = [
"std",
"aws_lc_rs",
] }
rustls-platform-verifier = { version = "0.3.3" }
rustls-platform-verifier = { version = "0.3.4" }
rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
"aws-lc-rs",
] }
tokio = { version = "1.39.2", default-features = false }
tokio-util = { version = "0.7.11", default-features = false }
tokio-stream = { version = "0.1.15", default-features = false }
tokio = { version = "1.40.0", default-features = false }
tokio-util = { version = "0.7.12", default-features = false }
tokio-stream = { version = "0.1.16", default-features = false }

View file

@ -31,21 +31,21 @@ rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [
mimalloc = { version = "*", default-features = false }
anyhow = "1.0.86"
rustc-hash = "2.0.0"
serde = { version = "1.0.204", default-features = false, features = ["derive"] }
tokio = { version = "1.39.2", default-features = false, features = [
serde = { version = "1.0.209", default-features = false, features = ["derive"] }
tokio = { version = "1.40.0", default-features = false, features = [
"net",
"rt-multi-thread",
"time",
"sync",
"macros",
] }
tokio-util = { version = "0.7.11", default-features = false }
async-trait = "0.1.81"
tokio-util = { version = "0.7.12", default-features = false }
async-trait = "0.1.82"
futures-util = { version = "0.3.30", default-features = false }
# config
clap = { version = "4.5.11", features = ["std", "cargo", "wrap_help"] }
toml = { version = "0.8.17", default-features = false, features = ["parse"] }
clap = { version = "4.5.17", features = ["std", "cargo", "wrap_help"] }
toml = { version = "0.8.19", default-features = false, features = ["parse"] }
hot_reload = "0.1.6"
# logging

View file

@ -59,6 +59,13 @@ pub fn build_settings(config: &ConfigToml) -> std::result::Result<(ProxyConfig,
"Some apps serves only plaintext HTTP"
);
}
// https redirection port must be configured only when both http_port and https_port are configured.
if proxy_config.https_redirection_port.is_some() {
ensure!(
proxy_config.https_port.is_some() && proxy_config.http_port.is_some(),
"https_redirection_port can be specified only when both http_port and https_port are specified"
);
}
// https redirection can be configured if both ports are active
if !(proxy_config.https_port.is_some() && proxy_config.http_port.is_some()) {
ensure!(

View file

@ -13,6 +13,7 @@ pub struct ConfigToml {
pub listen_port: Option<u16>,
pub listen_port_tls: Option<u16>,
pub listen_ipv6: Option<bool>,
pub https_redirection_port: Option<u16>,
pub tcp_listen_backlog: Option<u32>,
pub max_concurrent_streams: Option<u32>,
pub max_clients: Option<u32>,
@ -107,6 +108,11 @@ impl TryInto<ProxyConfig> for &ConfigToml {
// listen port and socket
http_port: self.listen_port,
https_port: self.listen_port_tls,
https_redirection_port: if self.https_redirection_port.is_some() {
self.https_redirection_port
} else {
self.listen_port_tls
},
..Default::default()
};
ensure!(

View file

@ -17,23 +17,23 @@ http3 = []
[dependencies]
rustc-hash = { version = "2.0.0" }
tracing = { version = "0.1.40" }
derive_builder = { version = "0.20.0" }
derive_builder = { version = "0.20.1" }
thiserror = { version = "1.0.63" }
hot_reload = { version = "0.1.6" }
async-trait = { version = "0.1.81" }
async-trait = { version = "0.1.82" }
rustls = { version = "0.23.12", default-features = false, features = [
"std",
"aws_lc_rs",
] }
rustls-pemfile = { version = "2.1.2" }
rustls-webpki = { version = "0.102.6", default-features = false, features = [
rustls-pemfile = { version = "2.1.3" }
rustls-webpki = { version = "0.102.7", default-features = false, features = [
"std",
"aws_lc_rs",
] }
x509-parser = { version = "0.16.0" }
[dev-dependencies]
tokio = { version = "1.39.2", default-features = false, features = [
tokio = { version = "1.40.0", default-features = false, features = [
"rt-multi-thread",
"macros",
] }

View file

@ -32,10 +32,10 @@ acme = ["dep:rpxy-acme"]
[dependencies]
rand = "0.8.5"
rustc-hash = "2.0.0"
bytes = "1.7.0"
derive_builder = "0.20.0"
bytes = "1.7.1"
derive_builder = "0.20.1"
futures = { version = "0.3.30", features = ["alloc", "async-await"] }
tokio = { version = "1.39.2", default-features = false, features = [
tokio = { version = "1.40.0", default-features = false, features = [
"net",
"rt-multi-thread",
"time",
@ -43,9 +43,9 @@ tokio = { version = "1.39.2", default-features = false, features = [
"macros",
"fs",
] }
tokio-util = { version = "0.7.11", default-features = false }
tokio-util = { version = "0.7.12", default-features = false }
pin-project-lite = "0.2.14"
async-trait = "0.1.81"
async-trait = "0.1.82"
# Error handling
anyhow = "1.0.86"
@ -55,7 +55,7 @@ thiserror = "1.0.63"
http = "1.1.0"
http-body-util = "0.1.2"
hyper = { version = "1.4.1", default-features = false }
hyper-util = { version = "0.1.6", features = ["full"] }
hyper-util = { version = "0.1.7", features = ["full"] }
futures-util = { version = "0.3.30", default-features = false }
futures-channel = { version = "0.3.30", default-features = false }
@ -64,9 +64,7 @@ hyper-tls = { version = "0.6.0", features = [
"alpn",
"vendored",
], optional = true }
# TODO: Work around to enable rustls-platform-verifier feature: https://github.com/rustls/hyper-rustls/pull/276
# hyper-rustls = { version = "0.27.2", default-features = false, features = [
hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = "main", features = [
hyper-rustls = { version = "0.27.3", default-features = false, features = [
"aws-lc-rs",
"http1",
"http2",
@ -86,17 +84,17 @@ rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true
tracing = { version = "0.1.40" }
# http/3
quinn = { version = "0.11.2", optional = true }
quinn = { version = "0.11.5", optional = true }
h3 = { version = "0.0.6", features = ["tracing"], optional = true }
h3-quinn = { version = "0.0.7", optional = true }
s2n-quic-h3 = { path = "../submodules/s2n-quic-h3/", features = [
"tracing",
], optional = true }
s2n-quic = { version = "1.43.0", default-features = false, features = [
s2n-quic = { version = "1.45.0", default-features = false, features = [
"provider-tls-rustls",
], optional = true }
s2n-quic-core = { version = "0.43.0", default-features = false, optional = true }
s2n-quic-rustls = { version = "0.43.0", optional = true }
s2n-quic-core = { version = "0.45.0", default-features = false, optional = true }
s2n-quic-rustls = { version = "0.45.0", optional = true }
##########
# for UDP socket wit SO_REUSEADDR when h3 with quinn
socket2 = { version = "0.5.7", features = ["all"], optional = true }

View file

@ -30,8 +30,12 @@ pub struct ProxyConfig {
pub listen_sockets: Vec<SocketAddr>,
/// http port
pub http_port: Option<u16>,
/// https port
/// https port listening for TLS by default
pub https_port: Option<u16>,
/// https redirection port that notifies the client the port to connect to.
/// Tis is used when the reverse proxy is behind a middlebox mapping the https port A to the reverse proxy's https port B.
/// Typically, it is the container environment. (e.g. the host exposes 443 and the container exposes 8443 for https, then the redirection port is 443)
pub https_redirection_port: Option<u16>,
/// tcp listen backlog
pub tcp_listen_backlog: u32,
@ -85,6 +89,7 @@ impl Default for ProxyConfig {
listen_sockets: Vec::new(),
http_port: None,
https_port: None,
https_redirection_port: None,
tcp_listen_backlog: TCP_LISTEN_BACKLOG,
// TODO: Reconsider each timeout values

View file

@ -121,7 +121,11 @@ where
"Redirect to secure connection: {}",
<&ServerName as TryInto<String>>::try_into(&backend_app.server_name).unwrap_or_default()
);
return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_port, &req);
return secure_redirection_response(
&backend_app.server_name,
self.globals.proxy_config.https_redirection_port,
&req,
);
}
// Find reverse proxy for given path and choose one of upstream host

View file

@ -30,16 +30,12 @@ pub(super) fn takeout_sticky_cookie_lb_context(
let cookies_iter = entry
.iter()
.flat_map(|v| v.to_str().unwrap_or("").split(';').map(|v| v.trim()));
let (sticky_cookies, without_sticky_cookies): (Vec<_>, Vec<_>) = cookies_iter
.into_iter()
.partition(|v| v.starts_with(expected_cookie_name));
let (sticky_cookies, without_sticky_cookies): (Vec<_>, Vec<_>) =
cookies_iter.into_iter().partition(|v| v.starts_with(expected_cookie_name));
if sticky_cookies.is_empty() {
return Ok(None);
}
ensure!(
sticky_cookies.len() == 1,
"Invalid cookie: Multiple sticky cookie values"
);
ensure!(sticky_cookies.len() == 1, "Invalid cookie: Multiple sticky cookie values");
let cookies_passed_to_upstream = without_sticky_cookies.join("; ");
let cookie_passed_to_lb = sticky_cookies.first().unwrap();
@ -59,10 +55,7 @@ pub(super) fn takeout_sticky_cookie_lb_context(
/// Set-Cookie if LB Sticky is enabled and if cookie is newly created/updated.
/// Set-Cookie response header could be in multiple lines.
/// https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/Set-Cookie
pub(super) fn set_sticky_cookie_lb_context(
headers: &mut HeaderMap,
context_from_lb: &LoadBalanceContext,
) -> Result<()> {
pub(super) fn set_sticky_cookie_lb_context(headers: &mut HeaderMap, context_from_lb: &LoadBalanceContext) -> Result<()> {
let sticky_cookie_string: String = context_from_lb.sticky_cookie.clone().try_into()?;
let new_header_val: HeaderValue = sticky_cookie_string.parse()?;
let expected_cookie_name = &context_from_lb.sticky_cookie.value.name;
@ -122,7 +115,7 @@ pub(super) fn apply_upstream_options_to_header(
// add upgrade-insecure-requests in request header if not exist
headers
.entry(header::UPGRADE_INSECURE_REQUESTS)
.or_insert(HeaderValue::from_bytes(&[b'1']).unwrap());
.or_insert(HeaderValue::from_bytes(b"1").unwrap());
}
_ => (),
}
@ -141,7 +134,7 @@ pub(super) fn append_header_entry_with_comma(headers: &mut HeaderMap, key: &str,
// entry.append(value.parse::<HeaderValue>()?);
let mut new_value = Vec::<u8>::with_capacity(entry.get().as_bytes().len() + 2 + value.len());
new_value.put_slice(entry.get().as_bytes());
new_value.put_slice(&[b',', b' ']);
new_value.put_slice(b", ");
new_value.put_slice(value.as_bytes());
entry.insert(HeaderValue::from_bytes(&new_value)?);
}

View file

@ -16,7 +16,7 @@ impl<B> InspectParseHost for Request<B> {
/// Inspect and extract hostname from either the request HOST header or request line
fn inspect_parse_host(&self) -> Result<Vec<u8>> {
let drop_port = |v: &[u8]| {
if v.starts_with(&[b'[']) {
if v.starts_with(b"[") {
// v6 address with bracket case. if port is specified, always it is in this case.
let mut iter = v.split(|ptr| ptr == &b'[' || ptr == &b']');
iter.next().ok_or(anyhow!("Invalid Host header"))?; // first item is always blank

@ -1 +1 @@
Subproject commit 43719fb04cc522c039c9e7420567a38416f9fec7
Subproject commit af2d016b6aa4e09586253a0459efc4af6635c79b

View file

@ -15,8 +15,8 @@ futures = { version = "0.3", default-features = false }
h3 = { version = "0.0.6", features = ["tracing"] }
# s2n-quic = { path = "../s2n-quic" }
# s2n-quic-core = { path = "../s2n-quic-core" }
s2n-quic = { version = "1.43.0" }
s2n-quic-core = { version = "0.43.0" }
s2n-quic = { version = "1.45.0" }
s2n-quic-core = { version = "0.45.0" }
tracing = { version = "0.1.40", optional = true }
[features]