totally refine sni inspection mechanism using rustls
This commit is contained in:
Jun Kurihara
parent
68591cf265
commit
d7d782499a
4 changed files with 65 additions and 234 deletions
118
src/backend.rs
118
src/backend.rs
|
|
@ -1,8 +1,6 @@
|
|||
use crate::{backend_opt::UpstreamOption, log::*};
|
||||
use h3::server;
|
||||
use rand::Rng;
|
||||
use rustc_hash::{FxHashMap as HashMap, FxHashSet as HashSet};
|
||||
use rustls::server::ResolvesServerCert;
|
||||
use std::{
|
||||
borrow::Cow,
|
||||
fs::File,
|
||||
|
|
@ -15,7 +13,7 @@ use std::{
|
|||
};
|
||||
use tokio_rustls::rustls::{
|
||||
server::ResolvesServerCertUsingSni,
|
||||
sign::{any_supported_type, CertifiedKey, SigningKey},
|
||||
sign::{any_supported_type, CertifiedKey},
|
||||
Certificate, PrivateKey, ServerConfig,
|
||||
};
|
||||
|
||||
|
|
@ -131,112 +129,6 @@ impl Upstream {
|
|||
}
|
||||
|
||||
impl Backend {
|
||||
pub async fn update_server_config(&self) -> io::Result<ServerConfig> {
|
||||
debug!("Update TLS server config");
|
||||
let (certs_path, certs_keys_path) =
|
||||
if let (Some(c), Some(k)) = (self.tls_cert_path.as_ref(), self.tls_cert_key_path.as_ref()) {
|
||||
(c, k)
|
||||
} else {
|
||||
return Err(io::Error::new(
|
||||
io::ErrorKind::Other,
|
||||
"Invalid certs and keys paths",
|
||||
));
|
||||
};
|
||||
let certs: Vec<_> = {
|
||||
let certs_path_str = certs_path.display().to_string();
|
||||
let mut reader = BufReader::new(File::open(certs_path).map_err(|e| {
|
||||
io::Error::new(
|
||||
e.kind(),
|
||||
format!(
|
||||
"Unable to load the certificates [{}]: {}",
|
||||
certs_path_str, e
|
||||
),
|
||||
)
|
||||
})?);
|
||||
rustls_pemfile::certs(&mut reader).map_err(|_| {
|
||||
io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"Unable to parse the certificates",
|
||||
)
|
||||
})?
|
||||
}
|
||||
.drain(..)
|
||||
.map(Certificate)
|
||||
.collect();
|
||||
let certs_keys: Vec<_> = {
|
||||
let certs_keys_path_str = certs_keys_path.display().to_string();
|
||||
let encoded_keys = {
|
||||
let mut encoded_keys = vec![];
|
||||
File::open(certs_keys_path)
|
||||
.map_err(|e| {
|
||||
io::Error::new(
|
||||
e.kind(),
|
||||
format!(
|
||||
"Unable to load the certificate keys [{}]: {}",
|
||||
certs_keys_path_str, e
|
||||
),
|
||||
)
|
||||
})?
|
||||
.read_to_end(&mut encoded_keys)?;
|
||||
encoded_keys
|
||||
};
|
||||
let mut reader = Cursor::new(encoded_keys);
|
||||
let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader).map_err(|_| {
|
||||
io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"Unable to parse the certificates private keys (PKCS8)",
|
||||
)
|
||||
})?;
|
||||
reader.set_position(0);
|
||||
let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)?;
|
||||
let mut keys = pkcs8_keys;
|
||||
keys.append(&mut rsa_keys);
|
||||
if keys.is_empty() {
|
||||
return Err(io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"No private keys found - Make sure that they are in PKCS#8/PEM format",
|
||||
));
|
||||
}
|
||||
keys.drain(..).map(PrivateKey).collect()
|
||||
};
|
||||
|
||||
let mut server_config = certs_keys
|
||||
.into_iter()
|
||||
.find_map(|certs_key| {
|
||||
let server_config_builder = ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
.with_no_client_auth();
|
||||
if let Ok(found_config) = server_config_builder.with_single_cert(certs.clone(), certs_key) {
|
||||
Some(found_config)
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.ok_or_else(|| {
|
||||
io::Error::new(
|
||||
io::ErrorKind::InvalidInput,
|
||||
"Unable to find a valid certificate and key",
|
||||
)
|
||||
})?;
|
||||
|
||||
#[cfg(feature = "h3")]
|
||||
{
|
||||
server_config.alpn_protocols = vec![
|
||||
b"h3".to_vec(),
|
||||
b"hq-29".to_vec(), // quinn draft example TODO: remove later
|
||||
b"h2".to_vec(),
|
||||
b"http/1.1".to_vec(),
|
||||
];
|
||||
}
|
||||
#[cfg(not(feature = "h3"))]
|
||||
{
|
||||
server_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
|
||||
}
|
||||
|
||||
// server_config;
|
||||
Ok(server_config)
|
||||
}
|
||||
|
||||
pub fn read_certs_and_key(&self) -> io::Result<CertifiedKey> {
|
||||
debug!("Read TLS server certificates and private key");
|
||||
let (certs_path, certs_keys_path) =
|
||||
|
|
@ -330,6 +222,7 @@ impl Backends {
|
|||
) -> Result<ServerConfig, anyhow::Error> {
|
||||
let mut resolver = ResolvesServerCertUsingSni::new();
|
||||
|
||||
let mut cnt = 0;
|
||||
for (_, backend) in self.apps.iter() {
|
||||
if backend.tls_cert_key_path.is_some() && backend.tls_cert_path.is_some() {
|
||||
match backend.read_certs_and_key() {
|
||||
|
|
@ -340,6 +233,12 @@ impl Backends {
|
|||
backend.server_name.as_str(),
|
||||
e
|
||||
)
|
||||
} else {
|
||||
debug!(
|
||||
"Add certificate for server_name: {}",
|
||||
backend.server_name.as_str()
|
||||
);
|
||||
cnt += 1;
|
||||
}
|
||||
}
|
||||
Err(e) => {
|
||||
|
|
@ -352,6 +251,7 @@ impl Backends {
|
|||
}
|
||||
}
|
||||
}
|
||||
debug!("Load certificate chain for {} server_name's", cnt);
|
||||
|
||||
let mut server_config = ServerConfig::builder()
|
||||
.with_safe_defaults()
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue