Merge pull request #171 from junkurihara/develop

0.9.0
2024-08-01 01:02:10 +09:00 · 2024-08-01 01:02:10 +09:00 · d85b70f689
commit d85b70f689
parent 03ea24c7ff 9ca81e96e7
32 changed files with 978 additions and 190 deletions
--- a/.github/workflows/release_docker.yml
+++ b/.github/workflows/release_docker.yml
@ -45,7 +45,7 @@ jobs:
          - target: "s2n"
            dockerfile: ./docker/Dockerfile
            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,rustls-backend"
+              "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,rustls-backend,acme"
              "ADDITIONAL_DEPS=pkg-config libssl-dev cmake libclang1 gcc g++"
            platforms: linux/amd64,linux/arm64
            tags-suffix: "-s2n"
@ -58,7 +58,7 @@ jobs:
            dockerfile: ./docker/Dockerfile
            platforms: linux/amd64,linux/arm64
            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots"
+              "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots,acme"
            tags-suffix: "-webpki-roots"
            # Aliases must be used only for release builds
            aliases: |
@ -68,7 +68,7 @@ jobs:
          - target: "slim-webpki-roots"
            dockerfile: ./docker/Dockerfile-slim
            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots"
+              "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots,acme"
            build-contexts: |
              messense/rust-musl-cross:amd64-musl=docker-image://messense/rust-musl-cross:x86_64-musl
              messense/rust-musl-cross:arm64-musl=docker-image://messense/rust-musl-cross:aarch64-musl
@ -82,7 +82,7 @@ jobs:
          - target: "s2n-webpki-roots"
            dockerfile: ./docker/Dockerfile
            build-args: |
-              "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,webpki-roots"
+              "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,webpki-roots,acme"
              "ADDITIONAL_DEPS=pkg-config libssl-dev cmake libclang1 gcc g++"
            platforms: linux/amd64,linux/arm64
            tags-suffix: "-s2n-webpki-roots"
--- a/.gitmodules
+++ b/.gitmodules
@ -1,3 +1,6 @@
 [submodule "submodules/rusty-http-cache-semantics"]
 	path = submodules/rusty-http-cache-semantics
 	url = git@github.com:junkurihara/rusty-http-cache-semantics.git
 [submodule "submodules/rustls-acme"]
 	path = submodules/rustls-acme
 	url = git@github.com:junkurihara/rustls-acme.git
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,21 @@
 # CHANGELOG
-## 0.9.0 (Unreleased)
+## 0.10.0 (Unreleased)
 ## 0.9.0
 ### Important Changes
 - Breaking: Experimental ACME support is added. Check the new configuration options and README.md for ACME support. Note that it is still under development and may have some issues.
 ### Improvement
 - Refactor: lots of minor improvements
 - Deps
 ### Bugfix
 - Fix the bug that the dynamic config reload does not work properly.
 ## 0.8.1
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,5 +1,5 @@
 [workspace.package]
-version = "0.8.1"
+version = "0.9.0"
 authors = ["Jun Kurihara"]
 homepage = "https://github.com/junkurihara/rust-rpxy"
 repository = "https://github.com/junkurihara/rust-rpxy"
@ -9,7 +9,7 @@ edition = "2021"
 publish = false
 [workspace]
-members = ["rpxy-bin", "rpxy-lib", "rpxy-certs"]
+members = ["rpxy-bin", "rpxy-lib", "rpxy-certs", "rpxy-acme"]
 exclude = ["submodules"]
 resolver = "2"
--- a/README.md
+++ b/README.md
@ -1,4 +1,4 @@
-# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in pure Rust
+# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in Rust
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
 ![Unit Test](https://github.com/junkurihara/rust-rpxy/actions/workflows/ci.yml/badge.svg)
@ -10,9 +10,11 @@
 ## Introduction
-`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in pure Rust. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections.
+`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in Rust [^pure_rust]. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections.
- As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib]
+[^pure_rust]: Doubtfully can be claimed to be written in pure Rust since current `rpxy` is based on `aws-lc-rs` for cryptographic operations.
 By default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme).
 [^h3lib]: HTTP/3 libraries are mutually exclusive. You need to explicitly specify `s2n-quic` with `--no-default-features` flag. Also note that if you build `rpxy` with `s2n-quic`, then it requires `openssl` just for building the package.
@ -236,20 +238,7 @@ Since it is currently a work-in-progress project, we are frequently adding new o
 ## Using Docker Image
-You can also use `docker` image hosted on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy) instead of directly executing the binary. See [`./docker/README.md`](./docker/README.md) for the differences on image tags.
+You can also use `docker` image hosted on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy) instead of directly executing the binary. See [`./docker`](./docker/README.md) directory for more details.
 There are only several docker-specific environment variables.
 - `HOST_USER` (default: `user`): User name executing `rpxy` inside the container.
 - `HOST_UID` (default: `900`): `UID` of `HOST_USER`.
 - `HOST_GID` (default: `900`): `GID` of `HOST_USER`
 - `LOG_LEVEL=debug|info|warn|error`: Log level
 - `LOG_TO_FILE=true|false`: Enable logging to the log file `/rpxy/log/rpxy.log` using `logrotate`. You should mount `/rpxy/log` via docker volume option if enabled. The log dir and file will be owned by the `HOST_USER` with `HOST_UID:HOST_GID` on the host machine. Hence, `HOST_USER`, `HOST_UID` and `HOST_GID` should be the same as ones of the user who executes the `rpxy` docker container on the host.
 - `WATCH=true|false` (default: `false`): Activate continuous watching of the config file if true.
 Then, all you need is to mount your `config.toml` as `/etc/rpxy.toml` and certificates/private keys as you like through the docker volume option. **If `WATCH=true`, You need to mount a directory, e.g., `./rpxy-config/`, including `rpxy.toml` on `/rpxy/config` instead of a file to correctly track file changes**. This is a docker limitation. Even if `WATCH=false`, you can mount the dir onto `/rpxy/config` rather than `/etc/rpxy.toml`. A file mounted on `/etc/rpxy` is prioritized over a dir mounted on `/rpxy/config`.
 See [`docker/docker-compose.yml`](./docker/docker-compose.yml) for the detailed configuration. Note that the file path of keys and certificates must be ones in your docker container.
 ## Example
@ -298,6 +287,32 @@ max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is alway
 A *storable* (in the context of an HTTP message) response is stored if its size is less than or equal to `max_cache_each_size` in bytes. If it is also less than or equal to `max_cache_each_size_on_memory`, it is stored as an on-memory object. Otherwise, it is stored as a temporary file. Note that `max_cache_each_size` must be larger or equal to `max_cache_each_size_on_memory`. Also note that once `rpxy` restarts or the config is updated, the cache is totally eliminated not only from the on-memory table but also from the file system.
 ### Automated Certificate Issuance and Renewal via TLS-ALPN-01 ACME protocol
 This is a brand-new feature and maybe still unstable. Thanks to the [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme), the automatic issuance and renewal of certificates are finally available in `rpxy`. To enable this feature, you need to specify the following entries in `config.toml`.
 ```toml
 # ACME enabled domain name.
 # ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol.
 # Note that acme option must be specified in the experimental section.
 [apps.localhost_with_acme]
 server_name = 'example.org'
 reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
 tls = { https_redirection = true, acme = true } # do not specify tls_cert_path and/or tls_cert_key_path
 ```
 For the ACME enabled domain, the following settings are referred to acquire a certificate.
 ```toml
 # Global ACME settings. Unless specified, ACME is disabled.
 [experimental.acme]
 dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
 email = "test@example.com"
 registry_path = "./acme_registry"       # optional. default is "./acme_registry" relative to the current working directory
 ```
 The above configuration is common to all ACME enabled domains. Note that the https port must be open to the public to verify the domain ownership.
 ## TIPS
 ### Using Private Key Issued by Let's Encrypt
@ -379,6 +394,10 @@ However, we found that if you want to use the brand-new UDP-based protocol, HTTP
 Your docker container can receive only TCP-based connection, i.e., HTTP/2 or before, unless you manually manage the port. We see that this is weird and expect that it is a kind of bug (of docker? ubuntu? or something else?). But at least for Ubuntu 22.04LTS, you need to handle it as above.
 ### Managing `rpxy` via web interface
 Check a third party project [`Gamerboy59/rpxy-webui`](https://github.com/Gamerboy59/rpxy-webui) to manage `rpxy` via web interface.
 ### Other TIPS
 todo!
--- a/TODO.md
+++ b/TODO.md
@ -1,6 +1,5 @@
 # TODO List
 - Support of `rustls-0.22`.
 - We need more sophistication on `Forwarder` struct to handle `h2c`.
 - Cache using `lru` crate might be inefficient in terms of the speed.
  - Consider more sophisticated architecture for cache
--- a/config-example.toml
+++ b/config-example.toml
@ -89,6 +89,14 @@ server_name = 'localhost.localdomain'
 reverse_proxy = [{ upstream = [{ location = 'www.google.com', tls = true }] }]
 ######################################################################
 ######################################################################
 # ACME enabled example. ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol.
 # Note that acme option must be specified in the experimental section.
 [apps.localhost_with_acme]
 server_name = 'kubernetes.docker.internal'
 reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
 tls = { https_redirection = true, acme = true }
 ###################################
 #      Experimantal settings      #
 ###################################
@ -119,3 +127,9 @@ cache_dir = './cache'                # optional. default is "./cache" relative t
 max_cache_entry = 1000               # optional. default is 1k
 max_cache_each_size = 65535          # optional. default is 64k
 max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is always file cache.
 # ACME settings. Unless specified, ACME is disabled.
 [experimental.acme]
 dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
 email = "test@example.com"
 registry_path = "./acme_registry"       # optional. default is "./acme_registry" relative to the current working directory
--- a/docker/README.md
+++ b/docker/README.md
@ -1,14 +1,33 @@
 # Docker Images of `rpxy`
-The `rpxy` docker images are hosted both on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy). Differences among tags are summarized as follows.
+The `rpxy` docker images are hosted both on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy).
-## Latest Builds
+## Usage
 There are several docker-specific environment variables.
 - `HOST_USER` (default: `user`): User name executing `rpxy` inside the container.
 - `HOST_UID` (default: `900`): `UID` of `HOST_USER`.
 - `HOST_GID` (default: `900`): `GID` of `HOST_USER`
 - `LOG_LEVEL=debug|info|warn|error`: Log level
 - `LOG_TO_FILE=true|false`: Enable logging to the log file `/rpxy/log/rpxy.log` using `logrotate`. You should mount `/rpxy/log` via docker volume option if enabled. The log dir and file will be owned by the `HOST_USER` with `HOST_UID:HOST_GID` on the host machine. Hence, `HOST_USER`, `HOST_UID` and `HOST_GID` should be the same as ones of the user who executes the `rpxy` docker container on the host.
 - `WATCH=true|false` (default: `false`): Activate continuous watching of the config file if true.
 Then, all you need is to mount your `config.toml` as `/etc/rpxy.toml` and certificates/private keys as you like through the docker volume option. **If `WATCH=true`, You need to mount a directory, e.g., `./rpxy-config/`, including `rpxy.toml` on `/rpxy/config` instead of a file to correctly track file changes**. This is a docker limitation. Even if `WATCH=false`, you can mount the dir onto `/rpxy/config` rather than `/etc/rpxy.toml`. A file mounted on `/etc/rpxy` is prioritized over a dir mounted on `/rpxy/config`.
 See [`docker-compose.yml`](./docker-compose.yml) for the detailed configuration. Note that the file path of keys and certificates must be ones in your docker container.
 ## Differences among image tags of Docker Hub and GitHub Container Registry
 Differences among tags are summarized as follows.
 ### Latest Builds
 - `latest`: Built from the `main` branch with default features, running on Ubuntu.
 - `latest-slim`, `slim`: Built by `musl` from the `main` branch with default features, running on Alpine.
 - `latest-s2n`, `s2n`: Built from the `main` branch with the `http3-s2n` feature, running on Ubuntu.
-## Nightly Builds
+### Nightly Builds
 - `nightly`: Built from the `develop` branch with default features, running on Ubuntu.
 - `nightly-slim`: Built by `musl` from the `develop` branch with default features, running on Alpine.
@ -17,3 +36,5 @@ The `rpxy` docker images are hosted both on [Docker Hub](https://hub.docker.com/
 ## Caveats
 Due to some compile errors of `s2n-quic` subpackages with `musl`, `nightly-s2n-slim` or `latest-s2n-slim` are not yet provided.
 See [`./docker/README.md`](./docker/README.md) for the differences on image tags.
--- a/docker/docker-compose-slim.yml
+++ b/docker/docker-compose-slim.yml
@ -31,6 +31,7 @@ services:
    volumes:
      - ./log:/rpxy/log:rw
      - ./cache:/rpxy/cache:rw
      - ./acme_registry:/rpxy/acme_registry:rw
      - ../example-certs/server.crt:/certs/server.crt:ro
      - ../example-certs/server.key:/certs/server.key:ro
      - ../config-example.toml:/etc/rpxy.toml:ro
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -31,6 +31,7 @@ services:
    volumes:
      - ./log:/rpxy/log:rw
      - ./cache:/rpxy/cache:rw
      - ./acme_registry:/rpxy/acme_registry:rw
      - ../example-certs/server.crt:/certs/server.crt:ro
      - ../example-certs/server.key:/certs/server.key:ro
      - ../config-example.toml:/etc/rpxy.toml:ro
--- a/rpxy-acme/Cargo.toml
+++ b/rpxy-acme/Cargo.toml
@ -0,0 +1,34 @@
 [package]
 name = "rpxy-acme"
 description = "ACME manager library for `rpxy`"
 version.workspace = true
 authors.workspace = true
 homepage.workspace = true
 repository.workspace = true
 license.workspace = true
 readme.workspace = true
 edition.workspace = true
 publish.workspace = true
 [dependencies]
 url = { version = "2.5.2" }
 rustc-hash = "2.0.0"
 thiserror = "1.0.63"
 tracing = "0.1.40"
 async-trait = "0.1.81"
 base64 = "0.22.1"
 aws-lc-rs = { version = "1.8.1", default-features = false, features = [
  "aws-lc-sys",
 ] }
 blocking = "1.6.1"
 rustls = { version = "0.23.12", default-features = false, features = [
  "std",
  "aws_lc_rs",
 ] }
 rustls-platform-verifier = { version = "0.3.3" }
 rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
  "aws-lc-rs",
 ] }
 tokio = { version = "1.39.2", default-features = false }
 tokio-util = { version = "0.7.11", default-features = false }
 tokio-stream = { version = "0.1.15", default-features = false }
--- a/rpxy-acme/src/constants.rs
+++ b/rpxy-acme/src/constants.rs
@ -0,0 +1,8 @@
 /// ACME directory url
 pub const ACME_DIR_URL: &str = "https://acme-v02.api.letsencrypt.org/directory";
 /// ACME registry path that stores account key and certificate
 pub const ACME_REGISTRY_PATH: &str = "./acme_registry";
 /// ACME accounts directory, subdirectory of ACME_REGISTRY_PATH
 pub(crate) const ACME_ACCOUNT_SUBDIR: &str = "accounts";
--- a/rpxy-acme/src/dir_cache.rs
+++ b/rpxy-acme/src/dir_cache.rs
@ -0,0 +1,107 @@
 use crate::constants::ACME_ACCOUNT_SUBDIR;
 use async_trait::async_trait;
 use aws_lc_rs as crypto;
 use base64::prelude::*;
 use blocking::unblock;
 use crypto::digest::{Context, SHA256};
 use rustls_acme::{AccountCache, CertCache};
 use std::{
  io::ErrorKind,
  path::{Path, PathBuf},
 };
 enum FileType {
  Account,
  Cert,
 }
 #[derive(Debug, PartialEq, Eq, Clone)]
 pub struct DirCache {
  pub(super) account_dir: PathBuf,
  pub(super) cert_dir: PathBuf,
 }
 impl DirCache {
  pub fn new<P>(dir: P, server_name: &str) -> Self
  where
    P: AsRef<Path>,
  {
    Self {
      account_dir: dir.as_ref().join(ACME_ACCOUNT_SUBDIR),
      cert_dir: dir.as_ref().join(server_name),
    }
  }
  async fn read_if_exist(&self, file: impl AsRef<Path>, file_type: FileType) -> Result<Option<Vec<u8>>, std::io::Error> {
    let subdir = match file_type {
      FileType::Account => &self.account_dir,
      FileType::Cert => &self.cert_dir,
    };
    let file_path = subdir.join(file);
    match unblock(move || std::fs::read(file_path)).await {
      Ok(content) => Ok(Some(content)),
      Err(err) => match err.kind() {
        ErrorKind::NotFound => Ok(None),
        _ => Err(err),
      },
    }
  }
  async fn write(&self, file: impl AsRef<Path>, contents: impl AsRef<[u8]>, file_type: FileType) -> Result<(), std::io::Error> {
    let subdir = match file_type {
      FileType::Account => &self.account_dir,
      FileType::Cert => &self.cert_dir,
    }
    .clone();
    let subdir_clone = subdir.clone();
    unblock(move || std::fs::create_dir_all(subdir_clone)).await?;
    let file_path = subdir.join(file);
    let contents = contents.as_ref().to_owned();
    unblock(move || std::fs::write(file_path, contents)).await
  }
  pub fn cached_account_file_name(contact: &[String], directory_url: impl AsRef<str>) -> String {
    let mut ctx = Context::new(&SHA256);
    for el in contact {
      ctx.update(el.as_ref());
      ctx.update(&[0])
    }
    ctx.update(directory_url.as_ref().as_bytes());
    let hash = BASE64_URL_SAFE_NO_PAD.encode(ctx.finish());
    format!("cached_account_{}", hash)
  }
  pub fn cached_cert_file_name(domains: &[String], directory_url: impl AsRef<str>) -> String {
    let mut ctx = Context::new(&SHA256);
    for domain in domains {
      ctx.update(domain.as_ref());
      ctx.update(&[0])
    }
    ctx.update(directory_url.as_ref().as_bytes());
    let hash = BASE64_URL_SAFE_NO_PAD.encode(ctx.finish());
    format!("cached_cert_{}", hash)
  }
 }
 #[async_trait]
 impl CertCache for DirCache {
  type EC = std::io::Error;
  async fn load_cert(&self, domains: &[String], directory_url: &str) -> Result<Option<Vec<u8>>, Self::EC> {
    let file_name = Self::cached_cert_file_name(domains, directory_url);
    self.read_if_exist(file_name, FileType::Cert).await
  }
  async fn store_cert(&self, domains: &[String], directory_url: &str, cert: &[u8]) -> Result<(), Self::EC> {
    let file_name = Self::cached_cert_file_name(domains, directory_url);
    self.write(file_name, cert, FileType::Cert).await
  }
 }
 #[async_trait]
 impl AccountCache for DirCache {
  type EA = std::io::Error;
  async fn load_account(&self, contact: &[String], directory_url: &str) -> Result<Option<Vec<u8>>, Self::EA> {
    let file_name = Self::cached_account_file_name(contact, directory_url);
    self.read_if_exist(file_name, FileType::Account).await
  }
  async fn store_account(&self, contact: &[String], directory_url: &str, account: &[u8]) -> Result<(), Self::EA> {
    let file_name = Self::cached_account_file_name(contact, directory_url);
    self.write(file_name, account, FileType::Account).await
  }
 }
--- a/rpxy-acme/src/error.rs
+++ b/rpxy-acme/src/error.rs
@ -0,0 +1,15 @@
 use thiserror::Error;
 #[derive(Error, Debug)]
 /// Error type for rpxy-acme
 pub enum RpxyAcmeError {
  /// Invalid acme registry path
  #[error("Invalid acme registry path")]
  InvalidAcmeRegistryPath,
  /// Invalid url
  #[error("Invalid url: {0}")]
  InvalidUrl(#[from] url::ParseError),
  /// IO error
  #[error("IO error: {0}")]
  Io(#[from] std::io::Error),
 }
--- a/rpxy-acme/src/lib.rs
+++ b/rpxy-acme/src/lib.rs
@ -0,0 +1,18 @@
 mod constants;
 mod dir_cache;
 mod error;
 mod manager;
 #[allow(unused_imports)]
 mod log {
  pub(super) use tracing::{debug, error, info, warn};
 }
 pub use constants::{ACME_DIR_URL, ACME_REGISTRY_PATH};
 pub use dir_cache::DirCache;
 pub use error::RpxyAcmeError;
 pub use manager::AcmeManager;
 pub mod reexports {
  pub use rustls_acme::is_tls_alpn_challenge;
 }
--- a/rpxy-acme/src/manager.rs
+++ b/rpxy-acme/src/manager.rs
@ -0,0 +1,171 @@
 use crate::{
  constants::{ACME_DIR_URL, ACME_REGISTRY_PATH},
  dir_cache::DirCache,
  error::RpxyAcmeError,
  log::*,
 };
 use rustc_hash::FxHashMap as HashMap;
 use rustls::ServerConfig;
 use rustls_acme::AcmeConfig;
 use std::{path::PathBuf, sync::Arc};
 use tokio::runtime::Handle;
 use tokio_stream::StreamExt;
 use url::Url;
 #[derive(Debug, Clone)]
 /// ACME settings
 pub struct AcmeManager {
  /// ACME directory url
  acme_dir_url: Url,
  // /// ACME registry directory
  // acme_registry_dir: PathBuf,
  /// ACME contacts
  contacts: Vec<String>,
  /// ACME directly cache information
  inner: HashMap<String, DirCache>,
  /// Tokio runtime handle
  runtime_handle: Handle,
 }
 impl AcmeManager {
  /// Create a new instance. Note that for each domain, a new AcmeConfig is created.
  /// This means that for each domain, a distinct operation will be dispatched and separated certificates will be generated.
  pub fn try_new(
    acme_dir_url: Option<&str>,
    acme_registry_dir: Option<&str>,
    contacts: &[String],
    domains: &[String],
    runtime_handle: Handle,
  ) -> Result<Self, RpxyAcmeError> {
    // Install aws_lc_rs as default crypto provider for rustls
    let _ = rustls::crypto::CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider());
    let acme_registry_dir = acme_registry_dir
      .map(|v| v.to_ascii_lowercase())
      .map_or_else(|| PathBuf::from(ACME_REGISTRY_PATH), PathBuf::from);
    if acme_registry_dir.exists() && !acme_registry_dir.is_dir() {
      return Err(RpxyAcmeError::InvalidAcmeRegistryPath);
    }
    let acme_dir_url = acme_dir_url
      .map(|v| v.to_ascii_lowercase())
      .as_deref()
      .map_or_else(|| Url::parse(ACME_DIR_URL), Url::parse)?;
    let contacts = contacts.iter().map(|email| format!("mailto:{email}")).collect::<Vec<_>>();
    let inner = domains
      .iter()
      .map(|domain| {
        let domain = domain.to_ascii_lowercase();
        let dir_cache = DirCache::new(&acme_registry_dir, &domain);
        (domain, dir_cache)
      })
      .collect::<HashMap<_, _>>();
    Ok(Self {
      acme_dir_url,
      // acme_registry_dir,
      contacts,
      inner,
      runtime_handle,
    })
  }
  /// Start ACME manager to manage certificates for each domain.
  /// Returns a Vec<JoinHandle<()>> as a tasks handles and a map of domain to ServerConfig for challenge.
  pub fn spawn_manager_tasks(
    &self,
    cancel_token: Option<tokio_util::sync::CancellationToken>,
  ) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
    let rustls_client_config = rustls::ClientConfig::builder()
      .dangerous() // The `Verifier` we're using is actually safe
      .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
      .with_no_client_auth();
    let rustls_client_config = Arc::new(rustls_client_config);
    let mut server_configs_for_challenge: HashMap<String, Arc<ServerConfig>> = HashMap::default();
    let join_handles = self
      .inner
      .clone()
      .into_iter()
      .map(|(domain, dir_cache)| {
        let config = AcmeConfig::new([&domain])
          .contact(&self.contacts)
          .cache(dir_cache.to_owned())
          .directory(self.acme_dir_url.as_str())
          .client_tls_config(rustls_client_config.clone());
        let mut state = config.state();
        server_configs_for_challenge.insert(domain.to_ascii_lowercase(), state.challenge_rustls_config());
        self.runtime_handle.spawn({
          let cancel_token = cancel_token.clone();
          async move {
            info!("rpxy ACME manager task for {domain} started");
            // infinite loop unless the return value is None
            let task = async {
              loop {
                let Some(res) = state.next().await else {
                  error!("rpxy ACME manager task for {domain} exited");
                  break;
                };
                match res {
                  Ok(ok) => info!("rpxy ACME event: {ok:?}"),
                  Err(err) => error!("rpxy ACME error: {err:?}"),
                }
              }
            };
            if let Some(cancel_token) = cancel_token.as_ref() {
              tokio::select! {
                _ = task => {},
                _ = cancel_token.cancelled() => { debug!("rpxy ACME manager task for {domain} terminated") }
              }
            } else {
              task.await;
            }
          }
        })
      })
      .collect::<Vec<_>>();
    (join_handles, server_configs_for_challenge)
  }
 }
 #[cfg(test)]
 mod tests {
  use crate::constants::ACME_ACCOUNT_SUBDIR;
  use super::*;
  #[tokio::test]
  async fn test_try_new() {
    let acme_dir_url = "https://acme.example.com/directory";
    let acme_registry_dir = "/tmp/acme";
    let contacts = vec!["test@example.com".to_string()];
    let handle = Handle::current();
    let acme_contexts: AcmeManager = AcmeManager::try_new(
      Some(acme_dir_url),
      Some(acme_registry_dir),
      &contacts,
      &["example.com".to_string(), "example.org".to_string()],
      handle,
    )
    .unwrap();
    assert_eq!(acme_contexts.inner.len(), 2);
    assert_eq!(acme_contexts.contacts, vec!["mailto:test@example.com".to_string()]);
    assert_eq!(acme_contexts.acme_dir_url.as_str(), acme_dir_url);
    // assert_eq!(acme_contexts.acme_registry_dir, PathBuf::from(acme_registry_dir));
    assert_eq!(
      acme_contexts.inner["example.com"],
      DirCache {
        account_dir: PathBuf::from(acme_registry_dir).join(ACME_ACCOUNT_SUBDIR),
        cert_dir: PathBuf::from(acme_registry_dir).join("example.com"),
      }
    );
    assert_eq!(
      acme_contexts.inner["example.org"],
      DirCache {
        account_dir: PathBuf::from(acme_registry_dir).join(ACME_ACCOUNT_SUBDIR),
        cert_dir: PathBuf::from(acme_registry_dir).join("example.org"),
      }
    );
  }
 }
--- a/rpxy-bin/Cargo.toml
+++ b/rpxy-bin/Cargo.toml
@ -13,14 +13,15 @@ publish.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
-default = ["http3-quinn", "cache", "rustls-backend"]
+default = ["http3-quinn", "cache", "rustls-backend", "acme"]
-# default = ["http3-s2n", "cache", "rustls-backend"]
+# default = ["http3-s2n", "cache", "rustls-backend", "acme"]
 http3-quinn = ["rpxy-lib/http3-quinn"]
 http3-s2n = ["rpxy-lib/http3-s2n"]
 native-tls-backend = ["rpxy-lib/native-tls-backend"]
 rustls-backend = ["rpxy-lib/rustls-backend"]
 webpki-roots = ["rpxy-lib/webpki-roots"]
 cache = ["rpxy-lib/cache"]
 acme = ["rpxy-lib/acme", "rpxy-acme"]
 [dependencies]
 rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [
@ -31,20 +32,21 @@ mimalloc = { version = "*", default-features = false }
 anyhow = "1.0.86"
 rustc-hash = "2.0.0"
 serde = { version = "1.0.204", default-features = false, features = ["derive"] }
-tokio = { version = "1.38.0", default-features = false, features = [
+tokio = { version = "1.39.2", default-features = false, features = [
  "net",
  "rt-multi-thread",
  "time",
  "sync",
  "macros",
 ] }
 tokio-util = { version = "0.7.11", default-features = false }
 async-trait = "0.1.81"
-
+futures-util = { version = "0.3.30", default-features = false }
 # config
-clap = { version = "4.5.9", features = ["std", "cargo", "wrap_help"] }
+clap = { version = "4.5.11", features = ["std", "cargo", "wrap_help"] }
-toml = { version = "0.8.14", default-features = false, features = ["parse"] }
+toml = { version = "0.8.17", default-features = false, features = ["parse"] }
-hot_reload = "0.1.5"
+hot_reload = "0.1.6"
 # logging
 tracing = { version = "0.1.40" }
@ -56,4 +58,6 @@ rpxy-certs = { path = "../rpxy-certs/", default-features = false, features = [
  "http3",
 ] }
 rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true }
 [dev-dependencies]
--- a/rpxy-bin/src/config/mod.rs
+++ b/rpxy-bin/src/config/mod.rs
@ -3,7 +3,10 @@ mod service;
 mod toml;
 pub use {
  self::toml::ConfigToml,
  parse::{build_cert_manager, build_settings, parse_opts},
  service::ConfigTomlReloader,
  toml::ConfigToml,
 };
 #[cfg(feature = "acme")]
 pub use parse::build_acme_manager;
--- a/rpxy-bin/src/config/parse.rs
+++ b/rpxy-bin/src/config/parse.rs
@ -6,6 +6,9 @@ use rpxy_certs::{build_cert_reloader, CryptoFileSourceBuilder, CryptoReloader, S
 use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig};
 use rustc_hash::FxHashMap as HashMap;
 #[cfg(feature = "acme")]
 use rpxy_acme::{AcmeManager, ACME_DIR_URL, ACME_REGISTRY_PATH};
 /// Parsed options
 pub struct Opts {
  pub config_file_path: String,
@ -103,11 +106,43 @@ pub async fn build_cert_manager(
  if config.listen_port_tls.is_none() {
    return Ok(None);
  }
  #[cfg(feature = "acme")]
  let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone());
  #[cfg(feature = "acme")]
  let acme_dir_url = acme_option
    .as_ref()
    .and_then(|v| v.dir_url.as_deref())
    .unwrap_or(ACME_DIR_URL);
  #[cfg(feature = "acme")]
  let acme_registry_path = acme_option
    .as_ref()
    .and_then(|v| v.registry_path.as_deref())
    .unwrap_or(ACME_REGISTRY_PATH);
  let mut crypto_source_map = HashMap::default();
  for app in apps.0.values() {
    if let Some(tls) = app.tls.as_ref() {
      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
      let server_name = app.server_name.as_ref().ok_or(anyhow!("No server name"))?;
      #[cfg(not(feature = "acme"))]
      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
      #[cfg(feature = "acme")]
      let tls = {
        let mut tls = tls.clone();
        if let Some(true) = tls.acme {
          ensure!(acme_option.is_some() && tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none());
          // Both of tls_cert_key_path and tls_cert_path must be the same for ACME since it's a single file
          let subdir = format!("{}/{}", acme_registry_path, server_name.to_ascii_lowercase());
          let file_name =
            rpxy_acme::DirCache::cached_cert_file_name(&[server_name.to_ascii_lowercase()], acme_dir_url.to_ascii_lowercase());
          tls.tls_cert_key_path = Some(format!("{}/{}", subdir, file_name));
          tls.tls_cert_path = Some(format!("{}/{}", subdir, file_name));
        }
        tls
      };
      let crypto_file_source = CryptoFileSourceBuilder::default()
        .tls_cert_path(tls.tls_cert_path.as_ref().unwrap())
        .tls_cert_key_path(tls.tls_cert_key_path.as_ref().unwrap())
@ -119,3 +154,48 @@ pub async fn build_cert_manager(
  let res = build_cert_reloader(&crypto_source_map, None).await?;
  Ok(Some(res))
 }
 /* ----------------------- */
 #[cfg(feature = "acme")]
 /// Build acme manager
 pub async fn build_acme_manager(
  config: &ConfigToml,
  runtime_handle: tokio::runtime::Handle,
 ) -> Result<Option<AcmeManager>, anyhow::Error> {
  let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone());
  if acme_option.is_none() {
    return Ok(None);
  }
  let acme_option = acme_option.unwrap();
  let domains = config
    .apps
    .as_ref()
    .unwrap()
    .0
    .values()
    .filter_map(|app| {
      //
      if let Some(tls) = app.tls.as_ref() {
        if let Some(true) = tls.acme {
          return Some(app.server_name.as_ref().unwrap().to_owned());
        }
      }
      None
    })
    .collect::<Vec<_>>();
  if domains.is_empty() {
    return Ok(None);
  }
  let acme_manager = AcmeManager::try_new(
    acme_option.dir_url.as_deref(),
    acme_option.registry_path.as_deref(),
    &[acme_option.email],
    domains.as_slice(),
    runtime_handle,
  )?;
  Ok(Some(acme_manager))
 }
--- a/rpxy-bin/src/config/toml.rs
+++ b/rpxy-bin/src/config/toml.rs
@ -41,12 +41,25 @@ pub struct CacheOption {
  pub max_cache_each_size_on_memory: Option<usize>,
 }
 #[cfg(feature = "acme")]
 #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
 pub struct AcmeOption {
  pub dir_url: Option<String>,
  pub email: String,
  pub registry_path: Option<String>,
 }
 #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
 pub struct Experimental {
  #[cfg(any(feature = "http3-quinn", feature = "http3-s2n"))]
  pub h3: Option<Http3Option>,
  #[cfg(feature = "cache")]
  pub cache: Option<CacheOption>,
  #[cfg(feature = "acme")]
  pub acme: Option<AcmeOption>,
  pub ignore_sni_consistency: Option<bool>,
  pub connection_handling_timeout: Option<u64>,
 }
@ -67,6 +80,8 @@ pub struct TlsOption {
  pub tls_cert_key_path: Option<String>,
  pub https_redirection: Option<bool>,
  pub client_ca_cert_path: Option<String>,
  #[cfg(feature = "acme")]
  pub acme: Option<bool>,
 }
 #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
@ -222,8 +237,19 @@ impl Application {
    // tls settings
    let tls_config = if self.tls.is_some() {
      let tls = self.tls.as_ref().unwrap();
      #[cfg(not(feature = "acme"))]
      ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
      #[cfg(feature = "acme")]
      {
        if tls.acme.unwrap_or(false) {
          ensure!(tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none());
        } else {
          ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
        }
      }
      let https_redirection = if tls.https_redirection.is_none() {
        true // Default true
      } else {
@ -233,6 +259,8 @@ impl Application {
      Some(TlsConfig {
        mutual_tls: tls.client_ca_cert_path.is_some(),
        https_redirection,
        #[cfg(feature = "acme")]
        acme: tls.acme.unwrap_or(false),
      })
    } else {
      None
--- a/rpxy-bin/src/constants.rs
+++ b/rpxy-bin/src/constants.rs
@ -1,6 +1,6 @@
 pub const LISTEN_ADDRESSES_V4: &[&str] = &["0.0.0.0"];
 pub const LISTEN_ADDRESSES_V6: &[&str] = &["[::]"];
-pub const CONFIG_WATCH_DELAY_SECS: u32 = 20;
+pub const CONFIG_WATCH_DELAY_SECS: u32 = 15;
 #[cfg(feature = "cache")]
 // Cache directory
--- a/rpxy-bin/src/main.rs
+++ b/rpxy-bin/src/main.rs
@ -6,6 +6,8 @@ mod constants;
 mod error;
 mod log;
 #[cfg(feature = "acme")]
 use crate::config::build_acme_manager;
 use crate::{
  config::{build_cert_manager, build_settings, parse_opts, ConfigToml, ConfigTomlReloader},
  constants::CONFIG_WATCH_DELAY_SECS,
@ -13,7 +15,9 @@ use crate::{
  log::*,
 };
 use hot_reload::{ReloaderReceiver, ReloaderService};
-use rpxy_lib::entrypoint;
+use rpxy_lib::{entrypoint, RpxyOptions, RpxyOptionsBuilder};
 use std::sync::Arc;
 use tokio_util::sync::CancellationToken;
 fn main() {
  init_logger();
@ -42,37 +46,203 @@ fn main() {
          .unwrap();
      tokio::select! {
-        Err(e) = config_service.start() => {
+        config_res = config_service.start() => {
-          error!("config reloader service exited: {e}");
+          if let Err(e) = config_res {
-          std::process::exit(1);
+            error!("config reloader service exited: {e}");
            std::process::exit(1);
          }
        }
-        Err(e) = rpxy_service_with_watcher(config_rx, runtime.handle().clone()) => {
+        rpxy_res = rpxy_service_with_watcher(config_rx, runtime.handle().clone()) => {
-          error!("rpxy service existed: {e}");
+          if let Err(e) = rpxy_res {
-          std::process::exit(1);
+            error!("rpxy service existed: {e}");
-        }
+            std::process::exit(1);
-        else => {
+          }
          std::process::exit(0);
        }
      }
      std::process::exit(0);
    }
  });
 }
 /// rpxy service definition
 struct RpxyService {
  runtime_handle: tokio::runtime::Handle,
  proxy_conf: rpxy_lib::ProxyConfig,
  app_conf: rpxy_lib::AppConfigList,
  cert_service: Option<Arc<ReloaderService<rpxy_certs::CryptoReloader, rpxy_certs::ServerCryptoBase>>>,
  cert_rx: Option<ReloaderReceiver<rpxy_certs::ServerCryptoBase>>,
  #[cfg(feature = "acme")]
  acme_manager: Option<rpxy_acme::AcmeManager>,
 }
 impl RpxyService {
  async fn new(config_toml: &ConfigToml, runtime_handle: tokio::runtime::Handle) -> Result<Self, anyhow::Error> {
    let (proxy_conf, app_conf) = build_settings(config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
    let (cert_service, cert_rx) = build_cert_manager(config_toml)
      .await
      .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?
      .map(|(s, r)| (Some(Arc::new(s)), Some(r)))
      .unwrap_or((None, None));
    Ok(RpxyService {
      runtime_handle: runtime_handle.clone(),
      proxy_conf,
      app_conf,
      cert_service,
      cert_rx,
      #[cfg(feature = "acme")]
      acme_manager: build_acme_manager(config_toml, runtime_handle.clone()).await?,
    })
  }
  async fn start(&self, cancel_token: Option<CancellationToken>) -> Result<(), anyhow::Error> {
    let RpxyService {
      runtime_handle,
      proxy_conf,
      app_conf,
      cert_service: _,
      cert_rx,
      #[cfg(feature = "acme")]
      acme_manager,
    } = self;
    #[cfg(feature = "acme")]
    {
      let (acme_join_handles, server_config_acme_challenge) = acme_manager
        .as_ref()
        .map(|m| m.spawn_manager_tasks(cancel_token.as_ref().map(|t| t.child_token())))
        .unwrap_or((vec![], Default::default()));
      let rpxy_opts = RpxyOptionsBuilder::default()
        .proxy_config(proxy_conf.clone())
        .app_config_list(app_conf.clone())
        .cert_rx(cert_rx.clone())
        .runtime_handle(runtime_handle.clone())
        .cancel_token(cancel_token.as_ref().map(|t| t.child_token()))
        .server_configs_acme_challenge(Arc::new(server_config_acme_challenge))
        .build()?;
      self.start_inner(rpxy_opts, acme_join_handles).await.map_err(|e| anyhow!(e))
    }
    #[cfg(not(feature = "acme"))]
    {
      let rpxy_opts = RpxyOptionsBuilder::default()
        .proxy_config(proxy_conf.clone())
        .app_config_list(app_conf.clone())
        .cert_rx(cert_rx.clone())
        .runtime_handle(runtime_handle.clone())
        .cancel_token(cancel_token.as_ref().map(|t| t.child_token()))
        .build()?;
      self.start_inner(rpxy_opts).await.map_err(|e| anyhow!(e))
    }
  }
  /// Wrapper of entry point for rpxy service with certificate management service
  async fn start_inner(
    &self,
    rpxy_opts: RpxyOptions,
    #[cfg(feature = "acme")] acme_task_handles: Vec<tokio::task::JoinHandle<()>>,
  ) -> Result<(), anyhow::Error> {
    let cancel_token = rpxy_opts.cancel_token.clone();
    let runtime_handle = rpxy_opts.runtime_handle.clone();
    // spawn rpxy entrypoint, where cancellation token is possibly contained inside the service
    let cancel_token_clone = cancel_token.clone();
    let rpxy_handle = runtime_handle.spawn(async move {
      if let Err(e) = entrypoint(&rpxy_opts).await {
        error!("rpxy entrypoint exited on error: {e}");
        if let Some(cancel_token) = cancel_token_clone {
          cancel_token.cancel();
        }
        return Err(anyhow!(e));
      }
      Ok(())
    });
    if self.cert_service.is_none() {
      return rpxy_handle.await?;
    }
    // spawn certificate reloader service, where cert service does not have cancellation token inside the service
    let cert_service = self.cert_service.as_ref().unwrap().clone();
    let cancel_token_clone = cancel_token.clone();
    let child_cancel_token = cancel_token.as_ref().map(|c| c.child_token());
    let cert_handle = runtime_handle.spawn(async move {
      if let Some(child_cancel_token) = child_cancel_token {
        tokio::select! {
          cert_res = cert_service.start() => {
            if let Err(ref e) = cert_res {
              error!("cert reloader service exited on error: {e}");
            }
            cancel_token_clone.unwrap().cancel();
            cert_res.map_err(|e| anyhow!(e))
          }
          _ = child_cancel_token.cancelled() => {
            debug!("cert reloader service terminated");
            Ok(())
          }
        }
      } else {
        cert_service.start().await.map_err(|e| anyhow!(e))
      }
    });
    #[cfg(not(feature = "acme"))]
    {
      let (rpxy_res, cert_res) = tokio::join!(rpxy_handle, cert_handle);
      let (rpxy_res, cert_res) = (rpxy_res?, cert_res?);
      match (rpxy_res, cert_res) {
        (Ok(()), Ok(())) => Ok(()),
        (Err(e), _) => Err(e),
        (_, Err(e)) => Err(e),
      }
    }
    #[cfg(feature = "acme")]
    {
      if acme_task_handles.is_empty() {
        let (rpxy_res, cert_res) = tokio::join!(rpxy_handle, cert_handle);
        let (rpxy_res, cert_res) = (rpxy_res?, cert_res?);
        return match (rpxy_res, cert_res) {
          (Ok(()), Ok(())) => Ok(()),
          (Err(e), _) => Err(e),
          (_, Err(e)) => Err(e),
        };
      }
      // spawn acme manager tasks, where cancellation token is possibly contained inside the service
      let select_all = futures_util::future::select_all(acme_task_handles);
      let cancel_token_clone = cancel_token.clone();
      let acme_handle = runtime_handle.spawn(async move {
        let (acme_res, _, _) = select_all.await;
        if let Err(ref e) = acme_res {
          error!("acme manager exited on error: {e}");
        }
        if let Some(cancel_token) = cancel_token_clone {
          cancel_token.cancel();
        }
        acme_res.map_err(|e| anyhow!(e))
      });
      let (rpxy_res, cert_res, acme_res) = tokio::join!(rpxy_handle, cert_handle, acme_handle);
      let (rpxy_res, cert_res, acme_res) = (rpxy_res?, cert_res?, acme_res?);
      match (rpxy_res, cert_res, acme_res) {
        (Ok(()), Ok(()), Ok(())) => Ok(()),
        (Err(e), _, _) => Err(e),
        (_, Err(e), _) => Err(e),
        (_, _, Err(e)) => Err(e),
      }
    }
  }
 }
 async fn rpxy_service_without_watcher(
  config_file_path: &str,
  runtime_handle: tokio::runtime::Handle,
 ) -> Result<(), anyhow::Error> {
  info!("Start rpxy service");
  let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?;
-  let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
+  let service = RpxyService::new(&config_toml, runtime_handle).await?;
-
+  service.start(None).await
  let cert_service_and_rx = build_cert_manager(&config_toml)
    .await
    .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
  rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, None)
    .await
    .map_err(|e| anyhow!(e))
 }
 async fn rpxy_service_with_watcher(
@ -86,82 +256,41 @@ async fn rpxy_service_with_watcher(
    .borrow()
    .clone()
    .ok_or(anyhow!("Something wrong in config reloader receiver"))?;
-  let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
+  let mut service = RpxyService::new(&config_toml, runtime_handle.clone()).await?;
  let mut cert_service_and_rx = build_cert_manager(&config_toml)
    .await
    .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
  // Notifier for proxy service termination
  let term_notify = std::sync::Arc::new(tokio::sync::Notify::new());
  // Continuous monitoring
  loop {
    // Notifier for proxy service termination
    let cancel_token = tokio_util::sync::CancellationToken::new();
    tokio::select! {
-      rpxy_res = rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, Some(term_notify.clone())) => {
+      /* ---------- */
-        error!("rpxy entrypoint or cert service exited");
+      rpxy_res = service.start(Some(cancel_token.clone())) => {
        if let Err(ref e) = rpxy_res {
          error!("rpxy service exited on error: {e}");
        } else {
          error!("rpxy service exited");
        }
        return rpxy_res.map_err(|e| anyhow!(e));
      }
      /* ---------- */
      _ = config_rx.changed() => {
-        let Some(config_toml) = config_rx.borrow().clone() else {
+        let Some(new_config_toml) = config_rx.borrow().clone() else {
          error!("Something wrong in config reloader receiver");
          return Err(anyhow!("Something wrong in config reloader receiver"));
        };
-        match build_settings(&config_toml) {
+        match RpxyService::new(&new_config_toml, runtime_handle.clone()).await {
-          Ok((p, a)) => {
+          Ok(new_service) => {
-            (proxy_conf, app_conf) = (p, a)
+            info!("Configuration updated.");
            service = new_service;
          },
          Err(e) => {
-            error!("Invalid configuration. Configuration does not updated: {e}");
+            error!("rpxy failed to be ready. Configuration does not updated: {e}");
            continue;
          }
        };
-        match build_cert_manager(&config_toml).await {
+        info!("Terminate all spawned services and force to re-bind TCP/UDP sockets");
-          Ok(c) => {
+        cancel_token.cancel();
            cert_service_and_rx = c;
          },
          Err(e) => {
            error!("Invalid cert configuration. Configuration does not updated: {e}");
            continue;
          }
        };
        info!("Configuration updated. Terminate all spawned proxy services and force to re-bind TCP/UDP sockets");
        term_notify.notify_waiters();
        // tokio::time::sleep(tokio::time::Duration::from_secs(1)).await;
      }
      else => break
    }
  }
  Ok(())
 }
 /// Wrapper of entry point for rpxy service with certificate management service
 async fn rpxy_entrypoint(
  proxy_config: &rpxy_lib::ProxyConfig,
  app_config_list: &rpxy_lib::AppConfigList,
  cert_service_and_rx: Option<&(
    ReloaderService<rpxy_certs::CryptoReloader, rpxy_certs::ServerCryptoBase>,
    ReloaderReceiver<rpxy_certs::ServerCryptoBase>,
  )>, // TODO:
  runtime_handle: &tokio::runtime::Handle,
  term_notify: Option<std::sync::Arc<tokio::sync::Notify>>,
 ) -> Result<(), anyhow::Error> {
  if let Some((cert_service, cert_rx)) = cert_service_and_rx {
    tokio::select! {
      rpxy_res = entrypoint(proxy_config, app_config_list, Some(cert_rx), runtime_handle, term_notify) => {
        error!("rpxy entrypoint exited");
        rpxy_res.map_err(|e| anyhow!(e))
      }
      cert_res = cert_service.start() => {
        error!("cert reloader service exited");
        cert_res.map_err(|e| anyhow!(e))
      }
    }
  } else {
    entrypoint(proxy_config, app_config_list, None, runtime_handle, term_notify)
      .await
      .map_err(|e| anyhow!(e))
  }
 }
--- a/rpxy-certs/Cargo.toml
+++ b/rpxy-certs/Cargo.toml
@ -18,22 +18,22 @@ http3 = []
 rustc-hash = { version = "2.0.0" }
 tracing = { version = "0.1.40" }
 derive_builder = { version = "0.20.0" }
-thiserror = { version = "1.0.61" }
+thiserror = { version = "1.0.63" }
-hot_reload = { version = "0.1.5" }
+hot_reload = { version = "0.1.6" }
 async-trait = { version = "0.1.81" }
-rustls = { version = "0.23.11", default-features = false, features = [
+rustls = { version = "0.23.12", default-features = false, features = [
  "std",
  "aws_lc_rs",
 ] }
 rustls-pemfile = { version = "2.1.2" }
-rustls-webpki = { version = "0.102.5", default-features = false, features = [
+rustls-webpki = { version = "0.102.6", default-features = false, features = [
  "std",
  "aws_lc_rs",
 ] }
 x509-parser = { version = "0.16.0" }
 [dev-dependencies]
-tokio = { version = "1.38.0", default-features = false, features = [
+tokio = { version = "1.39.2", default-features = false, features = [
  "rt-multi-thread",
  "macros",
 ] }
--- a/rpxy-certs/src/reloader_service.rs
+++ b/rpxy-certs/src/reloader_service.rs
@ -46,10 +46,13 @@ impl Reload<ServerCryptoBase> for CryptoReloader {
    let mut server_crypto_base = ServerCryptoBase::default();
    for (server_name_bytes, crypto_source) in self.inner.iter() {
-      let certs_keys = crypto_source.read().await.map_err(|e| {
+      let certs_keys = match crypto_source.read().await {
-        error!("Failed to reload cert, key or ca cert: {e}");
+        Ok(certs_keys) => certs_keys,
-        ReloaderError::<ServerCryptoBase>::Reload("Failed to reload cert, key or ca cert")
+        Err(e) => {
-      })?;
+          error!("Failed to read certs and keys, skip at this time: {}", e);
          continue;
        }
      };
      server_crypto_base.inner.insert(server_name_bytes.clone(), certs_keys);
    }
--- a/rpxy-lib/Cargo.toml
+++ b/rpxy-lib/Cargo.toml
@ -13,8 +13,6 @@ publish.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [features]
 # default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend"]
 default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend"]
 http3-quinn = ["socket2", "quinn", "h3", "h3-quinn", "rpxy-certs/http3"]
 http3-s2n = [
  "s2n-quic",
@ -29,14 +27,15 @@ sticky-cookie = ["base64", "sha2", "chrono"]
 native-tls-backend = ["hyper-tls"]
 rustls-backend = ["hyper-rustls"]
 webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"]
 acme = ["dep:rpxy-acme"]
 [dependencies]
 rand = "0.8.5"
 rustc-hash = "2.0.0"
-bytes = "1.6.0"
+bytes = "1.7.0"
 derive_builder = "0.20.0"
 futures = { version = "0.3.30", features = ["alloc", "async-await"] }
-tokio = { version = "1.38.0", default-features = false, features = [
+tokio = { version = "1.39.2", default-features = false, features = [
  "net",
  "rt-multi-thread",
  "time",
@ -44,12 +43,13 @@ tokio = { version = "1.38.0", default-features = false, features = [
  "macros",
  "fs",
 ] }
 tokio-util = { version = "0.7.11", default-features = false }
 pin-project-lite = "0.2.14"
 async-trait = "0.1.81"
 # Error handling
 anyhow = "1.0.86"
-thiserror = "1.0.61"
+thiserror = "1.0.63"
 # http for both server and client
 http = "1.1.0"
@ -75,10 +75,13 @@ hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = "
 # tls and cert management for server
 rpxy-certs = { path = "../rpxy-certs/", default-features = false }
-hot_reload = "0.1.5"
+hot_reload = "0.1.6"
-rustls = { version = "0.23.11", default-features = false }
+rustls = { version = "0.23.12", default-features = false }
 tokio-rustls = { version = "0.26.0", features = ["early-data"] }
 # acme
 rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true }
 # logging
 tracing = { version = "0.1.40" }
@ -89,18 +92,18 @@ h3-quinn = { version = "0.0.7", optional = true }
 s2n-quic-h3 = { path = "../submodules/s2n-quic-h3/", features = [
  "tracing",
 ], optional = true }
-s2n-quic = { version = "1.42.0", default-features = false, features = [
+s2n-quic = { version = "1.43.0", default-features = false, features = [
  "provider-tls-rustls",
 ], optional = true }
-s2n-quic-core = { version = "0.42.0", default-features = false, optional = true }
+s2n-quic-core = { version = "0.43.0", default-features = false, optional = true }
-s2n-quic-rustls = { version = "0.42.0", optional = true }
+s2n-quic-rustls = { version = "0.43.0", optional = true }
 ##########
 # for UDP socket wit SO_REUSEADDR when h3 with quinn
 socket2 = { version = "0.5.7", features = ["all"], optional = true }
 # cache
 http-cache-semantics = { path = "../submodules/rusty-http-cache-semantics", default-features = false, optional = true }
-lru = { version = "0.12.3", optional = true }
+lru = { version = "0.12.4", optional = true }
 sha2 = { version = "0.10.8", default-features = false, optional = true }
 # cookie handling for sticky cookie
--- a/rpxy-lib/src/error.rs
+++ b/rpxy-lib/src/error.rs
@ -105,4 +105,9 @@ pub enum RpxyError {
  // Others
  #[error("Infallible")]
  Infallible(#[from] std::convert::Infallible),
  /// No Acme server config for Acme challenge
  #[cfg(feature = "acme")]
  #[error("No Acme server config")]
  NoAcmeServerConfig,
 }
--- a/rpxy-lib/src/forwarder/client.rs
+++ b/rpxy-lib/src/forwarder/client.rs
@ -204,18 +204,18 @@ where
  /// Build forwarder
  pub async fn try_new(_globals: &Arc<Globals>) -> RpxyResult<Self> {
    // build hyper client with rustls and webpki, only https is allowed
-    #[cfg(feature = "rustls-backend-webpki")]
+    #[cfg(feature = "webpki-roots")]
    let builder = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots();
-    #[cfg(feature = "rustls-backend-webpki")]
+    #[cfg(feature = "webpki-roots")]
    let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots();
-    #[cfg(feature = "rustls-backend-webpki")]
+    #[cfg(feature = "webpki-roots")]
    info!("Mozilla WebPKI root certs with rustls is used for the connection to backend applications");
-    #[cfg(not(feature = "rustls-backend-webpki"))]
+    #[cfg(not(feature = "webpki-roots"))]
    let builder = hyper_rustls::HttpsConnectorBuilder::new().with_platform_verifier();
-    #[cfg(not(feature = "rustls-backend-webpki"))]
+    #[cfg(not(feature = "webpki-roots"))]
    let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_platform_verifier();
-    #[cfg(not(feature = "rustls-backend-webpki"))]
+    #[cfg(not(feature = "webpki-roots"))]
    info!("Platform verifier with rustls is used for the connection to backend applications");
    let mut http = HttpConnector::new();
--- a/rpxy-lib/src/globals.rs
+++ b/rpxy-lib/src/globals.rs
@ -1,7 +1,8 @@
 use crate::{constants::*, count::RequestCount};
 use hot_reload::ReloaderReceiver;
 use rpxy_certs::ServerCryptoBase;
-use std::{net::SocketAddr, sync::Arc, time::Duration};
+use std::{net::SocketAddr, time::Duration};
 use tokio_util::sync::CancellationToken;
 /// Global object containing proxy configurations and shared object like counters.
 /// But note that in Globals, we do not have Mutex and RwLock. It is indeed, the context shared among async tasks.
@ -13,9 +14,13 @@ pub struct Globals {
  /// Shared context - Async task runtime handler
  pub runtime_handle: tokio::runtime::Handle,
  /// Shared context - Notify object to stop async tasks
-  pub term_notify: Option<Arc<tokio::sync::Notify>>,
+  pub cancel_token: Option<CancellationToken>,
  /// Shared context - Certificate reloader service receiver // TODO: newer one
  pub cert_reloader_rx: Option<ReloaderReceiver<ServerCryptoBase>>,
  #[cfg(feature = "acme")]
  /// ServerConfig used for only ACME challenge for ACME domains
  pub server_configs_acme_challenge: std::sync::Arc<rustc_hash::FxHashMap<String, std::sync::Arc<rustls::ServerConfig>>>,
 }
 /// Configuration parameters for proxy transport and request handlers
@ -159,4 +164,6 @@ pub struct UpstreamUri {
 pub struct TlsConfig {
  pub mutual_tls: bool,
  pub https_redirection: bool,
  #[cfg(feature = "acme")]
  pub acme: bool,
 }
--- a/rpxy-lib/src/lib.rs
+++ b/rpxy-lib/src/lib.rs
@ -19,10 +19,11 @@ use crate::{
  message_handler::HttpMessageHandlerBuilder,
  proxy::Proxy,
 };
-use futures::future::select_all;
+use futures::future::join_all;
 use hot_reload::ReloaderReceiver;
 use rpxy_certs::ServerCryptoBase;
 use std::sync::Arc;
 use tokio_util::sync::CancellationToken;
 /* ------------------------------------------------ */
 pub use crate::globals::{AppConfig, AppConfigList, ProxyConfig, ReverseProxyConfig, TlsConfig, UpstreamUri};
@ -30,13 +31,36 @@ pub mod reexports {
  pub use hyper::Uri;
 }
 #[derive(derive_builder::Builder)]
 /// rpxy entrypoint args
 pub struct RpxyOptions {
  /// Configuration parameters for proxy transport and request handlers
  pub proxy_config: ProxyConfig,
  /// List of application configurations
  pub app_config_list: AppConfigList,
  /// Certificate reloader service receiver
  pub cert_rx: Option<ReloaderReceiver<ServerCryptoBase>>, // TODO:
  /// Async task runtime handler
  pub runtime_handle: tokio::runtime::Handle,
  /// Notify object to stop async tasks
  pub cancel_token: Option<CancellationToken>,
  #[cfg(feature = "acme")]
  /// ServerConfig used for only ACME challenge for ACME domains
  pub server_configs_acme_challenge: Arc<rustc_hash::FxHashMap<String, Arc<rustls::ServerConfig>>>,
 }
 /// Entrypoint that creates and spawns tasks of reverse proxy services
 pub async fn entrypoint(
-  proxy_config: &ProxyConfig,
+  RpxyOptions {
-  app_config_list: &AppConfigList,
+    proxy_config,
-  cert_rx: Option<&ReloaderReceiver<ServerCryptoBase>>, // TODO:
+    app_config_list,
-  runtime_handle: &tokio::runtime::Handle,
+    cert_rx, // TODO:
-  term_notify: Option<Arc<tokio::sync::Notify>>,
+    runtime_handle,
    cancel_token,
    #[cfg(feature = "acme")]
    server_configs_acme_challenge,
  }: &RpxyOptions,
 ) -> RpxyResult<()> {
  #[cfg(all(feature = "http3-quinn", feature = "http3-s2n"))]
  warn!("Both \"http3-quinn\" and \"http3-s2n\" features are enabled. \"http3-quinn\" will be used");
@ -84,8 +108,11 @@ pub async fn entrypoint(
    proxy_config: proxy_config.clone(),
    request_count: Default::default(),
    runtime_handle: runtime_handle.clone(),
-    term_notify: term_notify.clone(),
+    cancel_token: cancel_token.clone(),
-    cert_reloader_rx: cert_rx.cloned(),
+    cert_reloader_rx: cert_rx.clone(),
    #[cfg(feature = "acme")]
    server_configs_acme_challenge: server_configs_acme_challenge.clone(),
  });
  // 3. build message handler containing Arc-ed http_client and backends, and make it contained in Arc as well
@ -104,7 +131,7 @@ pub async fn entrypoint(
  // spawn each proxy for a given socket with copied Arc-ed backend, message_handler and connection builder.
  let addresses = globals.proxy_config.listen_sockets.clone();
-  let futures_iter = addresses.into_iter().map(|listening_on| {
+  let join_handles = addresses.into_iter().map(|listening_on| {
    let mut tls_enabled = false;
    if let Some(https_port) = globals.proxy_config.https_port {
      tls_enabled = https_port == listening_on.port()
@ -116,11 +143,41 @@ pub async fn entrypoint(
      connection_builder: connection_builder.clone(),
      message_handler: message_handler.clone(),
    };
-    globals.runtime_handle.spawn(async move { proxy.start().await })
+
    let cancel_token = globals.cancel_token.as_ref().map(|t| t.child_token());
    let parent_cancel_token_clone = globals.cancel_token.clone();
    globals.runtime_handle.spawn(async move {
      info!("rpxy proxy service for {listening_on} started");
      if let Some(cancel_token) = cancel_token {
        tokio::select! {
          _ = cancel_token.cancelled() => {
            debug!("rpxy proxy service for {listening_on} terminated");
            Ok(())
          },
          proxy_res = proxy.start() => {
            info!("rpxy proxy service for {listening_on} exited");
            // cancel other proxy tasks
            parent_cancel_token_clone.unwrap().cancel();
            proxy_res
          }
        }
      } else {
        proxy.start().await
      }
    })
  });
-  if let (Ok(Err(e)), _, _) = select_all(futures_iter).await {
+  let join_res = join_all(join_handles).await;
-    error!("Some proxy services are down: {}", e);
+  let mut errs = join_res.into_iter().filter_map(|res| {
    if let Ok(Err(e)) = res {
      error!("Some proxy services are down: {}", e);
      Some(e)
    } else {
      None
    }
  });
  // returns the first error as the representative error
  if let Some(e) = errs.next() {
    return Err(e);
  }
--- a/rpxy-lib/src/proxy/proxy_main.rs
+++ b/rpxy-lib/src/proxy/proxy_main.rs
@ -167,6 +167,9 @@ where
    let mut server_crypto_map: Option<Arc<super::SniServerCryptoMap>> = None;
    loop {
      #[cfg(feature = "acme")]
      let server_configs_acme_challenge = self.globals.server_configs_acme_challenge.clone();
      select! {
        tcp_cnx = tcp_listener.accept().fuse() => {
          if tcp_cnx.is_err() || server_crypto_map.is_none() {
@ -190,17 +193,51 @@ where
            if server_name.is_none(){
              return Err(RpxyError::NoServerNameInClientHello);
            }
-            let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap());
+            #[cfg(feature = "acme")]
-            if server_crypto.is_none() {
+            let mut is_handshake_acme = false; // for shutdown just after TLS handshake
-              return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default()));
+            /* ------------------ */
-            }
+            // Check for ACME TLS ALPN challenge
-            let stream = match start.into_stream(server_crypto.unwrap().clone()).await {
+            #[cfg(feature = "acme")]
            let server_crypto = {
              if rpxy_acme::reexports::is_tls_alpn_challenge(&client_hello) {
                info!("ACME TLS ALPN challenge received");
                let Some(server_crypto_acme) = server_configs_acme_challenge.get(&sni.unwrap().to_ascii_lowercase()) else {
                  return Err(RpxyError::NoAcmeServerConfig);
                };
                is_handshake_acme = true;
                server_crypto_acme
              } else {
                let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap());
                let Some(server_crypto) = server_crypto else {
                  return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default()));
                };
                server_crypto
              }
            };
            /* ------------------ */
            #[cfg(not(feature = "acme"))]
            let server_crypto = {
              let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap());
              let Some(server_crypto) = server_crypto else {
                return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default()));
              };
              server_crypto
            };
            /* ------------------ */
            let stream = match start.into_stream(server_crypto.clone()).await {
              Ok(s) => TokioIo::new(s),
              Err(e) => {
                return Err(RpxyError::FailedToTlsHandshake(e.to_string()));
              }
            };
-            Ok((stream, client_addr, server_name))
+            #[cfg(feature = "acme")]
            {
              Ok((stream, client_addr, server_name, is_handshake_acme))
            }
            #[cfg(not(feature="acme"))]
            {
              Ok((stream, client_addr, server_name))
            }
          };
          self.globals.runtime_handle.spawn( async move {
@ -212,14 +249,36 @@ where
              error!("Timeout to handshake TLS");
              return;
            };
-            match v {
+            /* ------------------ */
-              Ok((stream, client_addr, server_name)) => {
+            #[cfg(feature = "acme")]
-                self_inner.serve_connection(stream, client_addr, server_name);
+            {
-              }
+              match v {
-              Err(e) => {
+                Ok((mut stream, client_addr, server_name, is_handshake_acme)) => {
-                error!("{}", e);
+                  if is_handshake_acme {
                    debug!("Shutdown TLS connection after ACME TLS ALPN challenge");
                    use tokio::io::AsyncWriteExt;
                    stream.inner_mut().shutdown().await.ok();
                  }
                  self_inner.serve_connection(stream, client_addr, server_name);
                }
                Err(e) => {
                  error!("{}", e);
                }
              }
            }
            /* ------------------ */
            #[cfg(not(feature = "acme"))]
            {
              match v {
                Ok((stream, client_addr, server_name)) => {
                  self_inner.serve_connection(stream, client_addr, server_name);
                }
                Err(e) => {
                  error!("{}", e);
                }
              }
            }
            /* ------------------ */
          });
        }
        _ = server_crypto_rx.changed().fuse() => {
@ -253,23 +312,6 @@ where
      }
    };
-    match &self.globals.term_notify {
+    proxy_service.await
      Some(term) => {
        select! {
          _ = proxy_service.fuse() => {
            warn!("Proxy service got down");
          }
          _ = term.notified().fuse() => {
            info!("Proxy service listening on {} receives term signal", self.listening_on);
          }
        }
      }
      None => {
        proxy_service.await?;
        warn!("Proxy service got down");
      }
    }
    Ok(())
  }
 }
--- a/submodules/rustls-acme
+++ b/submodules/rustls-acme
@ -0,0 +1 @@
 Subproject commit 43719fb04cc522c039c9e7420567a38416f9fec7
--- a/submodules/s2n-quic-h3/Cargo.toml
+++ b/submodules/s2n-quic-h3/Cargo.toml
@ -15,8 +15,8 @@ futures = { version = "0.3", default-features = false }
 h3 = { version = "0.0.6", features = ["tracing"] }
 # s2n-quic = { path = "../s2n-quic" }
 # s2n-quic-core = { path = "../s2n-quic-core" }
-s2n-quic = { version = "1.42.0" }
+s2n-quic = { version = "1.43.0" }
-s2n-quic-core = { version = "0.42.0" }
+s2n-quic-core = { version = "0.43.0" }
 tracing = { version = "0.1.40", optional = true }
 [features]
		`@ -0,0 +1 @@`
							`Subproject commit 43719fb04cc522c039c9e7420567a38416f9fec7`