tuxmain/rust-rpxy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update features of hyper-rutstls with aws-lc-rs and platform-verifier

Browse source
This commit is contained in:
Jun Kurihara 2024-06-07 14:18:09 +09:00
commit dfe764f41e
No known key found for this signature in database
GPG key ID: 48ADFD173ED22B03
5 changed files with 17 additions and 20 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -10,6 +10,7 @@
### Improvement
- Refactor: lots of minor improvements
- Change the certificate verifier from `rustls-native-certs` to `rustls-platform-verifier` to use the system's default root cert store for better client (forwarder) performance in `hyper-rustls`.
## 0.7.1

2
Cargo.toml
View file

@ -1,5 +1,5 @@
[workspace.package]
version = "0.8.0-alpha.0"
version = "0.8.0-alpha.1"
authors = ["Jun Kurihara"]
homepage = "https://github.com/junkurihara/rust-rpxy"
repository = "https://github.com/junkurihara/rust-rpxy"

6
rpxy-bin/Cargo.toml
View file

@ -13,8 +13,8 @@ publish.workspace = true
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[features]
# default = ["http3-quinn", "cache", "rustls-backend"]
default = ["http3-s2n", "cache", "rustls-backend"]
default = ["http3-quinn", "cache", "rustls-backend"]
# default = ["http3-s2n", "cache", "rustls-backend"]
http3-quinn = ["rpxy-lib/http3-quinn"]
http3-s2n = ["rpxy-lib/http3-s2n"]
native-tls-backend = ["rpxy-lib/native-tls-backend"]
@ -42,7 +42,7 @@ async-trait = "0.1.80"
# config
clap = { version = "4.5.4", features = ["std", "cargo", "wrap_help"] }
clap = { version = "4.5.6", features = ["std", "cargo", "wrap_help"] }
toml = { version = "0.8.14", default-features = false, features = ["parse"] }
hot_reload = "0.1.5"

12
rpxy-lib/Cargo.toml
View file

@ -13,8 +13,8 @@ publish.workspace = true
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[features]
default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend"]
# default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend"]
# default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend"]
default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend"]
http3-quinn = ["socket2", "quinn", "h3", "h3-quinn", "rpxy-certs/http3"]
http3-s2n = [
"h3",
@ -64,11 +64,13 @@ hyper-tls = { version = "0.6.0", features = [
"alpn",
"vendored",
], optional = true }
hyper-rustls = { version = "0.27.2", default-features = false, features = [
"ring",
"native-tokio",
# TODO: Work around to enable rustls-platform-verifier feature: https://github.com/rustls/hyper-rustls/pull/276
# hyper-rustls = { version = "0.27.2", default-features = false, features = [
hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = "fix/builder-feature-platform-verifier", features = [
"aws-lc-rs",
"http1",
"http2",
"rustls-platform-verifier",
], optional = true }
# tls and cert management for server

16
rpxy-lib/src/forwarder/client.rs
View file

@ -212,21 +212,18 @@ where
info!("Mozilla WebPKI root certs with rustls is used for the connection to backend applications");
#[cfg(not(feature = "rustls-backend-webpki"))]
let builder = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots()?;
let builder = hyper_rustls::HttpsConnectorBuilder::new().with_platform_verifier();
#[cfg(not(feature = "rustls-backend-webpki"))]
let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_native_roots()?;
let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_platform_verifier();
#[cfg(not(feature = "rustls-backend-webpki"))]
info!("Native cert store with rustls is used for the connection to backend applications");
info!("Platform verifier with rustls is used for the connection to backend applications");
let mut http = HttpConnector::new();
http.enforce_http(false);
http.set_reuse_address(true);
http.set_keepalive(Some(_globals.proxy_config.upstream_idle_timeout));
let connector = builder
.https_or_http()
.enable_all_versions()
.wrap_connector(http.clone());
let connector = builder.https_or_http().enable_all_versions().wrap_connector(http.clone());
let connector_h2 = builder_h2.https_or_http().enable_http2().wrap_connector(http);
let inner = Client::builder(LocalExecutor::new(_globals.runtime_handle.clone())).build::<_, B1>(connector);
let inner_h2 = Client::builder(LocalExecutor::new(_globals.runtime_handle.clone())).build::<_, B1>(connector_h2);
@ -243,10 +240,7 @@ where
#[cfg(feature = "cache")]
/// Build synthetic request to cache
fn build_synth_req_for_cache<T>(req: &Request<T>) -> Request<()> {
let mut builder = Request::builder()
.method(req.method())
.uri(req.uri())
.version(req.version());
let mut builder = Request::builder().method(req.method()).uri(req.uri()).version(req.version());
// TODO: omit extensions. is this approach correct?
for (header_key, header_value) in req.headers() {
builder = builder.header(header_key, header_value);