tuxmain/rust-rpxy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #168 from junkurihara/feat/acme

Browse source 
feat: Support for TLS-ALPN-01 ACME protocol
This commit is contained in:
Jun Kurihara 2024-07-24 01:18:54 +09:00 committed by GitHub
commit f1eb2f32fe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
27 changed files with 830 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitmodules vendored
View file

@ -1,3 +1,6 @@
[submodule "submodules/rusty-http-cache-semantics"]
path = submodules/rusty-http-cache-semantics
url = git@github.com:junkurihara/rusty-http-cache-semantics.git
[submodule "submodules/rustls-acme"]
path = submodules/rustls-acme
url = git@github.com:junkurihara/rustls-acme.git

13
CHANGELOG.md
View file

@ -1,6 +1,17 @@
# CHANGELOG
## 0.9.0 (Unreleased)
## 0.10.0 (Unreleased)
## 0.9.0
### Important Changes
- Breaking: Experimental ACME support is added. Check the new configuration options and README.md for ACME support. Note that it is still under development and may have some issues.
### Improvement
- Refactor: lots of minor improvements
- Deps
## 0.8.1

4
Cargo.toml
View file

@ -1,5 +1,5 @@
[workspace.package]
version = "0.8.1"
version = "0.9.0-alpha.1"
authors = ["Jun Kurihara"]
homepage = "https://github.com/junkurihara/rust-rpxy"
repository = "https://github.com/junkurihara/rust-rpxy"
@ -9,7 +9,7 @@ edition = "2021"
publish = false
[workspace]
members = ["rpxy-bin", "rpxy-lib", "rpxy-certs"]
members = ["rpxy-bin", "rpxy-lib", "rpxy-certs", "rpxy-acme"]
exclude = ["submodules"]
resolver = "2"

34
README.md
View file

@ -1,4 +1,4 @@
# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in pure Rust
# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in Rust
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
![Unit Test](https://github.com/junkurihara/rust-rpxy/actions/workflows/ci.yml/badge.svg)
@ -10,9 +10,11 @@
## Introduction
`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in pure Rust. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections.
`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in Rust [^pure_rust]. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections.
As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib]
[^pure_rust]: Doubtfully can be claimed to be written in pure Rust since current `rpxy` is based on `aws-lc-rs` for cryptographic operations.
By default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme).
[^h3lib]: HTTP/3 libraries are mutually exclusive. You need to explicitly specify `s2n-quic` with `--no-default-features` flag. Also note that if you build `rpxy` with `s2n-quic`, then it requires `openssl` just for building the package.
@ -298,6 +300,32 @@ max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is alway
A *storable* (in the context of an HTTP message) response is stored if its size is less than or equal to `max_cache_each_size` in bytes. If it is also less than or equal to `max_cache_each_size_on_memory`, it is stored as an on-memory object. Otherwise, it is stored as a temporary file. Note that `max_cache_each_size` must be larger or equal to `max_cache_each_size_on_memory`. Also note that once `rpxy` restarts or the config is updated, the cache is totally eliminated not only from the on-memory table but also from the file system.
### Automated Certificate Issuance and Renewal via TLS-ALPN-01 ACME protocol
This is a brand-new feature and maybe still unstable. Thanks to the [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme), the automatic issuance and renewal of certificates are finally available in `rpxy`. To enable this feature, you need to specify the following entries in `config.toml`.
```toml
# ACME enabled domain name.
# ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol.
# Note that acme option must be specified in the experimental section.
[apps.localhost_with_acme]
server_name = 'example.org'
reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
tls = { https_redirection = true, acme = true } # do not specify tls_cert_path and/or tls_cert_key_path
```
For the ACME enabled domain, the following settings are referred to acquire a certificate.
```toml
# Global ACME settings. Unless specified, ACME is disabled.
[experimental.acme]
dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
email = "test@example.com"
registry_path = "./acme_registry" # optional. default is "./acme_registry" relative to the current working directory
```
The above configuration is common to all ACME enabled domains. Note that the https port must be open to the public to verify the domain ownership.
## TIPS
### Using Private Key Issued by Let's Encrypt

14
config-example.toml
View file

@ -89,6 +89,14 @@ server_name = 'localhost.localdomain'
reverse_proxy = [{ upstream = [{ location = 'www.google.com', tls = true }] }]
######################################################################
######################################################################
# ACME enabled example. ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol.
# Note that acme option must be specified in the experimental section.
[apps.localhost_with_acme]
server_name = 'kubernetes.docker.internal'
reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
tls = { https_redirection = true, acme = true }
###################################
# Experimantal settings #
###################################
@ -119,3 +127,9 @@ cache_dir = './cache' # optional. default is "./cache" relative t
max_cache_entry = 1000 # optional. default is 1k
max_cache_each_size = 65535 # optional. default is 64k
max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is always file cache.
# ACME settings. Unless specified, ACME is disabled.
[experimental.acme]
dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
email = "test@example.com"
registry_path = "./acme_registry" # optional. default is "./acme_registry" relative to the current working directory

1
docker/docker-compose-slim.yml
View file

@ -31,6 +31,7 @@ services:
volumes:
- ./log:/rpxy/log:rw
- ./cache:/rpxy/cache:rw
- ./acme_registry:/rpxy/acme_registry:rw
- ../example-certs/server.crt:/certs/server.crt:ro
- ../example-certs/server.key:/certs/server.key:ro
- ../config-example.toml:/etc/rpxy.toml:ro

1
docker/docker-compose.yml
View file

@ -31,6 +31,7 @@ services:
volumes:
- ./log:/rpxy/log:rw
- ./cache:/rpxy/cache:rw
- ./acme_registry:/rpxy/acme_registry:rw
- ../example-certs/server.crt:/certs/server.crt:ro
- ../example-certs/server.key:/certs/server.key:ro
- ../config-example.toml:/etc/rpxy.toml:ro

33
rpxy-acme/Cargo.toml Normal file
View file

@ -0,0 +1,33 @@
[package]
name = "rpxy-acme"
description = "ACME manager library for `rpxy`"
version.workspace = true
authors.workspace = true
homepage.workspace = true
repository.workspace = true
license.workspace = true
readme.workspace = true
edition.workspace = true
publish.workspace = true
[dependencies]
url = { version = "2.5.2" }
rustc-hash = "2.0.0"
thiserror = "1.0.63"
tracing = "0.1.40"
async-trait = "0.1.81"
base64 = "0.22.1"
aws-lc-rs = { version = "1.8.1", default-features = false, features = [
"aws-lc-sys",
] }
blocking = "1.6.1"
rustls = { version = "0.23.12", default-features = false, features = [
"std",
"aws_lc_rs",
] }
rustls-platform-verifier = { version = "0.3.2" }
rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [
"aws-lc-rs",
] }
tokio = { version = "1.39.0", default-features = false }
tokio-stream = { version = "0.1.15", default-features = false }

8
rpxy-acme/src/constants.rs Normal file
View file

@ -0,0 +1,8 @@
/// ACME directory url
pub const ACME_DIR_URL: &str = "https://acme-v02.api.letsencrypt.org/directory";
/// ACME registry path that stores account key and certificate
pub const ACME_REGISTRY_PATH: &str = "./acme_registry";
/// ACME accounts directory, subdirectory of ACME_REGISTRY_PATH
pub(crate) const ACME_ACCOUNT_SUBDIR: &str = "accounts";

107
rpxy-acme/src/dir_cache.rs Normal file
View file

@ -0,0 +1,107 @@
use crate::constants::ACME_ACCOUNT_SUBDIR;
use async_trait::async_trait;
use aws_lc_rs as crypto;
use base64::prelude::*;
use blocking::unblock;
use crypto::digest::{Context, SHA256};
use rustls_acme::{AccountCache, CertCache};
use std::{
io::ErrorKind,
path::{Path, PathBuf},
};
enum FileType {
Account,
Cert,
}
#[derive(Debug, PartialEq, Eq, Clone)]
pub struct DirCache {
pub(super) account_dir: PathBuf,
pub(super) cert_dir: PathBuf,
}
impl DirCache {
pub fn new<P>(dir: P, server_name: &str) -> Self
where
P: AsRef<Path>,
{
Self {
account_dir: dir.as_ref().join(ACME_ACCOUNT_SUBDIR),
cert_dir: dir.as_ref().join(server_name),
}
}
async fn read_if_exist(&self, file: impl AsRef<Path>, file_type: FileType) -> Result<Option<Vec<u8>>, std::io::Error> {
let subdir = match file_type {
FileType::Account => &self.account_dir,
FileType::Cert => &self.cert_dir,
};
let file_path = subdir.join(file);
match unblock(move || std::fs::read(file_path)).await {
Ok(content) => Ok(Some(content)),
Err(err) => match err.kind() {
ErrorKind::NotFound => Ok(None),
_ => Err(err),
},
}
}
async fn write(&self, file: impl AsRef<Path>, contents: impl AsRef<[u8]>, file_type: FileType) -> Result<(), std::io::Error> {
let subdir = match file_type {
FileType::Account => &self.account_dir,
FileType::Cert => &self.cert_dir,
}
.clone();
let subdir_clone = subdir.clone();
unblock(move || std::fs::create_dir_all(subdir_clone)).await?;
let file_path = subdir.join(file);
let contents = contents.as_ref().to_owned();
unblock(move || std::fs::write(file_path, contents)).await
}
pub fn cached_account_file_name(contact: &[String], directory_url: impl AsRef<str>) -> String {
let mut ctx = Context::new(&SHA256);
for el in contact {
ctx.update(el.as_ref());
ctx.update(&[0])
}
ctx.update(directory_url.as_ref().as_bytes());
let hash = BASE64_URL_SAFE_NO_PAD.encode(ctx.finish());
format!("cached_account_{}", hash)
}
pub fn cached_cert_file_name(domains: &[String], directory_url: impl AsRef<str>) -> String {
let mut ctx = Context::new(&SHA256);
for domain in domains {
ctx.update(domain.as_ref());
ctx.update(&[0])
}
ctx.update(directory_url.as_ref().as_bytes());
let hash = BASE64_URL_SAFE_NO_PAD.encode(ctx.finish());
format!("cached_cert_{}", hash)
}
}
#[async_trait]
impl CertCache for DirCache {
type EC = std::io::Error;
async fn load_cert(&self, domains: &[String], directory_url: &str) -> Result<Option<Vec<u8>>, Self::EC> {
let file_name = Self::cached_cert_file_name(domains, directory_url);
self.read_if_exist(file_name, FileType::Cert).await
}
async fn store_cert(&self, domains: &[String], directory_url: &str, cert: &[u8]) -> Result<(), Self::EC> {
let file_name = Self::cached_cert_file_name(domains, directory_url);
self.write(file_name, cert, FileType::Cert).await
}
}
#[async_trait]
impl AccountCache for DirCache {
type EA = std::io::Error;
async fn load_account(&self, contact: &[String], directory_url: &str) -> Result<Option<Vec<u8>>, Self::EA> {
let file_name = Self::cached_account_file_name(contact, directory_url);
self.read_if_exist(file_name, FileType::Account).await
}
async fn store_account(&self, contact: &[String], directory_url: &str, account: &[u8]) -> Result<(), Self::EA> {
let file_name = Self::cached_account_file_name(contact, directory_url);
self.write(file_name, account, FileType::Account).await
}
}

15
rpxy-acme/src/error.rs Normal file
View file

@ -0,0 +1,15 @@
use thiserror::Error;
#[derive(Error, Debug)]
/// Error type for rpxy-acme
pub enum RpxyAcmeError {
/// Invalid acme registry path
#[error("Invalid acme registry path")]
InvalidAcmeRegistryPath,
/// Invalid url
#[error("Invalid url: {0}")]
InvalidUrl(#[from] url::ParseError),
/// IO error
#[error("IO error: {0}")]
Io(#[from] std::io::Error),
}

18
rpxy-acme/src/lib.rs Normal file
View file

@ -0,0 +1,18 @@
mod constants;
mod dir_cache;
mod error;
mod manager;
#[allow(unused_imports)]
mod log {
pub(super) use tracing::{debug, error, info, warn};
}
pub use constants::{ACME_DIR_URL, ACME_REGISTRY_PATH};
pub use dir_cache::DirCache;
pub use error::RpxyAcmeError;
pub use manager::AcmeManager;
pub mod reexports {
pub use rustls_acme::is_tls_alpn_challenge;
}

171
rpxy-acme/src/manager.rs Normal file
View file

@ -0,0 +1,171 @@
use crate::{
constants::{ACME_DIR_URL, ACME_REGISTRY_PATH},
dir_cache::DirCache,
error::RpxyAcmeError,
log::*,
};
use rustc_hash::FxHashMap as HashMap;
use rustls::ServerConfig;
use rustls_acme::AcmeConfig;
use std::{path::PathBuf, sync::Arc};
use tokio::runtime::Handle;
use tokio_stream::StreamExt;
use url::Url;
#[derive(Debug, Clone)]
/// ACME settings
pub struct AcmeManager {
/// ACME directory url
acme_dir_url: Url,
// /// ACME registry directory
// acme_registry_dir: PathBuf,
/// ACME contacts
contacts: Vec<String>,
/// ACME directly cache information
inner: HashMap<String, DirCache>,
/// Tokio runtime handle
runtime_handle: Handle,
}
impl AcmeManager {
/// Create a new instance. Note that for each domain, a new AcmeConfig is created.
/// This means that for each domain, a distinct operation will be dispatched and separated certificates will be generated.
pub fn try_new(
acme_dir_url: Option<&str>,
acme_registry_dir: Option<&str>,
contacts: &[String],
domains: &[String],
runtime_handle: Handle,
) -> Result<Self, RpxyAcmeError> {
// Install aws_lc_rs as default crypto provider for rustls
let _ = rustls::crypto::CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider());
let acme_registry_dir = acme_registry_dir
.map(|v| v.to_ascii_lowercase())
.map_or_else(|| PathBuf::from(ACME_REGISTRY_PATH), PathBuf::from);
if acme_registry_dir.exists() && !acme_registry_dir.is_dir() {
return Err(RpxyAcmeError::InvalidAcmeRegistryPath);
}
let acme_dir_url = acme_dir_url
.map(|v| v.to_ascii_lowercase())
.as_deref()
.map_or_else(|| Url::parse(ACME_DIR_URL), Url::parse)?;
let contacts = contacts.iter().map(|email| format!("mailto:{email}")).collect::<Vec<_>>();
let inner = domains
.iter()
.map(|domain| {
let domain = domain.to_ascii_lowercase();
let dir_cache = DirCache::new(&acme_registry_dir, &domain);
(domain, dir_cache)
})
.collect::<HashMap<_, _>>();
Ok(Self {
acme_dir_url,
// acme_registry_dir,
contacts,
inner,
runtime_handle,
})
}
/// Start ACME manager to manage certificates for each domain.
/// Returns a Vec<JoinHandle<()>> as a tasks handles and a map of domain to ServerConfig for challenge.
pub fn spawn_manager_tasks(
&self,
term_notify: Option<Arc<tokio::sync::Notify>>,
) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
let rustls_client_config = rustls::ClientConfig::builder()
.dangerous() // The `Verifier` we're using is actually safe
.with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
.with_no_client_auth();
let rustls_client_config = Arc::new(rustls_client_config);
let mut server_configs_for_challenge: HashMap<String, Arc<ServerConfig>> = HashMap::default();
let join_handles = self
.inner
.clone()
.into_iter()
.map(|(domain, dir_cache)| {
let config = AcmeConfig::new([&domain])
.contact(&self.contacts)
.cache(dir_cache.to_owned())
.directory(self.acme_dir_url.as_str())
.client_tls_config(rustls_client_config.clone());
let mut state = config.state();
server_configs_for_challenge.insert(domain.to_ascii_lowercase(), state.challenge_rustls_config());
self.runtime_handle.spawn({
let term_notify = term_notify.clone();
async move {
info!("rpxy ACME manager task for {domain} started");
// infinite loop unless the return value is None
let task = async {
loop {
let Some(res) = state.next().await else {
error!("rpxy ACME manager task for {domain} exited");
break;
};
match res {
Ok(ok) => info!("rpxy ACME event: {ok:?}"),
Err(err) => error!("rpxy ACME error: {err:?}"),
}
}
};
if let Some(notify) = term_notify.as_ref() {
tokio::select! {
_ = task => {},
_ = notify.notified() => { info!("rpxy ACME manager task for {domain} terminated") }
}
} else {
task.await;
}
}
})
})
.collect::<Vec<_>>();
(join_handles, server_configs_for_challenge)
}
}
#[cfg(test)]
mod tests {
use crate::constants::ACME_ACCOUNT_SUBDIR;
use super::*;
#[tokio::test]
async fn test_try_new() {
let acme_dir_url = "https://acme.example.com/directory";
let acme_registry_dir = "/tmp/acme";
let contacts = vec!["test@example.com".to_string()];
let handle = Handle::current();
let acme_contexts: AcmeManager = AcmeManager::try_new(
Some(acme_dir_url),
Some(acme_registry_dir),
&contacts,
&["example.com".to_string(), "example.org".to_string()],
handle,
)
.unwrap();
assert_eq!(acme_contexts.inner.len(), 2);
assert_eq!(acme_contexts.contacts, vec!["mailto:test@example.com".to_string()]);
assert_eq!(acme_contexts.acme_dir_url.as_str(), acme_dir_url);
// assert_eq!(acme_contexts.acme_registry_dir, PathBuf::from(acme_registry_dir));
assert_eq!(
acme_contexts.inner["example.com"],
DirCache {
account_dir: PathBuf::from(acme_registry_dir).join(ACME_ACCOUNT_SUBDIR),
cert_dir: PathBuf::from(acme_registry_dir).join("example.com"),
}
);
assert_eq!(
acme_contexts.inner["example.org"],
DirCache {
account_dir: PathBuf::from(acme_registry_dir).join(ACME_ACCOUNT_SUBDIR),
cert_dir: PathBuf::from(acme_registry_dir).join("example.org"),
}
);
}
}

17
rpxy-bin/Cargo.toml
View file

@ -13,14 +13,15 @@ publish.workspace = true
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[features]
default = ["http3-quinn", "cache", "rustls-backend"]
# default = ["http3-s2n", "cache", "rustls-backend"]
default = ["http3-quinn", "cache", "rustls-backend", "acme"]
# default = ["http3-s2n", "cache", "rustls-backend", "acme"]
http3-quinn = ["rpxy-lib/http3-quinn"]
http3-s2n = ["rpxy-lib/http3-s2n"]
native-tls-backend = ["rpxy-lib/native-tls-backend"]
rustls-backend = ["rpxy-lib/rustls-backend"]
webpki-roots = ["rpxy-lib/webpki-roots"]
cache = ["rpxy-lib/cache"]
acme = ["rpxy-lib/acme", "rpxy-acme"]
[dependencies]
rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [
@ -31,7 +32,7 @@ mimalloc = { version = "*", default-features = false }
anyhow = "1.0.86"
rustc-hash = "2.0.0"
serde = { version = "1.0.204", default-features = false, features = ["derive"] }
tokio = { version = "1.38.0", default-features = false, features = [
tokio = { version = "1.39.0", default-features = false, features = [
"net",
"rt-multi-thread",
"time",
@ -39,12 +40,12 @@ tokio = { version = "1.38.0", default-features = false, features = [
"macros",
] }
async-trait = "0.1.81"
futures-util = { version = "0.3.30", default-features = false }
# config
clap = { version = "4.5.9", features = ["std", "cargo", "wrap_help"] }
toml = { version = "0.8.14", default-features = false, features = ["parse"] }
hot_reload = "0.1.5"
clap = { version = "4.5.10", features = ["std", "cargo", "wrap_help"] }
toml = { version = "0.8.15", default-features = false, features = ["parse"] }
hot_reload = "0.1.6"
# logging
tracing = { version = "0.1.40" }
@ -56,4 +57,6 @@ rpxy-certs = { path = "../rpxy-certs/", default-features = false, features = [
"http3",
] }
rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true }
[dev-dependencies]

5
rpxy-bin/src/config/mod.rs
View file

@ -3,7 +3,10 @@ mod service;
mod toml;
pub use {
self::toml::ConfigToml,
parse::{build_cert_manager, build_settings, parse_opts},
service::ConfigTomlReloader,
toml::ConfigToml,
};
#[cfg(feature = "acme")]
pub use parse::build_acme_manager;

82
rpxy-bin/src/config/parse.rs
View file

@ -6,6 +6,9 @@ use rpxy_certs::{build_cert_reloader, CryptoFileSourceBuilder, CryptoReloader, S
use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig};
use rustc_hash::FxHashMap as HashMap;
#[cfg(feature = "acme")]
use rpxy_acme::{AcmeManager, ACME_DIR_URL, ACME_REGISTRY_PATH};
/// Parsed options
pub struct Opts {
pub config_file_path: String,
@ -103,11 +106,43 @@ pub async fn build_cert_manager(
if config.listen_port_tls.is_none() {
return Ok(None);
}
#[cfg(feature = "acme")]
let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone());
#[cfg(feature = "acme")]
let acme_dir_url = acme_option
.as_ref()
.and_then(|v| v.dir_url.as_deref())
.unwrap_or(ACME_DIR_URL);
#[cfg(feature = "acme")]
let acme_registry_path = acme_option
.as_ref()
.and_then(|v| v.registry_path.as_deref())
.unwrap_or(ACME_REGISTRY_PATH);
let mut crypto_source_map = HashMap::default();
for app in apps.0.values() {
if let Some(tls) = app.tls.as_ref() {
ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
let server_name = app.server_name.as_ref().ok_or(anyhow!("No server name"))?;
#[cfg(not(feature = "acme"))]
ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
#[cfg(feature = "acme")]
let tls = {
let mut tls = tls.clone();
if let Some(true) = tls.acme {
ensure!(acme_option.is_some() && tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none());
// Both of tls_cert_key_path and tls_cert_path must be the same for ACME since it's a single file
let subdir = format!("{}/{}", acme_registry_path, server_name.to_ascii_lowercase());
let file_name =
rpxy_acme::DirCache::cached_cert_file_name(&[server_name.to_ascii_lowercase()], acme_dir_url.to_ascii_lowercase());
tls.tls_cert_key_path = Some(format!("{}/{}", subdir, file_name));
tls.tls_cert_path = Some(format!("{}/{}", subdir, file_name));
}
tls
};
let crypto_file_source = CryptoFileSourceBuilder::default()
.tls_cert_path(tls.tls_cert_path.as_ref().unwrap())
.tls_cert_key_path(tls.tls_cert_key_path.as_ref().unwrap())
@ -119,3 +154,48 @@ pub async fn build_cert_manager(
let res = build_cert_reloader(&crypto_source_map, None).await?;
Ok(Some(res))
}
/* ----------------------- */
#[cfg(feature = "acme")]
/// Build acme manager
pub async fn build_acme_manager(
config: &ConfigToml,
runtime_handle: tokio::runtime::Handle,
) -> Result<Option<AcmeManager>, anyhow::Error> {
let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone());
if acme_option.is_none() {
return Ok(None);
}
let acme_option = acme_option.unwrap();
let domains = config
.apps
.as_ref()
.unwrap()
.0
.values()
.filter_map(|app| {
//
if let Some(tls) = app.tls.as_ref() {
if let Some(true) = tls.acme {
return Some(app.server_name.as_ref().unwrap().to_owned());
}
}
None
})
.collect::<Vec<_>>();
if domains.is_empty() {
return Ok(None);
}
let acme_manager = AcmeManager::try_new(
acme_option.dir_url.as_deref(),
acme_option.registry_path.as_deref(),
&[acme_option.email],
domains.as_slice(),
runtime_handle,
)?;
Ok(Some(acme_manager))
}

28
rpxy-bin/src/config/toml.rs
View file

@ -41,12 +41,25 @@ pub struct CacheOption {
pub max_cache_each_size_on_memory: Option<usize>,
}
#[cfg(feature = "acme")]
#[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
pub struct AcmeOption {
pub dir_url: Option<String>,
pub email: String,
pub registry_path: Option<String>,
}
#[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
pub struct Experimental {
#[cfg(any(feature = "http3-quinn", feature = "http3-s2n"))]
pub h3: Option<Http3Option>,
#[cfg(feature = "cache")]
pub cache: Option<CacheOption>,
#[cfg(feature = "acme")]
pub acme: Option<AcmeOption>,
pub ignore_sni_consistency: Option<bool>,
pub connection_handling_timeout: Option<u64>,
}
@ -67,6 +80,8 @@ pub struct TlsOption {
pub tls_cert_key_path: Option<String>,
pub https_redirection: Option<bool>,
pub client_ca_cert_path: Option<String>,
#[cfg(feature = "acme")]
pub acme: Option<bool>,
}
#[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
@ -222,8 +237,19 @@ impl Application {
// tls settings
let tls_config = if self.tls.is_some() {
let tls = self.tls.as_ref().unwrap();
#[cfg(not(feature = "acme"))]
ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
#[cfg(feature = "acme")]
{
if tls.acme.unwrap_or(false) {
ensure!(tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none());
} else {
ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some());
}
}
let https_redirection = if tls.https_redirection.is_none() {
true // Default true
} else {
@ -233,6 +259,8 @@ impl Application {
Some(TlsConfig {
mutual_tls: tls.client_ca_cert_path.is_some(),
https_redirection,
#[cfg(feature = "acme")]
acme: tls.acme.unwrap_or(false),
})
} else {
None

169
rpxy-bin/src/main.rs
View file

@ -6,6 +6,8 @@ mod constants;
mod error;
mod log;
#[cfg(feature = "acme")]
use crate::config::build_acme_manager;
use crate::{
config::{build_cert_manager, build_settings, parse_opts, ConfigToml, ConfigTomlReloader},
constants::CONFIG_WATCH_DELAY_SECS,
@ -13,7 +15,7 @@ use crate::{
log::*,
};
use hot_reload::{ReloaderReceiver, ReloaderService};
use rpxy_lib::entrypoint;
use rpxy_lib::{entrypoint, RpxyOptions, RpxyOptionsBuilder};
fn main() {
init_logger();
@ -66,13 +68,43 @@ async fn rpxy_service_without_watcher(
let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?;
let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
let cert_service_and_rx = build_cert_manager(&config_toml)
let (cert_service, cert_rx) = build_cert_manager(&config_toml)
.await
.map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
.map_err(|e| anyhow!("Invalid cert configuration: {e}"))?
.map(|(s, r)| (Some(s), Some(r)))
.unwrap_or((None, None));
rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, None)
.await
.map_err(|e| anyhow!(e))
#[cfg(feature = "acme")]
{
let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?;
let (acme_join_handles, server_config_acme_challenge) = acme_manager
.as_ref()
.map(|m| m.spawn_manager_tasks(None))
.unwrap_or((vec![], Default::default()));
let rpxy_opts = RpxyOptionsBuilder::default()
.proxy_config(proxy_conf)
.app_config_list(app_conf)
.cert_rx(cert_rx)
.runtime_handle(runtime_handle.clone())
.server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge))
.build()?;
rpxy_entrypoint(&rpxy_opts, cert_service.as_ref(), acme_join_handles) //, &runtime_handle)
.await
.map_err(|e| anyhow!(e))
}
#[cfg(not(feature = "acme"))]
{
let rpxy_opts = RpxyOptionsBuilder::default()
.proxy_config(proxy_conf.clone())
.app_config_list(app_conf.clone())
.cert_rx(cert_rx.clone())
.runtime_handle(runtime_handle.clone())
.build()?;
rpxy_entrypoint(&rpxy_opts, cert_service.as_ref()) //, &runtime_handle)
.await
.map_err(|e| anyhow!(e))
}
}
async fn rpxy_service_with_watcher(
@ -88,6 +120,9 @@ async fn rpxy_service_with_watcher(
.ok_or(anyhow!("Something wrong in config reloader receiver"))?;
let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?;
#[cfg(feature = "acme")]
let mut acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?;
let mut cert_service_and_rx = build_cert_manager(&config_toml)
.await
.map_err(|e| anyhow!("Invalid cert configuration: {e}"))?;
@ -97,8 +132,50 @@ async fn rpxy_service_with_watcher(
// Continuous monitoring
loop {
let (cert_service, cert_rx) = cert_service_and_rx
.as_ref()
.map(|(s, r)| (Some(s), Some(r)))
.unwrap_or((None, None));
#[cfg(feature = "acme")]
let (acme_join_handles, server_config_acme_challenge) = acme_manager
.as_ref()
.map(|m| m.spawn_manager_tasks(Some(term_notify.clone())))
.unwrap_or((vec![], Default::default()));
let rpxy_opts = {
#[cfg(feature = "acme")]
let res = RpxyOptionsBuilder::default()
.proxy_config(proxy_conf.clone())
.app_config_list(app_conf.clone())
.cert_rx(cert_rx.cloned())
.runtime_handle(runtime_handle.clone())
.term_notify(Some(term_notify.clone()))
.server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge))
.build();
#[cfg(not(feature = "acme"))]
let res = RpxyOptionsBuilder::default()
.proxy_config(proxy_conf.clone())
.app_config_list(app_conf.clone())
.cert_rx(cert_rx.cloned())
.runtime_handle(runtime_handle.clone())
.term_notify(Some(term_notify.clone()))
.build();
res
}?;
tokio::select! {
rpxy_res = rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, Some(term_notify.clone())) => {
rpxy_res = {
#[cfg(feature = "acme")]
{
rpxy_entrypoint(&rpxy_opts, cert_service, acme_join_handles)//, &runtime_handle)
}
#[cfg(not(feature = "acme"))]
{
rpxy_entrypoint(&rpxy_opts, cert_service)//, &runtime_handle)
}
} => {
error!("rpxy entrypoint or cert service exited");
return rpxy_res.map_err(|e| anyhow!(e));
}
@ -125,8 +202,20 @@ async fn rpxy_service_with_watcher(
continue;
}
};
#[cfg(feature = "acme")]
{
match build_acme_manager(&config_toml, runtime_handle.clone()).await {
Ok(m) => {
acme_manager = m;
},
Err(e) => {
error!("Invalid acme configuration. Configuration does not updated: {e}");
continue;
}
}
}
info!("Configuration updated. Terminate all spawned proxy services and force to re-bind TCP/UDP sockets");
info!("Configuration updated. Terminate all spawned services and force to re-bind TCP/UDP sockets");
term_notify.notify_waiters();
// tokio::time::sleep(tokio::time::Duration::from_secs(1)).await;
}
@ -137,20 +226,17 @@ async fn rpxy_service_with_watcher(
Ok(())
}
#[cfg(not(feature = "acme"))]
/// Wrapper of entry point for rpxy service with certificate management service
async fn rpxy_entrypoint(
proxy_config: &rpxy_lib::ProxyConfig,
app_config_list: &rpxy_lib::AppConfigList,
cert_service_and_rx: Option<&(
ReloaderService<rpxy_certs::CryptoReloader, rpxy_certs::ServerCryptoBase>,
ReloaderReceiver<rpxy_certs::ServerCryptoBase>,
)>, // TODO:
runtime_handle: &tokio::runtime::Handle,
term_notify: Option<std::sync::Arc<tokio::sync::Notify>>,
rpxy_opts: &RpxyOptions,
cert_service: Option<&ReloaderService<rpxy_certs::CryptoReloader, rpxy_certs::ServerCryptoBase>>,
// runtime_handle: &tokio::runtime::Handle,
) -> Result<(), anyhow::Error> {
if let Some((cert_service, cert_rx)) = cert_service_and_rx {
// TODO: refactor: update routine
if let Some(cert_service) = cert_service {
tokio::select! {
rpxy_res = entrypoint(proxy_config, app_config_list, Some(cert_rx), runtime_handle, term_notify) => {
rpxy_res = entrypoint(rpxy_opts) => {
error!("rpxy entrypoint exited");
rpxy_res.map_err(|e| anyhow!(e))
}
@ -160,8 +246,49 @@ async fn rpxy_entrypoint(
}
}
} else {
entrypoint(proxy_config, app_config_list, None, runtime_handle, term_notify)
.await
.map_err(|e| anyhow!(e))
entrypoint(rpxy_opts).await.map_err(|e| anyhow!(e))
}
}
#[cfg(feature = "acme")]
/// Wrapper of entry point for rpxy service with certificate management service
async fn rpxy_entrypoint(
rpxy_opts: &RpxyOptions,
cert_service: Option<&ReloaderService<rpxy_certs::CryptoReloader, rpxy_certs::ServerCryptoBase>>,
acme_task_handles: Vec<tokio::task::JoinHandle<()>>,
// runtime_handle: &tokio::runtime::Handle,
) -> Result<(), anyhow::Error> {
// TODO: refactor: update routine
if let Some(cert_service) = cert_service {
if acme_task_handles.is_empty() {
tokio::select! {
rpxy_res = entrypoint(rpxy_opts) => {
error!("rpxy entrypoint exited");
rpxy_res.map_err(|e| anyhow!(e))
}
cert_res = cert_service.start() => {
error!("cert reloader service exited");
cert_res.map_err(|e| anyhow!(e))
}
}
} else {
let select_all = futures_util::future::select_all(acme_task_handles);
tokio::select! {
rpxy_res = entrypoint(rpxy_opts) => {
error!("rpxy entrypoint exited");
rpxy_res.map_err(|e| anyhow!(e))
}
(acme_res, _, _) = select_all => {
error!("acme manager exited");
acme_res.map_err(|e| anyhow!(e))
}
cert_res = cert_service.start() => {
error!("cert reloader service exited");
cert_res.map_err(|e| anyhow!(e))
}
}
}
} else {
entrypoint(rpxy_opts).await.map_err(|e| anyhow!(e))
}
}

10
rpxy-certs/Cargo.toml
View file

@ -18,22 +18,22 @@ http3 = []
rustc-hash = { version = "2.0.0" }
tracing = { version = "0.1.40" }
derive_builder = { version = "0.20.0" }
thiserror = { version = "1.0.62" }
hot_reload = { version = "0.1.5" }
thiserror = { version = "1.0.63" }
hot_reload = { version = "0.1.6" }
async-trait = { version = "0.1.81" }
rustls = { version = "0.23.11", default-features = false, features = [
rustls = { version = "0.23.12", default-features = false, features = [
"std",
"aws_lc_rs",
] }
rustls-pemfile = { version = "2.1.2" }
rustls-webpki = { version = "0.102.5", default-features = false, features = [
rustls-webpki = { version = "0.102.6", default-features = false, features = [
"std",
"aws_lc_rs",
] }
x509-parser = { version = "0.16.0" }
[dev-dependencies]
tokio = { version = "1.38.0", default-features = false, features = [
tokio = { version = "1.39.0", default-features = false, features = [
"rt-multi-thread",
"macros",
] }

11
rpxy-certs/src/reloader_service.rs
View file

@ -46,10 +46,13 @@ impl Reload<ServerCryptoBase> for CryptoReloader {
let mut server_crypto_base = ServerCryptoBase::default();
for (server_name_bytes, crypto_source) in self.inner.iter() {
let certs_keys = crypto_source.read().await.map_err(|e| {
error!("Failed to reload cert, key or ca cert: {e}");
ReloaderError::<ServerCryptoBase>::Reload("Failed to reload cert, key or ca cert")
})?;
let certs_keys = match crypto_source.read().await {
Ok(certs_keys) => certs_keys,
Err(e) => {
error!("Failed to read certs and keys, skip at this time: {}", e);
continue;
}
};
server_crypto_base.inner.insert(server_name_bytes.clone(), certs_keys);
}

24
rpxy-lib/Cargo.toml
View file

@ -13,8 +13,8 @@ publish.workspace = true
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[features]
# default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend"]
default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend"]
# default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend", "acme"]
# default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend", "acme"]
http3-quinn = ["socket2", "quinn", "h3", "h3-quinn", "rpxy-certs/http3"]
http3-s2n = [
"s2n-quic",
@ -29,14 +29,15 @@ sticky-cookie = ["base64", "sha2", "chrono"]
native-tls-backend = ["hyper-tls"]
rustls-backend = ["hyper-rustls"]
webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"]
acme = ["dep:rpxy-acme"]
[dependencies]
rand = "0.8.5"
rustc-hash = "2.0.0"
bytes = "1.6.0"
bytes = "1.6.1"
derive_builder = "0.20.0"
futures = { version = "0.3.30", features = ["alloc", "async-await"] }
tokio = { version = "1.38.0", default-features = false, features = [
tokio = { version = "1.39.0", default-features = false, features = [
"net",
"rt-multi-thread",
"time",
@ -49,7 +50,7 @@ async-trait = "0.1.81"
# Error handling
anyhow = "1.0.86"
thiserror = "1.0.62"
thiserror = "1.0.63"
# http for both server and client
http = "1.1.0"
@ -75,10 +76,13 @@ hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = "
# tls and cert management for server
rpxy-certs = { path = "../rpxy-certs/", default-features = false }
hot_reload = "0.1.5"
rustls = { version = "0.23.11", default-features = false }
hot_reload = "0.1.6"
rustls = { version = "0.23.12", default-features = false }
tokio-rustls = { version = "0.26.0", features = ["early-data"] }
# acme
rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true }
# logging
tracing = { version = "0.1.40" }
@ -89,11 +93,11 @@ h3-quinn = { version = "0.0.7", optional = true }
s2n-quic-h3 = { path = "../submodules/s2n-quic-h3/", features = [
"tracing",
], optional = true }
s2n-quic = { version = "1.42.0", default-features = false, features = [
s2n-quic = { version = "1.43.0", default-features = false, features = [
"provider-tls-rustls",
], optional = true }
s2n-quic-core = { version = "0.42.0", default-features = false, optional = true }
s2n-quic-rustls = { version = "0.42.0", optional = true }
s2n-quic-core = { version = "0.43.0", default-features = false, optional = true }
s2n-quic-rustls = { version = "0.43.0", optional = true }
##########
# for UDP socket wit SO_REUSEADDR when h3 with quinn
socket2 = { version = "0.5.7", features = ["all"], optional = true }

5
rpxy-lib/src/error.rs
View file

@ -105,4 +105,9 @@ pub enum RpxyError {
// Others
#[error("Infallible")]
Infallible(#[from] std::convert::Infallible),
/// No Acme server config for Acme challenge
#[cfg(feature = "acme")]
#[error("No Acme server config")]
NoAcmeServerConfig,
}

6
rpxy-lib/src/globals.rs
View file

@ -16,6 +16,10 @@ pub struct Globals {
pub term_notify: Option<Arc<tokio::sync::Notify>>,
/// Shared context - Certificate reloader service receiver // TODO: newer one
pub cert_reloader_rx: Option<ReloaderReceiver<ServerCryptoBase>>,
#[cfg(feature = "acme")]
/// ServerConfig used for only ACME challenge for ACME domains
pub server_configs_acme_challenge: Arc<rustc_hash::FxHashMap<String, Arc<rustls::ServerConfig>>>,
}
/// Configuration parameters for proxy transport and request handlers
@ -159,4 +163,6 @@ pub struct UpstreamUri {
pub struct TlsConfig {
pub mutual_tls: bool,
pub https_redirection: bool,
#[cfg(feature = "acme")]
pub acme: bool,
}

38
rpxy-lib/src/lib.rs
View file

@ -30,13 +30,36 @@ pub mod reexports {
pub use hyper::Uri;
}
#[derive(derive_builder::Builder)]
/// rpxy entrypoint args
pub struct RpxyOptions {
/// Configuration parameters for proxy transport and request handlers
pub proxy_config: ProxyConfig,
/// List of application configurations
pub app_config_list: AppConfigList,
/// Certificate reloader service receiver
pub cert_rx: Option<ReloaderReceiver<ServerCryptoBase>>, // TODO:
/// Async task runtime handler
pub runtime_handle: tokio::runtime::Handle,
/// Notify object to stop async tasks
pub term_notify: Option<Arc<tokio::sync::Notify>>,
#[cfg(feature = "acme")]
/// ServerConfig used for only ACME challenge for ACME domains
pub server_configs_acme_challenge: Arc<rustc_hash::FxHashMap<String, Arc<rustls::ServerConfig>>>,
}
/// Entrypoint that creates and spawns tasks of reverse proxy services
pub async fn entrypoint(
proxy_config: &ProxyConfig,
app_config_list: &AppConfigList,
cert_rx: Option<&ReloaderReceiver<ServerCryptoBase>>, // TODO:
runtime_handle: &tokio::runtime::Handle,
term_notify: Option<Arc<tokio::sync::Notify>>,
RpxyOptions {
proxy_config,
app_config_list,
cert_rx, // TODO:
runtime_handle,
term_notify,
#[cfg(feature = "acme")]
server_configs_acme_challenge,
}: &RpxyOptions,
) -> RpxyResult<()> {
#[cfg(all(feature = "http3-quinn", feature = "http3-s2n"))]
warn!("Both \"http3-quinn\" and \"http3-s2n\" features are enabled. \"http3-quinn\" will be used");
@ -85,7 +108,10 @@ pub async fn entrypoint(
request_count: Default::default(),
runtime_handle: runtime_handle.clone(),
term_notify: term_notify.clone(),
cert_reloader_rx: cert_rx.cloned(),
cert_reloader_rx: cert_rx.clone(),
#[cfg(feature = "acme")]
server_configs_acme_challenge: server_configs_acme_challenge.clone(),
});
// 3. build message handler containing Arc-ed http_client and backends, and make it contained in Arc as well

83
rpxy-lib/src/proxy/proxy_main.rs
View file

@ -167,6 +167,9 @@ where
let mut server_crypto_map: Option<Arc<super::SniServerCryptoMap>> = None;
loop {
#[cfg(feature = "acme")]
let server_configs_acme_challenge = self.globals.server_configs_acme_challenge.clone();
select! {
tcp_cnx = tcp_listener.accept().fuse() => {
if tcp_cnx.is_err() || server_crypto_map.is_none() {
@ -190,17 +193,51 @@ where
if server_name.is_none(){
return Err(RpxyError::NoServerNameInClientHello);
}
let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap());
if server_crypto.is_none() {
return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default()));
}
let stream = match start.into_stream(server_crypto.unwrap().clone()).await {
#[cfg(feature = "acme")]
let mut is_handshake_acme = false; // for shutdown just after TLS handshake
/* ------------------ */
// Check for ACME TLS ALPN challenge
#[cfg(feature = "acme")]
let server_crypto = {
if rpxy_acme::reexports::is_tls_alpn_challenge(&client_hello) {
info!("ACME TLS ALPN challenge received");
let Some(server_crypto_acme) = server_configs_acme_challenge.get(&sni.unwrap().to_ascii_lowercase()) else {
return Err(RpxyError::NoAcmeServerConfig);
};
is_handshake_acme = true;
server_crypto_acme
} else {
let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap());
let Some(server_crypto) = server_crypto else {
return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default()));
};
server_crypto
}
};
/* ------------------ */
#[cfg(not(feature = "acme"))]
let server_crypto = {
let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap());
let Some(server_crypto) = server_crypto else {
return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default()));
};
server_crypto
};
/* ------------------ */
let stream = match start.into_stream(server_crypto.clone()).await {
Ok(s) => TokioIo::new(s),
Err(e) => {
return Err(RpxyError::FailedToTlsHandshake(e.to_string()));
}
};
Ok((stream, client_addr, server_name))
#[cfg(feature = "acme")]
{
Ok((stream, client_addr, server_name, is_handshake_acme))
}
#[cfg(not(feature="acme"))]
{
Ok((stream, client_addr, server_name))
}
};
self.globals.runtime_handle.spawn( async move {
@ -212,14 +249,36 @@ where
error!("Timeout to handshake TLS");
return;
};
match v {
Ok((stream, client_addr, server_name)) => {
self_inner.serve_connection(stream, client_addr, server_name);
}
Err(e) => {
error!("{}", e);
/* ------------------ */
#[cfg(feature = "acme")]
{
match v {
Ok((mut stream, client_addr, server_name, is_handshake_acme)) => {
if is_handshake_acme {
debug!("Shutdown TLS connection after ACME TLS ALPN challenge");
use tokio::io::AsyncWriteExt;
stream.inner_mut().shutdown().await.ok();
}
self_inner.serve_connection(stream, client_addr, server_name);
}
Err(e) => {
error!("{}", e);
}
}
}
/* ------------------ */
#[cfg(not(feature = "acme"))]
{
match v {
Ok((stream, client_addr, server_name)) => {
self_inner.serve_connection(stream, client_addr, server_name);
}
Err(e) => {
error!("{}", e);
}
}
}
/* ------------------ */
});
}
_ = server_crypto_rx.changed().fuse() => {

1
submodules/rustls-acme Submodule

@ -0,0 +1 @@
Subproject commit 43719fb04cc522c039c9e7420567a38416f9fec7

4
submodules/s2n-quic-h3/Cargo.toml
View file

@ -15,8 +15,8 @@ futures = { version = "0.3", default-features = false }
h3 = { version = "0.0.6", features = ["tracing"] }
# s2n-quic = { path = "../s2n-quic" }
# s2n-quic-core = { path = "../s2n-quic-core" }
s2n-quic = { version = "1.42.0" }
s2n-quic-core = { version = "0.42.0" }
s2n-quic = { version = "1.43.0" }
s2n-quic-core = { version = "0.43.0" }
tracing = { version = "0.1.40", optional = true }
[features]