exp

chore(deps): bump rustls-webpki from 0.103.6 to 0.103.7

.github/workflows/release_docker.yml

@@ -212,7 +212,7 @@ jobs:
     needs: build_and_push
     steps:
       - name: Repository dispatch for release
-        uses: peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@v4
         with:
           event-type: release-event
           client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "pull_request": { "title": "${{ github.event.pull_request.title }}", "body": ${{ toJson(github.event.pull_request.body) }}, "number": "${{ github.event.pull_request.number }}", "head": "${{ github.event.pull_request.head.ref }}", "base": "${{ github.event.pull_request.base.ref}}"}}'

rpxy-bin/Cargo.toml

@@ -14,12 +14,13 @@ publish.workspace = true
 
 [features]
 default = [
-  "http3-quinn",
+  "provider-ring",
+#  "http3-quinn",
   "cache",
   "rustls-backend",
   "sticky-cookie",
-  "acme",
+#  "acme",
-  "post-quantum",
+#  "post-quantum",
 ]
 # default = [
 #   "http3-s2n",
@@ -29,6 +30,12 @@ default = [
 #   "acme",
 #   "post-quantum",
 # ]
+provider-aws-lc-rs = ["rpxy-lib/rustls-backend-aws-lc-rs"]
+provider-boring = ["rpxy-lib/rustls-backend-boring"]
+provider-openssl = ["rpxy-lib/rustls-backend-openssl"]
+provider-ring = ["rpxy-lib/rustls-backend-ring"]
+provider-symcrypt = ["rpxy-lib/rustls-backend-symcrypt"]
+provider-wolfcrypt = ["rpxy-lib/rustls-backend-wolfcrypt"]
 http3-quinn = ["rpxy-lib/http3-quinn"]
 http3-s2n = ["rpxy-lib/http3-s2n"]
 native-tls-backend = ["rpxy-lib/native-tls-backend"]
@@ -59,7 +66,7 @@ futures-util = { version = "0.3.31", default-features = false }
 
 # config
 clap = { version = "4.5.48", features = ["std", "cargo", "wrap_help"] }
-toml = { version = "0.9.7", default-features = false, features = [
+toml = { version = "0.9.8", default-features = false, features = [
   "parse",
   "serde",
 ] }

rpxy-bin/src/config/toml.rs

@@ -173,6 +173,7 @@ pub struct ReverseProxyOption {
   pub upstream: Vec<UpstreamParams>,
   pub upstream_options: Option<Vec<String>>,
   pub load_balance: Option<String>,
+  pub set_host: Option<String>,
 }
 
 #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)]
@@ -398,6 +399,7 @@ impl TryInto<Vec<ReverseProxyConfig>> for &Application {
         upstream,
         upstream_options: rpo.upstream_options.clone(),
         load_balance: rpo.load_balance.clone(),
+        set_host: rpo.set_host.clone(),
       })
     }
 

rpxy-certs/Cargo.toml

@@ -26,8 +26,7 @@ rustls = { version = "0.23.32", default-features = false, features = [
   "std",
   "aws_lc_rs",
 ] }
-rustls-pemfile = { version = "2.2.0" }
+rustls-webpki = { version = "0.103.7", default-features = false, features = [
-rustls-webpki = { version = "0.103.6", default-features = false, features = [
   "std",
   "aws-lc-rs",
 ] }

rpxy-certs/src/crypto_source.rs

@@ -1,6 +1,7 @@
 use crate::{certs::SingleServerCertsKeys, error::*, log::*};
 use async_trait::async_trait;
 use derive_builder::Builder;
+use rustls::pki_types::{self, pem::PemObject};
 use std::{
   fs::File,
   io::{self, BufReader, Cursor, Read},
@@ -88,7 +89,7 @@ fn read_certs_and_keys(
       format!("Unable to load the certificates [{}]: {e}", cert_path.display()),
     )
   })?);
-  let raw_certs = rustls_pemfile::certs(&mut reader)
+  let raw_certs = pki_types::CertificateDer::pem_reader_iter(&mut reader)
     .collect::<Result<Vec<_>, _>>()
     .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the certificates"))?;
 
@@ -104,8 +105,8 @@ fn read_certs_and_keys(
     })?
     .read_to_end(&mut encoded_keys)?;
   let mut reader = Cursor::new(encoded_keys);
-  let pkcs8_keys = rustls_pemfile::pkcs8_private_keys(&mut reader)
+  let pkcs8_keys = pki_types::PrivatePkcs8KeyDer::pem_reader_iter(&mut reader)
-    .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs8))
+    .map(|v| v.map(pki_types::PrivateKeyDer::Pkcs8))
     .collect::<Result<Vec<_>, _>>()
     .map_err(|_| {
       io::Error::new(
@@ -114,9 +115,15 @@ fn read_certs_and_keys(
       )
     })?;
   reader.set_position(0);
-  let mut rsa_keys = rustls_pemfile::rsa_private_keys(&mut reader)
+  let mut rsa_keys = pki_types::PrivatePkcs1KeyDer::pem_reader_iter(&mut reader)
-    .map(|v| v.map(rustls::pki_types::PrivateKeyDer::Pkcs1))
+    .map(|v| v.map(pki_types::PrivateKeyDer::Pkcs1))
-    .collect::<Result<Vec<_>, _>>()?;
+    .collect::<Result<Vec<_>, _>>()
+    .map_err(|_| {
+      io::Error::new(
+        io::ErrorKind::InvalidInput,
+        "Unable to parse the certificates private keys (RSA)",
+      )
+    })?;
   let mut raw_cert_keys = pkcs8_keys;
   raw_cert_keys.append(&mut rsa_keys);
   if raw_cert_keys.is_empty() {
@@ -139,7 +146,7 @@ fn read_certs_and_keys(
         )
       })?;
       let mut reader = BufReader::new(inner);
-      rustls_pemfile::certs(&mut reader)
+      pki_types::CertificateDer::pem_reader_iter(&mut reader)
         .collect::<Result<Vec<_>, _>>()
         .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "Unable to parse the client certificates"))
     })

rpxy-lib/Cargo.toml

@@ -13,6 +13,8 @@ publish.workspace = true
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
+#default = ["rustls-backend", "rustls-backend-aws-lc-rs"]
+
 http3-quinn = ["socket2", "quinn", "h3", "h3-quinn", "rpxy-certs/http3"]
 http3-s2n = [
   "s2n-quic",
@@ -26,6 +28,12 @@ cache = ["http-cache-semantics", "lru", "sha2", "base64"]
 sticky-cookie = ["base64", "sha2", "chrono"]
 native-tls-backend = ["hyper-tls"]
 rustls-backend = ["hyper-rustls"]
+rustls-backend-aws-lc-rs = ["hyper-rustls/aws-lc-rs"]
+rustls-backend-boring = ["hyper-rustls/aws-lc-rs", "boring-rustls-provider"]
+rustls-backend-openssl = ["hyper-rustls/aws-lc-rs", "rustls-openssl"]
+rustls-backend-ring = ["hyper-rustls/ring"]
+rustls-backend-symcrypt = ["hyper-rustls/aws-lc-rs", "rustls-symcrypt"]
+rustls-backend-wolfcrypt = ["hyper-rustls/aws-lc-rs", "rustls-wolfcrypt-provider"]
 webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"]
 acme = ["dep:rpxy-acme"]
 post-quantum = [
@@ -71,7 +79,6 @@ hyper-tls = { version = "0.6.0", features = [
   "vendored",
 ], optional = true }
 hyper-rustls = { version = "0.27.7", default-features = false, features = [
-  "aws-lc-rs",
   "http1",
   "http2",
   "rustls-platform-verifier",
@@ -81,7 +88,11 @@ hyper-rustls = { version = "0.27.7", default-features = false, features = [
 rpxy-certs = { path = "../rpxy-certs/", default-features = false }
 hot_reload = "0.2.0"
 rustls = { version = "0.23.32", default-features = false }
+boring-rustls-provider = { git = "https://github.com/janrueth/boring-rustls-provider.git", rev = "490340afa77e2c08fc45853124f99d49f4f9f8a0", optional = true }
+rustls-openssl = { version = "0.3.0", default-features = false, optional = true }
 rustls-post-quantum = { version = "0.2.4", optional = true }
+rustls-symcrypt = { version = "0.2.1", optional = true, features = ["chacha", "x25519"] }
+rustls-wolfcrypt-provider = { git = "https://github.com/wolfSSL/rustls-wolfcrypt-provider.git", rev = "dfcdbfdba3a988494503886151f732ee0bd56c7d", optional = true }
 tokio-rustls = { version = "0.26.4", features = ["early-data"] }
 
 # acme
@@ -94,11 +105,11 @@ tracing = { version = "0.1.41" }
 quinn = { version = "0.11.9", optional = true }
 h3 = { version = "0.0.8", features = ["tracing"], optional = true }
 h3-quinn = { version = "0.0.10", optional = true }
-s2n-quic = { version = "1.66.0", path = "../submodules/s2n-quic/quic/s2n-quic/", default-features = false, features = [
+s2n-quic = { path = "../submodules/s2n-quic/quic/s2n-quic/", default-features = false, features = [
   "provider-tls-rustls",
 ], optional = true }
-s2n-quic-core = { version = "0.66.0", path = "../submodules/s2n-quic/quic/s2n-quic-core", default-features = false, optional = true }
+s2n-quic-core = { path = "../submodules/s2n-quic/quic/s2n-quic-core", default-features = false, optional = true }
-s2n-quic-rustls = { version = "0.66.0", path = "../submodules/s2n-quic/quic/s2n-quic-rustls", optional = true }
+s2n-quic-rustls = { path = "../submodules/s2n-quic/quic/s2n-quic-rustls", optional = true }
 s2n-quic-h3 = { path = "../submodules/s2n-quic/quic/s2n-quic-h3/", features = [
   "tracing",
 ], optional = true }

rpxy-lib/src/backend/upstream.rs

@@ -40,6 +40,7 @@ impl TryFrom<&AppConfig> for PathManager {
         .replace_path(&rpc.replace_path)
         .load_balance(&rpc.load_balance, &upstream_vec, &app_config.server_name, &rpc.path)
         .options(&rpc.upstream_options)
+        .set_host(&rpc.set_host)
         .build()
         .unwrap();
       inner.insert(elem.path.clone(), elem);
@@ -137,6 +138,9 @@ pub struct UpstreamCandidates {
   #[builder(setter(custom), default)]
   /// Activated upstream options defined in [[UpstreamOption]]
   pub options: HashSet<UpstreamOption>,
+
+  #[builder(setter(custom), default)]
+  pub set_host: Option<String>,
 }
 
 impl UpstreamCandidatesBuilder {
@@ -218,6 +222,10 @@ impl UpstreamCandidatesBuilder {
     self.options = Some(opts);
     self
   }
+  pub fn set_host(&mut self, set_host: &Option<String>) -> &mut Self {
+    self.set_host = Some(set_host.clone());
+    self
+  }
 }
 
 impl UpstreamCandidates {

rpxy-lib/src/forwarder/client.rs

@@ -103,6 +103,7 @@ where
   <B1 as Body>::Error: Into<Box<dyn std::error::Error + Send + Sync + 'static>>,
 {
   async fn request_directly(&self, req: Request<B1>) -> RpxyResult<Response<Incoming>> {
+    debug!("About to send request with Host header: {}", req.headers().get(hyper::header::HOST).unwrap().to_str().unwrap());
     // TODO: This 'match' condition is always evaluated at every 'request' invocation. So, it is inefficient.
     // Needs to be reconsidered. Currently, this is a kind of work around.
     // This possibly relates to https://github.com/hyperium/hyper/issues/2417.
@@ -228,6 +229,7 @@ where
     let inner = Client::builder(LocalExecutor::new(_globals.runtime_handle.clone())).build::<_, B1>(connector);
     let inner_h2 = Client::builder(LocalExecutor::new(_globals.runtime_handle.clone()))
       .http2_only(true)
+      .set_host(false)
       .build::<_, B1>(connector_h2);
 
     Ok(Self {

rpxy-lib/src/globals.rs

@@ -153,6 +153,7 @@ pub struct ReverseProxyConfig {
   pub upstream: Vec<UpstreamUri>,
   pub upstream_options: Option<Vec<String>>,
   pub load_balance: Option<String>,
+  pub set_host: Option<String>,
 }
 
 /// Configuration parameters for single upstream destination from a reverse proxy

rpxy-lib/src/lib.rs

@@ -100,13 +100,43 @@ pub async fn entrypoint(
     info!("Cache is disabled")
   }
 
-  #[cfg(not(feature = "post-quantum"))]
+  // Ensure multiple provider cannot be enabled without compile error.
-  // Install aws_lc_rs as default crypto provider for rustls
+  let _provider;
-  let _ = CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider());
+  #[cfg(feature = "rustls-backend-aws-lc-rs")]
+  {
+    info!("Using RusTLS provider aws-lc-rs");
+    _provider = CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider());
+  }
+  #[cfg(feature = "rustls-backend-boring")]
+  {
+    info!("Using RusTLS provider boring");
+    _provider = CryptoProvider::install_default(boring_rustls_provider::provider());
+  }
+  #[cfg(feature = "rustls-backend-openssl")]
+  {
+    info!("Using RusTLS provider openssl");
+    _provider = CryptoProvider::install_default(rustls_openssl::default_provider());
+  }
   #[cfg(feature = "post-quantum")]
-  let _ = CryptoProvider::install_default(rustls_post_quantum::provider());
+  {
-  #[cfg(feature = "post-quantum")]
+    info!("Using RusTLS provider post_quantum");
-  info!("Post-quantum crypto provider is installed");
+    _provider = CryptoProvider::install_default(rustls_post_quantum::provider());
+  }
+  #[cfg(feature = "rustls-backend-ring")]
+  {
+    info!("Using RusTLS provider ring");
+    _provider = CryptoProvider::install_default(rustls::crypto::ring::default_provider());
+  }
+  #[cfg(feature = "rustls-backend-symcrypt")]
+  {
+    info!("Using RusTLS provider symcrypt");
+    _provider = CryptoProvider::install_default(rustls_symcrypt::default_symcrypt_provider());
+  }
+  #[cfg(feature = "rustls-backend-wolfcrypt")]
+  {
+    info!("Using RusTLS provider wolfcrypt");
+    _provider = CryptoProvider::install_default(rustls_wolfcrypt_provider::provider());
+  }
 
   // 1. build backends, and make it contained in Arc
   let app_manager = Arc::new(backend::BackendAppManager::try_from(app_config_list)?);

rpxy-lib/src/message_handler/handler_manipulate_messages.rs

@@ -168,6 +168,12 @@ where
       // can update request line i.e., http version, only if not upgrade (http 1.1)
       update_request_line(req, upstream_chosen, upstream_candidates)?;
     }
+    
+    if let Some(set_host) = &upstream_candidates.set_host {
+      if let Some(host) = req.headers_mut().get_mut(&header::HOST) {
+        *host = HeaderValue::from_str(set_host).unwrap();
+      }
+    }
 
     Ok(context)
   }

rpxy-lib/src/message_handler/utils_headers.rs

@@ -371,7 +371,8 @@ pub(super) fn host_from_uri_or_host_header(uri: &Uri, host_header_value: Option<
   // Prioritize uri host over host header
   let uri_host = uri.host().map(|host| {
     if let Some(port) = uri.port_u16() {
-      format!("{}:{}", host, port)
+      //format!("{}:{}", host, port)
+      host.to_string()
     } else {
       host.to_string()
     }