From 63ee953912f6f00ce50ee07ed76682d1573ce3c6 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 12 Jul 2024 15:52:23 +0900 Subject: [PATCH 01/30] chore: deps --- rpxy-certs/Cargo.toml | 2 +- rpxy-lib/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index 1370e0b4..cd308156 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -18,7 +18,7 @@ http3 = [] rustc-hash = { version = "2.0.0" } tracing = { version = "0.1.40" } derive_builder = { version = "0.20.0" } -thiserror = { version = "1.0.61" } +thiserror = { version = "1.0.62" } hot_reload = { version = "0.1.5" } async-trait = { version = "0.1.81" } rustls = { version = "0.23.11", default-features = false, features = [ diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 669a81fb..e9a4666d 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -49,7 +49,7 @@ async-trait = "0.1.81" # Error handling anyhow = "1.0.86" -thiserror = "1.0.61" +thiserror = "1.0.62" # http for both server and client http = "1.1.0" From 887e6b64b0f1984fcfdf3691c8b76ef74f002d27 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 12 Jul 2024 23:50:37 +0900 Subject: [PATCH 02/30] feat: wip - configuration design --- Cargo.toml | 2 +- rpxy-acme/Cargo.toml | 17 +++++++++ rpxy-acme/src/constants.rs | 14 ++++++++ rpxy-acme/src/error.rs | 15 ++++++++ rpxy-acme/src/lib.rs | 12 +++++++ rpxy-bin/Cargo.toml | 7 ++-- rpxy-bin/src/config/mod.rs | 5 ++- rpxy-bin/src/config/parse.rs | 58 +++++++++++++++++++++++++++++- rpxy-bin/src/config/toml.rs | 28 +++++++++++++++ rpxy-bin/src/main.rs | 8 +++++ rpxy-certs/src/reloader_service.rs | 11 +++--- rpxy-lib/Cargo.toml | 5 +-- rpxy-lib/src/globals.rs | 2 ++ 13 files changed, 173 insertions(+), 11 deletions(-) create mode 100644 rpxy-acme/Cargo.toml create mode 100644 rpxy-acme/src/constants.rs create mode 100644 rpxy-acme/src/error.rs create mode 100644 rpxy-acme/src/lib.rs diff --git a/Cargo.toml b/Cargo.toml index 355e5b14..68be1fe3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -9,7 +9,7 @@ edition = "2021" publish = false [workspace] -members = ["rpxy-bin", "rpxy-lib", "rpxy-certs"] +members = ["rpxy-bin", "rpxy-lib", "rpxy-certs", "rpxy-acme"] exclude = ["submodules"] resolver = "2" diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml new file mode 100644 index 00000000..4ceeaf37 --- /dev/null +++ b/rpxy-acme/Cargo.toml @@ -0,0 +1,17 @@ +[package] +name = "rpxy-acme" +description = "ACME manager library for `rpxy`" +version.workspace = true +authors.workspace = true +homepage.workspace = true +repository.workspace = true +license.workspace = true +readme.workspace = true +edition.workspace = true +publish.workspace = true + +[dependencies] +url = { version = "2.5.2" } +rustc-hash = "2.0.0" +thiserror = "1.0.62" +tracing = "0.1.40" diff --git a/rpxy-acme/src/constants.rs b/rpxy-acme/src/constants.rs new file mode 100644 index 00000000..edb657b9 --- /dev/null +++ b/rpxy-acme/src/constants.rs @@ -0,0 +1,14 @@ +/// ACME directory url +pub const ACME_DIR_URL: &str = "https://acme-v02.api.letsencrypt.org/directory"; + +/// ACME registry path that stores account key and certificate +pub const ACME_REGISTRY_PATH: &str = "./acme_registry"; + +/// ACME accounts directory, subdirectory of ACME_REGISTRY_PATH +pub(crate) const ACME_ACCOUNT_SUBDIR: &str = "account"; + +/// ACME private key file name +pub const ACME_PRIVATE_KEY_FILE_NAME: &str = "private_key.pem"; + +/// ACME certificate file name +pub const ACME_CERTIFICATE_FILE_NAME: &str = "certificate.pem"; diff --git a/rpxy-acme/src/error.rs b/rpxy-acme/src/error.rs new file mode 100644 index 00000000..08133c52 --- /dev/null +++ b/rpxy-acme/src/error.rs @@ -0,0 +1,15 @@ +use thiserror::Error; + +#[derive(Error, Debug)] +/// Error type for rpxy-acme +pub enum RpxyAcmeError { + /// Invalid acme registry path + #[error("Invalid acme registry path")] + InvalidAcmeRegistryPath, + /// Invalid url + #[error("Invalid url: {0}")] + InvalidUrl(#[from] url::ParseError), + /// IO error + #[error("IO error: {0}")] + Io(#[from] std::io::Error), +} diff --git a/rpxy-acme/src/lib.rs b/rpxy-acme/src/lib.rs new file mode 100644 index 00000000..1fec84c6 --- /dev/null +++ b/rpxy-acme/src/lib.rs @@ -0,0 +1,12 @@ +mod constants; +mod error; +mod targets; + +#[allow(unused_imports)] +mod log { + pub(super) use tracing::{debug, error, info, warn}; +} + +pub use constants::{ACME_CERTIFICATE_FILE_NAME, ACME_DIR_URL, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH}; +pub use error::RpxyAcmeError; +pub use targets::AcmeTargets; diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index d571d1e5..358ee431 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -13,14 +13,15 @@ publish.workspace = true # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [features] -default = ["http3-quinn", "cache", "rustls-backend"] -# default = ["http3-s2n", "cache", "rustls-backend"] +default = ["http3-quinn", "cache", "rustls-backend", "acme"] +# default = ["http3-s2n", "cache", "rustls-backend", "acme"] http3-quinn = ["rpxy-lib/http3-quinn"] http3-s2n = ["rpxy-lib/http3-s2n"] native-tls-backend = ["rpxy-lib/native-tls-backend"] rustls-backend = ["rpxy-lib/rustls-backend"] webpki-roots = ["rpxy-lib/webpki-roots"] cache = ["rpxy-lib/cache"] +acme = ["rpxy-lib/acme", "rpxy-acme"] [dependencies] rpxy-lib = { path = "../rpxy-lib/", default-features = false, features = [ @@ -56,4 +57,6 @@ rpxy-certs = { path = "../rpxy-certs/", default-features = false, features = [ "http3", ] } +rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true } + [dev-dependencies] diff --git a/rpxy-bin/src/config/mod.rs b/rpxy-bin/src/config/mod.rs index adc4ff28..079e477a 100644 --- a/rpxy-bin/src/config/mod.rs +++ b/rpxy-bin/src/config/mod.rs @@ -3,7 +3,10 @@ mod service; mod toml; pub use { - self::toml::ConfigToml, parse::{build_cert_manager, build_settings, parse_opts}, service::ConfigTomlReloader, + toml::ConfigToml, }; + +#[cfg(feature = "acme")] +pub use parse::build_acme_manager; diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs index f45ca17c..4a28beda 100644 --- a/rpxy-bin/src/config/parse.rs +++ b/rpxy-bin/src/config/parse.rs @@ -6,6 +6,9 @@ use rpxy_certs::{build_cert_reloader, CryptoFileSourceBuilder, CryptoReloader, S use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig}; use rustc_hash::FxHashMap as HashMap; +#[cfg(feature = "acme")] +use rpxy_acme::{AcmeTargets, ACME_CERTIFICATE_FILE_NAME, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH}; + /// Parsed options pub struct Opts { pub config_file_path: String, @@ -103,11 +106,34 @@ pub async fn build_cert_manager( if config.listen_port_tls.is_none() { return Ok(None); } + + #[cfg(feature = "acme")] + let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); + #[cfg(feature = "acme")] + let registry_path = acme_option + .as_ref() + .and_then(|v| v.registry_path.as_deref()) + .unwrap_or(ACME_REGISTRY_PATH); + let mut crypto_source_map = HashMap::default(); for app in apps.0.values() { if let Some(tls) = app.tls.as_ref() { - ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some()); let server_name = app.server_name.as_ref().ok_or(anyhow!("No server name"))?; + + #[cfg(not(feature = "acme"))] + ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some()); + + #[cfg(feature = "acme")] + let tls = { + let mut tls = tls.clone(); + if let Some(true) = tls.acme { + ensure!(acme_option.is_some() && tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none()); + tls.tls_cert_key_path = Some(format!("{registry_path}/{server_name}/{ACME_CERTIFICATE_FILE_NAME}")); + tls.tls_cert_path = Some(format!("{registry_path}/{server_name}/{ACME_PRIVATE_KEY_FILE_NAME}")); + } + tls + }; + let crypto_file_source = CryptoFileSourceBuilder::default() .tls_cert_path(tls.tls_cert_path.as_ref().unwrap()) .tls_cert_key_path(tls.tls_cert_key_path.as_ref().unwrap()) @@ -119,3 +145,33 @@ pub async fn build_cert_manager( let res = build_cert_reloader(&crypto_source_map, None).await?; Ok(Some(res)) } + +/* ----------------------- */ +#[cfg(feature = "acme")] +/// Build acme manager and dummy cert and key as initial states if not exists +/// TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING +pub async fn build_acme_manager(config: &ConfigToml) -> Result<(), anyhow::Error> { + let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); + if acme_option.is_none() { + return Ok(()); + } + let acme_option = acme_option.unwrap(); + let mut acme_targets = AcmeTargets::try_new( + acme_option.email.as_ref(), + acme_option.dir_url.as_deref(), + acme_option.registry_path.as_deref(), + ) + .map_err(|e| anyhow!("Invalid acme configuration: {e}"))?; + + let apps = config.apps.as_ref().unwrap(); + for app in apps.0.values() { + if let Some(tls) = app.tls.as_ref() { + if tls.acme.unwrap_or(false) { + acme_targets.add_target(app.server_name.as_ref().unwrap())?; + } + } + } + // TODO: remove later + println!("ACME targets: {:#?}", acme_targets); + Ok(()) +} diff --git a/rpxy-bin/src/config/toml.rs b/rpxy-bin/src/config/toml.rs index 957296cf..b2a70bb5 100644 --- a/rpxy-bin/src/config/toml.rs +++ b/rpxy-bin/src/config/toml.rs @@ -41,12 +41,25 @@ pub struct CacheOption { pub max_cache_each_size_on_memory: Option, } +#[cfg(feature = "acme")] +#[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)] +pub struct AcmeOption { + pub dir_url: Option, + pub email: String, + pub registry_path: Option, +} + #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)] pub struct Experimental { #[cfg(any(feature = "http3-quinn", feature = "http3-s2n"))] pub h3: Option, + #[cfg(feature = "cache")] pub cache: Option, + + #[cfg(feature = "acme")] + pub acme: Option, + pub ignore_sni_consistency: Option, pub connection_handling_timeout: Option, } @@ -67,6 +80,8 @@ pub struct TlsOption { pub tls_cert_key_path: Option, pub https_redirection: Option, pub client_ca_cert_path: Option, + #[cfg(feature = "acme")] + pub acme: Option, } #[derive(Deserialize, Debug, Default, PartialEq, Eq, Clone)] @@ -222,8 +237,19 @@ impl Application { // tls settings let tls_config = if self.tls.is_some() { let tls = self.tls.as_ref().unwrap(); + + #[cfg(not(feature = "acme"))] ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some()); + #[cfg(feature = "acme")] + { + if tls.acme.unwrap_or(false) { + ensure!(tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none()); + } else { + ensure!(tls.tls_cert_key_path.is_some() && tls.tls_cert_path.is_some()); + } + } + let https_redirection = if tls.https_redirection.is_none() { true // Default true } else { @@ -233,6 +259,8 @@ impl Application { Some(TlsConfig { mutual_tls: tls.client_ca_cert_path.is_some(), https_redirection, + #[cfg(feature = "acme")] + acme: tls.acme.unwrap_or(false), }) } else { None diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index d3988e31..9847a5fa 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -6,6 +6,8 @@ mod constants; mod error; mod log; +#[cfg(feature = "acme")] +use crate::config::build_acme_manager; use crate::{ config::{build_cert_manager, build_settings, parse_opts, ConfigToml, ConfigTomlReloader}, constants::CONFIG_WATCH_DELAY_SECS, @@ -66,6 +68,9 @@ async fn rpxy_service_without_watcher( let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?; let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; + #[cfg(feature = "acme")] // TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING + let acme_manager = build_acme_manager(&config_toml).await; + let cert_service_and_rx = build_cert_manager(&config_toml) .await .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?; @@ -88,6 +93,9 @@ async fn rpxy_service_with_watcher( .ok_or(anyhow!("Something wrong in config reloader receiver"))?; let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; + #[cfg(feature = "acme")] // TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING + let acme_manager = build_acme_manager(&config_toml).await; + let mut cert_service_and_rx = build_cert_manager(&config_toml) .await .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?; diff --git a/rpxy-certs/src/reloader_service.rs b/rpxy-certs/src/reloader_service.rs index c3d1fcd7..4d10fa19 100644 --- a/rpxy-certs/src/reloader_service.rs +++ b/rpxy-certs/src/reloader_service.rs @@ -46,10 +46,13 @@ impl Reload for CryptoReloader { let mut server_crypto_base = ServerCryptoBase::default(); for (server_name_bytes, crypto_source) in self.inner.iter() { - let certs_keys = crypto_source.read().await.map_err(|e| { - error!("Failed to reload cert, key or ca cert: {e}"); - ReloaderError::::Reload("Failed to reload cert, key or ca cert") - })?; + let certs_keys = match crypto_source.read().await { + Ok(certs_keys) => certs_keys, + Err(e) => { + error!("Failed to read certs and keys, skip at this time: {}", e); + continue; + } + }; server_crypto_base.inner.insert(server_name_bytes.clone(), certs_keys); } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index e9a4666d..1fbeb115 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -13,8 +13,8 @@ publish.workspace = true # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [features] -# default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend"] -default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend"] +# default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend", "acme"] +# default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend", "acme"] http3-quinn = ["socket2", "quinn", "h3", "h3-quinn", "rpxy-certs/http3"] http3-s2n = [ "s2n-quic", @@ -29,6 +29,7 @@ sticky-cookie = ["base64", "sha2", "chrono"] native-tls-backend = ["hyper-tls"] rustls-backend = ["hyper-rustls"] webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"] +acme = [] [dependencies] rand = "0.8.5" diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs index 3582cdb8..fa19f787 100644 --- a/rpxy-lib/src/globals.rs +++ b/rpxy-lib/src/globals.rs @@ -159,4 +159,6 @@ pub struct UpstreamUri { pub struct TlsConfig { pub mutual_tls: bool, pub https_redirection: bool, + #[cfg(feature = "acme")] + pub acme: bool, } From 1c1fdc1f93ea76ae4336436e7dcffc0c3806c0c7 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 12 Jul 2024 23:50:58 +0900 Subject: [PATCH 03/30] feat: wip - configuration design --- rpxy-acme/src/targets.rs | 83 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 rpxy-acme/src/targets.rs diff --git a/rpxy-acme/src/targets.rs b/rpxy-acme/src/targets.rs new file mode 100644 index 00000000..0cc6f99f --- /dev/null +++ b/rpxy-acme/src/targets.rs @@ -0,0 +1,83 @@ +use rustc_hash::FxHashMap as HashMap; +use std::path::PathBuf; +use url::Url; + +use crate::{ + constants::{ACME_ACCOUNT_SUBDIR, ACME_CERTIFICATE_FILE_NAME, ACME_DIR_URL, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH}, + error::RpxyAcmeError, + log::*, +}; + +#[derive(Debug)] +/// ACME settings +pub struct AcmeTargets { + /// ACME account email + pub email: String, + /// ACME directory url + pub acme_dir_url: Url, + /// ACME registry path that stores account key and certificate + pub acme_registry_path: PathBuf, + /// ACME accounts directory, subdirectory of ACME_REGISTRY_PATH + pub acme_accounts_dir: PathBuf, + /// ACME target info map + pub acme_targets: HashMap, +} + +#[derive(Debug)] +/// ACME settings for each server name +pub struct AcmeTargetInfo { + /// Server name + pub server_name: String, + /// private key path + pub private_key_path: PathBuf, + /// certificate path + pub certificate_path: PathBuf, +} + +impl AcmeTargets { + /// Create a new instance + pub fn try_new(email: &str, acme_dir_url: Option<&str>, acme_registry_path: Option<&str>) -> Result { + let acme_dir_url = Url::parse(acme_dir_url.unwrap_or(ACME_DIR_URL))?; + let acme_registry_path = acme_registry_path.map_or_else(|| PathBuf::from(ACME_REGISTRY_PATH), PathBuf::from); + if acme_registry_path.exists() && !acme_registry_path.is_dir() { + return Err(RpxyAcmeError::InvalidAcmeRegistryPath); + } + let acme_account_dir = acme_registry_path.join(ACME_ACCOUNT_SUBDIR); + if acme_account_dir.exists() && !acme_account_dir.is_dir() { + return Err(RpxyAcmeError::InvalidAcmeRegistryPath); + } + std::fs::create_dir_all(&acme_account_dir)?; + + Ok(Self { + email: email.to_owned(), + acme_dir_url, + acme_registry_path, + acme_accounts_dir: acme_account_dir, + acme_targets: HashMap::default(), + }) + } + + /// Add a new target + /// Write dummy cert and key files if not exists + pub fn add_target(&mut self, server_name: &str) -> Result<(), RpxyAcmeError> { + info!("Adding ACME target: {}", server_name); + let parent_dir = self.acme_registry_path.join(server_name); + let private_key_path = parent_dir.join(ACME_PRIVATE_KEY_FILE_NAME); + let certificate_path = parent_dir.join(ACME_CERTIFICATE_FILE_NAME); + + if !parent_dir.exists() { + warn!("Creating ACME target directory: {}", parent_dir.display()); + std::fs::create_dir_all(parent_dir)?; + } + + self.acme_targets.insert( + server_name.to_owned(), + AcmeTargetInfo { + server_name: server_name.to_owned(), + private_key_path, + certificate_path, + }, + ); + Ok(()) + } +} From 9b9622edc51ae77f551c6bc92fed1fa69026fdda Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 13 Jul 2024 04:29:53 +0900 Subject: [PATCH 04/30] wip: designing acme --- rpxy-acme/Cargo.toml | 14 ++++ rpxy-acme/src/constants.rs | 8 +- rpxy-acme/src/dir_cache.rs | 107 +++++++++++++++++++++++++++ rpxy-acme/src/lib.rs | 6 +- rpxy-acme/src/targets.rs | 137 +++++++++++++++++++---------------- rpxy-bin/src/config/parse.rs | 59 ++++++++------- 6 files changed, 235 insertions(+), 96 deletions(-) create mode 100644 rpxy-acme/src/dir_cache.rs diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 4ceeaf37..57dd5145 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -15,3 +15,17 @@ url = { version = "2.5.2" } rustc-hash = "2.0.0" thiserror = "1.0.62" tracing = "0.1.40" +async-trait = "0.1.81" +base64 = "0.22.1" +aws-lc-rs = { version = "1.8.0", default-features = false, features = [ + "aws-lc-sys", +] } +blocking = "1.6.1" +rustls = { version = "0.23.11", default-features = false, features = [ + "std", + "aws_lc_rs", +] } +rustls-platform-verifier = { version = "0.3.2" } +rustls-acme = { path = "../../rustls-acme/", default-features = false, features = [ + "aws-lc-rs", +] } diff --git a/rpxy-acme/src/constants.rs b/rpxy-acme/src/constants.rs index edb657b9..7b544b0b 100644 --- a/rpxy-acme/src/constants.rs +++ b/rpxy-acme/src/constants.rs @@ -5,10 +5,4 @@ pub const ACME_DIR_URL: &str = "https://acme-v02.api.letsencrypt.org/directory"; pub const ACME_REGISTRY_PATH: &str = "./acme_registry"; /// ACME accounts directory, subdirectory of ACME_REGISTRY_PATH -pub(crate) const ACME_ACCOUNT_SUBDIR: &str = "account"; - -/// ACME private key file name -pub const ACME_PRIVATE_KEY_FILE_NAME: &str = "private_key.pem"; - -/// ACME certificate file name -pub const ACME_CERTIFICATE_FILE_NAME: &str = "certificate.pem"; +pub(crate) const ACME_ACCOUNT_SUBDIR: &str = "accounts"; diff --git a/rpxy-acme/src/dir_cache.rs b/rpxy-acme/src/dir_cache.rs new file mode 100644 index 00000000..2f613d8d --- /dev/null +++ b/rpxy-acme/src/dir_cache.rs @@ -0,0 +1,107 @@ +use crate::constants::ACME_ACCOUNT_SUBDIR; +use async_trait::async_trait; +use aws_lc_rs as crypto; +use base64::prelude::*; +use blocking::unblock; +use crypto::digest::{Context, SHA256}; +use rustls_acme::{AccountCache, CertCache}; +use std::{ + io::ErrorKind, + path::{Path, PathBuf}, +}; + +enum FileType { + Account, + Cert, +} + +#[derive(Debug)] +pub struct DirCache { + account_dir: PathBuf, + cert_dir: PathBuf, +} + +impl DirCache { + pub fn new

(dir: P, server_name: impl AsRef) -> Self + where + P: AsRef, + { + Self { + account_dir: dir.as_ref().join(ACME_ACCOUNT_SUBDIR), + cert_dir: dir.as_ref().join(server_name), + } + } + async fn read_if_exist(&self, file: impl AsRef, file_type: FileType) -> Result>, std::io::Error> { + let subdir = match file_type { + FileType::Account => &self.account_dir, + FileType::Cert => &self.cert_dir, + }; + let file_path = subdir.join(file); + match unblock(move || std::fs::read(file_path)).await { + Ok(content) => Ok(Some(content)), + Err(err) => match err.kind() { + ErrorKind::NotFound => Ok(None), + _ => Err(err), + }, + } + } + async fn write(&self, file: impl AsRef, contents: impl AsRef<[u8]>, file_type: FileType) -> Result<(), std::io::Error> { + let subdir = match file_type { + FileType::Account => &self.account_dir, + FileType::Cert => &self.cert_dir, + } + .clone(); + let subdir_clone = subdir.clone(); + unblock(move || std::fs::create_dir_all(subdir_clone)).await?; + let file_path = subdir.join(file); + let contents = contents.as_ref().to_owned(); + unblock(move || std::fs::write(file_path, contents)).await + } + pub fn cached_account_file_name(contact: &[String], directory_url: impl AsRef) -> String { + let mut ctx = Context::new(&SHA256); + for el in contact { + ctx.update(el.as_ref()); + ctx.update(&[0]) + } + ctx.update(directory_url.as_ref().as_bytes()); + let hash = BASE64_URL_SAFE_NO_PAD.encode(ctx.finish()); + format!("cached_account_{}", hash) + } + pub fn cached_cert_file_name(domains: &[String], directory_url: impl AsRef) -> String { + let mut ctx = Context::new(&SHA256); + for domain in domains { + ctx.update(domain.as_ref()); + ctx.update(&[0]) + } + ctx.update(directory_url.as_ref().as_bytes()); + let hash = BASE64_URL_SAFE_NO_PAD.encode(ctx.finish()); + format!("cached_cert_{}", hash) + } +} + +#[async_trait] +impl CertCache for DirCache { + type EC = std::io::Error; + async fn load_cert(&self, domains: &[String], directory_url: &str) -> Result>, Self::EC> { + let file_name = Self::cached_cert_file_name(domains, directory_url); + self.read_if_exist(file_name, FileType::Cert).await + } + async fn store_cert(&self, domains: &[String], directory_url: &str, cert: &[u8]) -> Result<(), Self::EC> { + let file_name = Self::cached_cert_file_name(domains, directory_url); + self.write(file_name, cert, FileType::Cert).await + } +} + +#[async_trait] +impl AccountCache for DirCache { + type EA = std::io::Error; + async fn load_account(&self, contact: &[String], directory_url: &str) -> Result>, Self::EA> { + let file_name = Self::cached_account_file_name(contact, directory_url); + self.read_if_exist(file_name, FileType::Account).await + } + + async fn store_account(&self, contact: &[String], directory_url: &str, account: &[u8]) -> Result<(), Self::EA> { + let file_name = Self::cached_account_file_name(contact, directory_url); + self.write(file_name, account, FileType::Account).await + } +} diff --git a/rpxy-acme/src/lib.rs b/rpxy-acme/src/lib.rs index 1fec84c6..813b388a 100644 --- a/rpxy-acme/src/lib.rs +++ b/rpxy-acme/src/lib.rs @@ -1,4 +1,5 @@ mod constants; +mod dir_cache; mod error; mod targets; @@ -7,6 +8,7 @@ mod log { pub(super) use tracing::{debug, error, info, warn}; } -pub use constants::{ACME_CERTIFICATE_FILE_NAME, ACME_DIR_URL, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH}; +pub use constants::{ACME_DIR_URL, ACME_REGISTRY_PATH}; +pub use dir_cache::DirCache; pub use error::RpxyAcmeError; -pub use targets::AcmeTargets; +pub use targets::AcmeContexts; diff --git a/rpxy-acme/src/targets.rs b/rpxy-acme/src/targets.rs index 0cc6f99f..08c46852 100644 --- a/rpxy-acme/src/targets.rs +++ b/rpxy-acme/src/targets.rs @@ -1,83 +1,96 @@ -use rustc_hash::FxHashMap as HashMap; -use std::path::PathBuf; -use url::Url; - +use crate::dir_cache::DirCache; use crate::{ - constants::{ACME_ACCOUNT_SUBDIR, ACME_CERTIFICATE_FILE_NAME, ACME_DIR_URL, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH}, + constants::{ACME_DIR_URL, ACME_REGISTRY_PATH}, error::RpxyAcmeError, log::*, }; +use rustc_hash::FxHashMap as HashMap; +use rustls_acme::AcmeConfig; +use std::{fmt::Debug, path::PathBuf, sync::Arc}; +use url::Url; #[derive(Debug)] /// ACME settings -pub struct AcmeTargets { - /// ACME account email - pub email: String, +pub struct AcmeContexts +where + EC: Debug + 'static, + EA: Debug + 'static, +{ /// ACME directory url - pub acme_dir_url: Url, - /// ACME registry path that stores account key and certificate - pub acme_registry_path: PathBuf, - /// ACME accounts directory, subdirectory of ACME_REGISTRY_PATH - pub acme_accounts_dir: PathBuf, - /// ACME target info map - pub acme_targets: HashMap, -} - -#[derive(Debug)] -/// ACME settings for each server name -pub struct AcmeTargetInfo { - /// Server name - pub server_name: String, - /// private key path - pub private_key_path: PathBuf, - /// certificate path - pub certificate_path: PathBuf, + acme_dir_url: Url, + /// ACME registry directory + acme_registry_dir: PathBuf, + /// ACME contacts + contacts: Vec, + /// ACME config + inner: HashMap>>, } -impl AcmeTargets { - /// Create a new instance - pub fn try_new(email: &str, acme_dir_url: Option<&str>, acme_registry_path: Option<&str>) -> Result { - let acme_dir_url = Url::parse(acme_dir_url.unwrap_or(ACME_DIR_URL))?; - let acme_registry_path = acme_registry_path.map_or_else(|| PathBuf::from(ACME_REGISTRY_PATH), PathBuf::from); - if acme_registry_path.exists() && !acme_registry_path.is_dir() { - return Err(RpxyAcmeError::InvalidAcmeRegistryPath); - } - let acme_account_dir = acme_registry_path.join(ACME_ACCOUNT_SUBDIR); - if acme_account_dir.exists() && !acme_account_dir.is_dir() { +impl AcmeContexts { + /// Create a new instance. Note that for each domain, a new AcmeConfig is created. + /// This means that for each domain, a distinct operation will be dispatched and separated certificates will be generated. + pub fn try_new( + acme_dir_url: Option<&str>, + acme_registry_dir: Option<&str>, + contacts: &[String], + domains: &[String], + ) -> Result { + let acme_registry_dir = acme_registry_dir + .map(|v| v.to_ascii_lowercase()) + .map_or_else(|| PathBuf::from(ACME_REGISTRY_PATH), PathBuf::from); + if acme_registry_dir.exists() && !acme_registry_dir.is_dir() { return Err(RpxyAcmeError::InvalidAcmeRegistryPath); } - std::fs::create_dir_all(&acme_account_dir)?; + let acme_dir_url = acme_dir_url + .map(|v| v.to_ascii_lowercase()) + .as_deref() + .map_or_else(|| Url::parse(ACME_DIR_URL), Url::parse)?; + let contacts = contacts.iter().map(|email| format!("mailto:{email}")).collect::>(); + let rustls_client_config = rustls::ClientConfig::builder() + .dangerous() // The `Verifier` we're using is actually safe + .with_custom_certificate_verifier(std::sync::Arc::new(rustls_platform_verifier::Verifier::new())) + .with_no_client_auth(); + let rustls_client_config = Arc::new(rustls_client_config); + + let inner = domains + .iter() + .map(|domain| { + let dir_cache = DirCache::new(&acme_registry_dir, domain); + let config = AcmeConfig::new([domain]) + .contact(&contacts) + .cache(dir_cache) + .directory(acme_dir_url.as_str()) + .client_tls_config(rustls_client_config.clone()); + let config = Box::new(config); + (domain.to_ascii_lowercase(), config) + }) + .collect::>(); Ok(Self { - email: email.to_owned(), acme_dir_url, - acme_registry_path, - acme_accounts_dir: acme_account_dir, - acme_targets: HashMap::default(), + acme_registry_dir, + contacts, + inner, }) } +} - /// Add a new target - /// Write dummy cert and key files if not exists - pub fn add_target(&mut self, server_name: &str) -> Result<(), RpxyAcmeError> { - info!("Adding ACME target: {}", server_name); - let parent_dir = self.acme_registry_path.join(server_name); - let private_key_path = parent_dir.join(ACME_PRIVATE_KEY_FILE_NAME); - let certificate_path = parent_dir.join(ACME_CERTIFICATE_FILE_NAME); - - if !parent_dir.exists() { - warn!("Creating ACME target directory: {}", parent_dir.display()); - std::fs::create_dir_all(parent_dir)?; - } +#[cfg(test)] +mod tests { + use super::*; - self.acme_targets.insert( - server_name.to_owned(), - AcmeTargetInfo { - server_name: server_name.to_owned(), - private_key_path, - certificate_path, - }, - ); - Ok(()) + #[test] + fn test_try_new() { + let acme_dir_url = "https://acme.example.com/directory"; + let acme_registry_dir = "/tmp/acme"; + let contacts = vec!["test@example.com".to_string()]; + let acme_contexts: AcmeContexts = AcmeContexts::try_new( + Some(acme_dir_url), + Some(acme_registry_dir), + &contacts, + &["example.com".to_string(), "example.org".to_string()], + ) + .unwrap(); + println!("{:#?}", acme_contexts); } } diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs index 4a28beda..741cc7ae 100644 --- a/rpxy-bin/src/config/parse.rs +++ b/rpxy-bin/src/config/parse.rs @@ -7,7 +7,7 @@ use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig}; use rustc_hash::FxHashMap as HashMap; #[cfg(feature = "acme")] -use rpxy_acme::{AcmeTargets, ACME_CERTIFICATE_FILE_NAME, ACME_PRIVATE_KEY_FILE_NAME, ACME_REGISTRY_PATH}; +use rpxy_acme::{ACME_DIR_URL, ACME_REGISTRY_PATH}; /// Parsed options pub struct Opts { @@ -110,7 +110,12 @@ pub async fn build_cert_manager( #[cfg(feature = "acme")] let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); #[cfg(feature = "acme")] - let registry_path = acme_option + let acme_dir_url = acme_option + .as_ref() + .and_then(|v| v.dir_url.as_deref()) + .unwrap_or(ACME_DIR_URL); + #[cfg(feature = "acme")] + let acme_registry_path = acme_option .as_ref() .and_then(|v| v.registry_path.as_deref()) .unwrap_or(ACME_REGISTRY_PATH); @@ -128,8 +133,12 @@ pub async fn build_cert_manager( let mut tls = tls.clone(); if let Some(true) = tls.acme { ensure!(acme_option.is_some() && tls.tls_cert_key_path.is_none() && tls.tls_cert_path.is_none()); - tls.tls_cert_key_path = Some(format!("{registry_path}/{server_name}/{ACME_CERTIFICATE_FILE_NAME}")); - tls.tls_cert_path = Some(format!("{registry_path}/{server_name}/{ACME_PRIVATE_KEY_FILE_NAME}")); + // Both of tls_cert_key_path and tls_cert_path must be the same for ACME since it's a single file + let subdir = format!("{}/{}", acme_registry_path, server_name.to_ascii_lowercase()); + let file_name = + rpxy_acme::DirCache::cached_cert_file_name(&[server_name.to_ascii_lowercase()], acme_dir_url.to_ascii_lowercase()); + tls.tls_cert_key_path = Some(format!("{}/{}", subdir, file_name)); + tls.tls_cert_path = Some(format!("{}/{}", subdir, file_name)); } tls }; @@ -151,27 +160,27 @@ pub async fn build_cert_manager( /// Build acme manager and dummy cert and key as initial states if not exists /// TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING pub async fn build_acme_manager(config: &ConfigToml) -> Result<(), anyhow::Error> { - let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); - if acme_option.is_none() { - return Ok(()); - } - let acme_option = acme_option.unwrap(); - let mut acme_targets = AcmeTargets::try_new( - acme_option.email.as_ref(), - acme_option.dir_url.as_deref(), - acme_option.registry_path.as_deref(), - ) - .map_err(|e| anyhow!("Invalid acme configuration: {e}"))?; - - let apps = config.apps.as_ref().unwrap(); - for app in apps.0.values() { - if let Some(tls) = app.tls.as_ref() { - if tls.acme.unwrap_or(false) { - acme_targets.add_target(app.server_name.as_ref().unwrap())?; - } - } - } + // let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); + // if acme_option.is_none() { + // return Ok(()); + // } + // let acme_option = acme_option.unwrap(); + // let mut acme_targets = AcmeTargets::try_new( + // acme_option.email.as_ref(), + // acme_option.dir_url.as_deref(), + // acme_option.registry_path.as_deref(), + // ) + // .map_err(|e| anyhow!("Invalid acme configuration: {e}"))?; + + // let apps = config.apps.as_ref().unwrap(); + // for app in apps.0.values() { + // if let Some(tls) = app.tls.as_ref() { + // if tls.acme.unwrap_or(false) { + // acme_targets.add_target(app.server_name.as_ref().unwrap())?; + // } + // } + // } // TODO: remove later - println!("ACME targets: {:#?}", acme_targets); + // println!("ACME targets: {:#?}", acme_targets); Ok(()) } From 63f9d1dabc0b63fb7c7764768c968fd4c92132e1 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 13 Jul 2024 05:07:57 +0900 Subject: [PATCH 05/30] wip: designing acme --- rpxy-acme/src/dir_cache.rs | 8 ++-- rpxy-acme/src/targets.rs | 78 ++++++++++++++++++++++++------------ rpxy-bin/src/config/parse.rs | 54 +++++++++++++++---------- 3 files changed, 88 insertions(+), 52 deletions(-) diff --git a/rpxy-acme/src/dir_cache.rs b/rpxy-acme/src/dir_cache.rs index 2f613d8d..33504fa4 100644 --- a/rpxy-acme/src/dir_cache.rs +++ b/rpxy-acme/src/dir_cache.rs @@ -15,14 +15,14 @@ enum FileType { Cert, } -#[derive(Debug)] +#[derive(Debug, PartialEq, Eq)] pub struct DirCache { - account_dir: PathBuf, - cert_dir: PathBuf, + pub(super) account_dir: PathBuf, + pub(super) cert_dir: PathBuf, } impl DirCache { - pub fn new

(dir: P, server_name: impl AsRef) -> Self + pub fn new

(dir: P, server_name: &str) -> Self where P: AsRef, { diff --git a/rpxy-acme/src/targets.rs b/rpxy-acme/src/targets.rs index 08c46852..74e62623 100644 --- a/rpxy-acme/src/targets.rs +++ b/rpxy-acme/src/targets.rs @@ -1,32 +1,28 @@ -use crate::dir_cache::DirCache; use crate::{ constants::{ACME_DIR_URL, ACME_REGISTRY_PATH}, + dir_cache::DirCache, error::RpxyAcmeError, log::*, }; use rustc_hash::FxHashMap as HashMap; -use rustls_acme::AcmeConfig; -use std::{fmt::Debug, path::PathBuf, sync::Arc}; +// use rustls_acme::AcmeConfig; +use std::path::PathBuf; use url::Url; #[derive(Debug)] /// ACME settings -pub struct AcmeContexts -where - EC: Debug + 'static, - EA: Debug + 'static, -{ +pub struct AcmeContexts { /// ACME directory url acme_dir_url: Url, /// ACME registry directory acme_registry_dir: PathBuf, /// ACME contacts contacts: Vec, - /// ACME config - inner: HashMap>>, + /// ACME directly cache information + inner: HashMap, } -impl AcmeContexts { +impl AcmeContexts { /// Create a new instance. Note that for each domain, a new AcmeConfig is created. /// This means that for each domain, a distinct operation will be dispatched and separated certificates will be generated. pub fn try_new( @@ -35,6 +31,9 @@ impl AcmeContexts { contacts: &[String], domains: &[String], ) -> Result { + // Install aws_lc_rs as default crypto provider for rustls + let _ = rustls::crypto::CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider()); + let acme_registry_dir = acme_registry_dir .map(|v| v.to_ascii_lowercase()) .map_or_else(|| PathBuf::from(ACME_REGISTRY_PATH), PathBuf::from); @@ -46,25 +45,33 @@ impl AcmeContexts { .as_deref() .map_or_else(|| Url::parse(ACME_DIR_URL), Url::parse)?; let contacts = contacts.iter().map(|email| format!("mailto:{email}")).collect::>(); - let rustls_client_config = rustls::ClientConfig::builder() - .dangerous() // The `Verifier` we're using is actually safe - .with_custom_certificate_verifier(std::sync::Arc::new(rustls_platform_verifier::Verifier::new())) - .with_no_client_auth(); - let rustls_client_config = Arc::new(rustls_client_config); + // let rustls_client_config = rustls::ClientConfig::builder() + // .dangerous() // The `Verifier` we're using is actually safe + // .with_custom_certificate_verifier(std::sync::Arc::new(rustls_platform_verifier::Verifier::new())) + // .with_no_client_auth(); + // let rustls_client_config = Arc::new(rustls_client_config); let inner = domains .iter() .map(|domain| { - let dir_cache = DirCache::new(&acme_registry_dir, domain); - let config = AcmeConfig::new([domain]) - .contact(&contacts) - .cache(dir_cache) - .directory(acme_dir_url.as_str()) - .client_tls_config(rustls_client_config.clone()); - let config = Box::new(config); - (domain.to_ascii_lowercase(), config) + let domain = domain.to_ascii_lowercase(); + let dir_cache = DirCache::new(&acme_registry_dir, &domain); + (domain, dir_cache) }) .collect::>(); + // let inner = domains + // .iter() + // .map(|domain| { + // let dir_cache = DirCache::new(&acme_registry_dir, domain); + // let config = AcmeConfig::new([domain]) + // .contact(&contacts) + // .cache(dir_cache) + // .directory(acme_dir_url.as_str()) + // .client_tls_config(rustls_client_config.clone()); + // let config = Box::new(config); + // (domain.to_ascii_lowercase(), config) + // }) + // .collect::>(); Ok(Self { acme_dir_url, @@ -77,6 +84,8 @@ impl AcmeContexts { #[cfg(test)] mod tests { + use crate::constants::ACME_ACCOUNT_SUBDIR; + use super::*; #[test] @@ -84,13 +93,30 @@ mod tests { let acme_dir_url = "https://acme.example.com/directory"; let acme_registry_dir = "/tmp/acme"; let contacts = vec!["test@example.com".to_string()]; - let acme_contexts: AcmeContexts = AcmeContexts::try_new( + let acme_contexts: AcmeContexts = AcmeContexts::try_new( Some(acme_dir_url), Some(acme_registry_dir), &contacts, &["example.com".to_string(), "example.org".to_string()], ) .unwrap(); - println!("{:#?}", acme_contexts); + assert_eq!(acme_contexts.inner.len(), 2); + assert_eq!(acme_contexts.contacts, vec!["mailto:test@example.com".to_string()]); + assert_eq!(acme_contexts.acme_dir_url.as_str(), acme_dir_url); + assert_eq!(acme_contexts.acme_registry_dir, PathBuf::from(acme_registry_dir)); + assert_eq!( + acme_contexts.inner["example.com"], + DirCache { + account_dir: PathBuf::from(acme_registry_dir).join(ACME_ACCOUNT_SUBDIR), + cert_dir: PathBuf::from(acme_registry_dir).join("example.com"), + } + ); + assert_eq!( + acme_contexts.inner["example.org"], + DirCache { + account_dir: PathBuf::from(acme_registry_dir).join(ACME_ACCOUNT_SUBDIR), + cert_dir: PathBuf::from(acme_registry_dir).join("example.org"), + } + ); } } diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs index 741cc7ae..3dd6599e 100644 --- a/rpxy-bin/src/config/parse.rs +++ b/rpxy-bin/src/config/parse.rs @@ -7,7 +7,7 @@ use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig}; use rustc_hash::FxHashMap as HashMap; #[cfg(feature = "acme")] -use rpxy_acme::{ACME_DIR_URL, ACME_REGISTRY_PATH}; +use rpxy_acme::{AcmeContexts, ACME_DIR_URL, ACME_REGISTRY_PATH}; /// Parsed options pub struct Opts { @@ -160,27 +160,37 @@ pub async fn build_cert_manager( /// Build acme manager and dummy cert and key as initial states if not exists /// TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING pub async fn build_acme_manager(config: &ConfigToml) -> Result<(), anyhow::Error> { - // let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); - // if acme_option.is_none() { - // return Ok(()); - // } - // let acme_option = acme_option.unwrap(); - // let mut acme_targets = AcmeTargets::try_new( - // acme_option.email.as_ref(), - // acme_option.dir_url.as_deref(), - // acme_option.registry_path.as_deref(), - // ) - // .map_err(|e| anyhow!("Invalid acme configuration: {e}"))?; - - // let apps = config.apps.as_ref().unwrap(); - // for app in apps.0.values() { - // if let Some(tls) = app.tls.as_ref() { - // if tls.acme.unwrap_or(false) { - // acme_targets.add_target(app.server_name.as_ref().unwrap())?; - // } - // } - // } + let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); + if acme_option.is_none() { + return Ok(()); + } + let acme_option = acme_option.unwrap(); + + let domains = config + .apps + .as_ref() + .unwrap() + .0 + .values() + .filter_map(|app| { + // + if let Some(tls) = app.tls.as_ref() { + if let Some(true) = tls.acme { + return Some(app.server_name.as_ref().unwrap().to_owned()); + } + } + None + }) + .collect::>(); + + let acme_contexts = AcmeContexts::try_new( + acme_option.dir_url.as_deref(), + acme_option.registry_path.as_deref(), + &[acme_option.email], + domains.as_slice(), + )?; + // TODO: remove later - // println!("ACME targets: {:#?}", acme_targets); + println!("ACME contexts: {:#?}", acme_contexts); Ok(()) } From 3a88d3ce90abe91916d5d9899e85046a47ca5509 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 13 Jul 2024 05:13:32 +0900 Subject: [PATCH 06/30] fix: submodule --- .gitmodules | 3 +++ rpxy-acme/Cargo.toml | 2 +- submodules/rustls-acme | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) create mode 160000 submodules/rustls-acme diff --git a/.gitmodules b/.gitmodules index 0d6a4041..7ff65fe1 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "submodules/rusty-http-cache-semantics"] path = submodules/rusty-http-cache-semantics url = git@github.com:junkurihara/rusty-http-cache-semantics.git +[submodule "submodules/rustls-acme"] + path = submodules/rustls-acme + url = git@github.com:junkurihara/rustls-acme.git diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 57dd5145..9473429c 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -26,6 +26,6 @@ rustls = { version = "0.23.11", default-features = false, features = [ "aws_lc_rs", ] } rustls-platform-verifier = { version = "0.3.2" } -rustls-acme = { path = "../../rustls-acme/", default-features = false, features = [ +rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } diff --git a/submodules/rustls-acme b/submodules/rustls-acme new file mode 160000 index 00000000..43719fb0 --- /dev/null +++ b/submodules/rustls-acme @@ -0,0 +1 @@ +Subproject commit 43719fb04cc522c039c9e7420567a38416f9fec7 From 4d889e6a056fdc9ca96c992802d601eabdc42de3 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 12:58:39 +0900 Subject: [PATCH 07/30] chore: deps --- rpxy-bin/Cargo.toml | 4 ++-- rpxy-certs/Cargo.toml | 4 ++-- rpxy-lib/Cargo.toml | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 358ee431..61263469 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -32,7 +32,7 @@ mimalloc = { version = "*", default-features = false } anyhow = "1.0.86" rustc-hash = "2.0.0" serde = { version = "1.0.204", default-features = false, features = ["derive"] } -tokio = { version = "1.38.0", default-features = false, features = [ +tokio = { version = "1.38.1", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -45,7 +45,7 @@ async-trait = "0.1.81" # config clap = { version = "4.5.9", features = ["std", "cargo", "wrap_help"] } toml = { version = "0.8.14", default-features = false, features = ["parse"] } -hot_reload = "0.1.5" +hot_reload = "0.1.6" # logging tracing = { version = "0.1.40" } diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index cd308156..238c909d 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -19,7 +19,7 @@ rustc-hash = { version = "2.0.0" } tracing = { version = "0.1.40" } derive_builder = { version = "0.20.0" } thiserror = { version = "1.0.62" } -hot_reload = { version = "0.1.5" } +hot_reload = { version = "0.1.6" } async-trait = { version = "0.1.81" } rustls = { version = "0.23.11", default-features = false, features = [ "std", @@ -33,7 +33,7 @@ rustls-webpki = { version = "0.102.5", default-features = false, features = [ x509-parser = { version = "0.16.0" } [dev-dependencies] -tokio = { version = "1.38.0", default-features = false, features = [ +tokio = { version = "1.38.1", default-features = false, features = [ "rt-multi-thread", "macros", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 1fbeb115..67f5a8de 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -34,10 +34,10 @@ acme = [] [dependencies] rand = "0.8.5" rustc-hash = "2.0.0" -bytes = "1.6.0" +bytes = "1.6.1" derive_builder = "0.20.0" futures = { version = "0.3.30", features = ["alloc", "async-await"] } -tokio = { version = "1.38.0", default-features = false, features = [ +tokio = { version = "1.38.1", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -76,7 +76,7 @@ hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = " # tls and cert management for server rpxy-certs = { path = "../rpxy-certs/", default-features = false } -hot_reload = "0.1.5" +hot_reload = "0.1.6" rustls = { version = "0.23.11", default-features = false } tokio-rustls = { version = "0.26.0", features = ["early-data"] } From 9e79a481c6ebf4ae892c124509efc41934e1feb2 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 17:06:37 +0900 Subject: [PATCH 08/30] wip: implementing api --- rpxy-acme/Cargo.toml | 2 + rpxy-acme/src/dir_cache.rs | 2 +- rpxy-acme/src/lib.rs | 4 +- rpxy-acme/src/{targets.rs => manager.rs} | 91 ++++++++++++++++-------- rpxy-bin/Cargo.toml | 2 +- rpxy-bin/src/config/parse.rs | 23 +++--- rpxy-bin/src/main.rs | 79 ++++++++++++++++++-- 7 files changed, 155 insertions(+), 48 deletions(-) rename rpxy-acme/src/{targets.rs => manager.rs} (54%) diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 9473429c..7adc8fdd 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -29,3 +29,5 @@ rustls-platform-verifier = { version = "0.3.2" } rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } +tokio = { version = "1.38.1", default-features = false } +tokio-stream = { version = "0.1.15", default-features = false } diff --git a/rpxy-acme/src/dir_cache.rs b/rpxy-acme/src/dir_cache.rs index 33504fa4..5170ad61 100644 --- a/rpxy-acme/src/dir_cache.rs +++ b/rpxy-acme/src/dir_cache.rs @@ -15,7 +15,7 @@ enum FileType { Cert, } -#[derive(Debug, PartialEq, Eq)] +#[derive(Debug, PartialEq, Eq, Clone)] pub struct DirCache { pub(super) account_dir: PathBuf, pub(super) cert_dir: PathBuf, diff --git a/rpxy-acme/src/lib.rs b/rpxy-acme/src/lib.rs index 813b388a..246b9008 100644 --- a/rpxy-acme/src/lib.rs +++ b/rpxy-acme/src/lib.rs @@ -1,7 +1,7 @@ mod constants; mod dir_cache; mod error; -mod targets; +mod manager; #[allow(unused_imports)] mod log { @@ -11,4 +11,4 @@ mod log { pub use constants::{ACME_DIR_URL, ACME_REGISTRY_PATH}; pub use dir_cache::DirCache; pub use error::RpxyAcmeError; -pub use targets::AcmeContexts; +pub use manager::AcmeManager; diff --git a/rpxy-acme/src/targets.rs b/rpxy-acme/src/manager.rs similarity index 54% rename from rpxy-acme/src/targets.rs rename to rpxy-acme/src/manager.rs index 74e62623..112c4493 100644 --- a/rpxy-acme/src/targets.rs +++ b/rpxy-acme/src/manager.rs @@ -5,24 +5,29 @@ use crate::{ log::*, }; use rustc_hash::FxHashMap as HashMap; -// use rustls_acme::AcmeConfig; -use std::path::PathBuf; +use rustls::ServerConfig; +use rustls_acme::AcmeConfig; +use std::{path::PathBuf, sync::Arc}; +use tokio::runtime::Handle; +use tokio_stream::StreamExt; use url::Url; -#[derive(Debug)] +#[derive(Debug, Clone)] /// ACME settings -pub struct AcmeContexts { +pub struct AcmeManager { /// ACME directory url acme_dir_url: Url, - /// ACME registry directory - acme_registry_dir: PathBuf, + // /// ACME registry directory + // acme_registry_dir: PathBuf, /// ACME contacts contacts: Vec, /// ACME directly cache information inner: HashMap, + /// Tokio runtime handle + runtime_handle: Handle, } -impl AcmeContexts { +impl AcmeManager { /// Create a new instance. Note that for each domain, a new AcmeConfig is created. /// This means that for each domain, a distinct operation will be dispatched and separated certificates will be generated. pub fn try_new( @@ -30,6 +35,7 @@ impl AcmeContexts { acme_registry_dir: Option<&str>, contacts: &[String], domains: &[String], + runtime_handle: Handle, ) -> Result { // Install aws_lc_rs as default crypto provider for rustls let _ = rustls::crypto::CryptoProvider::install_default(rustls::crypto::aws_lc_rs::default_provider()); @@ -45,11 +51,6 @@ impl AcmeContexts { .as_deref() .map_or_else(|| Url::parse(ACME_DIR_URL), Url::parse)?; let contacts = contacts.iter().map(|email| format!("mailto:{email}")).collect::>(); - // let rustls_client_config = rustls::ClientConfig::builder() - // .dangerous() // The `Verifier` we're using is actually safe - // .with_custom_certificate_verifier(std::sync::Arc::new(rustls_platform_verifier::Verifier::new())) - // .with_no_client_auth(); - // let rustls_client_config = Arc::new(rustls_client_config); let inner = domains .iter() @@ -59,27 +60,59 @@ impl AcmeContexts { (domain, dir_cache) }) .collect::>(); - // let inner = domains - // .iter() - // .map(|domain| { - // let dir_cache = DirCache::new(&acme_registry_dir, domain); - // let config = AcmeConfig::new([domain]) - // .contact(&contacts) - // .cache(dir_cache) - // .directory(acme_dir_url.as_str()) - // .client_tls_config(rustls_client_config.clone()); - // let config = Box::new(config); - // (domain.to_ascii_lowercase(), config) - // }) - // .collect::>(); Ok(Self { acme_dir_url, - acme_registry_dir, + // acme_registry_dir, contacts, inner, + runtime_handle, }) } + + /// Start ACME manager to manage certificates for each domain. + /// Returns a Vec> as a tasks handles and a map of domain to ServerConfig for challenge. + pub fn spawn_manager_tasks(&self) -> (Vec>, HashMap>) { + info!("rpxy ACME manager started"); + + let rustls_client_config = rustls::ClientConfig::builder() + .dangerous() // The `Verifier` we're using is actually safe + .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new())) + .with_no_client_auth(); + let rustls_client_config = Arc::new(rustls_client_config); + + let mut server_configs_for_challenge: HashMap> = HashMap::default(); + let join_handles = self + .inner + .clone() + .into_iter() + .map(|(domain, dir_cache)| { + let config = AcmeConfig::new([&domain]) + .contact(&self.contacts) + .cache(dir_cache.to_owned()) + .directory(self.acme_dir_url.as_str()) + .client_tls_config(rustls_client_config.clone()); + let mut state = config.state(); + server_configs_for_challenge.insert(domain.to_ascii_lowercase(), state.challenge_rustls_config()); + self.runtime_handle.spawn(async move { + info!("rpxy ACME manager task for {domain} started"); + // infinite loop unless the return value is None + loop { + let Some(res) = state.next().await else { + error!("rpxy ACME manager task for {domain} exited"); + break; + }; + match res { + Ok(ok) => info!("rpxy ACME event: {ok:?}"), + Err(err) => error!("rpxy ACME error: {err:?}"), + } + } + }) + }) + .collect::>(); + + (join_handles, server_configs_for_challenge) + } } #[cfg(test)] @@ -93,17 +126,19 @@ mod tests { let acme_dir_url = "https://acme.example.com/directory"; let acme_registry_dir = "/tmp/acme"; let contacts = vec!["test@example.com".to_string()]; - let acme_contexts: AcmeContexts = AcmeContexts::try_new( + let handle = Handle::current(); + let acme_contexts: AcmeManager = AcmeManager::try_new( Some(acme_dir_url), Some(acme_registry_dir), &contacts, &["example.com".to_string(), "example.org".to_string()], + handle, ) .unwrap(); assert_eq!(acme_contexts.inner.len(), 2); assert_eq!(acme_contexts.contacts, vec!["mailto:test@example.com".to_string()]); assert_eq!(acme_contexts.acme_dir_url.as_str(), acme_dir_url); - assert_eq!(acme_contexts.acme_registry_dir, PathBuf::from(acme_registry_dir)); + // assert_eq!(acme_contexts.acme_registry_dir, PathBuf::from(acme_registry_dir)); assert_eq!( acme_contexts.inner["example.com"], DirCache { diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 61263469..f330d9d5 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -40,7 +40,7 @@ tokio = { version = "1.38.1", default-features = false, features = [ "macros", ] } async-trait = "0.1.81" - +futures-util = { version = "0.3.30", default-features = false } # config clap = { version = "4.5.9", features = ["std", "cargo", "wrap_help"] } diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs index 3dd6599e..a591c409 100644 --- a/rpxy-bin/src/config/parse.rs +++ b/rpxy-bin/src/config/parse.rs @@ -7,7 +7,7 @@ use rpxy_lib::{AppConfig, AppConfigList, ProxyConfig}; use rustc_hash::FxHashMap as HashMap; #[cfg(feature = "acme")] -use rpxy_acme::{AcmeContexts, ACME_DIR_URL, ACME_REGISTRY_PATH}; +use rpxy_acme::{AcmeManager, ACME_DIR_URL, ACME_REGISTRY_PATH}; /// Parsed options pub struct Opts { @@ -157,12 +157,14 @@ pub async fn build_cert_manager( /* ----------------------- */ #[cfg(feature = "acme")] -/// Build acme manager and dummy cert and key as initial states if not exists -/// TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING -pub async fn build_acme_manager(config: &ConfigToml) -> Result<(), anyhow::Error> { +/// Build acme manager +pub async fn build_acme_manager( + config: &ConfigToml, + runtime_handle: tokio::runtime::Handle, +) -> Result, anyhow::Error> { let acme_option = config.experimental.as_ref().and_then(|v| v.acme.clone()); if acme_option.is_none() { - return Ok(()); + return Ok(None); } let acme_option = acme_option.unwrap(); @@ -183,14 +185,17 @@ pub async fn build_acme_manager(config: &ConfigToml) -> Result<(), anyhow::Error }) .collect::>(); - let acme_contexts = AcmeContexts::try_new( + if domains.is_empty() { + return Ok(None); + } + + let acme_manager = AcmeManager::try_new( acme_option.dir_url.as_deref(), acme_option.registry_path.as_deref(), &[acme_option.email], domains.as_slice(), + runtime_handle, )?; - // TODO: remove later - println!("ACME contexts: {:#?}", acme_contexts); - Ok(()) + Ok(Some(acme_manager)) } diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index 9847a5fa..f07212e3 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -68,16 +68,33 @@ async fn rpxy_service_without_watcher( let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?; let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; - #[cfg(feature = "acme")] // TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING - let acme_manager = build_acme_manager(&config_toml).await; + #[cfg(feature = "acme")] + let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; let cert_service_and_rx = build_cert_manager(&config_toml) .await .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?; - rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, None) + #[cfg(feature = "acme")] + { + rpxy_entrypoint( + &proxy_conf, + &app_conf, + cert_service_and_rx.as_ref(), + acme_manager.as_ref(), + &runtime_handle, + None, + ) .await .map_err(|e| anyhow!(e)) + } + + #[cfg(not(feature = "acme"))] + { + rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, None) + .await + .map_err(|e| anyhow!(e)) + } } async fn rpxy_service_with_watcher( @@ -93,8 +110,8 @@ async fn rpxy_service_with_watcher( .ok_or(anyhow!("Something wrong in config reloader receiver"))?; let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; - #[cfg(feature = "acme")] // TODO: CURRENTLY NOT IMPLEMENTED, UNDER DESIGNING - let acme_manager = build_acme_manager(&config_toml).await; + #[cfg(feature = "acme")] + let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; let mut cert_service_and_rx = build_cert_manager(&config_toml) .await @@ -106,7 +123,16 @@ async fn rpxy_service_with_watcher( // Continuous monitoring loop { tokio::select! { - rpxy_res = rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, Some(term_notify.clone())) => { + rpxy_res = { + #[cfg(feature = "acme")] + { + rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), acme_manager.as_ref(), &runtime_handle, Some(term_notify.clone())) + } + #[cfg(not(feature = "acme"))] + { + rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, Some(term_notify.clone())) + } + } => { error!("rpxy entrypoint or cert service exited"); return rpxy_res.map_err(|e| anyhow!(e)); } @@ -145,6 +171,7 @@ async fn rpxy_service_with_watcher( Ok(()) } +#[cfg(not(feature = "acme"))] /// Wrapper of entry point for rpxy service with certificate management service async fn rpxy_entrypoint( proxy_config: &rpxy_lib::ProxyConfig, @@ -152,7 +179,7 @@ async fn rpxy_entrypoint( cert_service_and_rx: Option<&( ReloaderService, ReloaderReceiver, - )>, // TODO: + )>, runtime_handle: &tokio::runtime::Handle, term_notify: Option>, ) -> Result<(), anyhow::Error> { @@ -173,3 +200,41 @@ async fn rpxy_entrypoint( .map_err(|e| anyhow!(e)) } } + +#[cfg(feature = "acme")] +/// Wrapper of entry point for rpxy service with certificate management service +async fn rpxy_entrypoint( + proxy_config: &rpxy_lib::ProxyConfig, + app_config_list: &rpxy_lib::AppConfigList, + cert_service_and_rx: Option<&( + ReloaderService, + ReloaderReceiver, + )>, + acme_manager: Option<&rpxy_acme::AcmeManager>, + runtime_handle: &tokio::runtime::Handle, + term_notify: Option>, +) -> Result<(), anyhow::Error> { + // TODO: remove later, reconsider routine + println!("ACME manager:\n{:#?}", acme_manager); + let x = acme_manager.unwrap().clone(); + let (handle, confs) = x.spawn_manager_tasks(); + tokio::spawn(async move { futures_util::future::select_all(handle).await }); + // TODO: + + if let Some((cert_service, cert_rx)) = cert_service_and_rx { + tokio::select! { + rpxy_res = entrypoint(proxy_config, app_config_list, Some(cert_rx), runtime_handle, term_notify) => { + error!("rpxy entrypoint exited"); + rpxy_res.map_err(|e| anyhow!(e)) + } + cert_res = cert_service.start() => { + error!("cert reloader service exited"); + cert_res.map_err(|e| anyhow!(e)) + } + } + } else { + entrypoint(proxy_config, app_config_list, None, runtime_handle, term_notify) + .await + .map_err(|e| anyhow!(e)) + } +} From d6136f9ffaf3e348401839b3104c7a185fb19302 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 17:10:36 +0900 Subject: [PATCH 09/30] fix test --- rpxy-acme/src/manager.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rpxy-acme/src/manager.rs b/rpxy-acme/src/manager.rs index 112c4493..54b1ece9 100644 --- a/rpxy-acme/src/manager.rs +++ b/rpxy-acme/src/manager.rs @@ -121,8 +121,8 @@ mod tests { use super::*; - #[test] - fn test_try_new() { + #[tokio::test] + async fn test_try_new() { let acme_dir_url = "https://acme.example.com/directory"; let acme_registry_dir = "/tmp/acme"; let contacts = vec!["test@example.com".to_string()]; From 7b0ca08e1e434bd4605fc238db403d3b45a3bba5 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 20:48:37 +0900 Subject: [PATCH 10/30] feat: add initial acme support (ugly!) --- CHANGELOG.md | 9 ++ README.md | 34 +++++- config-example.toml | 14 +++ rpxy-acme/src/lib.rs | 4 + rpxy-acme/src/manager.rs | 40 ++++--- rpxy-bin/src/main.rs | 176 ++++++++++++++++++++----------- rpxy-lib/Cargo.toml | 5 +- rpxy-lib/src/error.rs | 5 + rpxy-lib/src/globals.rs | 4 + rpxy-lib/src/lib.rs | 38 +++++-- rpxy-lib/src/proxy/proxy_main.rs | 37 ++++++- 11 files changed, 277 insertions(+), 89 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 53a74b1a..4302a589 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ ## 0.9.0 (Unreleased) +### Important Changes + +- Breaking: Experimental ACME support is added. Check the new configuration options and README.md for ACME support. Note that it is still under development and may have some issues. + +### Improvement + +- Refactor: lots of minor improvements +- Deps + ## 0.8.1 ### Improvement diff --git a/README.md b/README.md index 20d7891f..b825cd14 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in pure Rust +# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in Rust [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE) ![Unit Test](https://github.com/junkurihara/rust-rpxy/actions/workflows/ci.yml/badge.svg) @@ -10,9 +10,11 @@ ## Introduction -`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in pure Rust. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections. +`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in Rust^[^pure_rust]. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections. - As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] +[^pure_rust]: Doubtfully can be claimed to be written in pure Rust since current `rpxy` is based on `aws-lc-rs` for cryptographic operations. + + As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme). [^h3lib]: HTTP/3 libraries are mutually exclusive. You need to explicitly specify `s2n-quic` with `--no-default-features` flag. Also note that if you build `rpxy` with `s2n-quic`, then it requires `openssl` just for building the package. @@ -298,6 +300,32 @@ max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is alway A *storable* (in the context of an HTTP message) response is stored if its size is less than or equal to `max_cache_each_size` in bytes. If it is also less than or equal to `max_cache_each_size_on_memory`, it is stored as an on-memory object. Otherwise, it is stored as a temporary file. Note that `max_cache_each_size` must be larger or equal to `max_cache_each_size_on_memory`. Also note that once `rpxy` restarts or the config is updated, the cache is totally eliminated not only from the on-memory table but also from the file system. +### Automated Certificate Issuance and Renewal via TLS-ALPN-01 ACME protocol + +This is a brand-new feature and maybe still unstable. Thanks to the [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme), the automatic issuance and renewal of certificates are finally available in `rpxy`. To enable this feature, you need to specify the following entries in `config.toml`. + +```toml +# ACME enabled domain name. +# ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol. +# Note that acme option must be specified in the experimental section. +[apps.localhost_with_acme] +server_name = 'example.org' +reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }] +tls = { https_redirection = true, acme = true } # do not specify tls_cert_path and/or tls_cert_key_path +``` + +For the ACME enabled domain, the following settings are referred to acquire a certificate. + +```toml +# Global ACME settings. Unless specified, ACME is disabled. +[experimental.acme] +dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory" +email = "test@example.com" +registry_path = "./acme_registry" # optional. default is "./acme_registry" relative to the current working directory +``` + +The above configuration is common to all ACME enabled domains. Note that the https port must be open to the public to verify the domain ownership. + ## TIPS ### Using Private Key Issued by Let's Encrypt diff --git a/config-example.toml b/config-example.toml index c3d1e476..d279e50c 100644 --- a/config-example.toml +++ b/config-example.toml @@ -89,6 +89,14 @@ server_name = 'localhost.localdomain' reverse_proxy = [{ upstream = [{ location = 'www.google.com', tls = true }] }] ###################################################################### +###################################################################### +# ACME enabled example. ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol. +# Note that acme option must be specified in the experimental section. +[apps.localhost_with_acme] +server_name = 'kubernetes.docker.internal' +reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }] +tls = { https_redirection = true, acme = true } + ################################### # Experimantal settings # ################################### @@ -119,3 +127,9 @@ cache_dir = './cache' # optional. default is "./cache" relative t max_cache_entry = 1000 # optional. default is 1k max_cache_each_size = 65535 # optional. default is 64k max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is always file cache. + +# ACME settings. Unless specified, ACME is disabled. +[experimental.acme] +dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory" +email = "test@example.com" +registry_path = "./acme_registry" # optional. default is "./acme_registry" relative to the current working directory diff --git a/rpxy-acme/src/lib.rs b/rpxy-acme/src/lib.rs index 246b9008..6254a865 100644 --- a/rpxy-acme/src/lib.rs +++ b/rpxy-acme/src/lib.rs @@ -12,3 +12,7 @@ pub use constants::{ACME_DIR_URL, ACME_REGISTRY_PATH}; pub use dir_cache::DirCache; pub use error::RpxyAcmeError; pub use manager::AcmeManager; + +pub mod reexports { + pub use rustls_acme::is_tls_alpn_challenge; +} diff --git a/rpxy-acme/src/manager.rs b/rpxy-acme/src/manager.rs index 54b1ece9..e54731c9 100644 --- a/rpxy-acme/src/manager.rs +++ b/rpxy-acme/src/manager.rs @@ -72,9 +72,10 @@ impl AcmeManager { /// Start ACME manager to manage certificates for each domain. /// Returns a Vec> as a tasks handles and a map of domain to ServerConfig for challenge. - pub fn spawn_manager_tasks(&self) -> (Vec>, HashMap>) { - info!("rpxy ACME manager started"); - + pub fn spawn_manager_tasks( + &self, + term_notify: Option>, + ) -> (Vec>, HashMap>) { let rustls_client_config = rustls::ClientConfig::builder() .dangerous() // The `Verifier` we're using is actually safe .with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new())) @@ -94,17 +95,30 @@ impl AcmeManager { .client_tls_config(rustls_client_config.clone()); let mut state = config.state(); server_configs_for_challenge.insert(domain.to_ascii_lowercase(), state.challenge_rustls_config()); - self.runtime_handle.spawn(async move { - info!("rpxy ACME manager task for {domain} started"); - // infinite loop unless the return value is None - loop { - let Some(res) = state.next().await else { - error!("rpxy ACME manager task for {domain} exited"); - break; + self.runtime_handle.spawn({ + let term_notify = term_notify.clone(); + async move { + info!("rpxy ACME manager task for {domain} started"); + // infinite loop unless the return value is None + let task = async { + loop { + let Some(res) = state.next().await else { + error!("rpxy ACME manager task for {domain} exited"); + break; + }; + match res { + Ok(ok) => info!("rpxy ACME event: {ok:?}"), + Err(err) => error!("rpxy ACME error: {err:?}"), + } + } }; - match res { - Ok(ok) => info!("rpxy ACME event: {ok:?}"), - Err(err) => error!("rpxy ACME error: {err:?}"), + if let Some(notify) = term_notify.as_ref() { + tokio::select! { + _ = task => {}, + _ = notify.notified() => { info!("rpxy ACME manager task for {domain} terminated") } + } + } else { + task.await; } } }) diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index f07212e3..eff2648b 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -15,7 +15,7 @@ use crate::{ log::*, }; use hot_reload::{ReloaderReceiver, ReloaderService}; -use rpxy_lib::entrypoint; +use rpxy_lib::{entrypoint, RpxyOptions, RpxyOptionsBuilder}; fn main() { init_logger(); @@ -68,30 +68,40 @@ async fn rpxy_service_without_watcher( let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?; let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; - #[cfg(feature = "acme")] - let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; - - let cert_service_and_rx = build_cert_manager(&config_toml) + let (cert_service, cert_rx) = build_cert_manager(&config_toml) .await - .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?; + .map_err(|e| anyhow!("Invalid cert configuration: {e}"))? + .map(|(s, r)| (Some(s), Some(r))) + .unwrap_or((None, None)); #[cfg(feature = "acme")] { - rpxy_entrypoint( - &proxy_conf, - &app_conf, - cert_service_and_rx.as_ref(), - acme_manager.as_ref(), - &runtime_handle, - None, - ) - .await - .map_err(|e| anyhow!(e)) + let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; + let (acme_join_handles, server_config_acme_challenge) = acme_manager + .as_ref() + .map(|m| m.spawn_manager_tasks(None)) + .unwrap_or((vec![], Default::default())); + let rpxy_opts = RpxyOptionsBuilder::default() + .proxy_config(proxy_conf) + .app_config_list(app_conf) + .cert_rx(cert_rx) + .runtime_handle(runtime_handle.clone()) + .server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge)) + .build()?; + rpxy_entrypoint(&rpxy_opts, cert_service.as_ref(), acme_join_handles) //, &runtime_handle) + .await + .map_err(|e| anyhow!(e)) } #[cfg(not(feature = "acme"))] { - rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, None) + let rpxy_opts = RpxyOptionsBuilder::default() + .proxy_config(proxy_conf.clone()) + .app_config_list(app_conf.clone()) + .cert_rx(cert_rx.clone()) + .runtime_handle(runtime_handle.clone()) + .build()?; + rpxy_entrypoint(&rpxy_opts, cert_service.as_ref()) //, &runtime_handle) .await .map_err(|e| anyhow!(e)) } @@ -111,7 +121,7 @@ async fn rpxy_service_with_watcher( let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; #[cfg(feature = "acme")] - let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; + let mut acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; let mut cert_service_and_rx = build_cert_manager(&config_toml) .await @@ -122,15 +132,48 @@ async fn rpxy_service_with_watcher( // Continuous monitoring loop { + let (cert_service, cert_rx) = cert_service_and_rx + .as_ref() + .map(|(s, r)| (Some(s), Some(r))) + .unwrap_or((None, None)); + + #[cfg(feature = "acme")] + let (acme_join_handles, server_config_acme_challenge) = acme_manager + .as_ref() + .map(|m| m.spawn_manager_tasks(Some(term_notify.clone()))) + .unwrap_or((vec![], Default::default())); + + let rpxy_opts = { + #[cfg(feature = "acme")] + let res = RpxyOptionsBuilder::default() + .proxy_config(proxy_conf.clone()) + .app_config_list(app_conf.clone()) + .cert_rx(cert_rx.cloned()) + .runtime_handle(runtime_handle.clone()) + .term_notify(Some(term_notify.clone())) + .server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge)) + .build(); + + #[cfg(not(feature = "acme"))] + let res = RpxyOptionsBuilder::default() + .proxy_config(proxy_conf.clone()) + .app_config_list(app_conf.clone()) + .cert_rx(cert_rx.cloned()) + .runtime_handle(runtime_handle.clone()) + .term_notify(Some(term_notify.clone())) + .build(); + res + }?; + tokio::select! { rpxy_res = { #[cfg(feature = "acme")] { - rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), acme_manager.as_ref(), &runtime_handle, Some(term_notify.clone())) + rpxy_entrypoint(&rpxy_opts, cert_service, acme_join_handles)//, &runtime_handle) } #[cfg(not(feature = "acme"))] { - rpxy_entrypoint(&proxy_conf, &app_conf, cert_service_and_rx.as_ref(), &runtime_handle, Some(term_notify.clone())) + rpxy_entrypoint(&rpxy_opts, cert_service)//, &runtime_handle) } } => { error!("rpxy entrypoint or cert service exited"); @@ -159,8 +202,20 @@ async fn rpxy_service_with_watcher( continue; } }; + #[cfg(feature = "acme")] + { + match build_acme_manager(&config_toml, runtime_handle.clone()).await { + Ok(m) => { + acme_manager = m; + }, + Err(e) => { + error!("Invalid acme configuration. Configuration does not updated: {e}"); + continue; + } + } + } - info!("Configuration updated. Terminate all spawned proxy services and force to re-bind TCP/UDP sockets"); + info!("Configuration updated. Terminate all spawned services and force to re-bind TCP/UDP sockets"); term_notify.notify_waiters(); // tokio::time::sleep(tokio::time::Duration::from_secs(1)).await; } @@ -174,18 +229,14 @@ async fn rpxy_service_with_watcher( #[cfg(not(feature = "acme"))] /// Wrapper of entry point for rpxy service with certificate management service async fn rpxy_entrypoint( - proxy_config: &rpxy_lib::ProxyConfig, - app_config_list: &rpxy_lib::AppConfigList, - cert_service_and_rx: Option<&( - ReloaderService, - ReloaderReceiver, - )>, - runtime_handle: &tokio::runtime::Handle, - term_notify: Option>, + rpxy_opts: &RpxyOptions, + cert_service: Option<&ReloaderService>, + // runtime_handle: &tokio::runtime::Handle, ) -> Result<(), anyhow::Error> { - if let Some((cert_service, cert_rx)) = cert_service_and_rx { + // TODO: refactor: update routine + if let Some(cert_service) = cert_service { tokio::select! { - rpxy_res = entrypoint(proxy_config, app_config_list, Some(cert_rx), runtime_handle, term_notify) => { + rpxy_res = entrypoint(rpxy_opts) => { error!("rpxy entrypoint exited"); rpxy_res.map_err(|e| anyhow!(e)) } @@ -195,46 +246,49 @@ async fn rpxy_entrypoint( } } } else { - entrypoint(proxy_config, app_config_list, None, runtime_handle, term_notify) - .await - .map_err(|e| anyhow!(e)) + entrypoint(rpxy_opts).await.map_err(|e| anyhow!(e)) } } #[cfg(feature = "acme")] /// Wrapper of entry point for rpxy service with certificate management service async fn rpxy_entrypoint( - proxy_config: &rpxy_lib::ProxyConfig, - app_config_list: &rpxy_lib::AppConfigList, - cert_service_and_rx: Option<&( - ReloaderService, - ReloaderReceiver, - )>, - acme_manager: Option<&rpxy_acme::AcmeManager>, - runtime_handle: &tokio::runtime::Handle, - term_notify: Option>, + rpxy_opts: &RpxyOptions, + cert_service: Option<&ReloaderService>, + acme_task_handles: Vec>, + // runtime_handle: &tokio::runtime::Handle, ) -> Result<(), anyhow::Error> { - // TODO: remove later, reconsider routine - println!("ACME manager:\n{:#?}", acme_manager); - let x = acme_manager.unwrap().clone(); - let (handle, confs) = x.spawn_manager_tasks(); - tokio::spawn(async move { futures_util::future::select_all(handle).await }); - // TODO: - - if let Some((cert_service, cert_rx)) = cert_service_and_rx { - tokio::select! { - rpxy_res = entrypoint(proxy_config, app_config_list, Some(cert_rx), runtime_handle, term_notify) => { - error!("rpxy entrypoint exited"); - rpxy_res.map_err(|e| anyhow!(e)) + // TODO: refactor: update routine + if let Some(cert_service) = cert_service { + if acme_task_handles.is_empty() { + tokio::select! { + rpxy_res = entrypoint(rpxy_opts) => { + error!("rpxy entrypoint exited"); + rpxy_res.map_err(|e| anyhow!(e)) + } + cert_res = cert_service.start() => { + error!("cert reloader service exited"); + cert_res.map_err(|e| anyhow!(e)) + } } - cert_res = cert_service.start() => { - error!("cert reloader service exited"); - cert_res.map_err(|e| anyhow!(e)) + } else { + let select_all = futures_util::future::select_all(acme_task_handles); + tokio::select! { + rpxy_res = entrypoint(rpxy_opts) => { + error!("rpxy entrypoint exited"); + rpxy_res.map_err(|e| anyhow!(e)) + } + (acme_res, _, _) = select_all => { + error!("acme manager exited"); + acme_res.map_err(|e| anyhow!(e)) + } + cert_res = cert_service.start() => { + error!("cert reloader service exited"); + cert_res.map_err(|e| anyhow!(e)) + } } } } else { - entrypoint(proxy_config, app_config_list, None, runtime_handle, term_notify) - .await - .map_err(|e| anyhow!(e)) + entrypoint(rpxy_opts).await.map_err(|e| anyhow!(e)) } } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 67f5a8de..a23e192b 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -29,7 +29,7 @@ sticky-cookie = ["base64", "sha2", "chrono"] native-tls-backend = ["hyper-tls"] rustls-backend = ["hyper-rustls"] webpki-roots = ["rustls-backend", "hyper-rustls/webpki-tokio"] -acme = [] +acme = ["dep:rpxy-acme"] [dependencies] rand = "0.8.5" @@ -80,6 +80,9 @@ hot_reload = "0.1.6" rustls = { version = "0.23.11", default-features = false } tokio-rustls = { version = "0.26.0", features = ["early-data"] } +# acme +rpxy-acme = { path = "../rpxy-acme/", default-features = false, optional = true } + # logging tracing = { version = "0.1.40" } diff --git a/rpxy-lib/src/error.rs b/rpxy-lib/src/error.rs index 98ebf031..20470ede 100644 --- a/rpxy-lib/src/error.rs +++ b/rpxy-lib/src/error.rs @@ -105,4 +105,9 @@ pub enum RpxyError { // Others #[error("Infallible")] Infallible(#[from] std::convert::Infallible), + + /// No Acme server config for Acme challenge + #[cfg(feature = "acme")] + #[error("No Acme server config")] + NoAcmeServerConfig, } diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs index fa19f787..8c5e0937 100644 --- a/rpxy-lib/src/globals.rs +++ b/rpxy-lib/src/globals.rs @@ -16,6 +16,10 @@ pub struct Globals { pub term_notify: Option>, /// Shared context - Certificate reloader service receiver // TODO: newer one pub cert_reloader_rx: Option>, + + #[cfg(feature = "acme")] + /// ServerConfig used for only ACME challenge for ACME domains + pub server_configs_acme_challenge: Arc>>, } /// Configuration parameters for proxy transport and request handlers diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs index ccb647e9..9dd78da5 100644 --- a/rpxy-lib/src/lib.rs +++ b/rpxy-lib/src/lib.rs @@ -30,13 +30,36 @@ pub mod reexports { pub use hyper::Uri; } +#[derive(derive_builder::Builder)] +/// rpxy entrypoint args +pub struct RpxyOptions { + /// Configuration parameters for proxy transport and request handlers + pub proxy_config: ProxyConfig, + /// List of application configurations + pub app_config_list: AppConfigList, + /// Certificate reloader service receiver + pub cert_rx: Option>, // TODO: + /// Async task runtime handler + pub runtime_handle: tokio::runtime::Handle, + /// Notify object to stop async tasks + pub term_notify: Option>, + + #[cfg(feature = "acme")] + /// ServerConfig used for only ACME challenge for ACME domains + pub server_configs_acme_challenge: Arc>>, +} + /// Entrypoint that creates and spawns tasks of reverse proxy services pub async fn entrypoint( - proxy_config: &ProxyConfig, - app_config_list: &AppConfigList, - cert_rx: Option<&ReloaderReceiver>, // TODO: - runtime_handle: &tokio::runtime::Handle, - term_notify: Option>, + RpxyOptions { + proxy_config, + app_config_list, + cert_rx, // TODO: + runtime_handle, + term_notify, + #[cfg(feature = "acme")] + server_configs_acme_challenge, + }: &RpxyOptions, ) -> RpxyResult<()> { #[cfg(all(feature = "http3-quinn", feature = "http3-s2n"))] warn!("Both \"http3-quinn\" and \"http3-s2n\" features are enabled. \"http3-quinn\" will be used"); @@ -85,7 +108,10 @@ pub async fn entrypoint( request_count: Default::default(), runtime_handle: runtime_handle.clone(), term_notify: term_notify.clone(), - cert_reloader_rx: cert_rx.cloned(), + cert_reloader_rx: cert_rx.clone(), + + #[cfg(feature = "acme")] + server_configs_acme_challenge: server_configs_acme_challenge.clone(), }); // 3. build message handler containing Arc-ed http_client and backends, and make it contained in Arc as well diff --git a/rpxy-lib/src/proxy/proxy_main.rs b/rpxy-lib/src/proxy/proxy_main.rs index 21b2c6bd..e57a16f9 100644 --- a/rpxy-lib/src/proxy/proxy_main.rs +++ b/rpxy-lib/src/proxy/proxy_main.rs @@ -167,6 +167,9 @@ where let mut server_crypto_map: Option> = None; loop { + #[cfg(feature = "acme")] + let server_configs_acme_challenge = self.globals.server_configs_acme_challenge.clone(); + select! { tcp_cnx = tcp_listener.accept().fuse() => { if tcp_cnx.is_err() || server_crypto_map.is_none() { @@ -190,11 +193,35 @@ where if server_name.is_none(){ return Err(RpxyError::NoServerNameInClientHello); } - let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap()); - if server_crypto.is_none() { - return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default())); - } - let stream = match start.into_stream(server_crypto.unwrap().clone()).await { + /* ------------------ */ + // Check for ACME TLS ALPN challenge + #[cfg(feature = "acme")] + let server_crypto = { + if rpxy_acme::reexports::is_tls_alpn_challenge(&client_hello) { + info!("ACME TLS ALPN challenge received"); + let Some(server_crypto_acme) = server_configs_acme_challenge.get(&sni.unwrap().to_ascii_lowercase()) else { + return Err(RpxyError::NoAcmeServerConfig); + }; + server_crypto_acme + } else { + let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap()); + let Some(server_crypto) = server_crypto else { + return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default())); + }; + server_crypto + } + }; + /* ------------------ */ + #[cfg(not(feature = "acme"))] + let server_crypto = { + let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap()); + let Some(server_crypto) = server_crypto else { + return Err(RpxyError::NoTlsServingApp(server_name.as_ref().unwrap().try_into().unwrap_or_default())); + }; + server_crypto + }; + /* ------------------ */ + let stream = match start.into_stream(server_crypto.clone()).await { Ok(s) => TokioIo::new(s), Err(e) => { return Err(RpxyError::FailedToTlsHandshake(e.to_string())); From 23bc33bd6e37546534994e67fd5bbd42796ee59f Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 20:55:31 +0900 Subject: [PATCH 11/30] bump --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 68be1fe3..01c02639 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace.package] -version = "0.8.1" +version = "0.9.0" authors = ["Jun Kurihara"] homepage = "https://github.com/junkurihara/rust-rpxy" repository = "https://github.com/junkurihara/rust-rpxy" From 597f3afd76db3cedecef14e0a8cdf7bba5556bb8 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 21:07:19 +0900 Subject: [PATCH 12/30] update docker-compose --- docker/docker-compose-slim.yml | 1 + docker/docker-compose.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/docker/docker-compose-slim.yml b/docker/docker-compose-slim.yml index e02c20b4..0337d200 100644 --- a/docker/docker-compose-slim.yml +++ b/docker/docker-compose-slim.yml @@ -31,6 +31,7 @@ services: volumes: - ./log:/rpxy/log:rw - ./cache:/rpxy/cache:rw + - ./acme_registry:/rpxy/acme_registry:rw - ../example-certs/server.crt:/certs/server.crt:ro - ../example-certs/server.key:/certs/server.key:ro - ../config-example.toml:/etc/rpxy.toml:ro diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 435dcb35..a8ad4af3 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -31,6 +31,7 @@ services: volumes: - ./log:/rpxy/log:rw - ./cache:/rpxy/cache:rw + - ./acme_registry:/rpxy/acme_registry:rw - ../example-certs/server.crt:/certs/server.crt:ro - ../example-certs/server.key:/certs/server.key:ro - ../config-example.toml:/etc/rpxy.toml:ro From 28a6da9505b77ad20acfdc0c08327441eff66501 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 17 Jul 2024 21:41:23 +0900 Subject: [PATCH 13/30] feat: force TLS shutdown after TLS ALPN 01 challenge --- rpxy-lib/src/proxy/proxy_main.rs | 44 +++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 6 deletions(-) diff --git a/rpxy-lib/src/proxy/proxy_main.rs b/rpxy-lib/src/proxy/proxy_main.rs index e57a16f9..3690d35d 100644 --- a/rpxy-lib/src/proxy/proxy_main.rs +++ b/rpxy-lib/src/proxy/proxy_main.rs @@ -193,6 +193,8 @@ where if server_name.is_none(){ return Err(RpxyError::NoServerNameInClientHello); } + #[cfg(feature = "acme")] + let mut is_handshake_acme = false; // for shutdown just after TLS handshake /* ------------------ */ // Check for ACME TLS ALPN challenge #[cfg(feature = "acme")] @@ -202,6 +204,7 @@ where let Some(server_crypto_acme) = server_configs_acme_challenge.get(&sni.unwrap().to_ascii_lowercase()) else { return Err(RpxyError::NoAcmeServerConfig); }; + is_handshake_acme = true; server_crypto_acme } else { let server_crypto = sc_map_inner.as_ref().unwrap().get(server_name.as_ref().unwrap()); @@ -227,7 +230,14 @@ where return Err(RpxyError::FailedToTlsHandshake(e.to_string())); } }; - Ok((stream, client_addr, server_name)) + #[cfg(feature = "acme")] + { + Ok((stream, client_addr, server_name, is_handshake_acme)) + } + #[cfg(not(feature="acme"))] + { + Ok((stream, client_addr, server_name)) + } }; self.globals.runtime_handle.spawn( async move { @@ -239,14 +249,36 @@ where error!("Timeout to handshake TLS"); return; }; - match v { - Ok((stream, client_addr, server_name)) => { - self_inner.serve_connection(stream, client_addr, server_name); + /* ------------------ */ + #[cfg(feature = "acme")] + { + match v { + Ok((mut stream, client_addr, server_name, is_handshake_acme)) => { + if is_handshake_acme { + debug!("Shutdown TLS connection after ACME TLS ALPN challenge"); + use tokio::io::AsyncWriteExt; + stream.inner_mut().shutdown().await.ok(); + } + self_inner.serve_connection(stream, client_addr, server_name); + } + Err(e) => { + error!("{}", e); + } } - Err(e) => { - error!("{}", e); + } + /* ------------------ */ + #[cfg(not(feature = "acme"))] + { + match v { + Ok((stream, client_addr, server_name)) => { + self_inner.serve_connection(stream, client_addr, server_name); + } + Err(e) => { + error!("{}", e); + } } } + /* ------------------ */ }); } _ = server_crypto_rx.changed().fuse() => { From 9114c77a14c95d69493fb14b661a27bd37500558 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Thu, 18 Jul 2024 16:11:59 +0900 Subject: [PATCH 14/30] docs: typo --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b825cd14..0b291491 100644 --- a/README.md +++ b/README.md @@ -10,11 +10,11 @@ ## Introduction -`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in Rust^[^pure_rust]. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections. +`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in Rust [^pure_rust]. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections. [^pure_rust]: Doubtfully can be claimed to be written in pure Rust since current `rpxy` is based on `aws-lc-rs` for cryptographic operations. - As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme). +By default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme). [^h3lib]: HTTP/3 libraries are mutually exclusive. You need to explicitly specify `s2n-quic` with `--no-default-features` flag. Also note that if you build `rpxy` with `s2n-quic`, then it requires `openssl` just for building the package. From 3657a96955c113386cd2a7e60ef98f48153d6ce8 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Tue, 23 Jul 2024 13:55:35 +0900 Subject: [PATCH 15/30] deps: s2n-quic --- rpxy-acme/Cargo.toml | 4 ++-- rpxy-bin/Cargo.toml | 2 +- rpxy-certs/Cargo.toml | 4 ++-- rpxy-lib/Cargo.toml | 8 ++++---- submodules/s2n-quic-h3/Cargo.toml | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 7adc8fdd..331bbe2b 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -13,11 +13,11 @@ publish.workspace = true [dependencies] url = { version = "2.5.2" } rustc-hash = "2.0.0" -thiserror = "1.0.62" +thiserror = "1.0.63" tracing = "0.1.40" async-trait = "0.1.81" base64 = "0.22.1" -aws-lc-rs = { version = "1.8.0", default-features = false, features = [ +aws-lc-rs = { version = "1.8.1", default-features = false, features = [ "aws-lc-sys", ] } blocking = "1.6.1" diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index f330d9d5..14db7b71 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -44,7 +44,7 @@ futures-util = { version = "0.3.30", default-features = false } # config clap = { version = "4.5.9", features = ["std", "cargo", "wrap_help"] } -toml = { version = "0.8.14", default-features = false, features = ["parse"] } +toml = { version = "0.8.15", default-features = false, features = ["parse"] } hot_reload = "0.1.6" # logging diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index 238c909d..9f64b7c8 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -18,7 +18,7 @@ http3 = [] rustc-hash = { version = "2.0.0" } tracing = { version = "0.1.40" } derive_builder = { version = "0.20.0" } -thiserror = { version = "1.0.62" } +thiserror = { version = "1.0.63" } hot_reload = { version = "0.1.6" } async-trait = { version = "0.1.81" } rustls = { version = "0.23.11", default-features = false, features = [ @@ -26,7 +26,7 @@ rustls = { version = "0.23.11", default-features = false, features = [ "aws_lc_rs", ] } rustls-pemfile = { version = "2.1.2" } -rustls-webpki = { version = "0.102.5", default-features = false, features = [ +rustls-webpki = { version = "0.102.6", default-features = false, features = [ "std", "aws_lc_rs", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index a23e192b..f996ab7c 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -50,7 +50,7 @@ async-trait = "0.1.81" # Error handling anyhow = "1.0.86" -thiserror = "1.0.62" +thiserror = "1.0.63" # http for both server and client http = "1.1.0" @@ -93,11 +93,11 @@ h3-quinn = { version = "0.0.7", optional = true } s2n-quic-h3 = { path = "../submodules/s2n-quic-h3/", features = [ "tracing", ], optional = true } -s2n-quic = { version = "1.42.0", default-features = false, features = [ +s2n-quic = { version = "1.43.0", default-features = false, features = [ "provider-tls-rustls", ], optional = true } -s2n-quic-core = { version = "0.42.0", default-features = false, optional = true } -s2n-quic-rustls = { version = "0.42.0", optional = true } +s2n-quic-core = { version = "0.43.0", default-features = false, optional = true } +s2n-quic-rustls = { version = "0.43.0", optional = true } ########## # for UDP socket wit SO_REUSEADDR when h3 with quinn socket2 = { version = "0.5.7", features = ["all"], optional = true } diff --git a/submodules/s2n-quic-h3/Cargo.toml b/submodules/s2n-quic-h3/Cargo.toml index 4a0c725d..b4459244 100644 --- a/submodules/s2n-quic-h3/Cargo.toml +++ b/submodules/s2n-quic-h3/Cargo.toml @@ -15,8 +15,8 @@ futures = { version = "0.3", default-features = false } h3 = { version = "0.0.6", features = ["tracing"] } # s2n-quic = { path = "../s2n-quic" } # s2n-quic-core = { path = "../s2n-quic-core" } -s2n-quic = { version = "1.42.0" } -s2n-quic-core = { version = "0.42.0" } +s2n-quic = { version = "1.43.0" } +s2n-quic-core = { version = "0.43.0" } tracing = { version = "0.1.40", optional = true } [features] From 2dd2d41edd792a202d4fad448d3b6dde9ba1184b Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 24 Jul 2024 00:46:49 +0900 Subject: [PATCH 16/30] deps: rustls --- rpxy-acme/Cargo.toml | 4 ++-- rpxy-bin/Cargo.toml | 4 ++-- rpxy-certs/Cargo.toml | 4 ++-- rpxy-lib/Cargo.toml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 331bbe2b..9775749a 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -21,7 +21,7 @@ aws-lc-rs = { version = "1.8.1", default-features = false, features = [ "aws-lc-sys", ] } blocking = "1.6.1" -rustls = { version = "0.23.11", default-features = false, features = [ +rustls = { version = "0.23.12", default-features = false, features = [ "std", "aws_lc_rs", ] } @@ -29,5 +29,5 @@ rustls-platform-verifier = { version = "0.3.2" } rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } -tokio = { version = "1.38.1", default-features = false } +tokio = { version = "1.39.0", default-features = false } tokio-stream = { version = "0.1.15", default-features = false } diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 14db7b71..3a03f8e5 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -32,7 +32,7 @@ mimalloc = { version = "*", default-features = false } anyhow = "1.0.86" rustc-hash = "2.0.0" serde = { version = "1.0.204", default-features = false, features = ["derive"] } -tokio = { version = "1.38.1", default-features = false, features = [ +tokio = { version = "1.39.0", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -43,7 +43,7 @@ async-trait = "0.1.81" futures-util = { version = "0.3.30", default-features = false } # config -clap = { version = "4.5.9", features = ["std", "cargo", "wrap_help"] } +clap = { version = "4.5.10", features = ["std", "cargo", "wrap_help"] } toml = { version = "0.8.15", default-features = false, features = ["parse"] } hot_reload = "0.1.6" diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index 9f64b7c8..08e1ebf0 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -21,7 +21,7 @@ derive_builder = { version = "0.20.0" } thiserror = { version = "1.0.63" } hot_reload = { version = "0.1.6" } async-trait = { version = "0.1.81" } -rustls = { version = "0.23.11", default-features = false, features = [ +rustls = { version = "0.23.12", default-features = false, features = [ "std", "aws_lc_rs", ] } @@ -33,7 +33,7 @@ rustls-webpki = { version = "0.102.6", default-features = false, features = [ x509-parser = { version = "0.16.0" } [dev-dependencies] -tokio = { version = "1.38.1", default-features = false, features = [ +tokio = { version = "1.39.0", default-features = false, features = [ "rt-multi-thread", "macros", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index f996ab7c..6aeb624a 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -37,7 +37,7 @@ rustc-hash = "2.0.0" bytes = "1.6.1" derive_builder = "0.20.0" futures = { version = "0.3.30", features = ["alloc", "async-await"] } -tokio = { version = "1.38.1", default-features = false, features = [ +tokio = { version = "1.39.0", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -77,7 +77,7 @@ hyper-rustls = { git = "https://github.com/junkurihara/hyper-rustls", branch = " # tls and cert management for server rpxy-certs = { path = "../rpxy-certs/", default-features = false } hot_reload = "0.1.6" -rustls = { version = "0.23.11", default-features = false } +rustls = { version = "0.23.12", default-features = false } tokio-rustls = { version = "0.26.0", features = ["early-data"] } # acme From 52abed973f4ffb8acace2dc57975d98754b003c2 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 24 Jul 2024 01:18:35 +0900 Subject: [PATCH 17/30] 0.9.0-alpha.1 --- CHANGELOG.md | 4 +++- Cargo.toml | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4302a589..30a92542 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ # CHANGELOG -## 0.9.0 (Unreleased) +## 0.10.0 (Unreleased) + +## 0.9.0 ### Important Changes diff --git a/Cargo.toml b/Cargo.toml index 01c02639..e990fdf5 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace.package] -version = "0.9.0" +version = "0.9.0-alpha.1" authors = ["Jun Kurihara"] homepage = "https://github.com/junkurihara/rust-rpxy" repository = "https://github.com/junkurihara/rust-rpxy" From 5037f95b373c19ccacf7c633e4d62e026a86d107 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 24 Jul 2024 01:21:59 +0900 Subject: [PATCH 18/30] deps: revert tokio (yanked!) --- rpxy-acme/Cargo.toml | 2 +- rpxy-bin/Cargo.toml | 2 +- rpxy-certs/Cargo.toml | 2 +- rpxy-lib/Cargo.toml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 9775749a..55a93c2f 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -29,5 +29,5 @@ rustls-platform-verifier = { version = "0.3.2" } rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } -tokio = { version = "1.39.0", default-features = false } +tokio = { version = "1.38.1", default-features = false } tokio-stream = { version = "0.1.15", default-features = false } diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 3a03f8e5..3e16fb93 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -32,7 +32,7 @@ mimalloc = { version = "*", default-features = false } anyhow = "1.0.86" rustc-hash = "2.0.0" serde = { version = "1.0.204", default-features = false, features = ["derive"] } -tokio = { version = "1.39.0", default-features = false, features = [ +tokio = { version = "1.38.1", default-features = false, features = [ "net", "rt-multi-thread", "time", diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index 08e1ebf0..c17a94c8 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -33,7 +33,7 @@ rustls-webpki = { version = "0.102.6", default-features = false, features = [ x509-parser = { version = "0.16.0" } [dev-dependencies] -tokio = { version = "1.39.0", default-features = false, features = [ +tokio = { version = "1.38.1", default-features = false, features = [ "rt-multi-thread", "macros", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 6aeb624a..da03ef19 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -37,7 +37,7 @@ rustc-hash = "2.0.0" bytes = "1.6.1" derive_builder = "0.20.0" futures = { version = "0.3.30", features = ["alloc", "async-await"] } -tokio = { version = "1.39.0", default-features = false, features = [ +tokio = { version = "1.38.1", default-features = false, features = [ "net", "rt-multi-thread", "time", From ac8ba2f293b83e4f1402d87bf67dbc7b4a16b836 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 24 Jul 2024 02:05:06 +0900 Subject: [PATCH 19/30] docs: todo --- TODO.md | 1 - 1 file changed, 1 deletion(-) diff --git a/TODO.md b/TODO.md index b304abd5..16890c91 100644 --- a/TODO.md +++ b/TODO.md @@ -1,6 +1,5 @@ # TODO List -- Support of `rustls-0.22`. - We need more sophistication on `Forwarder` struct to handle `h2c`. - Cache using `lru` crate might be inefficient in terms of the speed. - Consider more sophisticated architecture for cache From 8c77cb465b4da4890c76a907d4ce68432550aab2 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 26 Jul 2024 13:53:43 +0900 Subject: [PATCH 20/30] chore: deps, update readme --- README.md | 19 +++++-------------- docker/README.md | 27 ++++++++++++++++++++++++--- rpxy-acme/Cargo.toml | 2 +- rpxy-bin/Cargo.toml | 6 +++--- rpxy-certs/Cargo.toml | 2 +- rpxy-lib/Cargo.toml | 2 +- 6 files changed, 35 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 0b291491..221d6be0 100644 --- a/README.md +++ b/README.md @@ -238,20 +238,7 @@ Since it is currently a work-in-progress project, we are frequently adding new o ## Using Docker Image -You can also use `docker` image hosted on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy) instead of directly executing the binary. See [`./docker/README.md`](./docker/README.md) for the differences on image tags. - -There are only several docker-specific environment variables. - -- `HOST_USER` (default: `user`): User name executing `rpxy` inside the container. -- `HOST_UID` (default: `900`): `UID` of `HOST_USER`. -- `HOST_GID` (default: `900`): `GID` of `HOST_USER` -- `LOG_LEVEL=debug|info|warn|error`: Log level -- `LOG_TO_FILE=true|false`: Enable logging to the log file `/rpxy/log/rpxy.log` using `logrotate`. You should mount `/rpxy/log` via docker volume option if enabled. The log dir and file will be owned by the `HOST_USER` with `HOST_UID:HOST_GID` on the host machine. Hence, `HOST_USER`, `HOST_UID` and `HOST_GID` should be the same as ones of the user who executes the `rpxy` docker container on the host. -- `WATCH=true|false` (default: `false`): Activate continuous watching of the config file if true. - -Then, all you need is to mount your `config.toml` as `/etc/rpxy.toml` and certificates/private keys as you like through the docker volume option. **If `WATCH=true`, You need to mount a directory, e.g., `./rpxy-config/`, including `rpxy.toml` on `/rpxy/config` instead of a file to correctly track file changes**. This is a docker limitation. Even if `WATCH=false`, you can mount the dir onto `/rpxy/config` rather than `/etc/rpxy.toml`. A file mounted on `/etc/rpxy` is prioritized over a dir mounted on `/rpxy/config`. - -See [`docker/docker-compose.yml`](./docker/docker-compose.yml) for the detailed configuration. Note that the file path of keys and certificates must be ones in your docker container. +You can also use `docker` image hosted on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy) instead of directly executing the binary. See [`./docker`](./docker/README.md) directory for more details. ## Example @@ -407,6 +394,10 @@ However, we found that if you want to use the brand-new UDP-based protocol, HTTP Your docker container can receive only TCP-based connection, i.e., HTTP/2 or before, unless you manually manage the port. We see that this is weird and expect that it is a kind of bug (of docker? ubuntu? or something else?). But at least for Ubuntu 22.04LTS, you need to handle it as above. +### Managing `rpxy` via web interface + +Check a third party project [`Gamerboy59/rpxy-webui`](https://github.com/Gamerboy59/rpxy-webui) to manage `rpxy` via web interface. + ### Other TIPS todo! diff --git a/docker/README.md b/docker/README.md index 74344a76..56411d09 100644 --- a/docker/README.md +++ b/docker/README.md @@ -1,14 +1,33 @@ # Docker Images of `rpxy` -The `rpxy` docker images are hosted both on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy). Differences among tags are summarized as follows. +The `rpxy` docker images are hosted both on [Docker Hub](https://hub.docker.com/r/jqtype/rpxy) and [GitHub Container Registry](https://github.com/junkurihara/rust-rpxy/pkgs/container/rust-rpxy). -## Latest Builds +## Usage + +There are several docker-specific environment variables. + +- `HOST_USER` (default: `user`): User name executing `rpxy` inside the container. +- `HOST_UID` (default: `900`): `UID` of `HOST_USER`. +- `HOST_GID` (default: `900`): `GID` of `HOST_USER` +- `LOG_LEVEL=debug|info|warn|error`: Log level +- `LOG_TO_FILE=true|false`: Enable logging to the log file `/rpxy/log/rpxy.log` using `logrotate`. You should mount `/rpxy/log` via docker volume option if enabled. The log dir and file will be owned by the `HOST_USER` with `HOST_UID:HOST_GID` on the host machine. Hence, `HOST_USER`, `HOST_UID` and `HOST_GID` should be the same as ones of the user who executes the `rpxy` docker container on the host. +- `WATCH=true|false` (default: `false`): Activate continuous watching of the config file if true. + +Then, all you need is to mount your `config.toml` as `/etc/rpxy.toml` and certificates/private keys as you like through the docker volume option. **If `WATCH=true`, You need to mount a directory, e.g., `./rpxy-config/`, including `rpxy.toml` on `/rpxy/config` instead of a file to correctly track file changes**. This is a docker limitation. Even if `WATCH=false`, you can mount the dir onto `/rpxy/config` rather than `/etc/rpxy.toml`. A file mounted on `/etc/rpxy` is prioritized over a dir mounted on `/rpxy/config`. + +See [`docker-compose.yml`](./docker-compose.yml) for the detailed configuration. Note that the file path of keys and certificates must be ones in your docker container. + +## Differences among image tags of Docker Hub and GitHub Container Registry + +Differences among tags are summarized as follows. + +### Latest Builds - `latest`: Built from the `main` branch with default features, running on Ubuntu. - `latest-slim`, `slim`: Built by `musl` from the `main` branch with default features, running on Alpine. - `latest-s2n`, `s2n`: Built from the `main` branch with the `http3-s2n` feature, running on Ubuntu. -## Nightly Builds +### Nightly Builds - `nightly`: Built from the `develop` branch with default features, running on Ubuntu. - `nightly-slim`: Built by `musl` from the `develop` branch with default features, running on Alpine. @@ -17,3 +36,5 @@ The `rpxy` docker images are hosted both on [Docker Hub](https://hub.docker.com/ ## Caveats Due to some compile errors of `s2n-quic` subpackages with `musl`, `nightly-s2n-slim` or `latest-s2n-slim` are not yet provided. + +See [`./docker/README.md`](./docker/README.md) for the differences on image tags. diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index 55a93c2f..d1d318cf 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -29,5 +29,5 @@ rustls-platform-verifier = { version = "0.3.2" } rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } -tokio = { version = "1.38.1", default-features = false } +tokio = { version = "1.39.1", default-features = false } tokio-stream = { version = "0.1.15", default-features = false } diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 3e16fb93..73911d82 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -32,7 +32,7 @@ mimalloc = { version = "*", default-features = false } anyhow = "1.0.86" rustc-hash = "2.0.0" serde = { version = "1.0.204", default-features = false, features = ["derive"] } -tokio = { version = "1.38.1", default-features = false, features = [ +tokio = { version = "1.39.1", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -43,8 +43,8 @@ async-trait = "0.1.81" futures-util = { version = "0.3.30", default-features = false } # config -clap = { version = "4.5.10", features = ["std", "cargo", "wrap_help"] } -toml = { version = "0.8.15", default-features = false, features = ["parse"] } +clap = { version = "4.5.11", features = ["std", "cargo", "wrap_help"] } +toml = { version = "0.8.16", default-features = false, features = ["parse"] } hot_reload = "0.1.6" # logging diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index c17a94c8..d80eb3c3 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -33,7 +33,7 @@ rustls-webpki = { version = "0.102.6", default-features = false, features = [ x509-parser = { version = "0.16.0" } [dev-dependencies] -tokio = { version = "1.38.1", default-features = false, features = [ +tokio = { version = "1.39.1", default-features = false, features = [ "rt-multi-thread", "macros", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index da03ef19..ed296832 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -37,7 +37,7 @@ rustc-hash = "2.0.0" bytes = "1.6.1" derive_builder = "0.20.0" futures = { version = "0.3.30", features = ["alloc", "async-await"] } -tokio = { version = "1.38.1", default-features = false, features = [ +tokio = { version = "1.39.1", default-features = false, features = [ "net", "rt-multi-thread", "time", From 6b3a4d5eaa8cb723a97096d7fec18cdefe83c654 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 26 Jul 2024 18:32:54 +0900 Subject: [PATCH 21/30] fix: fix webpki-roots build feature --- rpxy-lib/Cargo.toml | 2 -- rpxy-lib/src/forwarder/client.rs | 12 ++++++------ 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index ed296832..3386d324 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -13,8 +13,6 @@ publish.workspace = true # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html [features] -# default = ["http3-s2n", "sticky-cookie", "cache", "rustls-backend", "acme"] -# default = ["http3-quinn", "sticky-cookie", "cache", "rustls-backend", "acme"] http3-quinn = ["socket2", "quinn", "h3", "h3-quinn", "rpxy-certs/http3"] http3-s2n = [ "s2n-quic", diff --git a/rpxy-lib/src/forwarder/client.rs b/rpxy-lib/src/forwarder/client.rs index c5bc39ab..bc99b41a 100644 --- a/rpxy-lib/src/forwarder/client.rs +++ b/rpxy-lib/src/forwarder/client.rs @@ -204,18 +204,18 @@ where /// Build forwarder pub async fn try_new(_globals: &Arc) -> RpxyResult { // build hyper client with rustls and webpki, only https is allowed - #[cfg(feature = "rustls-backend-webpki")] + #[cfg(feature = "webpki-roots")] let builder = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots(); - #[cfg(feature = "rustls-backend-webpki")] + #[cfg(feature = "webpki-roots")] let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_webpki_roots(); - #[cfg(feature = "rustls-backend-webpki")] + #[cfg(feature = "webpki-roots")] info!("Mozilla WebPKI root certs with rustls is used for the connection to backend applications"); - #[cfg(not(feature = "rustls-backend-webpki"))] + #[cfg(not(feature = "webpki-roots"))] let builder = hyper_rustls::HttpsConnectorBuilder::new().with_platform_verifier(); - #[cfg(not(feature = "rustls-backend-webpki"))] + #[cfg(not(feature = "webpki-roots"))] let builder_h2 = hyper_rustls::HttpsConnectorBuilder::new().with_platform_verifier(); - #[cfg(not(feature = "rustls-backend-webpki"))] + #[cfg(not(feature = "webpki-roots"))] info!("Platform verifier with rustls is used for the connection to backend applications"); let mut http = HttpConnector::new(); From 0950fdbd152985a59bff9d7e586b58098e2d7981 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 26 Jul 2024 20:58:00 +0900 Subject: [PATCH 22/30] fix: change tokio::sync::Notify to tokio_util::sync::CancellationToken --- rpxy-acme/Cargo.toml | 1 + rpxy-acme/src/manager.rs | 8 ++++---- rpxy-bin/Cargo.toml | 1 + rpxy-bin/src/main.rs | 13 ++++++------- rpxy-lib/Cargo.toml | 1 + rpxy-lib/src/globals.rs | 3 ++- rpxy-lib/src/lib.rs | 7 ++++--- rpxy-lib/src/proxy/proxy_main.rs | 6 +++--- 8 files changed, 22 insertions(+), 18 deletions(-) diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index d1d318cf..e9962256 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -30,4 +30,5 @@ rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, f "aws-lc-rs", ] } tokio = { version = "1.39.1", default-features = false } +tokio-util = { version = "0.7.11", default-features = false } tokio-stream = { version = "0.1.15", default-features = false } diff --git a/rpxy-acme/src/manager.rs b/rpxy-acme/src/manager.rs index e54731c9..92427438 100644 --- a/rpxy-acme/src/manager.rs +++ b/rpxy-acme/src/manager.rs @@ -74,7 +74,7 @@ impl AcmeManager { /// Returns a Vec> as a tasks handles and a map of domain to ServerConfig for challenge. pub fn spawn_manager_tasks( &self, - term_notify: Option>, + cancel_token: Option, ) -> (Vec>, HashMap>) { let rustls_client_config = rustls::ClientConfig::builder() .dangerous() // The `Verifier` we're using is actually safe @@ -96,7 +96,7 @@ impl AcmeManager { let mut state = config.state(); server_configs_for_challenge.insert(domain.to_ascii_lowercase(), state.challenge_rustls_config()); self.runtime_handle.spawn({ - let term_notify = term_notify.clone(); + let cancel_token = cancel_token.clone(); async move { info!("rpxy ACME manager task for {domain} started"); // infinite loop unless the return value is None @@ -112,10 +112,10 @@ impl AcmeManager { } } }; - if let Some(notify) = term_notify.as_ref() { + if let Some(cancel_token) = cancel_token.as_ref() { tokio::select! { _ = task => {}, - _ = notify.notified() => { info!("rpxy ACME manager task for {domain} terminated") } + _ = cancel_token.cancelled() => { info!("rpxy ACME manager task for {domain} terminated") } } } else { task.await; diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index 73911d82..e42212e6 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -39,6 +39,7 @@ tokio = { version = "1.39.1", default-features = false, features = [ "sync", "macros", ] } +tokio-util = { version = "0.7.11", default-features = false } async-trait = "0.1.81" futures-util = { version = "0.3.30", default-features = false } diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index eff2648b..d7f71216 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -127,11 +127,11 @@ async fn rpxy_service_with_watcher( .await .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?; - // Notifier for proxy service termination - let term_notify = std::sync::Arc::new(tokio::sync::Notify::new()); - // Continuous monitoring loop { + // Notifier for proxy service termination + let cancel_token = tokio_util::sync::CancellationToken::new(); + let (cert_service, cert_rx) = cert_service_and_rx .as_ref() .map(|(s, r)| (Some(s), Some(r))) @@ -140,7 +140,7 @@ async fn rpxy_service_with_watcher( #[cfg(feature = "acme")] let (acme_join_handles, server_config_acme_challenge) = acme_manager .as_ref() - .map(|m| m.spawn_manager_tasks(Some(term_notify.clone()))) + .map(|m| m.spawn_manager_tasks(Some(cancel_token.child_token()))) .unwrap_or((vec![], Default::default())); let rpxy_opts = { @@ -150,7 +150,7 @@ async fn rpxy_service_with_watcher( .app_config_list(app_conf.clone()) .cert_rx(cert_rx.cloned()) .runtime_handle(runtime_handle.clone()) - .term_notify(Some(term_notify.clone())) + .cancel_token(Some(cancel_token.child_token())) .server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge)) .build(); @@ -216,8 +216,7 @@ async fn rpxy_service_with_watcher( } info!("Configuration updated. Terminate all spawned services and force to re-bind TCP/UDP sockets"); - term_notify.notify_waiters(); - // tokio::time::sleep(tokio::time::Duration::from_secs(1)).await; + cancel_token.cancel(); } else => break } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 3386d324..452a3226 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -43,6 +43,7 @@ tokio = { version = "1.39.1", default-features = false, features = [ "macros", "fs", ] } +tokio-util = { version = "0.7.11", default-features = false } pin-project-lite = "0.2.14" async-trait = "0.1.81" diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs index 8c5e0937..de1983db 100644 --- a/rpxy-lib/src/globals.rs +++ b/rpxy-lib/src/globals.rs @@ -2,6 +2,7 @@ use crate::{constants::*, count::RequestCount}; use hot_reload::ReloaderReceiver; use rpxy_certs::ServerCryptoBase; use std::{net::SocketAddr, sync::Arc, time::Duration}; +use tokio_util::sync::CancellationToken; /// Global object containing proxy configurations and shared object like counters. /// But note that in Globals, we do not have Mutex and RwLock. It is indeed, the context shared among async tasks. @@ -13,7 +14,7 @@ pub struct Globals { /// Shared context - Async task runtime handler pub runtime_handle: tokio::runtime::Handle, /// Shared context - Notify object to stop async tasks - pub term_notify: Option>, + pub cancel_token: Option, /// Shared context - Certificate reloader service receiver // TODO: newer one pub cert_reloader_rx: Option>, diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs index 9dd78da5..3a6097da 100644 --- a/rpxy-lib/src/lib.rs +++ b/rpxy-lib/src/lib.rs @@ -23,6 +23,7 @@ use futures::future::select_all; use hot_reload::ReloaderReceiver; use rpxy_certs::ServerCryptoBase; use std::sync::Arc; +use tokio_util::sync::CancellationToken; /* ------------------------------------------------ */ pub use crate::globals::{AppConfig, AppConfigList, ProxyConfig, ReverseProxyConfig, TlsConfig, UpstreamUri}; @@ -42,7 +43,7 @@ pub struct RpxyOptions { /// Async task runtime handler pub runtime_handle: tokio::runtime::Handle, /// Notify object to stop async tasks - pub term_notify: Option>, + pub cancel_token: Option, #[cfg(feature = "acme")] /// ServerConfig used for only ACME challenge for ACME domains @@ -56,7 +57,7 @@ pub async fn entrypoint( app_config_list, cert_rx, // TODO: runtime_handle, - term_notify, + cancel_token, #[cfg(feature = "acme")] server_configs_acme_challenge, }: &RpxyOptions, @@ -107,7 +108,7 @@ pub async fn entrypoint( proxy_config: proxy_config.clone(), request_count: Default::default(), runtime_handle: runtime_handle.clone(), - term_notify: term_notify.clone(), + cancel_token: cancel_token.clone(), cert_reloader_rx: cert_rx.clone(), #[cfg(feature = "acme")] diff --git a/rpxy-lib/src/proxy/proxy_main.rs b/rpxy-lib/src/proxy/proxy_main.rs index 3690d35d..9be175d9 100644 --- a/rpxy-lib/src/proxy/proxy_main.rs +++ b/rpxy-lib/src/proxy/proxy_main.rs @@ -312,13 +312,13 @@ where } }; - match &self.globals.term_notify { - Some(term) => { + match &self.globals.cancel_token { + Some(cancel_token) => { select! { _ = proxy_service.fuse() => { warn!("Proxy service got down"); } - _ = term.notified().fuse() => { + _ = cancel_token.cancelled().fuse() => { info!("Proxy service listening on {} receives term signal", self.listening_on); } } From 8d9f07a848c22bd97c6a10b30ed78756fbf3530c Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Fri, 26 Jul 2024 23:25:40 +0900 Subject: [PATCH 23/30] wip: fixing dynamic reloading --- rpxy-bin/src/main.rs | 20 +++++++++-------- rpxy-lib/src/lib.rs | 37 +++++++++++++++++++++++++++----- rpxy-lib/src/proxy/proxy_main.rs | 19 +--------------- 3 files changed, 44 insertions(+), 32 deletions(-) diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index d7f71216..42b783dc 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -44,18 +44,20 @@ fn main() { .unwrap(); tokio::select! { - Err(e) = config_service.start() => { - error!("config reloader service exited: {e}"); - std::process::exit(1); - } - Err(e) = rpxy_service_with_watcher(config_rx, runtime.handle().clone()) => { - error!("rpxy service existed: {e}"); - std::process::exit(1); + config_res = config_service.start() => { + if let Err(e) = config_res { + error!("config reloader service exited: {e}"); + std::process::exit(1); + } } - else => { - std::process::exit(0); + rpxy_res = rpxy_service_with_watcher(config_rx, runtime.handle().clone()) => { + if let Err(e) = rpxy_res { + error!("rpxy service existed: {e}"); + std::process::exit(1); + } } } + std::process::exit(0); } }); } diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs index 3a6097da..fdfb81d3 100644 --- a/rpxy-lib/src/lib.rs +++ b/rpxy-lib/src/lib.rs @@ -19,7 +19,7 @@ use crate::{ message_handler::HttpMessageHandlerBuilder, proxy::Proxy, }; -use futures::future::select_all; +use futures::future::join_all; use hot_reload::ReloaderReceiver; use rpxy_certs::ServerCryptoBase; use std::sync::Arc; @@ -130,8 +130,9 @@ pub async fn entrypoint( let connection_builder = proxy::connection_builder(&globals); // spawn each proxy for a given socket with copied Arc-ed backend, message_handler and connection builder. + let parent_cancel_token = globals.cancel_token.clone().unwrap_or_default(); let addresses = globals.proxy_config.listen_sockets.clone(); - let futures_iter = addresses.into_iter().map(|listening_on| { + let join_handles = addresses.into_iter().map(|listening_on| { let mut tls_enabled = false; if let Some(https_port) = globals.proxy_config.https_port { tls_enabled = https_port == listening_on.port() @@ -143,11 +144,37 @@ pub async fn entrypoint( connection_builder: connection_builder.clone(), message_handler: message_handler.clone(), }; - globals.runtime_handle.spawn(async move { proxy.start().await }) + + let cancel_token = parent_cancel_token.child_token(); + let parent_cancel_token_clone = parent_cancel_token.clone(); + globals.runtime_handle.spawn(async move { + info!("rpxy proxy service for {listening_on} started"); + tokio::select! { + _ = cancel_token.cancelled() => { + info!("rpxy proxy service for {listening_on} terminated"); + Ok(()) + }, + proxy_res = proxy.start() => { + info!("rpxy proxy service for {listening_on} exited"); + // cancel other proxy tasks + parent_cancel_token_clone.cancel(); + proxy_res + } + } + }) }); - if let (Ok(Err(e)), _, _) = select_all(futures_iter).await { - error!("Some proxy services are down: {}", e); + let join_res = join_all(join_handles).await; + let mut errs = join_res.into_iter().filter_map(|res| { + if let Ok(Err(e)) = res { + error!("Some proxy services are down: {}", e); + Some(e) + } else { + None + } + }); + // returns the first error as the representative error + if let Some(e) = errs.next() { return Err(e); } diff --git a/rpxy-lib/src/proxy/proxy_main.rs b/rpxy-lib/src/proxy/proxy_main.rs index 9be175d9..3bb0aeca 100644 --- a/rpxy-lib/src/proxy/proxy_main.rs +++ b/rpxy-lib/src/proxy/proxy_main.rs @@ -312,23 +312,6 @@ where } }; - match &self.globals.cancel_token { - Some(cancel_token) => { - select! { - _ = proxy_service.fuse() => { - warn!("Proxy service got down"); - } - _ = cancel_token.cancelled().fuse() => { - info!("Proxy service listening on {} receives term signal", self.listening_on); - } - } - } - None => { - proxy_service.await?; - warn!("Proxy service got down"); - } - } - - Ok(()) + proxy_service.await } } From 48b33409f9852b65a83b72969825dd1ffe1a4e3d Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 27 Jul 2024 03:32:35 +0900 Subject: [PATCH 24/30] fix: redesigned graceful shutdown for config update --- rpxy-bin/src/constants.rs | 2 +- rpxy-bin/src/main.rs | 393 ++++++++++++++++++++------------------ rpxy-lib/src/globals.rs | 6 +- rpxy-lib/src/lib.rs | 7 +- 4 files changed, 212 insertions(+), 196 deletions(-) diff --git a/rpxy-bin/src/constants.rs b/rpxy-bin/src/constants.rs index 53c8bbce..3173fa92 100644 --- a/rpxy-bin/src/constants.rs +++ b/rpxy-bin/src/constants.rs @@ -1,6 +1,6 @@ pub const LISTEN_ADDRESSES_V4: &[&str] = &["0.0.0.0"]; pub const LISTEN_ADDRESSES_V6: &[&str] = &["[::]"]; -pub const CONFIG_WATCH_DELAY_SECS: u32 = 20; +pub const CONFIG_WATCH_DELAY_SECS: u32 = 2; #[cfg(feature = "cache")] // Cache directory diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index 42b783dc..9acdc2c8 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -16,6 +16,8 @@ use crate::{ }; use hot_reload::{ReloaderReceiver, ReloaderService}; use rpxy_lib::{entrypoint, RpxyOptions, RpxyOptionsBuilder}; +use std::sync::Arc; +use tokio_util::sync::CancellationToken; fn main() { init_logger(); @@ -62,53 +64,203 @@ fn main() { }); } -async fn rpxy_service_without_watcher( - config_file_path: &str, +/// rpxy service definition +struct RpxyService { runtime_handle: tokio::runtime::Handle, -) -> Result<(), anyhow::Error> { - info!("Start rpxy service"); - let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?; - let (proxy_conf, app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; + proxy_conf: rpxy_lib::ProxyConfig, + app_conf: rpxy_lib::AppConfigList, + cert_service: Option>>, + cert_rx: Option>, + #[cfg(feature = "acme")] + acme_manager: Option, +} - let (cert_service, cert_rx) = build_cert_manager(&config_toml) - .await - .map_err(|e| anyhow!("Invalid cert configuration: {e}"))? - .map(|(s, r)| (Some(s), Some(r))) - .unwrap_or((None, None)); +impl RpxyService { + async fn new(config_toml: &ConfigToml, runtime_handle: tokio::runtime::Handle) -> Result { + let (proxy_conf, app_conf) = build_settings(config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; - #[cfg(feature = "acme")] - { - let acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; - let (acme_join_handles, server_config_acme_challenge) = acme_manager - .as_ref() - .map(|m| m.spawn_manager_tasks(None)) - .unwrap_or((vec![], Default::default())); - let rpxy_opts = RpxyOptionsBuilder::default() - .proxy_config(proxy_conf) - .app_config_list(app_conf) - .cert_rx(cert_rx) - .runtime_handle(runtime_handle.clone()) - .server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge)) - .build()?; - rpxy_entrypoint(&rpxy_opts, cert_service.as_ref(), acme_join_handles) //, &runtime_handle) + let (cert_service, cert_rx) = build_cert_manager(config_toml) .await - .map_err(|e| anyhow!(e)) + .map_err(|e| anyhow!("Invalid cert configuration: {e}"))? + .map(|(s, r)| (Some(Arc::new(s)), Some(r))) + .unwrap_or((None, None)); + + Ok(RpxyService { + runtime_handle: runtime_handle.clone(), + proxy_conf, + app_conf, + cert_service, + cert_rx, + #[cfg(feature = "acme")] + acme_manager: build_acme_manager(config_toml, runtime_handle.clone()).await?, + }) } - #[cfg(not(feature = "acme"))] - { - let rpxy_opts = RpxyOptionsBuilder::default() - .proxy_config(proxy_conf.clone()) - .app_config_list(app_conf.clone()) - .cert_rx(cert_rx.clone()) - .runtime_handle(runtime_handle.clone()) - .build()?; - rpxy_entrypoint(&rpxy_opts, cert_service.as_ref()) //, &runtime_handle) - .await - .map_err(|e| anyhow!(e)) + async fn start(&self, cancel_token: Option) -> Result<(), anyhow::Error> { + let RpxyService { + runtime_handle, + proxy_conf, + app_conf, + cert_service: _, + cert_rx, + #[cfg(feature = "acme")] + acme_manager, + } = self; + + #[cfg(feature = "acme")] + { + let (acme_join_handles, server_config_acme_challenge) = acme_manager + .as_ref() + .map(|m| m.spawn_manager_tasks(cancel_token.as_ref().map(|t| t.child_token()))) + .unwrap_or((vec![], Default::default())); + let rpxy_opts = RpxyOptionsBuilder::default() + .proxy_config(proxy_conf.clone()) + .app_config_list(app_conf.clone()) + .cert_rx(cert_rx.clone()) + .runtime_handle(runtime_handle.clone()) + .cancel_token(cancel_token.as_ref().map(|t| t.child_token())) + .server_configs_acme_challenge(Arc::new(server_config_acme_challenge)) + .build()?; + self + .start_inner(rpxy_opts, acme_join_handles) //, &runtime_handle) + .await + .map_err(|e| anyhow!(e)) + } + + #[cfg(not(feature = "acme"))] + { + let rpxy_opts = RpxyOptionsBuilder::default() + .proxy_config(proxy_conf.clone()) + .app_config_list(app_conf.clone()) + .cert_rx(cert_rx.clone()) + .runtime_handle(runtime_handle.clone()) + .cancel_token(cancel_token.as_ref().map(|t| t.child_token())) + .build()?; + self + .start_inner(rpxy_opts) //, &runtime_handle) + .await + .map_err(|e| anyhow!(e)) + } + } + + /// Wrapper of entry point for rpxy service with certificate management service + async fn start_inner( + &self, + rpxy_opts: RpxyOptions, + // cert_service: Option<&Arc>>, + #[cfg(feature = "acme")] acme_task_handles: Vec>, + // runtime_handle: &tokio::runtime::Handle, + ) -> Result<(), anyhow::Error> { + let cancel_token = rpxy_opts.cancel_token.clone().unwrap_or_default(); + let runtime_handle = rpxy_opts.runtime_handle.clone(); + + // spawn rpxy entry point + let cancel_token_clone = cancel_token.clone(); + let child_cancel_token = cancel_token.child_token(); + let rpxy_handle = runtime_handle.spawn(async move { + tokio::select! { + rpxy_res = entrypoint(&rpxy_opts) => { + if let Err(ref e) = rpxy_res { + error!("rpxy entrypoint exited on error: {e}"); + } + cancel_token_clone.cancel(); + rpxy_res.map_err(|e| anyhow!(e)) + } + _ = child_cancel_token.cancelled() => { + debug!("rpxy entrypoint terminated by cancel token"); + Ok(()) + } + } + }); + + if self.cert_service.is_none() { + return rpxy_handle.await?; + } + + // spawn certificate reloader service + let cert_service = self.cert_service.as_ref().unwrap().clone(); + let cancel_token_clone = cancel_token.clone(); + let child_cancel_token = cancel_token.child_token(); + let cert_handle = runtime_handle.spawn(async move { + tokio::select! { + cert_res = cert_service.start() => { + if let Err(ref e) = cert_res { + error!("cert reloader service exited on error: {e}"); + } + cancel_token_clone.cancel(); + cert_res.map_err(|e| anyhow!(e)) + } + _ = child_cancel_token.cancelled() => { + debug!("cert reloader service terminated by cancel token"); + Ok(()) + } + } + }); + + #[cfg(not(feature = "acme"))] + { + let (rpxy_res, cert_res) = tokio::join!(rpxy_handle, cert_handle); + let (rpxy_res, cert_res) = (rpxy_res?, cert_res?); + match (rpxy_res, cert_res) { + (Ok(()), Ok(())) => Ok(()), + (Err(e), _) => Err(e), + (_, Err(e)) => Err(e), + } + } + + #[cfg(feature = "acme")] + { + if acme_task_handles.is_empty() { + let (rpxy_res, cert_res) = tokio::join!(rpxy_handle, cert_handle); + let (rpxy_res, cert_res) = (rpxy_res?, cert_res?); + return match (rpxy_res, cert_res) { + (Ok(()), Ok(())) => Ok(()), + (Err(e), _) => Err(e), + (_, Err(e)) => Err(e), + }; + } + + // spawn acme manager tasks + let select_all = futures_util::future::select_all(acme_task_handles); + let cancel_token_clone = cancel_token.clone(); + let child_cancel_token = cancel_token.child_token(); + let acme_handle = runtime_handle.spawn(async move { + tokio::select! { + (acme_res, _, _) = select_all => { + if let Err(ref e) = acme_res { + error!("acme manager exited on error: {e}"); + } + cancel_token_clone.cancel(); + acme_res.map_err(|e| anyhow!(e)) + } + _ = child_cancel_token.cancelled() => { + debug!("acme manager terminated by cancel token"); + Ok(()) + } + } + }); + let (rpxy_res, cert_res, acme_res) = tokio::join!(rpxy_handle, cert_handle, acme_handle); + let (rpxy_res, cert_res, acme_res) = (rpxy_res?, cert_res?, acme_res?); + match (rpxy_res, cert_res, acme_res) { + (Ok(()), Ok(()), Ok(())) => Ok(()), + (Err(e), _, _) => Err(e), + (_, Err(e), _) => Err(e), + (_, _, Err(e)) => Err(e), + } + } } } +async fn rpxy_service_without_watcher( + config_file_path: &str, + runtime_handle: tokio::runtime::Handle, +) -> Result<(), anyhow::Error> { + info!("Start rpxy service"); + let config_toml = ConfigToml::new(config_file_path).map_err(|e| anyhow!("Invalid toml file: {e}"))?; + let service = RpxyService::new(&config_toml, runtime_handle).await?; + service.start(None).await +} + async fn rpxy_service_with_watcher( mut config_rx: ReloaderReceiver, runtime_handle: tokio::runtime::Handle, @@ -120,176 +272,41 @@ async fn rpxy_service_with_watcher( .borrow() .clone() .ok_or(anyhow!("Something wrong in config reloader receiver"))?; - let (mut proxy_conf, mut app_conf) = build_settings(&config_toml).map_err(|e| anyhow!("Invalid configuration: {e}"))?; - - #[cfg(feature = "acme")] - let mut acme_manager = build_acme_manager(&config_toml, runtime_handle.clone()).await?; - - let mut cert_service_and_rx = build_cert_manager(&config_toml) - .await - .map_err(|e| anyhow!("Invalid cert configuration: {e}"))?; + let mut service = RpxyService::new(&config_toml, runtime_handle.clone()).await?; // Continuous monitoring loop { // Notifier for proxy service termination let cancel_token = tokio_util::sync::CancellationToken::new(); - let (cert_service, cert_rx) = cert_service_and_rx - .as_ref() - .map(|(s, r)| (Some(s), Some(r))) - .unwrap_or((None, None)); - - #[cfg(feature = "acme")] - let (acme_join_handles, server_config_acme_challenge) = acme_manager - .as_ref() - .map(|m| m.spawn_manager_tasks(Some(cancel_token.child_token()))) - .unwrap_or((vec![], Default::default())); - - let rpxy_opts = { - #[cfg(feature = "acme")] - let res = RpxyOptionsBuilder::default() - .proxy_config(proxy_conf.clone()) - .app_config_list(app_conf.clone()) - .cert_rx(cert_rx.cloned()) - .runtime_handle(runtime_handle.clone()) - .cancel_token(Some(cancel_token.child_token())) - .server_configs_acme_challenge(std::sync::Arc::new(server_config_acme_challenge)) - .build(); - - #[cfg(not(feature = "acme"))] - let res = RpxyOptionsBuilder::default() - .proxy_config(proxy_conf.clone()) - .app_config_list(app_conf.clone()) - .cert_rx(cert_rx.cloned()) - .runtime_handle(runtime_handle.clone()) - .term_notify(Some(term_notify.clone())) - .build(); - res - }?; - tokio::select! { - rpxy_res = { - #[cfg(feature = "acme")] - { - rpxy_entrypoint(&rpxy_opts, cert_service, acme_join_handles)//, &runtime_handle) + /* ---------- */ + rpxy_res = service.start(Some(cancel_token.clone())) => { + if let Err(ref e) = rpxy_res { + error!("rpxy service exited on error: {e}"); + } else { + error!("rpxy service exited"); } - #[cfg(not(feature = "acme"))] - { - rpxy_entrypoint(&rpxy_opts, cert_service)//, &runtime_handle) - } - } => { - error!("rpxy entrypoint or cert service exited"); return rpxy_res.map_err(|e| anyhow!(e)); } + /* ---------- */ _ = config_rx.changed() => { - let Some(config_toml) = config_rx.borrow().clone() else { + let Some(new_config_toml) = config_rx.borrow().clone() else { error!("Something wrong in config reloader receiver"); return Err(anyhow!("Something wrong in config reloader receiver")); }; - match build_settings(&config_toml) { - Ok((p, a)) => { - (proxy_conf, app_conf) = (p, a) + match RpxyService::new(&new_config_toml, runtime_handle.clone()).await { + Ok(new_service) => { + info!("Configuration updated."); + service = new_service; }, Err(e) => { - error!("Invalid configuration. Configuration does not updated: {e}"); - continue; + error!("rpxy failed to be ready. Configuration does not updated: {e}"); } }; - match build_cert_manager(&config_toml).await { - Ok(c) => { - cert_service_and_rx = c; - }, - Err(e) => { - error!("Invalid cert configuration. Configuration does not updated: {e}"); - continue; - } - }; - #[cfg(feature = "acme")] - { - match build_acme_manager(&config_toml, runtime_handle.clone()).await { - Ok(m) => { - acme_manager = m; - }, - Err(e) => { - error!("Invalid acme configuration. Configuration does not updated: {e}"); - continue; - } - } - } - - info!("Configuration updated. Terminate all spawned services and force to re-bind TCP/UDP sockets"); + info!("Terminate all spawned services and force to re-bind TCP/UDP sockets"); cancel_token.cancel(); } - else => break - } - } - - Ok(()) -} - -#[cfg(not(feature = "acme"))] -/// Wrapper of entry point for rpxy service with certificate management service -async fn rpxy_entrypoint( - rpxy_opts: &RpxyOptions, - cert_service: Option<&ReloaderService>, - // runtime_handle: &tokio::runtime::Handle, -) -> Result<(), anyhow::Error> { - // TODO: refactor: update routine - if let Some(cert_service) = cert_service { - tokio::select! { - rpxy_res = entrypoint(rpxy_opts) => { - error!("rpxy entrypoint exited"); - rpxy_res.map_err(|e| anyhow!(e)) - } - cert_res = cert_service.start() => { - error!("cert reloader service exited"); - cert_res.map_err(|e| anyhow!(e)) - } - } - } else { - entrypoint(rpxy_opts).await.map_err(|e| anyhow!(e)) - } -} - -#[cfg(feature = "acme")] -/// Wrapper of entry point for rpxy service with certificate management service -async fn rpxy_entrypoint( - rpxy_opts: &RpxyOptions, - cert_service: Option<&ReloaderService>, - acme_task_handles: Vec>, - // runtime_handle: &tokio::runtime::Handle, -) -> Result<(), anyhow::Error> { - // TODO: refactor: update routine - if let Some(cert_service) = cert_service { - if acme_task_handles.is_empty() { - tokio::select! { - rpxy_res = entrypoint(rpxy_opts) => { - error!("rpxy entrypoint exited"); - rpxy_res.map_err(|e| anyhow!(e)) - } - cert_res = cert_service.start() => { - error!("cert reloader service exited"); - cert_res.map_err(|e| anyhow!(e)) - } - } - } else { - let select_all = futures_util::future::select_all(acme_task_handles); - tokio::select! { - rpxy_res = entrypoint(rpxy_opts) => { - error!("rpxy entrypoint exited"); - rpxy_res.map_err(|e| anyhow!(e)) - } - (acme_res, _, _) = select_all => { - error!("acme manager exited"); - acme_res.map_err(|e| anyhow!(e)) - } - cert_res = cert_service.start() => { - error!("cert reloader service exited"); - cert_res.map_err(|e| anyhow!(e)) - } - } } - } else { - entrypoint(rpxy_opts).await.map_err(|e| anyhow!(e)) } } diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs index de1983db..c8b73bf9 100644 --- a/rpxy-lib/src/globals.rs +++ b/rpxy-lib/src/globals.rs @@ -1,7 +1,7 @@ use crate::{constants::*, count::RequestCount}; use hot_reload::ReloaderReceiver; use rpxy_certs::ServerCryptoBase; -use std::{net::SocketAddr, sync::Arc, time::Duration}; +use std::{net::SocketAddr, time::Duration}; use tokio_util::sync::CancellationToken; /// Global object containing proxy configurations and shared object like counters. @@ -14,13 +14,13 @@ pub struct Globals { /// Shared context - Async task runtime handler pub runtime_handle: tokio::runtime::Handle, /// Shared context - Notify object to stop async tasks - pub cancel_token: Option, + pub cancel_token: CancellationToken, /// Shared context - Certificate reloader service receiver // TODO: newer one pub cert_reloader_rx: Option>, #[cfg(feature = "acme")] /// ServerConfig used for only ACME challenge for ACME domains - pub server_configs_acme_challenge: Arc>>, + pub server_configs_acme_challenge: std::sync::Arc>>, } /// Configuration parameters for proxy transport and request handlers diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs index fdfb81d3..43463b2f 100644 --- a/rpxy-lib/src/lib.rs +++ b/rpxy-lib/src/lib.rs @@ -108,7 +108,7 @@ pub async fn entrypoint( proxy_config: proxy_config.clone(), request_count: Default::default(), runtime_handle: runtime_handle.clone(), - cancel_token: cancel_token.clone(), + cancel_token: cancel_token.clone().unwrap_or_default(), cert_reloader_rx: cert_rx.clone(), #[cfg(feature = "acme")] @@ -130,7 +130,6 @@ pub async fn entrypoint( let connection_builder = proxy::connection_builder(&globals); // spawn each proxy for a given socket with copied Arc-ed backend, message_handler and connection builder. - let parent_cancel_token = globals.cancel_token.clone().unwrap_or_default(); let addresses = globals.proxy_config.listen_sockets.clone(); let join_handles = addresses.into_iter().map(|listening_on| { let mut tls_enabled = false; @@ -145,8 +144,8 @@ pub async fn entrypoint( message_handler: message_handler.clone(), }; - let cancel_token = parent_cancel_token.child_token(); - let parent_cancel_token_clone = parent_cancel_token.clone(); + let cancel_token = globals.cancel_token.child_token(); + let parent_cancel_token_clone = globals.cancel_token.clone(); globals.runtime_handle.spawn(async move { info!("rpxy proxy service for {listening_on} started"); tokio::select! { From e48efa010949bb001a76754f641a2955addd8f28 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 27 Jul 2024 03:32:51 +0900 Subject: [PATCH 25/30] fix: typo --- rpxy-bin/src/constants.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpxy-bin/src/constants.rs b/rpxy-bin/src/constants.rs index 3173fa92..53c8bbce 100644 --- a/rpxy-bin/src/constants.rs +++ b/rpxy-bin/src/constants.rs @@ -1,6 +1,6 @@ pub const LISTEN_ADDRESSES_V4: &[&str] = &["0.0.0.0"]; pub const LISTEN_ADDRESSES_V6: &[&str] = &["[::]"]; -pub const CONFIG_WATCH_DELAY_SECS: u32 = 2; +pub const CONFIG_WATCH_DELAY_SECS: u32 = 20; #[cfg(feature = "cache")] // Cache directory From 3b918af40b515b89142d84435c6f8186b16ef04f Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 27 Jul 2024 04:38:25 +0900 Subject: [PATCH 26/30] chore: refactor dynamic reloading --- Cargo.toml | 2 +- rpxy-acme/src/manager.rs | 2 +- rpxy-bin/src/constants.rs | 2 +- rpxy-bin/src/main.rs | 84 ++++++++++++++++----------------------- rpxy-lib/src/globals.rs | 2 +- rpxy-lib/src/lib.rs | 28 +++++++------ 6 files changed, 54 insertions(+), 66 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index e990fdf5..554a677c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace.package] -version = "0.9.0-alpha.1" +version = "0.9.0-alpha.2" authors = ["Jun Kurihara"] homepage = "https://github.com/junkurihara/rust-rpxy" repository = "https://github.com/junkurihara/rust-rpxy" diff --git a/rpxy-acme/src/manager.rs b/rpxy-acme/src/manager.rs index 92427438..fe10c851 100644 --- a/rpxy-acme/src/manager.rs +++ b/rpxy-acme/src/manager.rs @@ -115,7 +115,7 @@ impl AcmeManager { if let Some(cancel_token) = cancel_token.as_ref() { tokio::select! { _ = task => {}, - _ = cancel_token.cancelled() => { info!("rpxy ACME manager task for {domain} terminated") } + _ = cancel_token.cancelled() => { debug!("rpxy ACME manager task for {domain} terminated") } } } else { task.await; diff --git a/rpxy-bin/src/constants.rs b/rpxy-bin/src/constants.rs index 53c8bbce..2f27735a 100644 --- a/rpxy-bin/src/constants.rs +++ b/rpxy-bin/src/constants.rs @@ -1,6 +1,6 @@ pub const LISTEN_ADDRESSES_V4: &[&str] = &["0.0.0.0"]; pub const LISTEN_ADDRESSES_V6: &[&str] = &["[::]"]; -pub const CONFIG_WATCH_DELAY_SECS: u32 = 20; +pub const CONFIG_WATCH_DELAY_SECS: u32 = 15; #[cfg(feature = "cache")] // Cache directory diff --git a/rpxy-bin/src/main.rs b/rpxy-bin/src/main.rs index 9acdc2c8..ce962533 100644 --- a/rpxy-bin/src/main.rs +++ b/rpxy-bin/src/main.rs @@ -121,10 +121,7 @@ impl RpxyService { .cancel_token(cancel_token.as_ref().map(|t| t.child_token())) .server_configs_acme_challenge(Arc::new(server_config_acme_challenge)) .build()?; - self - .start_inner(rpxy_opts, acme_join_handles) //, &runtime_handle) - .await - .map_err(|e| anyhow!(e)) + self.start_inner(rpxy_opts, acme_join_handles).await.map_err(|e| anyhow!(e)) } #[cfg(not(feature = "acme"))] @@ -136,10 +133,7 @@ impl RpxyService { .runtime_handle(runtime_handle.clone()) .cancel_token(cancel_token.as_ref().map(|t| t.child_token())) .build()?; - self - .start_inner(rpxy_opts) //, &runtime_handle) - .await - .map_err(|e| anyhow!(e)) + self.start_inner(rpxy_opts).await.map_err(|e| anyhow!(e)) } } @@ -147,53 +141,49 @@ impl RpxyService { async fn start_inner( &self, rpxy_opts: RpxyOptions, - // cert_service: Option<&Arc>>, #[cfg(feature = "acme")] acme_task_handles: Vec>, - // runtime_handle: &tokio::runtime::Handle, ) -> Result<(), anyhow::Error> { - let cancel_token = rpxy_opts.cancel_token.clone().unwrap_or_default(); + let cancel_token = rpxy_opts.cancel_token.clone(); let runtime_handle = rpxy_opts.runtime_handle.clone(); - // spawn rpxy entry point + // spawn rpxy entrypoint, where cancellation token is possibly contained inside the service let cancel_token_clone = cancel_token.clone(); - let child_cancel_token = cancel_token.child_token(); let rpxy_handle = runtime_handle.spawn(async move { - tokio::select! { - rpxy_res = entrypoint(&rpxy_opts) => { - if let Err(ref e) = rpxy_res { - error!("rpxy entrypoint exited on error: {e}"); - } - cancel_token_clone.cancel(); - rpxy_res.map_err(|e| anyhow!(e)) - } - _ = child_cancel_token.cancelled() => { - debug!("rpxy entrypoint terminated by cancel token"); - Ok(()) + if let Err(e) = entrypoint(&rpxy_opts).await { + error!("rpxy entrypoint exited on error: {e}"); + if let Some(cancel_token) = cancel_token_clone { + cancel_token.cancel(); } + return Err(anyhow!(e)); } + Ok(()) }); if self.cert_service.is_none() { return rpxy_handle.await?; } - // spawn certificate reloader service + // spawn certificate reloader service, where cert service does not have cancellation token inside the service let cert_service = self.cert_service.as_ref().unwrap().clone(); let cancel_token_clone = cancel_token.clone(); - let child_cancel_token = cancel_token.child_token(); + let child_cancel_token = cancel_token.as_ref().map(|c| c.child_token()); let cert_handle = runtime_handle.spawn(async move { - tokio::select! { - cert_res = cert_service.start() => { - if let Err(ref e) = cert_res { - error!("cert reloader service exited on error: {e}"); + if let Some(child_cancel_token) = child_cancel_token { + tokio::select! { + cert_res = cert_service.start() => { + if let Err(ref e) = cert_res { + error!("cert reloader service exited on error: {e}"); + } + cancel_token_clone.unwrap().cancel(); + cert_res.map_err(|e| anyhow!(e)) + } + _ = child_cancel_token.cancelled() => { + debug!("cert reloader service terminated"); + Ok(()) } - cancel_token_clone.cancel(); - cert_res.map_err(|e| anyhow!(e)) - } - _ = child_cancel_token.cancelled() => { - debug!("cert reloader service terminated by cancel token"); - Ok(()) } + } else { + cert_service.start().await.map_err(|e| anyhow!(e)) } }); @@ -220,24 +210,18 @@ impl RpxyService { }; } - // spawn acme manager tasks + // spawn acme manager tasks, where cancellation token is possibly contained inside the service let select_all = futures_util::future::select_all(acme_task_handles); let cancel_token_clone = cancel_token.clone(); - let child_cancel_token = cancel_token.child_token(); let acme_handle = runtime_handle.spawn(async move { - tokio::select! { - (acme_res, _, _) = select_all => { - if let Err(ref e) = acme_res { - error!("acme manager exited on error: {e}"); - } - cancel_token_clone.cancel(); - acme_res.map_err(|e| anyhow!(e)) - } - _ = child_cancel_token.cancelled() => { - debug!("acme manager terminated by cancel token"); - Ok(()) - } + let (acme_res, _, _) = select_all.await; + if let Err(ref e) = acme_res { + error!("acme manager exited on error: {e}"); + } + if let Some(cancel_token) = cancel_token_clone { + cancel_token.cancel(); } + acme_res.map_err(|e| anyhow!(e)) }); let (rpxy_res, cert_res, acme_res) = tokio::join!(rpxy_handle, cert_handle, acme_handle); let (rpxy_res, cert_res, acme_res) = (rpxy_res?, cert_res?, acme_res?); diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs index c8b73bf9..97aadefc 100644 --- a/rpxy-lib/src/globals.rs +++ b/rpxy-lib/src/globals.rs @@ -14,7 +14,7 @@ pub struct Globals { /// Shared context - Async task runtime handler pub runtime_handle: tokio::runtime::Handle, /// Shared context - Notify object to stop async tasks - pub cancel_token: CancellationToken, + pub cancel_token: Option, /// Shared context - Certificate reloader service receiver // TODO: newer one pub cert_reloader_rx: Option>, diff --git a/rpxy-lib/src/lib.rs b/rpxy-lib/src/lib.rs index 43463b2f..f5f6d591 100644 --- a/rpxy-lib/src/lib.rs +++ b/rpxy-lib/src/lib.rs @@ -108,7 +108,7 @@ pub async fn entrypoint( proxy_config: proxy_config.clone(), request_count: Default::default(), runtime_handle: runtime_handle.clone(), - cancel_token: cancel_token.clone().unwrap_or_default(), + cancel_token: cancel_token.clone(), cert_reloader_rx: cert_rx.clone(), #[cfg(feature = "acme")] @@ -144,21 +144,25 @@ pub async fn entrypoint( message_handler: message_handler.clone(), }; - let cancel_token = globals.cancel_token.child_token(); + let cancel_token = globals.cancel_token.as_ref().map(|t| t.child_token()); let parent_cancel_token_clone = globals.cancel_token.clone(); globals.runtime_handle.spawn(async move { info!("rpxy proxy service for {listening_on} started"); - tokio::select! { - _ = cancel_token.cancelled() => { - info!("rpxy proxy service for {listening_on} terminated"); - Ok(()) - }, - proxy_res = proxy.start() => { - info!("rpxy proxy service for {listening_on} exited"); - // cancel other proxy tasks - parent_cancel_token_clone.cancel(); - proxy_res + if let Some(cancel_token) = cancel_token { + tokio::select! { + _ = cancel_token.cancelled() => { + debug!("rpxy proxy service for {listening_on} terminated"); + Ok(()) + }, + proxy_res = proxy.start() => { + info!("rpxy proxy service for {listening_on} exited"); + // cancel other proxy tasks + parent_cancel_token_clone.unwrap().cancel(); + proxy_res + } } + } else { + proxy.start().await } }) }); From b35d1bc602bfcc2880ec33c2d95c43e2b33ed7f6 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 27 Jul 2024 04:43:55 +0900 Subject: [PATCH 27/30] fix docker actions --- .github/workflows/release_docker.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release_docker.yml b/.github/workflows/release_docker.yml index 3615a392..c0182729 100644 --- a/.github/workflows/release_docker.yml +++ b/.github/workflows/release_docker.yml @@ -45,7 +45,7 @@ jobs: - target: "s2n" dockerfile: ./docker/Dockerfile build-args: | - "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,rustls-backend" + "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,rustls-backend,acme" "ADDITIONAL_DEPS=pkg-config libssl-dev cmake libclang1 gcc g++" platforms: linux/amd64,linux/arm64 tags-suffix: "-s2n" @@ -58,7 +58,7 @@ jobs: dockerfile: ./docker/Dockerfile platforms: linux/amd64,linux/arm64 build-args: | - "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots" + "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots,acme" tags-suffix: "-webpki-roots" # Aliases must be used only for release builds aliases: | @@ -68,7 +68,7 @@ jobs: - target: "slim-webpki-roots" dockerfile: ./docker/Dockerfile-slim build-args: | - "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots" + "CARGO_FEATURES=--no-default-features --features=http3-quinn,cache,webpki-roots,acme" build-contexts: | messense/rust-musl-cross:amd64-musl=docker-image://messense/rust-musl-cross:x86_64-musl messense/rust-musl-cross:arm64-musl=docker-image://messense/rust-musl-cross:aarch64-musl @@ -82,7 +82,7 @@ jobs: - target: "s2n-webpki-roots" dockerfile: ./docker/Dockerfile build-args: | - "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,webpki-roots" + "CARGO_FEATURES=--no-default-features --features=http3-s2n,cache,webpki-roots,acme" "ADDITIONAL_DEPS=pkg-config libssl-dev cmake libclang1 gcc g++" platforms: linux/amd64,linux/arm64 tags-suffix: "-s2n-webpki-roots" From 257510c026753da3c980993245f0cf033fa05069 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Sat, 27 Jul 2024 09:10:10 +0900 Subject: [PATCH 28/30] changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 30a92542..dc1bc3aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,10 @@ - Refactor: lots of minor improvements - Deps +### Bugfix + +- Fix the bug that the dynamic config reload does not work properly. + ## 0.8.1 ### Improvement From 3f6bc9c266c8811aa9515ae78c9ee7c4f201db25 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 31 Jul 2024 20:55:49 +0900 Subject: [PATCH 29/30] deps --- rpxy-acme/Cargo.toml | 4 ++-- rpxy-bin/Cargo.toml | 4 ++-- rpxy-certs/Cargo.toml | 2 +- rpxy-lib/Cargo.toml | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rpxy-acme/Cargo.toml b/rpxy-acme/Cargo.toml index e9962256..679c94d8 100644 --- a/rpxy-acme/Cargo.toml +++ b/rpxy-acme/Cargo.toml @@ -25,10 +25,10 @@ rustls = { version = "0.23.12", default-features = false, features = [ "std", "aws_lc_rs", ] } -rustls-platform-verifier = { version = "0.3.2" } +rustls-platform-verifier = { version = "0.3.3" } rustls-acme = { path = "../submodules/rustls-acme/", default-features = false, features = [ "aws-lc-rs", ] } -tokio = { version = "1.39.1", default-features = false } +tokio = { version = "1.39.2", default-features = false } tokio-util = { version = "0.7.11", default-features = false } tokio-stream = { version = "0.1.15", default-features = false } diff --git a/rpxy-bin/Cargo.toml b/rpxy-bin/Cargo.toml index e42212e6..91fe4d68 100644 --- a/rpxy-bin/Cargo.toml +++ b/rpxy-bin/Cargo.toml @@ -32,7 +32,7 @@ mimalloc = { version = "*", default-features = false } anyhow = "1.0.86" rustc-hash = "2.0.0" serde = { version = "1.0.204", default-features = false, features = ["derive"] } -tokio = { version = "1.39.1", default-features = false, features = [ +tokio = { version = "1.39.2", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -45,7 +45,7 @@ futures-util = { version = "0.3.30", default-features = false } # config clap = { version = "4.5.11", features = ["std", "cargo", "wrap_help"] } -toml = { version = "0.8.16", default-features = false, features = ["parse"] } +toml = { version = "0.8.17", default-features = false, features = ["parse"] } hot_reload = "0.1.6" # logging diff --git a/rpxy-certs/Cargo.toml b/rpxy-certs/Cargo.toml index d80eb3c3..072450ef 100644 --- a/rpxy-certs/Cargo.toml +++ b/rpxy-certs/Cargo.toml @@ -33,7 +33,7 @@ rustls-webpki = { version = "0.102.6", default-features = false, features = [ x509-parser = { version = "0.16.0" } [dev-dependencies] -tokio = { version = "1.39.1", default-features = false, features = [ +tokio = { version = "1.39.2", default-features = false, features = [ "rt-multi-thread", "macros", ] } diff --git a/rpxy-lib/Cargo.toml b/rpxy-lib/Cargo.toml index 452a3226..e8fef1ae 100644 --- a/rpxy-lib/Cargo.toml +++ b/rpxy-lib/Cargo.toml @@ -32,10 +32,10 @@ acme = ["dep:rpxy-acme"] [dependencies] rand = "0.8.5" rustc-hash = "2.0.0" -bytes = "1.6.1" +bytes = "1.7.0" derive_builder = "0.20.0" futures = { version = "0.3.30", features = ["alloc", "async-await"] } -tokio = { version = "1.39.1", default-features = false, features = [ +tokio = { version = "1.39.2", default-features = false, features = [ "net", "rt-multi-thread", "time", @@ -103,7 +103,7 @@ socket2 = { version = "0.5.7", features = ["all"], optional = true } # cache http-cache-semantics = { path = "../submodules/rusty-http-cache-semantics", default-features = false, optional = true } -lru = { version = "0.12.3", optional = true } +lru = { version = "0.12.4", optional = true } sha2 = { version = "0.10.8", default-features = false, optional = true } # cookie handling for sticky cookie From 9ca81e96e7b268352da3dda96236e23fbdaad200 Mon Sep 17 00:00:00 2001 From: Jun Kurihara Date: Wed, 31 Jul 2024 20:56:59 +0900 Subject: [PATCH 30/30] 0.9.0 --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index 554a677c..01c02639 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,5 +1,5 @@ [workspace.package] -version = "0.9.0-alpha.2" +version = "0.9.0" authors = ["Jun Kurihara"] homepage = "https://github.com/junkurihara/rust-rpxy" repository = "https://github.com/junkurihara/rust-rpxy"