-
Notifications
You must be signed in to change notification settings - Fork 305
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
pd: 🔐 extract auto-https into a standalone crate
fixes #3119. see also, #1886. this pulls the auto-https code (see #3627, #3652) into a standalone library crate.
- Loading branch information
Showing
8 changed files
with
124 additions
and
94 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,88 +0,0 @@ | ||
//! Automatic HTTPS certificate management facilities. | ||
//! | ||
//! See [`axum_acceptor`] for more information. | ||
use { | ||
anyhow::Error, | ||
futures::Future, | ||
rustls::ServerConfig, | ||
rustls_acme::{axum::AxumAcceptor, caches::DirCache, AcmeConfig, AcmeState}, | ||
std::{fmt::Debug, path::PathBuf, sync::Arc}, | ||
}; | ||
|
||
/// Protocols supported by this server, in order of preference. | ||
/// | ||
/// See [rfc7301] for more info on ALPN. | ||
/// | ||
/// [rfc7301]: https://datatracker.ietf.org/doc/html/rfc7301 | ||
// | ||
// We also permit HTTP1.1 for backwards-compatibility, specifically for grpc-web. | ||
const ALPN_PROTOCOLS: [&[u8]; 2] = [b"h2", b"http/1.1"]; | ||
|
||
/// The location of the file-based certificate cache. | ||
// NB: this must not be an absolute path see [Path::join]. | ||
const CACHE_DIR: &str = "tokio_rustls_acme_cache"; | ||
|
||
/// Use ACME to resolve certificates and handle new connections. | ||
/// | ||
/// This returns a tuple containing an [`AxumAcceptor`] that may be used with [`axum_server`], and | ||
/// a [`Future`] that represents the background task to poll and log for changes in the | ||
/// certificate environment. | ||
pub fn axum_acceptor( | ||
home: PathBuf, | ||
domain: String, | ||
production_api: bool, | ||
) -> (AxumAcceptor, impl Future<Output = Result<(), Error>>) { | ||
// Use a file-based cache located within the home directory. | ||
let cache = home.join(CACHE_DIR); | ||
let cache = DirCache::new(cache); | ||
|
||
// Create an ACME client, which we will use to resolve certificates. | ||
let state = AcmeConfig::new(vec![domain]) | ||
.cache(cache) | ||
.directory_lets_encrypt(production_api) | ||
.state(); | ||
|
||
// Define our server configuration, using the ACME certificate resolver. | ||
let mut rustls_config = ServerConfig::builder() | ||
.with_safe_defaults() | ||
.with_no_client_auth() | ||
.with_cert_resolver(state.resolver()); | ||
rustls_config.alpn_protocols = self::alpn_protocols(); | ||
let rustls_config = Arc::new(rustls_config); | ||
|
||
// Return our connection acceptor and our background worker task. | ||
let acceptor = state.axum_acceptor(rustls_config.clone()); | ||
let worker = self::acme_worker(state); | ||
(acceptor, worker) | ||
} | ||
|
||
/// This function defines the task responsible for handling ACME events. | ||
/// | ||
/// This function will never return, unless an error is encountered. | ||
#[tracing::instrument(level = "error", skip_all)] | ||
async fn acme_worker<EC, EA>(mut state: AcmeState<EC, EA>) -> Result<(), anyhow::Error> | ||
where | ||
EC: Debug + 'static, | ||
EA: Debug + 'static, | ||
{ | ||
use futures::StreamExt; | ||
loop { | ||
match state.next().await { | ||
Some(Ok(ok)) => tracing::debug!("received acme event: {:?}", ok), | ||
Some(Err(err)) => tracing::error!("acme error: {:?}", err), | ||
None => { | ||
debug_assert!(false, "acme worker unexpectedly reached end-of-stream"); | ||
tracing::error!("acme worker unexpectedly reached end-of-stream"); | ||
anyhow::bail!("unexpected end-of-stream"); | ||
} | ||
} | ||
} | ||
} | ||
|
||
/// Returns a vector of the protocols supported by this server. | ||
/// | ||
/// This is a convenience method to retrieve an owned copy of [`ALPN_PROTOCOLS`]. | ||
fn alpn_protocols() -> Vec<Vec<u8>> { | ||
ALPN_PROTOCOLS.into_iter().map(<[u8]>::to_vec).collect() | ||
} | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
[package] | ||
name = "penumbra-auto-https" | ||
version = "0.65.0-alpha.1" | ||
authors = ["Penumbra Labs <team@penumbra.zone>"] | ||
edition = "2021" | ||
description = "Automatic HTTPS management for Penumbra" | ||
repository = "https://github.com/penumbra-zone/penumbra/" | ||
homepage = "https://penumbra.zone" | ||
license = "MIT OR Apache-2.0" | ||
publish = false | ||
|
||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html | ||
|
||
[dependencies] | ||
anyhow = "1" | ||
futures = "0.3" | ||
rustls = "0.20.9" | ||
axum-server = { version = "0.4.7", features = [] } | ||
rustls-acme = { version = "0.6.0", features = ["axum"] } | ||
tracing = "0.1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
//! Automatic HTTPS certificate management facilities. | ||
//! | ||
//! See [`axum_acceptor`] for more information. | ||
use { | ||
anyhow::Error, | ||
futures::Future, | ||
rustls::ServerConfig, | ||
rustls_acme::{axum::AxumAcceptor, caches::DirCache, AcmeConfig, AcmeState}, | ||
std::{fmt::Debug, path::PathBuf, sync::Arc}, | ||
}; | ||
|
||
/// Protocols supported by this server, in order of preference. | ||
/// | ||
/// See [rfc7301] for more info on ALPN. | ||
/// | ||
/// [rfc7301]: https://datatracker.ietf.org/doc/html/rfc7301 | ||
// | ||
// We also permit HTTP1.1 for backwards-compatibility, specifically for grpc-web. | ||
const ALPN_PROTOCOLS: [&[u8]; 2] = [b"h2", b"http/1.1"]; | ||
|
||
/// The location of the file-based certificate cache. | ||
// NB: this must not be an absolute path see [Path::join]. | ||
const CACHE_DIR: &str = "tokio_rustls_acme_cache"; | ||
|
||
/// Use ACME to resolve certificates and handle new connections. | ||
/// | ||
/// This returns a tuple containing an [`AxumAcceptor`] that may be used with [`axum_server`], and | ||
/// a [`Future`] that represents the background task to poll and log for changes in the | ||
/// certificate environment. | ||
pub fn axum_acceptor( | ||
home: PathBuf, | ||
domain: String, | ||
production_api: bool, | ||
) -> (AxumAcceptor, impl Future<Output = Result<(), Error>>) { | ||
// Use a file-based cache located within the home directory. | ||
let cache = home.join(CACHE_DIR); | ||
let cache = DirCache::new(cache); | ||
|
||
// Create an ACME client, which we will use to resolve certificates. | ||
let state = AcmeConfig::new(vec![domain]) | ||
.cache(cache) | ||
.directory_lets_encrypt(production_api) | ||
.state(); | ||
|
||
// Define our server configuration, using the ACME certificate resolver. | ||
let mut rustls_config = ServerConfig::builder() | ||
.with_safe_defaults() | ||
.with_no_client_auth() | ||
.with_cert_resolver(state.resolver()); | ||
rustls_config.alpn_protocols = self::alpn_protocols(); | ||
let rustls_config = Arc::new(rustls_config); | ||
|
||
// Return our connection acceptor and our background worker task. | ||
let acceptor = state.axum_acceptor(rustls_config.clone()); | ||
let worker = self::acme_worker(state); | ||
(acceptor, worker) | ||
} | ||
|
||
/// This function defines the task responsible for handling ACME events. | ||
/// | ||
/// This function will never return, unless an error is encountered. | ||
#[tracing::instrument(level = "error", skip_all)] | ||
async fn acme_worker<EC, EA>(mut state: AcmeState<EC, EA>) -> Result<(), anyhow::Error> | ||
where | ||
EC: Debug + 'static, | ||
EA: Debug + 'static, | ||
{ | ||
use futures::StreamExt; | ||
loop { | ||
match state.next().await { | ||
Some(Ok(ok)) => tracing::debug!("received acme event: {:?}", ok), | ||
Some(Err(err)) => tracing::error!("acme error: {:?}", err), | ||
None => { | ||
debug_assert!(false, "acme worker unexpectedly reached end-of-stream"); | ||
tracing::error!("acme worker unexpectedly reached end-of-stream"); | ||
anyhow::bail!("unexpected end-of-stream"); | ||
} | ||
} | ||
} | ||
} | ||
|
||
/// Returns a vector of the protocols supported by this server. | ||
/// | ||
/// This is a convenience method to retrieve an owned copy of [`ALPN_PROTOCOLS`]. | ||
fn alpn_protocols() -> Vec<Vec<u8>> { | ||
ALPN_PROTOCOLS.into_iter().map(<[u8]>::to_vec).collect() | ||
} |