
Add support for Caddy-style Automatic HTTPS to pd #1406

Closed
Tracked by #1886
hdevalence opened this issue Sep 12, 2022 · 3 comments

Comments

@hdevalence
Member

hdevalence commented Sep 12, 2022

Is your feature request related to a problem? Please describe.

Following #1405, we have a way for pd to serve TLS connections with HTTPS, using user-managed certificates. This is good to get started, and is useful for deployment environments that have some tooling for certificate management (e.g., cloud infrastructure with cert tooling), but doesn't help much for individual or development deployments.

Describe the solution you'd like

pd should have support for Caddy-style Automatic HTTPS, and it should always use HTTPS for all RPC endpoints, in the same way Caddy does: self-signed certs for localhost, and Let's Encrypt for public DNS names.

To support ACME, we can use a library like https://crates.io/crates/rustls-acme

Additional context

We'll also want to have TLS support for pviewd, but that could be done separately, because there's a different trust and threat model -- pviewd has secret data, so the transport security story should include authentication.

@zbuc zbuc added this to Testnets Oct 21, 2022
@zbuc zbuc moved this to Future in Testnets Oct 21, 2022
@hdevalence
Member Author

Rough notes on how we could combine rustls-acme with tonic:

rustls-acme is an easy-to-use, async compatible ACME client library for rustls. The validation mechanism used is tls-alpn-01, which allows serving acme challenge responses and regular TLS traffic on the same port.

https://docs.rs/rustls-acme/0.5.1/rustls_acme/#high-level-api

The result is a Stream of incoming TLS connections. The tonic API's Server::builder() can configure hardcoded TLS certificates, but after add_service it turns into a Router, with a serve method (which we use). Using view-source on docs.rs, we see that serve internally wraps serve_with_incoming. Perhaps we can combine rustls-acme with serve_with_incoming?
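The two decisions the thread leaves implicit, namely which names get a self-signed certificate versus an ACME one (the Caddy-style split from the first comment) and how one listener tells an ACME tls-alpn-01 validation handshake apart from ordinary RPC traffic on the same port, as an added example. This is editor-written, std-only Rust, not code from pd, rustls-acme, tonic or Caddy. `classify_host` uses a simplified version of Caddy's rules (the reserved suffix list and the "all IP literals are internal" choice are assumptions), and `route_handshake` models the ClientHello-level decision that a rustls ALPN/SNI hook or rustls-acme's incoming stream would make; the `pending` challenge list is hypothetical state the ACME client would own. The actual wiring into `serve_with_incoming` is not shown.

```rust
use std::net::IpAddr;

/// How a listener obtains the certificate for a configured host name:
/// self-signed for localhost and other internal names, ACME (Let's Encrypt)
/// for public DNS names. Hypothetical type, not part of pd.
#[derive(Debug, PartialEq, Eq)]
pub enum CertPolicy {
    SelfSigned,
    Acme,
    Unusable,
}

/// Classify a host name. Simplified from Caddy's behaviour (assumed here,
/// not copied from Caddy or certmagic).
pub fn classify_host(host: &str) -> CertPolicy {
    let host = host.trim().trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() || host.len() > 253 {
        return CertPolicy::Unusable;
    }
    // IP literals (optionally bracketed IPv6): public CAs do not issue for
    // them in practice, so they always get a locally generated certificate.
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    if let Ok(ip) = bare.parse::<IpAddr>() {
        return if ip.is_unspecified() { CertPolicy::Unusable } else { CertPolicy::SelfSigned };
    }
    // Wildcards can only be validated with dns-01; tls-alpn-01 (what
    // rustls-acme uses) cannot, so refuse rather than silently downgrade.
    if host.contains('*') {
        return CertPolicy::Unusable;
    }
    // Each label must be LDH: 1..=63 chars, alnum or '-', no edge '-'.
    let labels: Vec<&str> = host.split('.').collect();
    let label_ok = |l: &str| {
        !l.is_empty()
            && l.len() <= 63
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
            && !l.starts_with('-')
            && !l.ends_with('-')
    };
    if !labels.iter().all(|l| label_ok(l)) {
        return CertPolicy::Unusable;
    }
    // Internal names: localhost, single-label hosts, reserved suffixes
    // (assumed list, not Caddy's exact one).
    if host == "localhost" || labels.len() == 1 {
        return CertPolicy::SelfSigned;
    }
    const INTERNAL_SUFFIXES: [&str; 4] = [".localhost", ".local", ".internal", ".home.arpa"];
    if INTERNAL_SUFFIXES.iter().any(|s| host.ends_with(s)) {
        return CertPolicy::SelfSigned;
    }
    CertPolicy::Acme
}

/// ALPN protocol id for the ACME tls-alpn-01 challenge (RFC 8737).
pub const ACME_TLS_ALPN: &[u8] = b"acme-tls/1";

/// Where a freshly accepted handshake goes on a port that carries both ACME
/// challenge responses and regular RPC traffic.
#[derive(Debug, PartialEq, Eq)]
pub enum Route {
    /// Answer with the short-lived challenge certificate for this name.
    AcmeChallenge(String),
    /// Normal service connection with the negotiated protocol.
    Service(&'static str),
    /// Abort the handshake (rustls would send no_application_protocol).
    Reject(&'static str),
}

/// Decide from the ClientHello's SNI and offered ALPN list. `pending` is the
/// set of names with an outstanding tls-alpn-01 challenge (hypothetical
/// state the ACME client would maintain).
pub fn route_handshake(sni: Option<&str>, offered: &[&[u8]], pending: &[&str]) -> Route {
    if offered.iter().any(|p| *p == ACME_TLS_ALPN) {
        // RFC 8737: the validator sends SNI = the name being validated and
        // ALPN = acme-tls/1. Never answer with the real certificate here,
        // and never answer a challenge we did not start.
        return match sni.map(str::to_ascii_lowercase) {
            Some(name) if pending.iter().any(|p| p.eq_ignore_ascii_case(&name)) => {
                Route::AcmeChallenge(name)
            }
            _ => Route::Reject("acme-tls/1 offered for a name with no pending challenge"),
        };
    }
    if offered.is_empty() {
        // No ALPN extension at all: hand it to the service, which is assumed
        // to speak HTTP/2 with prior knowledge as gRPC clients do.
        return Route::Service("h2");
    }
    // Server preference: gRPC requires h2; http/1.1 only for plain HTTP probes.
    for want in ["h2", "http/1.1"] {
        if offered.iter().any(|p| *p == want.as_bytes()) {
            return Route::Service(want);
        }
    }
    Route::Reject("no ALPN protocol in common")
}

fn main() {
    // Constructed sample inputs; pd.example.com is a placeholder name.
    for h in ["localhost", "127.0.0.1", "[::1]", "pd.example.com", "*.example.com", "node.local"] {
        println!("{:>16} -> {:?}", h, classify_host(h));
    }
    let pending = ["pd.example.com"];
    let validator: [&[u8]; 1] = [b"acme-tls/1"];
    println!("{:?}", route_handshake(Some("pd.example.com"), &validator, &pending));
    let grpc: [&[u8]; 2] = [b"h2", b"http/1.1"];
    println!("{:?}", route_handshake(Some("pd.example.com"), &grpc, &pending));
}
```

The check that matters for security is the SNI match in `route_handshake`: a peer that offers `acme-tls/1` must only ever receive the throwaway challenge certificate for a name the client actually requested, never the service certificate or a challenge answer for an arbitrary name, otherwise a shared port lets anyone probe which names are mid-validation.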

@conorsch
Contributor

conorsch commented Feb 3, 2023

Removing from testnet milestone, in favor of #1886, which is the parent epic. Will continue to pull subtickets from that epic.

@hdevalence
Member Author

Closed by #1406
