Merge pull request #180 from junkurihara/https-redirection

feat: https redirection
junkurihara · Sep 6, 2024 · 725d8c8 · 725d8c8
2 parents 90ac176 + 6f7119c
commit 725d8c8
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 2 deletions.
diff --git a/config-example.toml b/config-example.toml
@@ -10,6 +10,11 @@
 listen_port = 8080
 listen_port_tls = 8443
 
+# Optional. If you listen on a custom port like 8443 but redirect with firewall to 443
+# When you specify this, the server sends a redirection response 301 with specified port to the client for plaintext http request.
+# Otherwise, the server sends 301 with the same port as `listen_port_tls`.
+# https_redirection_port = 443
+
 # Optional for h2 and http1.1
 tcp_listen_backlog = 1024
 

diff --git a/rpxy-bin/src/config/parse.rs b/rpxy-bin/src/config/parse.rs
@@ -59,6 +59,13 @@ pub fn build_settings(config: &ConfigToml) -> std::result::Result<(ProxyConfig,
       "Some apps serves only plaintext HTTP"
     );
   }
+  // https redirection port must be configured only when both http_port and https_port are configured.
+  if proxy_config.https_redirection_port.is_some() {
+    ensure!(
+      proxy_config.https_port.is_some() && proxy_config.http_port.is_some(),
+      "https_redirection_port can be specified only when both http_port and https_port are specified"
+    );
+  }
   // https redirection can be configured if both ports are active
   if !(proxy_config.https_port.is_some() && proxy_config.http_port.is_some()) {
     ensure!(

diff --git a/rpxy-bin/src/config/toml.rs b/rpxy-bin/src/config/toml.rs
@@ -13,6 +13,7 @@ pub struct ConfigToml {
   pub listen_port: Option<u16>,
   pub listen_port_tls: Option<u16>,
   pub listen_ipv6: Option<bool>,
+  pub https_redirection_port: Option<u16>,
   pub tcp_listen_backlog: Option<u32>,
   pub max_concurrent_streams: Option<u32>,
   pub max_clients: Option<u32>,
@@ -107,6 +108,11 @@ impl TryInto<ProxyConfig> for &ConfigToml {
       // listen port and socket
       http_port: self.listen_port,
       https_port: self.listen_port_tls,
+      https_redirection_port: if self.https_redirection_port.is_some() {
+        self.https_redirection_port
+      } else {
+        self.listen_port_tls
+      },
       ..Default::default()
     };
     ensure!(

diff --git a/rpxy-lib/src/globals.rs b/rpxy-lib/src/globals.rs
@@ -30,8 +30,12 @@ pub struct ProxyConfig {
   pub listen_sockets: Vec<SocketAddr>,
   /// http port
   pub http_port: Option<u16>,
-  /// https port
+  /// https port listening for TLS by default
   pub https_port: Option<u16>,
+  /// https redirection port that notifies the client the port to connect to.
+  /// Tis is used when the reverse proxy is behind a middlebox mapping the https port A to the reverse proxy's https port B.
+  /// Typically, it is the container environment. (e.g. the host exposes 443 and the container exposes 8443 for https, then the redirection port is 443)
+  pub https_redirection_port: Option<u16>,
   /// tcp listen backlog
   pub tcp_listen_backlog: u32,
 
@@ -85,6 +89,7 @@ impl Default for ProxyConfig {
       listen_sockets: Vec::new(),
       http_port: None,
       https_port: None,
+      https_redirection_port: None,
       tcp_listen_backlog: TCP_LISTEN_BACKLOG,
 
       // TODO: Reconsider each timeout values

diff --git a/rpxy-lib/src/message_handler/handler_main.rs b/rpxy-lib/src/message_handler/handler_main.rs
@@ -121,7 +121,11 @@ where
         "Redirect to secure connection: {}",
         <&ServerName as TryInto<String>>::try_into(&backend_app.server_name).unwrap_or_default()
       );
-      return secure_redirection_response(&backend_app.server_name, self.globals.proxy_config.https_port, &req);
+      return secure_redirection_response(
+        &backend_app.server_name,
+        self.globals.proxy_config.https_redirection_port,
+        &req,
+      );
     }
 
     // Find reverse proxy for given path and choose one of upstream host