Commit

feat: add initial acme support (ugly!)
junkurihara committed Jul 17, 2024
1 parent d6136f9 commit 7b0ca08
Showing 11 changed files with 277 additions and 89 deletions.
9 changes: 9 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,15 @@

## 0.9.0 (Unreleased)

### Important Changes

- Breaking: Experimental ACME support is added. Check the new configuration options and README.md for ACME support. Note that it is still under development and may have some issues.

### Improvement

- Refactor: lots of minor improvements
- Deps

## 0.8.1

### Improvement
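Review bot: The "Breaking:" label on the ACME entry does not match its text, which describes an additive, opt-in experimental feature; either state what existing configurations must change (a renamed or moved key, a changed default) or drop the label so users do not look for a migration step that does not exist.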
34 changes: 31 additions & 3 deletions README.md
@@ -1,4 +1,4 @@
# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in pure Rust
# rpxy: A simple and ultrafast reverse-proxy serving multiple domain names with TLS termination, written in Rust

[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
![Unit Test](https://github.com/junkurihara/rust-rpxy/actions/workflows/ci.yml/badge.svg)
Expand All @@ -10,9 +10,11 @@
## Introduction

`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in pure Rust. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections.
`rpxy` [ahr-pik-see] is an implementation of simple and lightweight reverse-proxy with some additional features. The implementation is based on [`hyper`](https://github.com/hyperium/hyper), [`rustls`](https://github.com/rustls/rustls) and [`tokio`](https://github.com/tokio-rs/tokio), i.e., written in Rust^[^pure_rust]. Our `rpxy` routes multiple host names to appropriate backend application servers while serving TLS connections.

As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib]
[^pure_rust]: Doubtfully can be claimed to be written in pure Rust since current `rpxy` is based on `aws-lc-rs` for cryptographic operations.

As default, `rpxy` provides the *TLS connection sanitization* by correctly binding a certificate used to establish a secure channel with the backend application. Specifically, it always keeps the consistency between the given SNI (server name indication) in `ClientHello` of the underlying TLS and the domain name given by the overlaid HTTP HOST header (or URL in Request line) [^1]. Additionally, as a somewhat unstable feature, our `rpxy` can handle the brand-new HTTP/3 connection thanks to [`quinn`](https://github.com/quinn-rs/quinn), [`s2n-quic`](https://github.com/aws/s2n-quic) and [`hyperium/h3`](https://github.com/hyperium/h3).[^h3lib] Furthermore, `rpxy` supports the automatic issuance and renewal of certificates via [TLS-ALPN-01 (RFC8737)](https://www.rfc-editor.org/rfc/rfc8737) of [ACME protocol (RFC8555)](https://www.rfc-editor.org/rfc/rfc8555) thanks to [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme).

[^h3lib]: HTTP/3 libraries are mutually exclusive. You need to explicitly specify `s2n-quic` with `--no-default-features` flag. Also note that if you build `rpxy` with `s2n-quic`, then it requires `openssl` just for building the package.

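Review bot: The footnote reference in the Introduction paragraph is written as `Rust^[^pure_rust]`; the leading `^` is not part of Markdown footnote syntax and will render literally, so it should read `Rust[^pure_rust]`, matching the `[^1]` and `[^h3lib]` references in the same paragraph.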
Expand Down Expand Up @@ -298,6 +300,32 @@ max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is alway

A *storable* (in the context of an HTTP message) response is stored if its size is less than or equal to `max_cache_each_size` in bytes. If it is also less than or equal to `max_cache_each_size_on_memory`, it is stored as an on-memory object. Otherwise, it is stored as a temporary file. Note that `max_cache_each_size` must be larger or equal to `max_cache_each_size_on_memory`. Also note that once `rpxy` restarts or the config is updated, the cache is totally eliminated not only from the on-memory table but also from the file system.

### Automated Certificate Issuance and Renewal via TLS-ALPN-01 ACME protocol

This is a brand-new feature and maybe still unstable. Thanks to the [`rustls-acme`](https://github.com/FlorianUekermann/rustls-acme), the automatic issuance and renewal of certificates are finally available in `rpxy`. To enable this feature, you need to specify the following entries in `config.toml`.

```toml
# ACME enabled domain name.
# ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol.
# Note that acme option must be specified in the experimental section.
[apps.localhost_with_acme]
server_name = 'example.org'
reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
tls = { https_redirection = true, acme = true } # do not specify tls_cert_path and/or tls_cert_key_path
```

For the ACME enabled domain, the following settings are referred to acquire a certificate.

```toml
# Global ACME settings. Unless specified, ACME is disabled.
[experimental.acme]
dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
email = "[email protected]"
registry_path = "./acme_registry" # optional. default is "./acme_registry" relative to the current working directory
```

The above configuration is common to all ACME enabled domains. Note that the https port must be open to the public to verify the domain ownership.

## TIPS

### Using Private Key Issued by Let's Encrypt
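Review bot: "the https port must be open to the public" is too loose for TLS-ALPN-01: RFC 8737 has the ACME server open its validation connection to TCP port 443 of the domain, so validation fails if `rpxy` serves HTTPS on any other port, public or not; say port 443 explicitly. Two smaller points in the same section: the `dir_url` example value `https://localhost:14000/dir` is a local test CA endpoint and should be labelled as such next to the Let's Encrypt default, so it is not copied into a production config, and the comment "do not specify tls_cert_path and/or tls_cert_key_path" should say what happens when they are set together with `acme = true` (rejected at config load or silently ignored).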
14 changes: 14 additions & 0 deletions config-example.toml
Expand Up @@ -89,6 +89,14 @@ server_name = 'localhost.localdomain'
reverse_proxy = [{ upstream = [{ location = 'www.google.com', tls = true }] }]
######################################################################

######################################################################
# ACME enabled example. ACME will be used to get a certificate for the server_name with ACME tls-alpn-01 protocol.
# Note that acme option must be specified in the experimental section.
[apps.localhost_with_acme]
server_name = 'kubernetes.docker.internal'
reverse_proxy = [{ upstream = [{ location = 'example.com', tls = true }] }]
tls = { https_redirection = true, acme = true }

###################################
# Experimantal settings #
###################################
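Review bot: `server_name = 'kubernetes.docker.internal'` in the ACME example is a name no public CA can validate, so anyone who enables this block unchanged gets a failed challenge; use a placeholder public hostname (the README example uses `example.org`) or add a comment that it must be replaced with a publicly resolvable name pointing at this host. Also, the unchanged comment block just below has a typo: "Experimantal settings" should be "Experimental settings".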
Expand Down Expand Up @@ -119,3 +127,9 @@ cache_dir = './cache' # optional. default is "./cache" relative t
max_cache_entry = 1000 # optional. default is 1k
max_cache_each_size = 65535 # optional. default is 64k
max_cache_each_size_on_memory = 4096 # optional. default is 4k if 0, it is always file cache.

# ACME settings. Unless specified, ACME is disabled.
[experimental.acme]
dir_url = "https://localhost:14000/dir" # optional. default is "https://acme-v02.api.letsencrypt.org/directory"
email = "[email protected]"
registry_path = "./acme_registry" # optional. default is "./acme_registry" relative to the current working directory
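Review bot: `registry_path` deserves a comment about what it holds: the `rustls-acme` directory cache keeps the ACME account key and the issued certificates with their private keys there, so the directory needs restrictive permissions and should persist across restarts; otherwise each restart registers a new account and re-issues certificates, which runs into CA rate limits.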
4 changes: 4 additions & 0 deletions rpxy-acme/src/lib.rs
Expand Up @@ -12,3 +12,7 @@ pub use constants::{ACME_DIR_URL, ACME_REGISTRY_PATH};
pub use dir_cache::DirCache;
pub use error::RpxyAcmeError;
pub use manager::AcmeManager;

pub mod reexports {
pub use rustls_acme::is_tls_alpn_challenge;
}
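Review bot: The new `reexports` module has no doc comment; a `///` line stating that `is_tls_alpn_challenge` is re-exported so callers can detect the TLS-ALPN-01 challenge `ClientHello` without a direct `rustls_acme` dependency would document the intended use.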
40 changes: 27 additions & 13 deletions rpxy-acme/src/manager.rs
Expand Up @@ -72,9 +72,10 @@ impl AcmeManager {

/// Start ACME manager to manage certificates for each domain.
/// Returns a Vec<JoinHandle<()>> as a tasks handles and a map of domain to ServerConfig for challenge.
pub fn spawn_manager_tasks(&self) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
info!("rpxy ACME manager started");

pub fn spawn_manager_tasks(
&self,
term_notify: Option<Arc<tokio::sync::Notify>>,
) -> (Vec<tokio::task::JoinHandle<()>>, HashMap<String, Arc<ServerConfig>>) {
let rustls_client_config = rustls::ClientConfig::builder()
.dangerous() // The `Verifier` we're using is actually safe
.with_custom_certificate_verifier(Arc::new(rustls_platform_verifier::Verifier::new()))
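Review bot: The doc comment on `spawn_manager_tasks` still describes only the return value; the new `term_notify: Option<Arc<tokio::sync::Notify>>` parameter should be documented, in particular that `None` means the tasks run until the runtime shuts down. Separately, the `.dangerous()` comment "The `Verifier` we're using is actually safe" says nothing about why; "validates the ACME directory endpoint against the OS trust store via `rustls_platform_verifier`" would be clearer and also tells operators that a directory URL like the `https://localhost:14000/dir` example in config-example.toml is rejected unless that test CA is installed in the OS store.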
Expand All @@ -94,17 +95,30 @@ impl AcmeManager {
.client_tls_config(rustls_client_config.clone());
let mut state = config.state();
server_configs_for_challenge.insert(domain.to_ascii_lowercase(), state.challenge_rustls_config());
self.runtime_handle.spawn(async move {
info!("rpxy ACME manager task for {domain} started");
// infinite loop unless the return value is None
loop {
let Some(res) = state.next().await else {
error!("rpxy ACME manager task for {domain} exited");
break;
self.runtime_handle.spawn({
let term_notify = term_notify.clone();
async move {
info!("rpxy ACME manager task for {domain} started");
// infinite loop unless the return value is None
let task = async {
loop {
let Some(res) = state.next().await else {
error!("rpxy ACME manager task for {domain} exited");
break;
};
match res {
Ok(ok) => info!("rpxy ACME event: {ok:?}"),
Err(err) => error!("rpxy ACME error: {err:?}"),
}
}
};
match res {
Ok(ok) => info!("rpxy ACME event: {ok:?}"),
Err(err) => error!("rpxy ACME error: {err:?}"),
if let Some(notify) = term_notify.as_ref() {
tokio::select! {
_ = task => {},
_ = notify.notified() => { info!("rpxy ACME manager task for {domain} terminated") }
}
} else {
task.await;
}
}
})
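Review bot: All per-domain tasks share one `term_notify`, and `tokio::sync::Notify` does not broadcast: `notify_one()` wakes a single waiter (or stores a single permit), so only one domain's task would observe termination; the sender must use `notify_waiters()`, which wakes every task currently parked in `notified()` but stores no permit for a task that has not yet reached the `tokio::select!`. Either document that requirement at the call site or create the `Notified` future before the first `state.next().await` so an early `notify_waiters()` is not lost.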
