Github/aralez
1
0
Fork 0
mirror of https://github.com/sadoyan/aralez.git synced 2026-04-29 22:38:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Dynamic load of SSL certificates from disk.

Browse Source
This commit is contained in:
Ara Sadoyan
2025-06-19 18:32:44 +02:00
parent 60b7b3aa7a
commit 8d4e434d6a
9 changed files with 205 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/utils/structs.rs
View File

@@ -78,3 +78,9 @@ pub struct AppConfig {
pub local_server: Option<(String, u16)>,
pub proxy_certificates: Option<String>,
}
// #[derive(Debug)]
// pub struct CertificateMove {
// pub cert_tx: Sender<CertificateConfig>,
// pub cert_rx: Receiver<CertificateConfig>,
// }

57
src/utils/tls.rs
View File

@@ -1,9 +1,12 @@
use openssl::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef};
use dashmap::DashMap;
use log::error;
use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef};
use rustls_pemfile::{read_one, Item};
use serde::Deserialize;
use std::collections::HashSet;
use std::fs::File;
use std::io::BufReader;
// use tokio::time::Instant;
use x509_parser::extensions::GeneralName;
use x509_parser::nom::Err as NomErr;
use x509_parser::prelude::*;
@@ -28,43 +31,56 @@ struct CertificateInfo {
#[derive(Debug)]
pub struct Certificates {
configs: Vec<CertificateInfo>,
name_map: DashMap<String, SslContext>,
pub default_cert_path: String,
pub default_key_path: String,
}
impl Certificates {
pub fn new(configs: &Vec<CertificateConfig>) -> Self {
let default_cert = configs.first().expect("atleast one TLS certificate required");
pub fn new(configs: &Vec<CertificateConfig>) -> Option<Self> {
let default_cert = configs.first().expect("At least one TLS certificate required");
let mut cert_infos = Vec::new();
let name_map: DashMap<String, SslContext> = DashMap::new();
for config in configs {
cert_infos.push(
load_cert_info(&config.cert_path, &config.key_path)
.unwrap_or_else(|| panic!("unable to load certificate info | public: {}, private: {}", &config.cert_path, &config.key_path)),
);
let cert_info = load_cert_info(&config.cert_path, &config.key_path);
match cert_info {
Some(cert) => {
for name in &cert.common_names {
name_map.insert(name.clone(), cert.ssl_context.clone());
}
for name in &cert.alt_names {
name_map.insert(name.clone(), cert.ssl_context.clone());
}
cert_infos.push(cert)
}
None => {
error!("Unable to load certificate info | public: {}, private: {}", &config.cert_path, &config.key_path);
return None;
}
}
}
Self {
Some(Self {
name_map: name_map,
configs: cert_infos,
default_cert_path: default_cert.cert_path.clone(),
default_key_path: default_cert.key_path.clone(),
}
})
}
fn find_ssl_context(&self, server_name: &str) -> Option<&SslContext> {
fn find_ssl_context(&self, server_name: &str) -> Option<SslContext> {
if let Some(ctx) = self.name_map.get(server_name) {
return Some(ctx.clone());
}
for config in &self.configs {
// Exact name match
if config.common_names.contains(&server_name.to_string()) || config.alt_names.contains(&server_name.to_string()) {
return Some(&config.ssl_context);
}
// Wildcard match
for name in &config.common_names {
if name.starts_with("*.") && server_name.ends_with(&name[1..]) {
return Some(&config.ssl_context);
return Some(config.ssl_context.clone());
}
}
for name in &config.alt_names {
if name.starts_with("*.") && server_name.ends_with(&name[1..]) {
return Some(&config.ssl_context);
return Some(config.ssl_context.clone());
}
}
}
@@ -74,16 +90,18 @@ impl Certificates {
pub fn server_name_callback(&self, ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert) -> Result<(), SniError> {
let server_name = ssl_ref.servername(NameType::HOST_NAME);
log::debug!("TLS connect: server_name = {:?}, ssl_ref = {:?}, ssl_alert = {:?}", server_name, ssl_ref, ssl_alert);
// let start_time = Instant::now();
if let Some(name) = server_name {
match self.find_ssl_context(name) {
Some(ctx) => {
ssl_ref.set_ssl_context(ctx).map_err(|_| SniError::ALERT_FATAL)?;
ssl_ref.set_ssl_context(&*ctx).map_err(|_| SniError::ALERT_FATAL)?;
}
None => {
log::debug!("No matching server name found");
}
}
}
// println!("Context ==> {:?} <==", start_time.elapsed());
Ok(())
}
}
@@ -160,7 +178,6 @@ fn load_cert_info(cert_path: &str, key_path: &str) -> Option<CertificateInfo> {
fn create_ssl_context(cert_path: &str, key_path: &str) -> Result<SslContext, Box<dyn std::error::Error>> {
let mut ctx = SslContext::builder(SslMethod::tls())?;
ctx.set_certificate_chain_file(cert_path)?;
ctx.set_private_key_file(key_path, SslFiletype::PEM)?;
ctx.set_alpn_select_callback(prefer_h2);

36
src/utils/tools.rs
View File

@@ -1,12 +1,17 @@
use crate::utils::structs::{UpstreamsDashMap, UpstreamsIdMap};
use crate::utils::tls;
use crate::utils::tls::CertificateConfig;
use dashmap::DashMap;
use log::{error, info};
use notify::{event::ModifyKind, Config, EventKind, RecommendedWatcher, RecursiveMode, Watcher};
use sha2::{Digest, Sha256};
use std::any::type_name;
use std::collections::{HashMap, HashSet};
use std::fmt::Write;
use std::fs;
use std::sync::atomic::AtomicUsize;
use std::sync::mpsc::{channel, Sender};
use std::time::{Duration, Instant};
#[allow(dead_code)]
pub fn print_upstreams(upstreams: &UpstreamsDashMap) {
@@ -162,7 +167,7 @@ pub fn listdir(dir: String) -> Vec<tls::CertificateConfig> {
inner.push(name.clone() + ".crt");
inner.push(name.clone() + ".key");
f.insert(domain[domain.len() - 1].to_owned(), inner);
let y = tls::CertificateConfig {
let y = CertificateConfig {
cert_path: name.clone() + ".crt",
key_path: name.clone() + ".key",
};
@@ -170,7 +175,7 @@ pub fn listdir(dir: String) -> Vec<tls::CertificateConfig> {
}
}
for (_, v) in f.iter() {
let y = tls::CertificateConfig {
let y = CertificateConfig {
cert_path: v[0].clone(),
key_path: v[1].clone(),
};
@@ -178,3 +183,30 @@ pub fn listdir(dir: String) -> Vec<tls::CertificateConfig> {
}
certificate_configs
}
pub fn watch_folder(path: String, sender: Sender<Vec<CertificateConfig>>) -> notify::Result<()> {
let (tx, rx) = channel();
let mut watcher = RecommendedWatcher::new(tx, Config::default())?;
watcher.watch(path.as_ref(), RecursiveMode::Recursive)?;
info!("Watching for certificates in : {}", path);
let certificate_configs = listdir(path.clone());
sender.send(certificate_configs)?;
let mut start = Instant::now();
loop {
match rx.recv_timeout(Duration::from_secs(1)) {
Ok(Ok(event)) => match &event.kind {
EventKind::Modify(ModifyKind::Data(_)) | EventKind::Create(_) | EventKind::Remove(_) => {
if start.elapsed() > Duration::from_secs(1) {
start = Instant::now();
let certificate_configs = listdir(path.clone());
sender.send(certificate_configs)?;
info!("Certificate changed: {:?}, {:?}", event.kind, event.paths);
}
}
_ => {}
},
Ok(Err(e)) => error!("Watch error: {:?}", e),
Err(_) => {}
}
}
}

2
src/web/bgservice.rs
View File

@@ -30,6 +30,8 @@ impl BackgroundService for LB {
let _ = tokio::spawn(async move { file_load.start(tx_file).await });
let _ = tokio::spawn(async move { consul_load.start(tx_consul).await });
// let _ = tokio::spawn(tls::watch_certs(self.config.proxy_certificates.clone().unwrap(), self.cert_tx.clone()));
// let _ = tokio::spawn(tls::watch_certs(self.config.proxy_certificates.clone().unwrap(), self.cert_tx.clone())).await;
let api_load = APIUpstreamProvider {
address: self.config.config_address.clone(),

1
src/web/proxyhttp.rs
View File

@@ -15,6 +15,7 @@ use pingora_proxy::{ProxyHttp, Session};
use std::sync::Arc;
use tokio::time::Instant;
#[derive(Clone)]
pub struct LB {
pub ump_upst: Arc<UpstreamsDashMap>,
pub ump_full: Arc<UpstreamsDashMap>,

79
src/web/start.rs
View File

@@ -1,17 +1,19 @@
// use rustls::crypto::ring::default_provider;
use crate::utils::structs::Extraparams;
use crate::utils::tls;
use crate::utils::tools::listdir;
use crate::utils::tls::CertificateConfig;
use crate::utils::tools::*;
use crate::web::proxyhttp::LB;
use arc_swap::ArcSwap;
use dashmap::DashMap;
use log::info;
use openssl::ssl::{SslAlert, SslRef};
use pingora::tls::ssl::{SslAlert, SslRef};
use pingora_core::listeners::tls::TlsSettings;
use pingora_core::prelude::{background_service, Opt};
use pingora_core::server::Server;
use std::env;
use std::sync::mpsc::{channel, Receiver, Sender};
use std::sync::Arc;
use std::{env, thread};
pub fn run() {
// default_provider().install_default().expect("Failed to install rustls crypto provider");
@@ -42,14 +44,15 @@ pub fn run() {
headers: hh_config.clone(),
extraparams: ec_config.clone(),
};
let bg = LB {
ump_upst: uf_config.clone(),
ump_full: ff_config.clone(),
ump_byid: im_config.clone(),
config: cfg.clone(),
headers: hh_config.clone(),
extraparams: ec_config.clone(),
};
// let bg = LB {
// ump_upst: uf_config.clone(),
// ump_full: ff_config.clone(),
// ump_byid: im_config.clone(),
// config: cfg.clone(),
// headers: hh_config.clone(),
// extraparams: ec_config.clone(),
// config_rx: Arc::from(Mutex::new(rx)),
// };
// env_logger::Env::new();
// env_logger::init();
@@ -69,35 +72,49 @@ pub fn run() {
}
}
}
env_logger::builder()
// .format_timestamp(None)
// .format_module_path(false)
// .format_source_path(false)
// .format_target(false)
.init();
env_logger::builder().init();
let bg_srvc = background_service("bgsrvc", bg);
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb);
let bg_srvc = background_service("bgsrvc", lb.clone());
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
let bind_address_http = cfg.proxy_address_http.clone();
let bind_address_tls = cfg.proxy_address_tls.clone();
// let foo = crate::utils::tls::build_ssl_context_builder();
match bind_address_tls {
Some(bind_address_tls) => {
info!("Running TLS listener on :{}", bind_address_tls);
// let cert_path = cfg.tls_certificate.clone().unwrap();
// let key_path = cfg.tls_key_file.clone().unwrap();
// let mut tls_settings = tls::TlsSettings::intermediate(&cert_path, &key_path).unwrap();
// tls_settings.enable_h2();
// proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
let (tx, rx): (Sender<Vec<CertificateConfig>>, Receiver<Vec<CertificateConfig>>) = channel();
let certs_path = cfg.proxy_certificates.clone().unwrap();
thread::spawn(move || {
watch_folder(certs_path, tx).unwrap();
});
let certificate_configs = rx.recv().unwrap();
let first_set = tls::Certificates::new(&certificate_configs).unwrap_or_else(|| panic!("Unable to load initial certificate info"));
let certificates = Arc::new(ArcSwap::from_pointee(first_set));
let certs_for_callback = certificates.clone();
let certificate_configs = listdir(cfg.proxy_certificates.clone().unwrap());
let certificates = tls::Certificates::new(&certificate_configs);
let mut tls_settings = TlsSettings::intermediate(&certificates.default_cert_path, &certificates.default_key_path).expect("unable to load or parse cert/key");
tls_settings.enable_h2();
tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certificates.server_name_callback(ssl_ref, ssl_alert));
let certs_for_watcher = certificates.clone();
let new_certs = tls::Certificates::new(&certificate_configs);
certs_for_watcher.store(Arc::new(new_certs.unwrap()));
let mut tls_settings =
TlsSettings::intermediate(&certs_for_callback.load().default_cert_path, &certs_for_callback.load().default_key_path).expect("unable to load or parse cert/key");
tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certs_for_callback.load().server_name_callback(ssl_ref, ssl_alert));
tls_settings.set_alpn_select_callback(tls::prefer_h2);
proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
let certs_for_watcher = certificates.clone();
thread::spawn(move || {
while let Ok(new_configs) = rx.recv() {
let new_certs = tls::Certificates::new(&new_configs);
match new_certs {
Some(new_certs) => {
certs_for_watcher.store(Arc::new(new_certs));
info!("Reload TLS certificates from {}", cfg.proxy_certificates.clone().unwrap())
}
None => {}
};
}
});
}
None => {}
}