diff --git a/Cargo.lock b/Cargo.lock
index 5167355..b10b7ec 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -135,7 +135,6 @@ dependencies = [
 "axum",
 "base16ct 1.0.0",
 "base64",
- "ctrlc",
 "dashmap",
 "futures",
 "instant-acme",
@@ -409,15 +408,6 @@ dependencies = [
 "hybrid-array",
 ]
-[[package]]
-name = "block2"
-version = "0.6.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cdeb9d870516001442e364c5220d3574d2da8dc765554b4a617230d33fa58ef5"
-dependencies = [
- "objc2",
-]
-
 [[package]]
 name = "brotli"
 version = "3.5.0"
@@ -730,17 +720,6 @@ dependencies = [
 "hybrid-array",
 ]
-[[package]]
-name = "ctrlc"
-version = "3.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e0b1fab2ae45819af2d0731d60f2afe17227ebb1a1538a236da84c93e9a60162"
-dependencies = [
- "dispatch2",
- "nix 0.31.2",
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "curve25519-dalek"
 version = "4.1.3"
@@ -967,18 +946,6 @@ dependencies = [
 "crypto-common 0.2.1",
 ]
-[[package]]
-name = "dispatch2"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e0e367e4e7da84520dedcac1901e4da967309406d1e51017ae1abfb97adbd38"
-dependencies = [
- "bitflags 2.11.1",
- "block2",
- "libc",
- "objc2",
-]
-
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -2195,18 +2162,6 @@ dependencies = [
 "libc",
 ]
-[[package]]
-name = "nix"
-version = "0.31.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5d6d0705320c1e6ba1d912b5e37cf18071b6c2e9b7fa8215a1e8a7651966f5d3"
-dependencies = [
- "bitflags 2.11.1",
- "cfg-if",
- "cfg_aliases",
- "libc",
-]
-
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -2308,15 +2263,6 @@ dependencies = [
 "libm",
 ]
-[[package]]
-name = "objc2"
-version = "0.6.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3a12a8ed07aefc768292f076dc3ac8c48f3781c8f2d5851dd3d98950e8c5a89f"
-dependencies = [
- "objc2-encode",
-]
-
 [[package]]
 name = "objc2-core-foundation"
 version = "0.3.2"
@@ -2336,12 +2282,6 @@ dependencies = [
 "objc2-core-foundation",
 ]
-[[package]]
-name = "objc2-encode"
-version = "4.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef25abbcd74fb2609453eb695bd2f860d389e457f67dc17cafc8b8cbc89d0c33"
-
 [[package]]
 name = "object"
 version = "0.37.3"
diff --git a/Cargo.toml b/Cargo.toml
index cced22c..a427942 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -39,7 +39,6 @@ x509-parser = "0.18.1"
 rustls-pemfile = "2.2.0"
 tower-http = { version = "0.6.11", features = ["fs"] }
 privdrop = "0.5.6"
-ctrlc = "3.5.2"
 serde_json = "1.0.150"
 subtle = "2.6.1"
 moka = { version = "0.12.15", features = ["sync"] }
diff --git a/README.md b/README.md
index 9333970..3bef067 100644
--- a/README.md
+++ b/README.md
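Review bot: Dropping `ctrlc = "3.5.2"` from `[dependencies]` removes the crate that presumably installed the process's SIGINT/SIGTERM handler, yet no Rust source in this diff stops using it, so the handler must already be gone or replaced by the Pingora server's own signal handling; the commit message should say which, because graceful shutdown after `privdrop` and whatever cleanup that handler did depend on it. On the supply-chain side the same removal prunes `nix`, `dispatch2`, `objc2`, `block2` and `objc2-encode` from Cargo.lock, which is a welcome reduction of the audited surface and worth stating as the motivation.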
@@ -50,31 +50,28 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 ### `main.yaml`
-| Key                              | Example Value            | Description                                                                                        |
-|----------------------------------|--------------------------|----------------------------------------------------------------------------------------------------|
-| **threads**                      | 12                       | Number of running daemon threads. Optional, defaults to 1                                          |
-| **runuser**                      | aralez                   | Optional, Username for running aralez after dropping root privileges, requires to launch as root   |
-| **rungroup**                     | aralez                   | Optional,Group for running aralez after dropping root privileges, requires to launch as root       |
-| **daemon**                       | false                    | Run in background (boolean)                                                                        |
-| **upstream_keepalive_pool_size** | 500                      | Pool size for upstream keepalive connections                                                       |
-| **pid_file**                     | /tmp/aralez.pid          | Path to PID file                                                                                   |
-| **error_log**                    | /tmp/aralez_err.log      | Path to error log file                                                                             |
-| **upgrade_sock**                 | /tmp/aralez.sock         | Path to live upgrade socket file                                                                   |
-| **config_address**               | 0.0.0.0:3000             | HTTP API address for pushing upstreams.yaml from remote location                                   |
-| **proxy_tls_grade**              | (high, medium, unsafe)   | Grade of TLS ciphers, for easy configuration. High matches Qualys SSL Labs A+ (defaults to medium) |
-| **config_tls_key_file**          | etc/key.pem              | Private Key file path. Mandatory if proxy_address_tls is set, else optional                        |
-| **proxy_address_http**           | 0.0.0.0:6193             | Aralez HTTP bind address                                                                           |
-| **proxy_address_tls**            | 0.0.0.0:6194             | Aralez HTTPS bind address (Optional)                                                               |
-| **proxy_configs**                | etc/                     | The top directory of config files                                                                  |
-| **upstreams_conf**               | etc/upstreams.yaml       | The location of upstreams file                                                                     |
-| **log_level**                    | info                     | Log level , possible values : info, warn, error, debug, trace, off                                 |
-| **log_file**                     | /full/path/to/aralez.log | Optional, the location of log file. If thi entry does not exist logs will be emitted to stdout. 
|
-| **hc_method**                    | HEAD                     | Healthcheck method (HEAD, GET, POST are supported) UPPERCASE                                       |
-| **hc_interval**                  | 2                        | Interval for health checks in seconds                                                              |
-| **master_key**                   | Random long string       | Master key for working with API server and JWT Secret generation                                   |
-| **file_server_folder**           | /some/local/folder       | Optional, local folder to serve                                                                    |
-| **file_server_address**          | 127.0.0.1:3002           | Optional, Local address for file server. Can set as upstream for public access                     |
-| **config_api_enabled**           | true                     | Boolean to enable/disable remote config push capability                                            |
+| Key                              | Example Value              | Description                                                                                    |
+|----------------------------------|----------------------------|------------------------------------------------------------------------------------------------|
+| **threads**                      | 12                         | Number of running daemon threads. Optional, defaults to 1                                      |
+| **runuser**                      | aralez                     | Optional. Username for running aralez after dropping root privileges (requires launch as root) |
+| **rungroup**                     | aralez                     | Optional. Group for running aralez after dropping root privileges (requires launch as root)    |
+| **daemon**                       | false                      | Run in background (boolean)                                                                    |
+| **upstream_keepalive_pool_size** | 500                        | Pool size for upstream keepalive connections                                                   |
+| **pid_file**                     | /tmp/aralez.pid            | Path to PID file                                                                               |
+| **error_log**                    | /tmp/aralez_err.log        | Path to error log file                                                                         |
+| **config_address**               | 0.0.0.0:3000               | HTTP API address for pushing upstreams.yaml from remote location                               |
+| **proxy_tls_grade**              | high, medium, unsafe       | Grade of TLS ciphers. 
`high` matches Qualys SSL Labs A+ (defaults to `medium`) |
+| **proxy_address_http**           | 0.0.0.0:6193               | Aralez HTTP bind address                                                                       |
+| **proxy_address_tls**            | 0.0.0.0:6194               | Aralez HTTPS bind address (Optional)                                                           |
+| **proxy_configs**                | /etc/aralez/               | Direcotry containing configuration files, must be writeable by user `aralez`                   |
+| **upstreams_conf**               | /etc/aralez/upstreams.yaml | Location of the upstreams file                                                                 |
+| **log_level**                    | info                       | Log level: `info`, `warn`, `error`, `debug`, `trace`, `off`                                    |
+| **log_file**                     | /full/path/to/aralez.log   | Optional, the location of log file. If thi entry does not exist logs will be emitted to stdout. |
+| **hc_method**                    | HEAD                       | Healthcheck method: HEAD, GET, POST (UPPERCASE)                                                |
+| **hc_interval**                  | 2                          | Interval for health checks in seconds                                                          |
+| **file_server_folder**           | /some/local/folder         | Optional. Local folder to serve                                                                |
+| **file_server_address**          | 127.0.0.1:3002             | Optional. Local address for file server                                                        |
+| **config_api_enabled**           | true                       | Enable/disable remote config push capability                                                   |
 ---
@@ -269,11 +266,20 @@ DEFAULT: To enable TLS for the proxy server.
 - Set `proxy_address_tls` in `main.yaml`
-- Provide at least on `tls_certificate/tls_key_file` pair.
+- Provide at least one `tls_certificate/tls_key_file` pair.
 - First pair is required to create the TLS listener.
 - This pair can be anything, even self-signed with dummy domain.
 - After getting normal certificate it can be deleted
+```shell
+mkdir -p /etc/aralez/certificates
+chown -R aralez:aralez /etc/aralez
+cd /etc/aralez/certificates
+openssl req -x509 -newkey rsa:4096 \
+ -keyout dummy.key -out dummy.crt -sha256 -days 3650 -nodes \
+ -subj "/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN=CommonNameOrHostname"
+```
+
 ---
 ## Remote Config API
diff --git a/src/web/bgservice.rs b/src/web/bgservice.rs
index 290202f..d9fafc7 100644
--- a/src/web/bgservice.rs
+++ b/src/web/bgservice.rs
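Review bot: The new `main.yaml` table drops the `master_key` row, but `src/web/bgservice.rs` in this same diff still reads `self.config.master_key` into the API service struct it spawns, so the secret that gates remote config pushes is now documented nowhere; keep a row such as `| **master_key** | Random long string | Master key for the config API and JWT secret generation; keep it out of world-readable files |`. The `config_tls_key_file` row is gone as well, and the bgservice hunk deletes the commented `tls_address`/`tls_certificate`/`tls_key_file` fields, which suggests the API on `config_address` (example `0.0.0.0:3000`) is plain HTTP; if that is so, the README should tell operators to bind it to a loopback or management address, because the master key then travels in clear text. In the new `proxy_configs` row fix `Direcotry` to `Directory`, and say plainly that making `/etc/aralez` writeable by the service user means a compromised proxy can rewrite its own config and certificates, which is the trade-off the remote push feature implies. The new openssl example writes an unencrypted key (`-nodes`) into that same user-owned directory; adding `chmod 600 dummy.key` after it costs one line.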
@@ -60,19 +60,13 @@ impl BackgroundService for LB {
 masterkey: self.config.master_key.clone(),
 config_api_enabled: self.config.config_api_enabled,
 upstreams_file: self.config.upstreams_conf.clone(),
- // certs_dir: self.config.proxy_certificates.clone().unwrap_or_else(|| "/tmp".to_string()),
 config_dir: confdir.clone(),
 certs_dir: certdir.clone(),
- // tls_address: self.config.config_tls_address.clone(),
- // tls_certificate: self.config.config_tls_certificate.clone(),
- // tls_key_file: self.config.config_tls_key_file.clone(),
 file_server_address: self.config.file_server_address.clone(),
 file_server_folder: self.config.file_server_folder.clone(),
 current_upstreams: self.ump_upst.clone(),
 full_upstreams: self.ump_full.clone(),
 };
- // let crtdir = api_load.certs_dir.clone();
- // let tx_api = tx.clone();
 drop(tokio::spawn(async move { api_load.start(tx_api).await }));
 let uu = self.ump_upst.clone();