Github/aralez
1
0
Fork 0
mirror of https://github.com/sadoyan/aralez.git synced 2026-04-30 23:08:40 +08:00
Code Issues Packages Projects Releases Wiki Activity

TLS grades change

Browse Source
This commit is contained in:
Ara Sadoyan
2025-08-05 19:08:58 +02:00
parent f654312466
commit f8118f9596
4 changed files with 42 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -79,7 +79,7 @@ Built on Rust, on top of **Cloudflares Pingora engine**, **Aralez** delivers
| **config_address** | 0.0.0.0:3000 | HTTP API address for pushing upstreams.yaml from remote location | | **config_address** | 0.0.0.0:3000 | HTTP API address for pushing upstreams.yaml from remote location |
| **config_tls_address** | 0.0.0.0:3001 | HTTPS API address for pushing upstreams.yaml from remote location | | **config_tls_address** | 0.0.0.0:3001 | HTTPS API address for pushing upstreams.yaml from remote location |
| **config_tls_certificate** | etc/server.crt | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional | | **config_tls_certificate** | etc/server.crt | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional |
| **proxy_tls_grade** | (a+, a, b, c, unsafe) | Grade of TLS ciphers, matching grades of Qualys SSL Labs (Optional defaults to b) | | **proxy_tls_grade** | (high, medium, unsafe) | Grade of TLS ciphers, matching grades of Qualys SSL Labs (Optional defaults to b) |
| **config_tls_key_file** | etc/key.pem | Private Key file path. Mandatory if proxy_address_tls is set, else optional | | **config_tls_key_file** | etc/key.pem | Private Key file path. Mandatory if proxy_address_tls is set, else optional |
| **proxy_address_http** | 0.0.0.0:6193 | Aralez HTTP bind address | | **proxy_address_http** | 0.0.0.0:6193 | Aralez HTTP bind address |
| **proxy_address_tls** | 0.0.0.0:6194 | Aralez HTTPS bind address (Optional) | | **proxy_address_tls** | 0.0.0.0:6194 | Aralez HTTPS bind address (Optional) |

26
src/utils/parceyaml.rs
View File

@@ -167,29 +167,21 @@ pub fn parce_main_config(path: &str) -> AppConfig {
fn parce_tls_grades(what: Option<String>) -> Option<String> { fn parce_tls_grades(what: Option<String>) -> Option<String> {
match what { match what {
Some(g) => match g.to_ascii_lowercase().as_str() { Some(g) => match g.to_ascii_lowercase().as_str() {
"a+" => { "high" => {
info!("TLS grade set to: [ A+ ]"); // info!("TLS grade set to: [ HIGH ]");
Some("a+".to_string()) Some("high".to_string())
} }
"a" => { "medium" => {
info!("TLS grade set to: [ A ]"); // info!("TLS grade set to: [ MEDIUM ]");
Some("a".to_string()) Some("medium".to_string())
}
"b" => {
info!("TLS grade set to: [ B ]");
Some("b".to_string())
}
"c" => {
info!("TLS grade set to: [ C ]");
Some("c".to_string())
} }
"unsafe" => { "unsafe" => {
info!("TLS grade set to: [ UNSAFE ]"); // info!("TLS grade set to: [ UNSAFE ]");
Some("unsafe".to_string()) Some("unsafe".to_string())
} }
_ => { _ => {
warn!("Error parsing TLS grade, defaulting to: `B`"); warn!("Error parsing TLS grade, defaulting to: `medium`");
Some("b".to_string()) Some("medium".to_string())
} }
}, },
None => { None => {

86
src/utils/tls.rs
View File

@@ -1,6 +1,6 @@
use dashmap::DashMap; use dashmap::DashMap;
use log::{error, info, warn}; use log::{error, info, warn};
use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslOptions, SslRef, SslVersion}; use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef, SslVersion};
use pingora_core::listeners::tls::TlsSettings; use pingora_core::listeners::tls::TlsSettings;
use rustls_pemfile::{read_one, Item}; use rustls_pemfile::{read_one, Item};
use serde::Deserialize; use serde::Deserialize;
@@ -187,45 +187,31 @@ fn create_ssl_context(cert_path: &str, key_path: &str) -> Result<SslContext, Box
#[derive(Debug)] #[derive(Debug)]
pub struct CipherSuite { pub struct CipherSuite {
pub ap: &'static str, pub high: &'static str,
pub aa: &'static str, pub medium: &'static str,
pub bb: &'static str, pub legacy: &'static str,
pub cc: &'static str,
pub ff: &'static str,
} }
const CIPHERS: CipherSuite = CipherSuite { const CIPHERS: CipherSuite = CipherSuite {
ap: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305", high: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
aa: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256", // aa: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256",
bb: "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-GCM-SHA256", medium: "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-GCM-SHA256",
cc: "AES128-SHA:DES-CBC3-SHA", // cc: "AES128-SHA:DES-CBC3-SHA",
ff: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", legacy: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",
}; };
// const CIPHERS: CipherSuite = CipherSuite {
// ap: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
// aa: "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256",
// bb: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
// cc: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256",
// ff: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",
// };
#[derive(Debug)] #[derive(Debug)]
pub enum TlsGrade { pub enum TlsGrade {
AP, HIGH,
AA, MEDIUM,
BB, LEGACY,
CC,
UN,
} }
impl TlsGrade { impl TlsGrade {
pub fn from_str(s: &str) -> Option<Self> { pub fn from_str(s: &str) -> Option<Self> {
match s.to_ascii_lowercase().as_str() { match s.to_ascii_lowercase().as_str() {
"a+" => Some(TlsGrade::AP), "high" => Some(TlsGrade::HIGH),
"a" => Some(TlsGrade::AA), "medium" => Some(TlsGrade::MEDIUM),
"b" => Some(TlsGrade::BB), "unsafe" => Some(TlsGrade::LEGACY),
"c" => Some(TlsGrade::CC),
"unsafe" => Some(TlsGrade::UN),
_ => None, _ => None,
} }
} }
@@ -240,43 +226,31 @@ pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], A
pub fn set_tsl_grade(tls_settings: &mut TlsSettings, grade: &str) { pub fn set_tsl_grade(tls_settings: &mut TlsSettings, grade: &str) {
let config_grade = TlsGrade::from_str(grade); let config_grade = TlsGrade::from_str(grade);
match config_grade { match config_grade {
Some(TlsGrade::AP) => { Some(TlsGrade::HIGH) => {
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1_2)); let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1_2));
// let _ = tls_settings.set_max_proto_version(Some(SslVersion::TLS1_3)); // let _ = tls_settings.set_max_proto_version(Some(SslVersion::TLS1_3));
let _ = tls_settings.set_cipher_list(CIPHERS.ap); let _ = tls_settings.set_cipher_list(CIPHERS.high);
let _ = tls_settings.set_ciphersuites(CIPHERS.ap); let _ = tls_settings.set_ciphersuites(CIPHERS.high);
info!("TLS grade: {:?}, => AP", tls_settings.options()); info!("TLS grade: {:?}, => HIGH", tls_settings.options());
} }
Some(TlsGrade::AA) => { Some(TlsGrade::MEDIUM) => {
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1_1));
let _ = tls_settings.set_cipher_list(CIPHERS.aa);
let _ = tls_settings.set_ciphersuites(CIPHERS.aa);
info!("TLS grade: {:?}, => AA", tls_settings.options());
}
Some(TlsGrade::BB) => {
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1)); let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
let _ = tls_settings.set_cipher_list(CIPHERS.bb); let _ = tls_settings.set_cipher_list(CIPHERS.medium);
let _ = tls_settings.set_ciphersuites(CIPHERS.bb); let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
info!("TLS grade: {:?}, => BB", tls_settings.options()); info!("TLS grade: {:?}, => MEDIUM", tls_settings.options());
} }
Some(TlsGrade::CC) => { Some(TlsGrade::LEGACY) => {
let _ = tls_settings.set_min_proto_version(Some(SslVersion::SSL3)); let _ = tls_settings.set_min_proto_version(Some(SslVersion::SSL3));
let _ = tls_settings.set_cipher_list(CIPHERS.cc); let _ = tls_settings.set_cipher_list(CIPHERS.legacy);
let _ = tls_settings.set_ciphersuites(CIPHERS.cc); let _ = tls_settings.set_ciphersuites(CIPHERS.legacy);
info!("TLS grade: {:?}, => CC", tls_settings.options());
}
Some(TlsGrade::UN) => {
let _ = tls_settings.set_min_proto_version(Some(SslVersion::SSL3));
let _ = tls_settings.set_cipher_list(CIPHERS.ff);
let _ = tls_settings.set_ciphersuites(CIPHERS.ff);
warn!("TLS grade: {:?}, => UNSAFE", tls_settings.options()); warn!("TLS grade: {:?}, => UNSAFE", tls_settings.options());
} }
None => { None => {
// Defaults to BB // Defaults to MEDIUM
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1)); let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
let _ = tls_settings.set_cipher_list(CIPHERS.bb); let _ = tls_settings.set_cipher_list(CIPHERS.medium);
let _ = tls_settings.set_ciphersuites(CIPHERS.bb); let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
warn!("TLS grade is not detected defaulting top BB"); warn!("TLS grade is not detected defaulting top MEDIUM");
} }
} }
} }

4
src/web/start.rs
View File

@@ -64,8 +64,8 @@ pub fn run() {
} }
env_logger::builder().init(); env_logger::builder().init();
*/ */
let grade = cfg.proxy_tls_grade.clone().unwrap_or("b".to_string()); let grade = cfg.proxy_tls_grade.clone().unwrap_or("medium".to_string());
info!("TLS grade set to: {}", grade); info!("TLS grade set to: [ {} ]", grade);
let bg_srvc = background_service("bgsrvc", lb.clone()); let bg_srvc = background_service("bgsrvc", lb.clone());
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone()); let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());