mirror of
https://github.com/sadoyan/aralez.git
synced 2026-04-30 14:58:38 +08:00
Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
f8118f9596 | ||
|
|
f654312466 | ||
|
|
b44f7069a0 | ||
|
|
a44979ec82 |
@@ -79,6 +79,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
|
|||||||
| **config_address** | 0.0.0.0:3000 | HTTP API address for pushing upstreams.yaml from remote location |
|
| **config_address** | 0.0.0.0:3000 | HTTP API address for pushing upstreams.yaml from remote location |
|
||||||
| **config_tls_address** | 0.0.0.0:3001 | HTTPS API address for pushing upstreams.yaml from remote location |
|
| **config_tls_address** | 0.0.0.0:3001 | HTTPS API address for pushing upstreams.yaml from remote location |
|
||||||
| **config_tls_certificate** | etc/server.crt | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional |
|
| **config_tls_certificate** | etc/server.crt | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional |
|
||||||
|
| **proxy_tls_grade** | (high, medium, unsafe) | Grade of TLS ciphers, matching grades of Qualys SSL Labs (Optional defaults to b) |
|
||||||
| **config_tls_key_file** | etc/key.pem | Private Key file path. Mandatory if proxy_address_tls is set, else optional |
|
| **config_tls_key_file** | etc/key.pem | Private Key file path. Mandatory if proxy_address_tls is set, else optional |
|
||||||
| **proxy_address_http** | 0.0.0.0:6193 | Aralez HTTP bind address |
|
| **proxy_address_http** | 0.0.0.0:6193 | Aralez HTTP bind address |
|
||||||
| **proxy_address_tls** | 0.0.0.0:6194 | Aralez HTTPS bind address (Optional) |
|
| **proxy_address_tls** | 0.0.0.0:6194 | Aralez HTTPS bind address (Optional) |
|
||||||
|
|||||||
@@ -10,12 +10,13 @@ upgrade_sock: /tmp/aralez.sock # Path to socket file
|
|||||||
config_api_enabled: true # Boolean to enable/disable remote config push capability.
|
config_api_enabled: true # Boolean to enable/disable remote config push capability.
|
||||||
config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
|
config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
|
||||||
config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
|
config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
|
||||||
config_tls_certificate: /opt/Rust/Projects/asyncweb/etc/server.crt # Mandatory if config_tls_address is set
|
config_tls_certificate: /etc/server.crt # Mandatory if config_tls_address is set
|
||||||
config_tls_key_file: /opt/Rust/Projects/asyncweb/etc/key.pem # Mandatory if config_tls_address is set
|
config_tls_key_file: /etc/key.pem # Mandatory if config_tls_address is set
|
||||||
proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
|
proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
|
||||||
proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
|
proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
|
||||||
proxy_certificates: /opt/Rust/Projects/asyncweb/etc/yoyo # Mandatory if proxy_address_tls set, should contain certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
|
proxy_certificates: /etc/yoyo # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
|
||||||
upstreams_conf: /opt/Rust/Projects/asyncweb/etc/upstreams.yaml # the location of upstreams file
|
proxy_tls_grade: a+ # Grade of TLS suite for proxy (a+, a, b, c, unsafe), matching grades of Qualys SSL Labs
|
||||||
|
upstreams_conf: /etc/upstreams.yaml # the location of upstreams file
|
||||||
file_server_folder: /opt/storage # Optional, local folder to serve
|
file_server_folder: /opt/storage # Optional, local folder to serve
|
||||||
file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
|
file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
|
||||||
log_level: info # info, warn, error, debug, trace, off
|
log_level: info # info, warn, error, debug, trace, off
|
||||||
|
|||||||
@@ -61,27 +61,3 @@ pub fn calc_metrics(metric_types: &MetricTypes) {
|
|||||||
REQUESTS_BY_METHOD.with_label_values(&[&metric_types.method]).inc();
|
REQUESTS_BY_METHOD.with_label_values(&[&metric_types.method]).inc();
|
||||||
RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
|
RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
|
||||||
}
|
}
|
||||||
/*
|
|
||||||
pub fn calc_metrics(method: String, code: u16, latency: Duration) {
|
|
||||||
REQUEST_COUNT.inc();
|
|
||||||
let timer = REQUEST_LATENCY.start_timer();
|
|
||||||
timer.observe_duration();
|
|
||||||
RESPONSE_CODES.with_label_values(&[&code.to_string()]).inc();
|
|
||||||
REQUESTS_BY_METHOD.with_label_values(&[&method]).inc();
|
|
||||||
RESPONSE_LATENCY.observe(latency.as_secs_f64());
|
|
||||||
}
|
|
||||||
|
|
||||||
tokio::spawn(async move {
|
|
||||||
let mut interval = tokio::time::interval(std::time::Duration::from_secs(5));
|
|
||||||
loop {
|
|
||||||
interval.tick().await;
|
|
||||||
|
|
||||||
// read Pingora stats
|
|
||||||
let stats = pingora.get_stats();
|
|
||||||
|
|
||||||
// update Prometheus metrics accordingly
|
|
||||||
REQUEST_COUNT.set(stats.requests_total);
|
|
||||||
// ... etc
|
|
||||||
}
|
|
||||||
});
|
|
||||||
*/
|
|
||||||
|
|||||||
@@ -2,8 +2,8 @@ use crate::utils::structs::*;
|
|||||||
use dashmap::DashMap;
|
use dashmap::DashMap;
|
||||||
use log::{error, info, warn};
|
use log::{error, info, warn};
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::fs;
|
|
||||||
use std::sync::atomic::AtomicUsize;
|
use std::sync::atomic::AtomicUsize;
|
||||||
|
use std::{env, fs};
|
||||||
|
|
||||||
pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
|
pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
|
||||||
let yaml_data = match kind {
|
let yaml_data = match kind {
|
||||||
@@ -116,14 +116,6 @@ fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
|
|||||||
header_list.insert(path.clone(), hl);
|
header_list.insert(path.clone(), hl);
|
||||||
|
|
||||||
for server in &path_config.servers {
|
for server in &path_config.servers {
|
||||||
// let mut rate: Option<isize> = None;
|
|
||||||
// let size: isize = path_config.servers.len() as isize;
|
|
||||||
// if let Some(limit) = &path_config.rate_limit {
|
|
||||||
// if size > 0 {
|
|
||||||
// rate = Some(limit / size);
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
|
|
||||||
if let Some((ip, port_str)) = server.split_once(':') {
|
if let Some((ip, port_str)) = server.split_once(':') {
|
||||||
if let Ok(port) = port_str.parse::<u16>() {
|
if let Ok(port) = port_str.parse::<u16>() {
|
||||||
server_list.push(InnerMap {
|
server_list.push(InnerMap {
|
||||||
@@ -138,10 +130,8 @@ fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
path_map.insert(path.clone(), (server_list, AtomicUsize::new(0)));
|
path_map.insert(path.clone(), (server_list, AtomicUsize::new(0)));
|
||||||
}
|
}
|
||||||
|
|
||||||
config.headers.insert(hostname.clone(), header_list);
|
config.headers.insert(hostname.clone(), header_list);
|
||||||
config.upstreams.insert(hostname.clone(), path_map);
|
config.upstreams.insert(hostname.clone(), path_map);
|
||||||
}
|
}
|
||||||
@@ -149,11 +139,11 @@ fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub fn parce_main_config(path: &str) -> AppConfig {
|
pub fn parce_main_config(path: &str) -> AppConfig {
|
||||||
info!("Parsing configuration");
|
|
||||||
let data = fs::read_to_string(path).unwrap();
|
let data = fs::read_to_string(path).unwrap();
|
||||||
let reply = DashMap::new();
|
let reply = DashMap::new();
|
||||||
let cfg: HashMap<String, String> = serde_yaml::from_str(&*data).expect("Failed to parse main config file");
|
let cfg: HashMap<String, String> = serde_yaml::from_str(&*data).expect("Failed to parse main config file");
|
||||||
let mut cfo: AppConfig = serde_yaml::from_str(&*data).expect("Failed to parse main config file");
|
let mut cfo: AppConfig = serde_yaml::from_str(&*data).expect("Failed to parse main config file");
|
||||||
|
log_builder(&cfo);
|
||||||
cfo.hc_method = cfo.hc_method.to_uppercase();
|
cfo.hc_method = cfo.hc_method.to_uppercase();
|
||||||
for (k, v) in cfg {
|
for (k, v) in cfg {
|
||||||
reply.insert(k.to_string(), v.to_string());
|
reply.insert(k.to_string(), v.to_string());
|
||||||
@@ -170,5 +160,52 @@ pub fn parce_main_config(path: &str) -> AppConfig {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
cfo.proxy_tls_grade = parce_tls_grades(cfo.proxy_tls_grade.clone());
|
||||||
cfo
|
cfo
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn parce_tls_grades(what: Option<String>) -> Option<String> {
|
||||||
|
match what {
|
||||||
|
Some(g) => match g.to_ascii_lowercase().as_str() {
|
||||||
|
"high" => {
|
||||||
|
// info!("TLS grade set to: [ HIGH ]");
|
||||||
|
Some("high".to_string())
|
||||||
|
}
|
||||||
|
"medium" => {
|
||||||
|
// info!("TLS grade set to: [ MEDIUM ]");
|
||||||
|
Some("medium".to_string())
|
||||||
|
}
|
||||||
|
"unsafe" => {
|
||||||
|
// info!("TLS grade set to: [ UNSAFE ]");
|
||||||
|
Some("unsafe".to_string())
|
||||||
|
}
|
||||||
|
_ => {
|
||||||
|
warn!("Error parsing TLS grade, defaulting to: `medium`");
|
||||||
|
Some("medium".to_string())
|
||||||
|
}
|
||||||
|
},
|
||||||
|
None => {
|
||||||
|
warn!("TLS grade not set, defaulting to: medium");
|
||||||
|
Some("b".to_string())
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
fn log_builder(conf: &AppConfig) {
|
||||||
|
let log_level = conf.log_level.clone();
|
||||||
|
unsafe {
|
||||||
|
match log_level.as_str() {
|
||||||
|
"info" => env::set_var("RUST_LOG", "info"),
|
||||||
|
"error" => env::set_var("RUST_LOG", "error"),
|
||||||
|
"warn" => env::set_var("RUST_LOG", "warn"),
|
||||||
|
"debug" => env::set_var("RUST_LOG", "debug"),
|
||||||
|
"trace" => env::set_var("RUST_LOG", "trace"),
|
||||||
|
"off" => env::set_var("RUST_LOG", "off"),
|
||||||
|
_ => {
|
||||||
|
println!("Error reading log level, defaulting to: INFO");
|
||||||
|
env::set_var("RUST_LOG", "info")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
env_logger::builder().init();
|
||||||
|
}
|
||||||
|
|||||||
@@ -3,25 +3,8 @@ use serde::{Deserialize, Serialize};
|
|||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::sync::atomic::AtomicUsize;
|
use std::sync::atomic::AtomicUsize;
|
||||||
|
|
||||||
// pub type InnerMap = BackendConfig;
|
|
||||||
pub type UpstreamsDashMap = DashMap<String, DashMap<String, (Vec<InnerMap>, AtomicUsize)>>;
|
pub type UpstreamsDashMap = DashMap<String, DashMap<String, (Vec<InnerMap>, AtomicUsize)>>;
|
||||||
|
|
||||||
// #[derive(Debug, Default)]
|
|
||||||
// pub struct UpstreamsMap {
|
|
||||||
// pub upstreams: DashMap<String, DashMap<String, (Vec<InnerMap>, AtomicUsize)>>,
|
|
||||||
// pub ratelimit: DashMap<String, Option<isize>>,
|
|
||||||
// }
|
|
||||||
// impl UpstreamsMap {
|
|
||||||
// pub fn new() -> Self {
|
|
||||||
// Self {
|
|
||||||
// upstreams: Default::default(),
|
|
||||||
// ratelimit: Default::default(),
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
// }
|
|
||||||
//
|
|
||||||
// pub type XUpstreamsDashMap = DashMap<String, UpstreamsMap>;
|
|
||||||
|
|
||||||
pub type UpstreamsIdMap = DashMap<String, InnerMap>;
|
pub type UpstreamsIdMap = DashMap<String, InnerMap>;
|
||||||
pub type Headers = DashMap<String, DashMap<String, Vec<(String, String)>>>;
|
pub type Headers = DashMap<String, DashMap<String, Vec<(String, String)>>>;
|
||||||
|
|
||||||
@@ -103,6 +86,7 @@ pub struct AppConfig {
|
|||||||
pub proxy_port_tls: Option<u16>,
|
pub proxy_port_tls: Option<u16>,
|
||||||
pub local_server: Option<(String, u16)>,
|
pub local_server: Option<(String, u16)>,
|
||||||
pub proxy_certificates: Option<String>,
|
pub proxy_certificates: Option<String>,
|
||||||
|
pub proxy_tls_grade: Option<String>,
|
||||||
pub file_server_address: Option<String>,
|
pub file_server_address: Option<String>,
|
||||||
pub file_server_folder: Option<String>,
|
pub file_server_folder: Option<String>,
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,12 +1,12 @@
|
|||||||
use dashmap::DashMap;
|
use dashmap::DashMap;
|
||||||
use log::error;
|
use log::{error, info, warn};
|
||||||
use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef};
|
use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef, SslVersion};
|
||||||
|
use pingora_core::listeners::tls::TlsSettings;
|
||||||
use rustls_pemfile::{read_one, Item};
|
use rustls_pemfile::{read_one, Item};
|
||||||
use serde::Deserialize;
|
use serde::Deserialize;
|
||||||
use std::collections::HashSet;
|
use std::collections::HashSet;
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
use std::io::BufReader;
|
use std::io::BufReader;
|
||||||
// use tokio::time::Instant;
|
|
||||||
use x509_parser::extensions::GeneralName;
|
use x509_parser::extensions::GeneralName;
|
||||||
use x509_parser::nom::Err as NomErr;
|
use x509_parser::nom::Err as NomErr;
|
||||||
use x509_parser::prelude::*;
|
use x509_parser::prelude::*;
|
||||||
@@ -37,12 +37,12 @@ pub struct Certificates {
|
|||||||
}
|
}
|
||||||
|
|
||||||
impl Certificates {
|
impl Certificates {
|
||||||
pub fn new(configs: &Vec<CertificateConfig>) -> Option<Self> {
|
pub fn new(configs: &Vec<CertificateConfig>, _grade: &str) -> Option<Self> {
|
||||||
let default_cert = configs.first().expect("At least one TLS certificate required");
|
let default_cert = configs.first().expect("At least one TLS certificate required");
|
||||||
let mut cert_infos = Vec::new();
|
let mut cert_infos = Vec::new();
|
||||||
let name_map: DashMap<String, SslContext> = DashMap::new();
|
let name_map: DashMap<String, SslContext> = DashMap::new();
|
||||||
for config in configs {
|
for config in configs {
|
||||||
let cert_info = load_cert_info(&config.cert_path, &config.key_path);
|
let cert_info = load_cert_info(&config.cert_path, &config.key_path, _grade);
|
||||||
match cert_info {
|
match cert_info {
|
||||||
Some(cert) => {
|
Some(cert) => {
|
||||||
for name in &cert.common_names {
|
for name in &cert.common_names {
|
||||||
@@ -106,7 +106,7 @@ impl Certificates {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn load_cert_info(cert_path: &str, key_path: &str) -> Option<CertificateInfo> {
|
fn load_cert_info(cert_path: &str, key_path: &str, _grade: &str) -> Option<CertificateInfo> {
|
||||||
let mut common_names = HashSet::new();
|
let mut common_names = HashSet::new();
|
||||||
let mut alt_names = HashSet::new();
|
let mut alt_names = HashSet::new();
|
||||||
|
|
||||||
@@ -185,9 +185,72 @@ fn create_ssl_context(cert_path: &str, key_path: &str) -> Result<SslContext, Box
|
|||||||
Ok(built)
|
Ok(built)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub struct CipherSuite {
|
||||||
|
pub high: &'static str,
|
||||||
|
pub medium: &'static str,
|
||||||
|
pub legacy: &'static str,
|
||||||
|
}
|
||||||
|
const CIPHERS: CipherSuite = CipherSuite {
|
||||||
|
high: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
|
||||||
|
// aa: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256",
|
||||||
|
medium: "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-GCM-SHA256",
|
||||||
|
// cc: "AES128-SHA:DES-CBC3-SHA",
|
||||||
|
legacy: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",
|
||||||
|
};
|
||||||
|
|
||||||
|
#[derive(Debug)]
|
||||||
|
pub enum TlsGrade {
|
||||||
|
HIGH,
|
||||||
|
MEDIUM,
|
||||||
|
LEGACY,
|
||||||
|
}
|
||||||
|
|
||||||
|
impl TlsGrade {
|
||||||
|
pub fn from_str(s: &str) -> Option<Self> {
|
||||||
|
match s.to_ascii_lowercase().as_str() {
|
||||||
|
"high" => Some(TlsGrade::HIGH),
|
||||||
|
"medium" => Some(TlsGrade::MEDIUM),
|
||||||
|
"unsafe" => Some(TlsGrade::LEGACY),
|
||||||
|
_ => None,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], AlpnError> {
|
pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], AlpnError> {
|
||||||
match select_next_proto("\x02h2\x08http/1.1".as_bytes(), alpn_in) {
|
match select_next_proto("\x02h2\x08http/1.1".as_bytes(), alpn_in) {
|
||||||
Some(p) => Ok(p),
|
Some(p) => Ok(p),
|
||||||
_ => Err(AlpnError::NOACK),
|
_ => Err(AlpnError::NOACK),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub fn set_tsl_grade(tls_settings: &mut TlsSettings, grade: &str) {
|
||||||
|
let config_grade = TlsGrade::from_str(grade);
|
||||||
|
match config_grade {
|
||||||
|
Some(TlsGrade::HIGH) => {
|
||||||
|
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1_2));
|
||||||
|
// let _ = tls_settings.set_max_proto_version(Some(SslVersion::TLS1_3));
|
||||||
|
let _ = tls_settings.set_cipher_list(CIPHERS.high);
|
||||||
|
let _ = tls_settings.set_ciphersuites(CIPHERS.high);
|
||||||
|
info!("TLS grade: {:?}, => HIGH", tls_settings.options());
|
||||||
|
}
|
||||||
|
Some(TlsGrade::MEDIUM) => {
|
||||||
|
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
|
||||||
|
let _ = tls_settings.set_cipher_list(CIPHERS.medium);
|
||||||
|
let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
|
||||||
|
info!("TLS grade: {:?}, => MEDIUM", tls_settings.options());
|
||||||
|
}
|
||||||
|
Some(TlsGrade::LEGACY) => {
|
||||||
|
let _ = tls_settings.set_min_proto_version(Some(SslVersion::SSL3));
|
||||||
|
let _ = tls_settings.set_cipher_list(CIPHERS.legacy);
|
||||||
|
let _ = tls_settings.set_ciphersuites(CIPHERS.legacy);
|
||||||
|
warn!("TLS grade: {:?}, => UNSAFE", tls_settings.options());
|
||||||
|
}
|
||||||
|
None => {
|
||||||
|
// Defaults to MEDIUM
|
||||||
|
let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
|
||||||
|
let _ = tls_settings.set_cipher_list(CIPHERS.medium);
|
||||||
|
let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
|
||||||
|
warn!("TLS grade is not detected defaulting top MEDIUM");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|||||||
@@ -214,7 +214,6 @@ impl ProxyHttp for LB {
|
|||||||
redirect_response.insert_header("Content-Length", "0")?;
|
redirect_response.insert_header("Content-Length", "0")?;
|
||||||
session.write_response_header(Box::new(redirect_response), false).await?;
|
session.write_response_header(Box::new(redirect_response), false).await?;
|
||||||
}
|
}
|
||||||
// match return_header_host(&session) {
|
|
||||||
match ctx.hostname.as_ref() {
|
match ctx.hostname.as_ref() {
|
||||||
Some(host) => {
|
Some(host) => {
|
||||||
let path = session.req_header().uri.path();
|
let path = session.req_header().uri.path();
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ use pingora_core::prelude::{background_service, Opt};
|
|||||||
use pingora_core::server::Server;
|
use pingora_core::server::Server;
|
||||||
use std::sync::mpsc::{channel, Receiver, Sender};
|
use std::sync::mpsc::{channel, Receiver, Sender};
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
use std::{env, thread};
|
use std::thread;
|
||||||
|
|
||||||
pub fn run() {
|
pub fn run() {
|
||||||
// default_provider().install_default().expect("Failed to install rustls crypto provider");
|
// default_provider().install_default().expect("Failed to install rustls crypto provider");
|
||||||
@@ -46,23 +46,26 @@ pub fn run() {
|
|||||||
headers: hh_config,
|
headers: hh_config,
|
||||||
extraparams: ec_config,
|
extraparams: ec_config,
|
||||||
};
|
};
|
||||||
|
/*
|
||||||
let log_level = cfg.log_level.clone();
|
let log_level = cfg.log_level.clone();
|
||||||
unsafe {
|
unsafe {
|
||||||
match log_level.as_str() {
|
match log_level.as_str() {
|
||||||
"info" => env::set_var("RUST_LOG", "info"),
|
"info" => env::set_var("RUST_LOG", "info"),
|
||||||
"error" => env::set_var("RUST_LOG", "error"),
|
"error" => env::set_var("RUST_LOG", "error"),
|
||||||
"warn" => env::set_var("RUST_LOG", "warn"),
|
"warn" => env::set_var("RUST_LOG", "warn"),
|
||||||
"debug" => env::set_var("RUST_LOG", "debug"),
|
"debug" => env::set_var("RUST_LOG", "debug"),
|
||||||
"trace" => env::set_var("RUST_LOG", "trace"),
|
"trace" => env::set_var("RUST_LOG", "trace"),
|
||||||
"off" => env::set_var("RUST_LOG", "off"),
|
"off" => env::set_var("RUST_LOG", "off"),
|
||||||
_ => {
|
_ => {
|
||||||
println!("Error reading log level, defaulting to: INFO");
|
println!("Error reading log level, defaulting to: INFO");
|
||||||
env::set_var("RUST_LOG", "info")
|
env::set_var("RUST_LOG", "info")
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
env_logger::builder().init();
|
||||||
env_logger::builder().init();
|
*/
|
||||||
|
let grade = cfg.proxy_tls_grade.clone().unwrap_or("medium".to_string());
|
||||||
|
info!("TLS grade set to: [ {} ]", grade);
|
||||||
|
|
||||||
let bg_srvc = background_service("bgsrvc", lb.clone());
|
let bg_srvc = background_service("bgsrvc", lb.clone());
|
||||||
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
|
let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
|
||||||
@@ -77,25 +80,27 @@ pub fn run() {
|
|||||||
watch_folder(certs_path, tx).unwrap();
|
watch_folder(certs_path, tx).unwrap();
|
||||||
});
|
});
|
||||||
let certificate_configs = rx.recv().unwrap();
|
let certificate_configs = rx.recv().unwrap();
|
||||||
let first_set = tls::Certificates::new(&certificate_configs).unwrap_or_else(|| panic!("Unable to load initial certificate info"));
|
let first_set = tls::Certificates::new(&certificate_configs, grade.as_str()).unwrap_or_else(|| panic!("Unable to load initial certificate info"));
|
||||||
let certificates = Arc::new(ArcSwap::from_pointee(first_set));
|
let certificates = Arc::new(ArcSwap::from_pointee(first_set));
|
||||||
let certs_for_callback = certificates.clone();
|
let certs_for_callback = certificates.clone();
|
||||||
|
|
||||||
let certs_for_watcher = certificates.clone();
|
let certs_for_watcher = certificates.clone();
|
||||||
let new_certs = tls::Certificates::new(&certificate_configs);
|
let new_certs = tls::Certificates::new(&certificate_configs, grade.as_str());
|
||||||
certs_for_watcher.store(Arc::new(new_certs.unwrap()));
|
certs_for_watcher.store(Arc::new(new_certs.unwrap()));
|
||||||
|
|
||||||
let mut tls_settings =
|
let mut tls_settings =
|
||||||
TlsSettings::intermediate(&certs_for_callback.load().default_cert_path, &certs_for_callback.load().default_key_path).expect("unable to load or parse cert/key");
|
TlsSettings::intermediate(&certs_for_callback.load().default_cert_path, &certs_for_callback.load().default_key_path).expect("unable to load or parse cert/key");
|
||||||
|
|
||||||
|
tls::set_tsl_grade(&mut tls_settings, grade.as_str());
|
||||||
tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certs_for_callback.load().server_name_callback(ssl_ref, ssl_alert));
|
tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certs_for_callback.load().server_name_callback(ssl_ref, ssl_alert));
|
||||||
tls_settings.set_alpn_select_callback(tls::prefer_h2);
|
tls_settings.set_alpn_select_callback(tls::prefer_h2);
|
||||||
|
|
||||||
proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
|
proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
|
||||||
|
|
||||||
let certs_for_watcher = certificates.clone();
|
let certs_for_watcher = certificates.clone();
|
||||||
thread::spawn(move || {
|
thread::spawn(move || {
|
||||||
while let Ok(new_configs) = rx.recv() {
|
while let Ok(new_configs) = rx.recv() {
|
||||||
let new_certs = tls::Certificates::new(&new_configs);
|
let new_certs = tls::Certificates::new(&new_configs, grade.as_str());
|
||||||
match new_certs {
|
match new_certs {
|
||||||
Some(new_certs) => {
|
Some(new_certs) => {
|
||||||
certs_for_watcher.store(Arc::new(new_certs));
|
certs_for_watcher.store(Arc::new(new_certs));
|
||||||
|
|||||||
Reference in New Issue
Block a user