TLS grades change

README.md

@@ -79,6 +79,7 @@ Built on Rust, on top of **Cloudflare’s Pingora engine**, **Aralez** delivers
 | **config_address**               | 0.0.0.0:3000                         | HTTP API address for pushing upstreams.yaml from remote location                                 |
 | **config_tls_address**           | 0.0.0.0:3001                         | HTTPS API address for pushing upstreams.yaml from remote location                                |
 | **config_tls_certificate**       | etc/server.crt                       | Certificate file path for API. Mandatory if proxy_address_tls is set, else optional              |
+| **proxy_tls_grade**              | (high, medium, unsafe)               | Grade of TLS ciphers, matching grades of Qualys SSL Labs (Optional defaults to b)                |
 | **config_tls_key_file**          | etc/key.pem                          | Private Key file path. Mandatory if proxy_address_tls is set, else optional                      |
 | **proxy_address_http**           | 0.0.0.0:6193                         | Aralez HTTP bind address                                                                         |
 | **proxy_address_tls**            | 0.0.0.0:6194                         | Aralez HTTPS bind address (Optional)                                                             |

etc/main.yaml

@@ -10,12 +10,13 @@ upgrade_sock: /tmp/aralez.sock # Path to socket file
 config_api_enabled: true # Boolean to enable/disable remote config push capability.
 config_address: 0.0.0.0:3000 # HTTP API address for pushing upstreams.yaml from remote location
 config_tls_address: 0.0.0.0:3001 # HTTP TLS API address for pushing upstreams.yaml from remote location
-config_tls_certificate: /opt/Rust/Projects/asyncweb/etc/server.crt # Mandatory if config_tls_address is set
-config_tls_key_file: /opt/Rust/Projects/asyncweb/etc/key.pem # Mandatory if config_tls_address is set
+config_tls_certificate: /etc/server.crt # Mandatory if config_tls_address is set
+config_tls_key_file: /etc/key.pem # Mandatory if config_tls_address is set
 proxy_address_http: 0.0.0.0:6193 # Proxy HTTP bind address
 proxy_address_tls: 0.0.0.0:6194 # Optional, Proxy TLS bind address
-proxy_certificates: /opt/Rust/Projects/asyncweb/etc/yoyo # Mandatory if proxy_address_tls set, should contain certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
-upstreams_conf: /opt/Rust/Projects/asyncweb/etc/upstreams.yaml # the location of upstreams file
+proxy_certificates: /etc/yoyo # Mandatory if proxy_address_tls set, should contain a certificate and key files strictly in a format {NAME}.crt, {NAME}.key.
+proxy_tls_grade: a+ # Grade of TLS suite for proxy (a+, a, b, c, unsafe), matching grades of Qualys SSL Labs
+upstreams_conf: /etc/upstreams.yaml # the location of upstreams file
 file_server_folder: /opt/storage # Optional, local folder to serve
 file_server_address: 127.0.0.1:3002 # Optional, Local address for file server. Can set as upstream for public access.
 log_level: info # info, warn, error, debug, trace, off

src/utils/metrics.rs

@@ -61,27 +61,3 @@ pub fn calc_metrics(metric_types: &MetricTypes) {
     REQUESTS_BY_METHOD.with_label_values(&[&metric_types.method]).inc();
     RESPONSE_LATENCY.observe(metric_types.latency.as_secs_f64());
 }
-/*
-pub fn calc_metrics(method: String, code: u16, latency: Duration) {
-    REQUEST_COUNT.inc();
-    let timer = REQUEST_LATENCY.start_timer();
-    timer.observe_duration();
-    RESPONSE_CODES.with_label_values(&[&code.to_string()]).inc();
-    REQUESTS_BY_METHOD.with_label_values(&[&method]).inc();
-    RESPONSE_LATENCY.observe(latency.as_secs_f64());
-}
-
-tokio::spawn(async move {
-    let mut interval = tokio::time::interval(std::time::Duration::from_secs(5));
-    loop {
-        interval.tick().await;
-
-        // read Pingora stats
-        let stats = pingora.get_stats();
-
-        // update Prometheus metrics accordingly
-        REQUEST_COUNT.set(stats.requests_total);
-        // ... etc
-    }
-});
-*/

src/utils/parceyaml.rs

@@ -2,8 +2,8 @@ use crate::utils::structs::*;
 use dashmap::DashMap;
 use log::{error, info, warn};
 use std::collections::HashMap;
-use std::fs;
 use std::sync::atomic::AtomicUsize;
+use std::{env, fs};
 
 pub fn load_configuration(d: &str, kind: &str) -> Option<Configuration> {
     let yaml_data = match kind {
@@ -116,14 +116,6 @@ fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                 header_list.insert(path.clone(), hl);
 
                 for server in &path_config.servers {
-                    // let mut rate: Option<isize> = None;
-                    // let size: isize = path_config.servers.len() as isize;
-                    // if let Some(limit) = &path_config.rate_limit {
-                    //     if size > 0 {
-                    //         rate = Some(limit / size);
-                    //     }
-                    // }
-
                     if let Some((ip, port_str)) = server.split_once(':') {
                         if let Ok(port) = port_str.parse::<u16>() {
                             server_list.push(InnerMap {
@@ -138,10 +130,8 @@ fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
                         }
                     }
                 }
-
                 path_map.insert(path.clone(), (server_list, AtomicUsize::new(0)));
             }
-
             config.headers.insert(hostname.clone(), header_list);
             config.upstreams.insert(hostname.clone(), path_map);
         }
@@ -149,11 +139,11 @@ fn populate_file_upstreams(config: &mut Configuration, parsed: &Config) {
 }
 
 pub fn parce_main_config(path: &str) -> AppConfig {
-    info!("Parsing configuration");
     let data = fs::read_to_string(path).unwrap();
     let reply = DashMap::new();
     let cfg: HashMap<String, String> = serde_yaml::from_str(&*data).expect("Failed to parse main config file");
     let mut cfo: AppConfig = serde_yaml::from_str(&*data).expect("Failed to parse main config file");
+    log_builder(&cfo);
     cfo.hc_method = cfo.hc_method.to_uppercase();
     for (k, v) in cfg {
         reply.insert(k.to_string(), v.to_string());
@@ -170,5 +160,52 @@ pub fn parce_main_config(path: &str) -> AppConfig {
             }
         }
     };
+    cfo.proxy_tls_grade = parce_tls_grades(cfo.proxy_tls_grade.clone());
     cfo
 }
+
+fn parce_tls_grades(what: Option<String>) -> Option<String> {
+    match what {
+        Some(g) => match g.to_ascii_lowercase().as_str() {
+            "high" => {
+                // info!("TLS grade set to: [ HIGH ]");
+                Some("high".to_string())
+            }
+            "medium" => {
+                // info!("TLS grade set to: [ MEDIUM ]");
+                Some("medium".to_string())
+            }
+            "unsafe" => {
+                // info!("TLS grade set to: [ UNSAFE ]");
+                Some("unsafe".to_string())
+            }
+            _ => {
+                warn!("Error parsing TLS grade, defaulting to: `medium`");
+                Some("medium".to_string())
+            }
+        },
+        None => {
+            warn!("TLS grade not set, defaulting to: medium");
+            Some("b".to_string())
+        }
+    }
+}
+
+fn log_builder(conf: &AppConfig) {
+    let log_level = conf.log_level.clone();
+    unsafe {
+        match log_level.as_str() {
+            "info" => env::set_var("RUST_LOG", "info"),
+            "error" => env::set_var("RUST_LOG", "error"),
+            "warn" => env::set_var("RUST_LOG", "warn"),
+            "debug" => env::set_var("RUST_LOG", "debug"),
+            "trace" => env::set_var("RUST_LOG", "trace"),
+            "off" => env::set_var("RUST_LOG", "off"),
+            _ => {
+                println!("Error reading log level, defaulting to: INFO");
+                env::set_var("RUST_LOG", "info")
+            }
+        }
+    }
+    env_logger::builder().init();
+}

src/utils/structs.rs

@@ -3,25 +3,8 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::sync::atomic::AtomicUsize;
 
-// pub type InnerMap = BackendConfig;
 pub type UpstreamsDashMap = DashMap<String, DashMap<String, (Vec<InnerMap>, AtomicUsize)>>;
 
-// #[derive(Debug, Default)]
-// pub struct UpstreamsMap {
-//     pub upstreams: DashMap<String, DashMap<String, (Vec<InnerMap>, AtomicUsize)>>,
-//     pub ratelimit: DashMap<String, Option<isize>>,
-// }
-// impl UpstreamsMap {
-//     pub fn new() -> Self {
-//         Self {
-//             upstreams: Default::default(),
-//             ratelimit: Default::default(),
-//         }
-//     }
-// }
-//
-// pub type XUpstreamsDashMap = DashMap<String, UpstreamsMap>;
-
 pub type UpstreamsIdMap = DashMap<String, InnerMap>;
 pub type Headers = DashMap<String, DashMap<String, Vec<(String, String)>>>;
 
@@ -103,6 +86,7 @@ pub struct AppConfig {
     pub proxy_port_tls: Option<u16>,
     pub local_server: Option<(String, u16)>,
     pub proxy_certificates: Option<String>,
+    pub proxy_tls_grade: Option<String>,
     pub file_server_address: Option<String>,
     pub file_server_folder: Option<String>,
 }

src/utils/tls.rs

@@ -1,12 +1,12 @@
 use dashmap::DashMap;
-use log::error;
-use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef};
+use log::{error, info, warn};
+use pingora::tls::ssl::{select_next_proto, AlpnError, NameType, SniError, SslAlert, SslContext, SslFiletype, SslMethod, SslRef, SslVersion};
+use pingora_core::listeners::tls::TlsSettings;
 use rustls_pemfile::{read_one, Item};
 use serde::Deserialize;
 use std::collections::HashSet;
 use std::fs::File;
 use std::io::BufReader;
-// use tokio::time::Instant;
 use x509_parser::extensions::GeneralName;
 use x509_parser::nom::Err as NomErr;
 use x509_parser::prelude::*;
@@ -37,12 +37,12 @@ pub struct Certificates {
 }
 
 impl Certificates {
-    pub fn new(configs: &Vec<CertificateConfig>) -> Option<Self> {
+    pub fn new(configs: &Vec<CertificateConfig>, _grade: &str) -> Option<Self> {
         let default_cert = configs.first().expect("At least one TLS certificate required");
         let mut cert_infos = Vec::new();
         let name_map: DashMap<String, SslContext> = DashMap::new();
         for config in configs {
-            let cert_info = load_cert_info(&config.cert_path, &config.key_path);
+            let cert_info = load_cert_info(&config.cert_path, &config.key_path, _grade);
             match cert_info {
                 Some(cert) => {
                     for name in &cert.common_names {
@@ -106,7 +106,7 @@ impl Certificates {
     }
 }
 
-fn load_cert_info(cert_path: &str, key_path: &str) -> Option<CertificateInfo> {
+fn load_cert_info(cert_path: &str, key_path: &str, _grade: &str) -> Option<CertificateInfo> {
     let mut common_names = HashSet::new();
     let mut alt_names = HashSet::new();
 
@@ -185,9 +185,72 @@ fn create_ssl_context(cert_path: &str, key_path: &str) -> Result<SslContext, Box
     Ok(built)
 }
 
+#[derive(Debug)]
+pub struct CipherSuite {
+    pub high: &'static str,
+    pub medium: &'static str,
+    pub legacy: &'static str,
+}
+const CIPHERS: CipherSuite = CipherSuite {
+    high: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
+    // aa: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256",
+    medium: "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES128-GCM-SHA256",
+    // cc: "AES128-SHA:DES-CBC3-SHA",
+    legacy: "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",
+};
+
+#[derive(Debug)]
+pub enum TlsGrade {
+    HIGH,
+    MEDIUM,
+    LEGACY,
+}
+
+impl TlsGrade {
+    pub fn from_str(s: &str) -> Option<Self> {
+        match s.to_ascii_lowercase().as_str() {
+            "high" => Some(TlsGrade::HIGH),
+            "medium" => Some(TlsGrade::MEDIUM),
+            "unsafe" => Some(TlsGrade::LEGACY),
+            _ => None,
+        }
+    }
+}
 pub fn prefer_h2<'a>(_ssl: &mut SslRef, alpn_in: &'a [u8]) -> Result<&'a [u8], AlpnError> {
     match select_next_proto("\x02h2\x08http/1.1".as_bytes(), alpn_in) {
         Some(p) => Ok(p),
         _ => Err(AlpnError::NOACK),
     }
 }
+
+pub fn set_tsl_grade(tls_settings: &mut TlsSettings, grade: &str) {
+    let config_grade = TlsGrade::from_str(grade);
+    match config_grade {
+        Some(TlsGrade::HIGH) => {
+            let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1_2));
+            // let _ = tls_settings.set_max_proto_version(Some(SslVersion::TLS1_3));
+            let _ = tls_settings.set_cipher_list(CIPHERS.high);
+            let _ = tls_settings.set_ciphersuites(CIPHERS.high);
+            info!("TLS grade: {:?}, => HIGH", tls_settings.options());
+        }
+        Some(TlsGrade::MEDIUM) => {
+            let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
+            let _ = tls_settings.set_cipher_list(CIPHERS.medium);
+            let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
+            info!("TLS grade: {:?}, => MEDIUM", tls_settings.options());
+        }
+        Some(TlsGrade::LEGACY) => {
+            let _ = tls_settings.set_min_proto_version(Some(SslVersion::SSL3));
+            let _ = tls_settings.set_cipher_list(CIPHERS.legacy);
+            let _ = tls_settings.set_ciphersuites(CIPHERS.legacy);
+            warn!("TLS grade: {:?}, => UNSAFE", tls_settings.options());
+        }
+        None => {
+            // Defaults to MEDIUM
+            let _ = tls_settings.set_min_proto_version(Some(SslVersion::TLS1));
+            let _ = tls_settings.set_cipher_list(CIPHERS.medium);
+            let _ = tls_settings.set_ciphersuites(CIPHERS.medium);
+            warn!("TLS grade is not detected defaulting top MEDIUM");
+        }
+    }
+}

src/web/proxyhttp.rs

@@ -214,7 +214,6 @@ impl ProxyHttp for LB {
             redirect_response.insert_header("Content-Length", "0")?;
             session.write_response_header(Box::new(redirect_response), false).await?;
         }
-        // match return_header_host(&session) {
         match ctx.hostname.as_ref() {
             Some(host) => {
                 let path = session.req_header().uri.path();

src/web/start.rs

@@ -13,7 +13,7 @@ use pingora_core::prelude::{background_service, Opt};
 use pingora_core::server::Server;
 use std::sync::mpsc::{channel, Receiver, Sender};
 use std::sync::Arc;
-use std::{env, thread};
+use std::thread;
 
 pub fn run() {
     // default_provider().install_default().expect("Failed to install rustls crypto provider");
@@ -46,23 +46,26 @@ pub fn run() {
         headers: hh_config,
         extraparams: ec_config,
     };
-
-    let log_level = cfg.log_level.clone();
-    unsafe {
-        match log_level.as_str() {
-            "info" => env::set_var("RUST_LOG", "info"),
-            "error" => env::set_var("RUST_LOG", "error"),
-            "warn" => env::set_var("RUST_LOG", "warn"),
-            "debug" => env::set_var("RUST_LOG", "debug"),
-            "trace" => env::set_var("RUST_LOG", "trace"),
-            "off" => env::set_var("RUST_LOG", "off"),
-            _ => {
-                println!("Error reading log level, defaulting to: INFO");
-                env::set_var("RUST_LOG", "info")
+    /*
+        let log_level = cfg.log_level.clone();
+        unsafe {
+            match log_level.as_str() {
+                "info" => env::set_var("RUST_LOG", "info"),
+                "error" => env::set_var("RUST_LOG", "error"),
+                "warn" => env::set_var("RUST_LOG", "warn"),
+                "debug" => env::set_var("RUST_LOG", "debug"),
+                "trace" => env::set_var("RUST_LOG", "trace"),
+                "off" => env::set_var("RUST_LOG", "off"),
+                _ => {
+                    println!("Error reading log level, defaulting to: INFO");
+                    env::set_var("RUST_LOG", "info")
+                }
             }
         }
-    }
-    env_logger::builder().init();
+        env_logger::builder().init();
+    */
+    let grade = cfg.proxy_tls_grade.clone().unwrap_or("medium".to_string());
+    info!("TLS grade set to: [ {} ]", grade);
 
     let bg_srvc = background_service("bgsrvc", lb.clone());
     let mut proxy = pingora_proxy::http_proxy_service(&server.configuration, lb.clone());
@@ -77,25 +80,27 @@ pub fn run() {
                 watch_folder(certs_path, tx).unwrap();
             });
             let certificate_configs = rx.recv().unwrap();
-            let first_set = tls::Certificates::new(&certificate_configs).unwrap_or_else(|| panic!("Unable to load initial certificate info"));
+            let first_set = tls::Certificates::new(&certificate_configs, grade.as_str()).unwrap_or_else(|| panic!("Unable to load initial certificate info"));
             let certificates = Arc::new(ArcSwap::from_pointee(first_set));
             let certs_for_callback = certificates.clone();
 
             let certs_for_watcher = certificates.clone();
-            let new_certs = tls::Certificates::new(&certificate_configs);
+            let new_certs = tls::Certificates::new(&certificate_configs, grade.as_str());
             certs_for_watcher.store(Arc::new(new_certs.unwrap()));
 
             let mut tls_settings =
                 TlsSettings::intermediate(&certs_for_callback.load().default_cert_path, &certs_for_callback.load().default_key_path).expect("unable to load or parse cert/key");
 
+            tls::set_tsl_grade(&mut tls_settings, grade.as_str());
             tls_settings.set_servername_callback(move |ssl_ref: &mut SslRef, ssl_alert: &mut SslAlert| certs_for_callback.load().server_name_callback(ssl_ref, ssl_alert));
             tls_settings.set_alpn_select_callback(tls::prefer_h2);
+
             proxy.add_tls_with_settings(&bind_address_tls, None, tls_settings);
 
             let certs_for_watcher = certificates.clone();
             thread::spawn(move || {
                 while let Ok(new_configs) = rx.recv() {
-                    let new_certs = tls::Certificates::new(&new_configs);
+                    let new_certs = tls::Certificates::new(&new_configs, grade.as_str());
                     match new_certs {
                         Some(new_certs) => {
                             certs_for_watcher.store(Arc::new(new_certs));