tricot/src/https.rs

358 lines
9.9 KiB
Rust
Raw Normal View History

2021-12-09 14:43:19 +00:00
use std::convert::Infallible;
2021-12-07 14:20:45 +00:00
use std::net::SocketAddr;
2021-12-07 15:37:22 +00:00
use std::sync::{atomic::Ordering, Arc};
2022-01-24 18:38:13 +00:00
use std::time::Duration;
2021-12-07 14:20:45 +00:00
use anyhow::Result;
use log::*;
2021-12-09 14:43:19 +00:00
use accept_encoding_fork::Encoding;
use async_compression::tokio::bufread::*;
use futures::stream::FuturesUnordered;
use futures::{StreamExt, TryStreamExt};
use http::header::{HeaderName, HeaderValue};
use http::method::Method;
2021-12-07 14:20:45 +00:00
use hyper::server::conn::Http;
use hyper::service::service_fn;
2021-12-09 14:43:19 +00:00
use hyper::{header, Body, Request, Response, StatusCode};
2021-12-07 14:20:45 +00:00
use tokio::net::TcpListener;
use tokio::select;
2021-12-07 14:20:45 +00:00
use tokio::sync::watch;
use tokio_rustls::TlsAcceptor;
2021-12-09 14:43:19 +00:00
use tokio_util::io::{ReaderStream, StreamReader};
2021-12-07 14:20:45 +00:00
use crate::cert_store::{CertStore, StoreResolver};
use crate::proxy_config::ProxyConfig;
use crate::reverse_proxy;
2022-01-24 18:49:14 +00:00
const MAX_CONNECTION_LIFETIME: Duration = Duration::from_secs(24 * 3600);
2021-12-09 14:43:19 +00:00
pub struct HttpsConfig {
pub bind_addr: SocketAddr,
pub enable_compression: bool,
pub compress_mime_types: Vec<String>,
}
2021-12-07 14:20:45 +00:00
pub async fn serve_https(
2021-12-09 14:43:19 +00:00
config: HttpsConfig,
2021-12-07 14:20:45 +00:00
cert_store: Arc<CertStore>,
2021-12-09 14:43:19 +00:00
rx_proxy_config: watch::Receiver<Arc<ProxyConfig>>,
mut must_exit: watch::Receiver<bool>,
2021-12-07 14:20:45 +00:00
) -> Result<()> {
2021-12-09 14:43:19 +00:00
let config = Arc::new(config);
let mut tls_cfg = rustls::ServerConfig::builder()
2021-12-07 14:20:45 +00:00
.with_safe_defaults()
.with_no_client_auth()
.with_cert_resolver(Arc::new(StoreResolver(cert_store)));
2021-12-09 14:43:19 +00:00
tls_cfg.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
let tls_acceptor = Arc::new(TlsAcceptor::from(Arc::new(tls_cfg)));
2021-12-07 14:20:45 +00:00
2021-12-09 14:43:19 +00:00
info!("Starting to serve on https://{}.", config.bind_addr);
2021-12-07 14:20:45 +00:00
2021-12-09 14:43:19 +00:00
let tcp = TcpListener::bind(config.bind_addr).await?;
let mut connections = FuturesUnordered::new();
while !*must_exit.borrow() {
2022-01-24 19:06:31 +00:00
let wait_conn_finished = async {
if connections.is_empty() {
futures::future::pending().await
} else {
connections.next().await
}
};
let (socket, remote_addr) = select! {
a = tcp.accept() => a?,
2022-01-24 19:06:31 +00:00
_ = wait_conn_finished => continue,
_ = must_exit.changed() => continue,
};
2021-12-07 14:20:45 +00:00
2021-12-09 14:43:19 +00:00
let rx_proxy_config = rx_proxy_config.clone();
2021-12-07 14:20:45 +00:00
let tls_acceptor = tls_acceptor.clone();
2021-12-09 14:43:19 +00:00
let config = config.clone();
2021-12-07 14:20:45 +00:00
let mut must_exit_2 = must_exit.clone();
let conn = tokio::spawn(async move {
2021-12-07 14:20:45 +00:00
match tls_acceptor.accept(socket).await {
Ok(stream) => {
debug!("TLS handshake was successfull");
let http_conn = Http::new().serve_connection(
stream,
service_fn(move |req: Request<Body>| {
let https_config = config.clone();
let proxy_config: Arc<ProxyConfig> = rx_proxy_config.borrow().clone();
handle_outer(remote_addr, req, https_config, proxy_config)
}),
);
2022-01-24 18:49:14 +00:00
let timeout = tokio::time::sleep(MAX_CONNECTION_LIFETIME);
tokio::pin!(http_conn, timeout);
let http_result = loop {
select! (
2022-01-24 18:49:14 +00:00
r = &mut http_conn => break r.map_err(Into::into),
_ = &mut timeout => break Err(anyhow!("Connection lived more than 24h, killing it.")),
_ = must_exit_2.changed() => {
if *must_exit_2.borrow() {
http_conn.as_mut().graceful_shutdown();
}
}
2021-12-07 14:20:45 +00:00
)
};
2021-12-07 14:20:45 +00:00
if let Err(http_err) = http_result {
2021-12-08 10:24:25 +00:00
warn!("HTTP error: {}", http_err);
2021-12-07 14:20:45 +00:00
}
}
2021-12-08 10:24:25 +00:00
Err(e) => warn!("Error in TLS connection: {}", e),
2021-12-07 14:20:45 +00:00
}
});
connections.push(conn);
}
2022-01-24 18:49:14 +00:00
drop(tcp);
info!("HTTPS server shutting down, draining remaining connections...");
2022-01-24 19:06:31 +00:00
while connections.next().await.is_some() {}
Ok(())
2021-12-07 14:20:45 +00:00
}
2021-12-09 14:43:19 +00:00
async fn handle_outer(
remote_addr: SocketAddr,
req: Request<Body>,
https_config: Arc<HttpsConfig>,
proxy_config: Arc<ProxyConfig>,
) -> Result<Response<Body>, Infallible> {
match handle(remote_addr, req, https_config, proxy_config).await {
Err(e) => {
warn!("Handler error: {}", e);
Ok(Response::builder()
.status(StatusCode::INTERNAL_SERVER_ERROR)
.body(Body::from(format!("{}", e)))
.unwrap())
}
Ok(r) => Ok(r),
}
}
2021-12-07 14:20:45 +00:00
// Custom echo service, handling two different routes and a
// catch-all 404 responder.
async fn handle(
remote_addr: SocketAddr,
req: Request<Body>,
2021-12-09 14:43:19 +00:00
https_config: Arc<HttpsConfig>,
2021-12-07 14:20:45 +00:00
proxy_config: Arc<ProxyConfig>,
) -> Result<Response<Body>, anyhow::Error> {
2021-12-08 21:58:19 +00:00
let method = req.method().clone();
let uri = req.uri().to_string();
2021-12-07 14:20:45 +00:00
let host = if let Some(auth) = req.uri().authority() {
auth.as_str()
} else {
req.headers()
.get("host")
.ok_or_else(|| anyhow!("Missing host header"))?
.to_str()?
};
let path = req.uri().path();
2021-12-09 22:38:56 +00:00
let accept_encoding = accept_encoding_fork::encodings(req.headers()).unwrap_or_else(|_| vec![]);
2021-12-07 14:20:45 +00:00
2021-12-08 21:58:19 +00:00
let best_match = proxy_config
2021-12-07 14:20:45 +00:00
.entries
.iter()
.filter(|ent| {
ent.host.matches(host)
2021-12-07 14:20:45 +00:00
&& ent
.path_prefix
.as_ref()
.map(|prefix| path.starts_with(prefix))
.unwrap_or(true)
})
2021-12-08 21:29:08 +00:00
.max_by_key(|ent| {
2021-12-07 14:20:45 +00:00
(
ent.priority,
2021-12-08 21:29:08 +00:00
ent.path_prefix
2021-12-07 14:20:45 +00:00
.as_ref()
.map(|x| x.len() as i32)
2021-12-08 21:29:08 +00:00
.unwrap_or(0),
ent.same_node,
ent.same_site,
2021-12-08 21:29:08 +00:00
-ent.calls.load(Ordering::SeqCst),
2021-12-07 14:20:45 +00:00
)
});
2021-12-08 21:58:19 +00:00
if let Some(proxy_to) = best_match {
proxy_to.calls.fetch_add(1, Ordering::SeqCst);
2021-12-08 21:24:58 +00:00
debug!("{}{} -> {}", host, path, proxy_to);
2021-12-08 12:28:07 +00:00
trace!("Request: {:?}", req);
2021-12-07 14:20:45 +00:00
2021-12-08 21:58:19 +00:00
let mut response = if proxy_to.https_target {
let to_addr = format!("https://{}", proxy_to.target_addr);
handle_error(reverse_proxy::call_https(remote_addr.ip(), &to_addr, req).await)
2021-12-08 21:58:19 +00:00
} else {
let to_addr = format!("http://{}", proxy_to.target_addr);
handle_error(reverse_proxy::call(remote_addr.ip(), &to_addr, req).await)
2021-12-08 21:58:19 +00:00
};
2021-12-07 17:19:51 +00:00
if response.status().is_success() {
// (TODO: maybe we want to add these headers even if it's not a success?)
for (header, value) in proxy_to.add_headers.iter() {
response.headers_mut().insert(
HeaderName::from_bytes(header.as_bytes())?,
HeaderValue::from_str(value)?,
);
}
2022-01-24 18:38:13 +00:00
}
2021-12-09 14:43:19 +00:00
if https_config.enable_compression {
response =
try_compress(response, method.clone(), accept_encoding, &https_config).await?
};
trace!("Final response: {:?}", response);
info!("{} {} {}", method, response.status().as_u16(), uri);
Ok(response)
2021-12-07 14:20:45 +00:00
} else {
2021-12-08 21:58:19 +00:00
debug!("{}{} -> NOT FOUND", host, path);
info!("{} 404 {}", method, uri);
2021-12-07 14:20:45 +00:00
Ok(Response::builder()
.status(StatusCode::NOT_FOUND)
.body(Body::from("No matching proxy entry"))?)
}
}
2021-12-09 14:43:19 +00:00
fn handle_error(resp: Result<Response<Body>>) -> Response<Body> {
match resp {
Ok(resp) => resp,
Err(e) => Response::builder()
.status(StatusCode::BAD_GATEWAY)
.body(Body::from(format!("Proxy error: {}", e)))
.unwrap(),
}
2022-01-24 18:38:13 +00:00
}
async fn try_compress(
2021-12-09 14:43:19 +00:00
response: Response<Body>,
method: Method,
2021-12-09 15:03:19 +00:00
accept_encoding: Vec<(Option<Encoding>, f32)>,
2021-12-09 14:43:19 +00:00
https_config: &HttpsConfig,
) -> Result<Response<Body>> {
// Don't bother compressing successfull responses for HEAD and PUT (they should have an empty body)
// Don't compress partial content as it causes issues
// Don't bother compressing non-2xx results
// Don't compress Upgrade responses (e.g. websockets)
// Don't compress responses that are already compressed
if (response.status().is_success() && (method == Method::HEAD || method == Method::PUT))
|| response.status() == StatusCode::PARTIAL_CONTENT
|| !response.status().is_success()
|| response.headers().get(header::CONNECTION) == Some(&HeaderValue::from_static("Upgrade"))
|| response.headers().get(header::CONTENT_ENCODING).is_some()
{
return Ok(response);
}
// Select preferred encoding among those proposed in accept_encoding
2021-12-09 15:03:19 +00:00
let max_q: f32 = accept_encoding
.iter()
.max_by_key(|(_, q)| (q * 10000f32) as i64)
.unwrap_or(&(None, 1.))
.1;
let preference = [
Encoding::Zstd,
//Encoding::Brotli,
2021-12-09 15:03:19 +00:00
Encoding::Deflate,
Encoding::Gzip,
];
2021-12-09 22:38:56 +00:00
#[allow(clippy::float_cmp)]
2021-12-09 15:03:19 +00:00
let encoding_opt = accept_encoding
.iter()
.filter(|(_, q)| *q == max_q)
.filter_map(|(enc, _)| *enc)
.filter(|enc| preference.contains(enc))
.min_by_key(|enc| preference.iter().position(|x| x == enc).unwrap());
// If preferred encoding is none, return as is
let encoding = match encoding_opt {
2021-12-09 14:43:19 +00:00
None | Some(Encoding::Identity) => return Ok(response),
Some(enc) => enc,
};
// If content type not in mime types for which to compress, return as is
match response.headers().get(header::CONTENT_TYPE) {
Some(ct) => {
let ct_str = ct.to_str()?;
2021-12-09 15:03:19 +00:00
let mime_type = match ct_str.split_once(';') {
Some((mime_type, _params)) => mime_type,
None => ct_str,
};
2021-12-09 15:19:41 +00:00
if !https_config
.compress_mime_types
.iter()
.any(|x| x == mime_type)
{
2021-12-09 14:43:19 +00:00
return Ok(response);
}
}
None => return Ok(response), // don't compress if unknown mime type
2021-12-09 14:43:19 +00:00
};
let (mut head, mut body) = response.into_parts();
2021-12-09 14:43:19 +00:00
// ---- If body is smaller than 1400 bytes, don't compress ----
let mut chunks = vec![];
let mut sum_lengths = 0;
while sum_lengths < 1400 {
match body.next().await {
Some(chunk) => {
let chunk = chunk?;
sum_lengths += chunk.len();
chunks.push(chunk);
}
None => {
return Ok(Response::from_parts(head, Body::from(chunks.concat())));
}
}
}
// put beginning chunks back into body
2021-12-09 22:38:56 +00:00
let body = futures::stream::iter(chunks.into_iter().map(Ok)).chain(body);
// make an async reader from that for compressor
2021-12-09 14:43:19 +00:00
let body_rd =
StreamReader::new(body.map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, e)));
trace!(
2021-12-09 22:38:56 +00:00
"Compressing response body as {:?} (at least {} bytes)",
encoding,
sum_lengths
2021-12-09 22:38:56 +00:00
);
// we don't know the compressed content-length so remove that header
head.headers.remove(header::CONTENT_LENGTH);
let (encoding, compressed_body) = match encoding {
Encoding::Gzip => (
"gzip",
Body::wrap_stream(ReaderStream::new(GzipEncoder::new(body_rd))),
),
// Encoding::Brotli => {
// head.headers.insert(header::CONTENT_ENCODING, "br".parse()?);
// Body::wrap_stream(ReaderStream::new(BrotliEncoder::new(body_rd)))
// }
Encoding::Deflate => (
"deflate",
Body::wrap_stream(ReaderStream::new(DeflateEncoder::new(body_rd))),
),
Encoding::Zstd => (
"zstd",
Body::wrap_stream(ReaderStream::new(ZstdEncoder::new(body_rd))),
),
2021-12-09 14:43:19 +00:00
_ => unreachable!(),
};
head.headers
.insert(header::CONTENT_ENCODING, encoding.parse()?);
2021-12-09 14:43:19 +00:00
Ok(Response::from_parts(head, compressed_body))
}