Add TLS support #366

Merged
merged 3 commits into from
Jul 25, 2024
128 changes: 128 additions & 0 deletions Cargo.lock


2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -114,6 +114,8 @@ is `info,actix_web=debug`. To only log errors use the following
`RUST_LOG=error` and to only disable access logging, use
`RUST_LOG=info,actix_web::middleware=error`

To enable TLS on the HTTP server, specify `tls_cert_path` and `tls_key_path`.

## Build

### Whole application
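--- a/flake.nix
+++ b/flake.nix
@@ -44,6 +44,7 @@
 t01-signing = import ./tests/t01-signing.nix testArgs;
 t02-varnish = import ./tests/t02-varnish.nix testArgs;
 t03-chroot = import ./tests/t03-chroot.nix testArgs;
+t04-tls = import ./tests/t04-tls.nix testArgs;
 } // {
 clippy = config.packages.harmonia.override ({
 enableClippy = true;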
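--- a/harmonia/Cargo.toml
+++ b/harmonia/Cargo.toml
@@ -13,7 +13,8 @@ repository = "https://github.com/nix-community/harmonia.git"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-actix-web = { version = "4", default-features = false, features = ["macros", "compress-zstd", "cookies"] }
+actix-web = { version = "4", default-features = false, features = ["macros", "compress-zstd", "cookies", "openssl"] }
+openssl = { version = "0.10" }
 actix-files = "0.6.6"
 log = "0.4"
 env_logger = "0.11"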
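--- a/harmonia/src/config.rs
+++ b/harmonia/src/config.rs
@@ -36,6 +36,10 @@ pub(crate) struct Config {
 pub(crate) sign_key_path: Option<String>,
 #[serde(default)]
 pub(crate) sign_key_paths: Vec<String>,
+#[serde(default)]
+pub(crate) tls_cert_path: Option<String>,
+#[serde(default)]
+pub(crate) tls_key_path: Option<String>,
 
 #[serde(skip, default)]
 pub(crate) secret_keys: Vec<String>,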
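Review bot: The new `tls_cert_path` and `tls_key_path` fields carry no doc comment, and nothing in the struct says they are only meaningful as a pair, which is how main.rs consumes them. Suggest `/// PEM certificate chain for the HTTPS listener; must be set together with tls_key_path.` above the first field and `/// PEM private key for the HTTPS listener; must be set together with tls_cert_path.` above the second. The Config struct's definition begins outside the hunk.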
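--- a/harmonia/src/main.rs
+++ b/harmonia/src/main.rs
@@ -1,6 +1,7 @@
 use std::{fmt::Display, time::Duration};
 
 use actix_web::{http, web, App, HttpResponse, HttpServer};
+use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
 
 mod buildlog;
 mod cacheinfo;
@@ -109,7 +110,7 @@ async fn main() -> std::io::Result<()> {
 let config_data = c.clone();
 
 log::info!("listening on {}", c.bind);
-HttpServer::new(move || {
+let mut server = HttpServer::new(move || {
 App::new()
 .app_data(config_data.clone())
 .route("/", web::get().to(root::get))
@@ -140,8 +141,14 @@ async fn main() -> std::io::Result<()> {
 // default is 5 seconds, which is too small when doing mass requests on slow machines
 .client_request_timeout(Duration::from_secs(30))
 .workers(c.workers)
-.max_connection_rate(c.max_connection_rate)
-.bind(c.bind.clone())?
-.run()
-.await
+.max_connection_rate(c.max_connection_rate);
+if c.tls_cert_path.is_some() || c.tls_key_path.is_some() {
+let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
+builder.set_private_key_file(c.tls_key_path.clone().unwrap(), SslFiletype::PEM)?;
+builder.set_certificate_chain_file(c.tls_cert_path.clone().unwrap())?;
+server = server.bind_openssl(c.bind.clone(), builder)?;
+} else {
+server = server.bind(c.bind.clone())?;
+}
+server.run().await
 }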
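Review bot: Setting only one of tls_cert_path / tls_key_path satisfies the `||` guard in the third hunk and then panics on the `.unwrap()` of the other option, so a half-configured server dies with a panic instead of a readable configuration error. Matching on both options at once removes the unwraps, makes the one-without-the-other case an explicit `io::Error`, and avoids the two `.clone()` calls since the builder methods take `AsRef<Path>`. The openssl errors propagated with `?` carry no file name either, so a `map_err` that names the offending path would make a wrong key or cert path diagnosable from the log; the excerpt below leaves that as a follow-up. main's body starts outside the hunk.
```rust
        .max_connection_rate(c.max_connection_rate);
    match (&c.tls_cert_path, &c.tls_key_path) {
        (Some(cert), Some(key)) => {
            let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
            builder.set_private_key_file(key, SslFiletype::PEM)?;
            builder.set_certificate_chain_file(cert)?;
            server = server.bind_openssl(c.bind.clone(), builder)?;
        }
        (None, None) => server = server.bind(c.bind.clone())?,
        // Exactly one of the two paths is set: refuse to start rather than panic.
        _ => {
            return Err(std::io::Error::new(
                std::io::ErrorKind::InvalidInput,
                "tls_cert_path and tls_key_path must be set together",
            ))
        }
    }
    server.run().await
```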
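--- a/tests/t04-tls.nix
+++ b/tests/t04-tls.nix
@@ -0,0 +1,15 @@
+(import ./lib.nix) {
+name = "t04-tls";
+
+nodes.harmonia = {
+imports = [ ../module.nix ];
+
+services.harmonia-dev.enable = true;
+services.harmonia-dev.settings.tls_cert_path = ./tls-cert.pem;
+services.harmonia-dev.settings.tls_key_path = ./tls-key.pem;
+};
+
+testScript = ''
+harmonia.wait_until_succeeds("curl --cacert ${./tls-cert.pem} https://localhost:5000/version")
+'';
+}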
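Review bot: The test trusts a certificate checked in under tests/, so `curl --cacert` will start failing on its own once that certificate's notAfter date passes; its validity period is not visible on this page. Either generate the key pair on the test node at run time so the test cannot expire, or add a comment above `services.harmonia-dev.settings.tls_cert_path` recording how tls-cert.pem / tls-key.pem were produced and when they expire. The same comment should state that tls-key.pem is a throwaway test key, so it is not mistaken for something deployable.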
20 changes: 20 additions & 0 deletions tests/tls-cert.pem
@@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
17 changes: 17 additions & 0 deletions tests/tls-csr.pem
@@ -0,0 +1,17 @@
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
28 changes: 28 additions & 0 deletions tests/tls-key.pem
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----