examples/https-tls/cert-watch/src/main.rs

use std::{fs::File, io::BufReader, path::Path};

use actix_web::{
    http::header::ContentType, middleware, web, App, HttpRequest, HttpResponse, HttpServer,
};
use log::debug;
use notify::{Event, RecursiveMode, Watcher as _};
use rustls::{Certificate, PrivateKey, ServerConfig};
use rustls_pemfile::{certs, pkcs8_private_keys};
use tokio::sync::mpsc;

#[derive(Debug)]
struct TlsUpdated;

async fn index(req: HttpRequest) -> HttpResponse {
    debug!("{req:?}");

    HttpResponse::Ok().content_type(ContentType::html()).body(
        "<!DOCTYPE html><html><body>\
            <p>Welcome to your TLS-secured homepage!</p>\
        </body></html>",
    )
}

#[tokio::main(worker_threads = 2)]
async fn main() -> eyre::Result<()> {
    color_eyre::install()?;
    env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));

    // signal channel used to notify main event loop of cert/key file changes
    let (reload_tx, mut reload_rx) = mpsc::channel(1);

    let mut file_watcher =
        notify::recommended_watcher(move |res: notify::Result<Event>| match res {
            Ok(ev) => {
                log::info!("files changed: {:?}", ev.paths);
                reload_tx.blocking_send(TlsUpdated).unwrap();
            }
            Err(err) => {
                log::error!("file watch error: {err}");
            }
        })
        .unwrap();

    file_watcher
        .watch(Path::new("cert.pem"), RecursiveMode::NonRecursive)
        .unwrap();
    file_watcher
        .watch(Path::new("key.pem"), RecursiveMode::NonRecursive)
        .unwrap();

    // start HTTP server reload loop
    //
    // loop reloads on TLS changes and exits on normal ctrl-c (etc.) signals
    loop {
        // load TLS cert/key files and
        let config = load_rustls_config();

        log::info!("starting HTTPS server at https://localhost:8443");

        let mut server = HttpServer::new(|| {
            App::new()
                .service(web::resource("/").to(index))
                .wrap(middleware::Logger::default())
        })
        .workers(2)
        .bind_rustls_021("127.0.0.1:8443", config)?
        .run();

        let server_hnd = server.handle();

        tokio::select! {
            // poll server continuously
            res = &mut server => {
                log::info!("server shut down via signal or manual command");
                res?;
                break;
            },

            // receiving a message to reload the server
            Some(_) = reload_rx.recv() => {
                log::info!("TLS cert or key updated");

                // send stop signal; no need to wait for completion signal here
                // since we're about to await the server itself
                drop(server_hnd.stop(true));

                // poll and await server shutdown before
                server.await?;

                // restart loop to reload cert/key files
                continue;
            }
        }
    }

    Ok(())
}

fn load_rustls_config() -> rustls::ServerConfig {
    // init server config builder with safe defaults
    let config = ServerConfig::builder()
        .with_safe_defaults()
        .with_no_client_auth();

    // load TLS key/cert files
    let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());
    let key_file = &mut BufReader::new(File::open("key.pem").unwrap());

    // convert files to key/cert objects
    let cert_chain = certs(cert_file)
        .unwrap()
        .into_iter()
        .map(Certificate)
        .collect();
    let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)
        .unwrap()
        .into_iter()
        .map(PrivateKey)
        .collect();

    // exit if no keys could be parsed
    if keys.is_empty() {
        eprintln!("Could not locate PKCS 8 private keys.");
        std::process::exit(1);
    }

    config.with_single_cert(cert_chain, keys.remove(0)).unwrap()
}
feat: add cert-watch example 2024-02-06 03:50:23 +01:00			`use std::{fs::File, io::BufReader, path::Path};`

			`use actix_web::{`
			`http::header::ContentType, middleware, web, App, HttpRequest, HttpResponse, HttpServer,`
			`};`
			`use log::debug;`
			`use notify::{Event, RecursiveMode, Watcher as _};`
			`use rustls::{Certificate, PrivateKey, ServerConfig};`
			`use rustls_pemfile::{certs, pkcs8_private_keys};`
			`use tokio::sync::mpsc;`

			`#[derive(Debug)]`
			`struct TlsUpdated;`

			`async fn index(req: HttpRequest) -> HttpResponse {`
			`debug!("{req:?}");`

			`HttpResponse::Ok().content_type(ContentType::html()).body(`
			`"<!DOCTYPE html><html><body>\`
			`<p>Welcome to your TLS-secured homepage!</p>\`
			`</body></html>",`
			`)`
			`}`

			`#[tokio::main(worker_threads = 2)]`
			`async fn main() -> eyre::Result<()> {`
			`color_eyre::install()?;`
			`env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));`

			`// signal channel used to notify main event loop of cert/key file changes`
			`let (reload_tx, mut reload_rx) = mpsc::channel(1);`

			`let mut file_watcher =`
			`notify::recommended_watcher(move \|res: notify::Result<Event>\| match res {`
			`Ok(ev) => {`
			`log::info!("files changed: {:?}", ev.paths);`
			`reload_tx.blocking_send(TlsUpdated).unwrap();`
			`}`
			`Err(err) => {`
			`log::error!("file watch error: {err}");`
			`}`
			`})`
			`.unwrap();`

			`file_watcher`
			`.watch(Path::new("cert.pem"), RecursiveMode::NonRecursive)`
			`.unwrap();`
			`file_watcher`
			`.watch(Path::new("key.pem"), RecursiveMode::NonRecursive)`
			`.unwrap();`

			`// start HTTP server reload loop`
			`//`
			`// loop reloads on TLS changes and exits on normal ctrl-c (etc.) signals`
			`loop {`
			`// load TLS cert/key files and`
			`let config = load_rustls_config();`

			`log::info!("starting HTTPS server at https://localhost:8443");`

			`let mut server = HttpServer::new(\|\| {`
			`App::new()`
			`.service(web::resource("/").to(index))`
			`.wrap(middleware::Logger::default())`
			`})`
			`.workers(2)`
			`.bind_rustls_021("127.0.0.1:8443", config)?`
			`.run();`

			`let server_hnd = server.handle();`

			`tokio::select! {`
			`// poll server continuously`
			`res = &mut server => {`
			`log::info!("server shut down via signal or manual command");`
			`res?;`
			`break;`
			`},`

			`// receiving a message to reload the server`
			`Some(_) = reload_rx.recv() => {`
			`log::info!("TLS cert or key updated");`

			`// send stop signal; no need to wait for completion signal here`
			`// since we're about to await the server itself`
			`drop(server_hnd.stop(true));`

			`// poll and await server shutdown before`
			`server.await?;`

			`// restart loop to reload cert/key files`
			`continue;`
			`}`
			`}`
			`}`

			`Ok(())`
			`}`

			`fn load_rustls_config() -> rustls::ServerConfig {`
			`// init server config builder with safe defaults`
			`let config = ServerConfig::builder()`
			`.with_safe_defaults()`
			`.with_no_client_auth();`

			`// load TLS key/cert files`
			`let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap());`
			`let key_file = &mut BufReader::new(File::open("key.pem").unwrap());`

			`// convert files to key/cert objects`
			`let cert_chain = certs(cert_file)`
			`.unwrap()`
			`.into_iter()`
			`.map(Certificate)`
			`.collect();`
			`let mut keys: Vec<PrivateKey> = pkcs8_private_keys(key_file)`
			`.unwrap()`
			`.into_iter()`
			`.map(PrivateKey)`
			`.collect();`

			`// exit if no keys could be parsed`
			`if keys.is_empty() {`
			`eprintln!("Could not locate PKCS 8 private keys.");`
			`std::process::exit(1);`
			`}`

			`config.with_single_cert(cert_chain, keys.remove(0)).unwrap()`
			`}`