actix/examples
1
0
Fork 0
mirror of https://github.com/actix/examples synced 2025-04-22 08:34:52 +02:00
Code Issues Releases Wiki Activity

Merge pull request #1046 from ogtn/master

Browse Source 
Simplify rustls usage
This commit is contained in:
Rob Ede 2025-04-04 15:49:02 +00:00 committed by GitHub
commit f328e04374
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 62 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Cargo.lock generated
View File

@ -2047,7 +2047,6 @@ dependencies = [
"log", "log",
"notify 6.1.1", "notify 6.1.1",
"rustls 0.23.25", "rustls 0.23.25",
"rustls-pemfile 2.2.0",
"tokio", "tokio",
] ]
@ -5094,7 +5093,6 @@ dependencies = [
"futures-util", "futures-util",
"log", "log",
"rustls 0.23.25", "rustls 0.23.25",
"rustls-pemfile 2.2.0",
] ]
[[package]] [[package]]
@ -6995,7 +6993,6 @@ dependencies = [
"env_logger", "env_logger",
"log", "log",
"rustls 0.23.25", "rustls 0.23.25",
"rustls-pemfile 2.2.0",
] ]
[[package]] [[package]]
@ -7007,7 +7004,6 @@ dependencies = [
"env_logger", "env_logger",
"log", "log",
"rustls 0.23.25", "rustls 0.23.25",
"rustls-pemfile 2.2.0",
] ]
[[package]] [[package]]
@ -8412,7 +8408,6 @@ dependencies = [
"eyre", "eyre",
"log", "log",
"rustls 0.23.25", "rustls 0.23.25",
"rustls-pemfile 2.2.0",
"tokio", "tokio",
] ]

1
Cargo.toml
View File

@ -112,7 +112,6 @@ rand = "0.9"
redis = { version = "0.27" } redis = { version = "0.27" }
reqwest = { version = "0.12", features = ["json", "stream"] } reqwest = { version = "0.12", features = ["json", "stream"] }
rustls = "0.23" rustls = "0.23"
rustls-pemfile = "2"
serde = { version = "1", features = ["derive"] } serde = { version = "1", features = ["derive"] }
serde_json = "1" serde_json = "1"
time = "0.3" time = "0.3"

1
https-tls/acme-letsencrypt/Cargo.toml
View File

@ -12,5 +12,4 @@ env_logger.workspace = true
eyre.workspace = true eyre.workspace = true
log.workspace = true log.workspace = true
rustls.workspace = true rustls.workspace = true
rustls-pemfile.workspace = true
tokio = { workspace = true, features = ["fs"] } tokio = { workspace = true, features = ["fs"] }

9
https-tls/acme-letsencrypt/src/main.rs
View File

@ -4,7 +4,7 @@ use acme::{Certificate, Directory, DirectoryUrl, create_p256_key};
use actix_files::Files; use actix_files::Files;
use actix_web::{App, HttpRequest, HttpServer, Responder, rt, web}; use actix_web::{App, HttpRequest, HttpServer, Responder, rt, web};
use eyre::eyre; use eyre::eyre;
use rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}; use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer, pem::PemObject};
use tokio::fs; use tokio::fs;
const CHALLENGE_DIR: &str = "./acme-challenges"; const CHALLENGE_DIR: &str = "./acme-challenges";
@ -188,10 +188,9 @@ fn load_rustls_config(cert: Certificate) -> eyre::Result<rustls::ServerConfig> {
let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(cert.private_key_der()?)); let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(cert.private_key_der()?));
// convert ACME-obtained certificate chain // convert ACME-obtained certificate chain
let cert_chain = let cert_chain = CertificateDer::pem_slice_iter(cert.certificate().as_bytes())
rustls_pemfile::certs(&mut std::io::BufReader::new(cert.certificate().as_bytes())) .flatten()
.collect::<Result<Vec<_>, _>>() .collect();
.unwrap();
Ok(config.with_single_cert(cert_chain, private_key)?) Ok(config.with_single_cert(cert_chain, private_key)?)
} }

1
https-tls/cert-watch/Cargo.toml
View File

@ -11,5 +11,4 @@ eyre.workspace = true
log.workspace = true log.workspace = true
notify = "6" notify = "6"
rustls.workspace = true rustls.workspace = true
rustls-pemfile.workspace = true
tokio = { workspace = true, features = ["time", "rt", "macros"] } tokio = { workspace = true, features = ["time", "rt", "macros"] }

44
https-tls/cert-watch/src/main.rs
View File

@ -1,12 +1,14 @@
use std::{fs::File, io::BufReader, path::Path}; use std::path::Path;
use actix_web::{ use actix_web::{
App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web, App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
}; };
use log::debug; use log::debug;
use notify::{Event, RecursiveMode, Watcher as _}; use notify::{Event, RecursiveMode, Watcher as _};
use rustls::{ServerConfig, pki_types::PrivateKeyDer}; use rustls::{
use rustls_pemfile::{certs, pkcs8_private_keys}; ServerConfig,
pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
};
use tokio::sync::mpsc; use tokio::sync::mpsc;
#[derive(Debug)] #[derive(Debug)]
@ -27,6 +29,11 @@ async fn main() -> eyre::Result<()> {
color_eyre::install()?; color_eyre::install()?;
env_logger::init_from_env(env_logger::Env::default().default_filter_or("info")); env_logger::init_from_env(env_logger::Env::default().default_filter_or("info"));
// Load default provider, to be done once for the process
rustls::crypto::aws_lc_rs::default_provider()
.install_default()
.unwrap();
// signal channel used to notify main event loop of cert/key file changes // signal channel used to notify main event loop of cert/key file changes
let (reload_tx, mut reload_rx) = mpsc::channel(1); let (reload_tx, mut reload_rx) = mpsc::channel(1);
@ -100,29 +107,16 @@ async fn main() -> eyre::Result<()> {
} }
fn load_rustls_config() -> eyre::Result<rustls::ServerConfig> { fn load_rustls_config() -> eyre::Result<rustls::ServerConfig> {
rustls::crypto::aws_lc_rs::default_provider()
.install_default()
.unwrap();
// init server config builder with safe defaults
let config = ServerConfig::builder().with_no_client_auth();
// load TLS key/cert files // load TLS key/cert files
let cert_file = &mut BufReader::new(File::open("cert.pem")?); let cert_chain = CertificateDer::pem_file_iter("cert.pem")
let key_file = &mut BufReader::new(File::open("key.pem")?); .unwrap()
.flatten()
.collect();
// convert files to key/cert objects let key_der =
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap(); PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
let mut keys = pkcs8_private_keys(key_file)
.map(|key| key.map(PrivateKeyDer::Pkcs8))
.collect::<Result<Vec<_>, _>>()
.unwrap();
// exit if no keys could be parsed Ok(ServerConfig::builder()
if keys.is_empty() { .with_no_client_auth()
eprintln!("Could not locate PKCS 8 private keys."); .with_single_cert(cert_chain, key_der)?)
std::process::exit(1);
}
Ok(config.with_single_cert(cert_chain, keys.remove(0))?)
} }

1
https-tls/rustls-client-cert/Cargo.toml
View File

@ -9,4 +9,3 @@ actix-web = { workspace = true, features = ["rustls-0_23"] }
env_logger.workspace = true env_logger.workspace = true
log.workspace = true log.workspace = true
rustls.workspace = true rustls.workspace = true
rustls-pemfile.workspace = true

31
https-tls/rustls-client-cert/src/main.rs
View File

@ -1,7 +1,7 @@
//! This example shows how to use `actix_web::HttpServer::on_connect` to access client certificates //! This example shows how to use `actix_web::HttpServer::on_connect` to access client certificates
//! pass them to a handler through connection-local data. //! pass them to a handler through connection-local data.
use std::{any::Any, fs::File, io::BufReader, net::SocketAddr, sync::Arc}; use std::{any::Any, net::SocketAddr, sync::Arc};
use actix_tls::accept::rustls_0_23::TlsStream; use actix_tls::accept::rustls_0_23::TlsStream;
use actix_web::{ use actix_web::{
@ -10,10 +10,9 @@ use actix_web::{
use log::info; use log::info;
use rustls::{ use rustls::{
RootCertStore, ServerConfig, RootCertStore, ServerConfig,
pki_types::{CertificateDer, PrivateKeyDer}, pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
server::WebPkiClientVerifier, server::WebPkiClientVerifier,
}; };
use rustls_pemfile::{certs, pkcs8_private_keys};
const CA_CERT: &str = "certs/rootCA.pem"; const CA_CERT: &str = "certs/rootCA.pem";
const SERVER_CERT: &str = "certs/server-cert.pem"; const SERVER_CERT: &str = "certs/server-cert.pem";
@ -80,29 +79,27 @@ async fn main() -> std::io::Result<()> {
let mut cert_store = RootCertStore::empty(); let mut cert_store = RootCertStore::empty();
// import CA cert // import CA cert
let ca_cert = &mut BufReader::new(File::open(CA_CERT)?); CertificateDer::pem_file_iter(CA_CERT)
let ca_cert = certs(ca_cert).collect::<Result<Vec<_>, _>>().unwrap(); .unwrap()
.flatten()
for cert in ca_cert { .for_each(|der| cert_store.add(der).unwrap());
cert_store.add(cert).expect("root CA not added to store");
}
// set up client authentication requirements // set up client authentication requirements
let client_auth = WebPkiClientVerifier::builder(Arc::new(cert_store)) let client_auth = WebPkiClientVerifier::builder(Arc::new(cert_store))
.build() .build()
.unwrap(); .unwrap();
let config = ServerConfig::builder().with_client_cert_verifier(client_auth);
// import server cert and key // import server cert and key
let cert_file = &mut BufReader::new(File::open(SERVER_CERT)?); let key_der = PrivateKeyDer::from_pem_file(SERVER_KEY).unwrap();
let key_file = &mut BufReader::new(File::open(SERVER_KEY)?); let cert_chain = CertificateDer::pem_file_iter(SERVER_CERT)
.unwrap()
.flatten()
.collect();
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap(); let config = ServerConfig::builder()
let mut keys = pkcs8_private_keys(key_file) .with_client_cert_verifier(client_auth)
.map(|key| key.map(PrivateKeyDer::Pkcs8)) .with_single_cert(cert_chain, key_der)
.collect::<Result<Vec<_>, _>>()
.unwrap(); .unwrap();
let config = config.with_single_cert(cert_chain, keys.remove(0)).unwrap();
log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443"); log::info!("starting HTTP server at http://localhost:8080 and https://localhost:8443");

1
https-tls/rustls/Cargo.toml
View File

@ -10,4 +10,3 @@ actix-files.workspace = true
env_logger.workspace = true env_logger.workspace = true
log.workspace = true log.workspace = true
rustls.workspace = true rustls.workspace = true
rustls-pemfile.workspace = true

36
https-tls/rustls/src/main.rs
View File

@ -1,12 +1,12 @@
use std::{fs::File, io::BufReader};
use actix_files::Files; use actix_files::Files;
use actix_web::{ use actix_web::{
App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web, App, HttpRequest, HttpResponse, HttpServer, http::header::ContentType, middleware, web,
}; };
use log::debug; use log::debug;
use rustls::{ServerConfig, pki_types::PrivateKeyDer}; use rustls::{
use rustls_pemfile::{certs, pkcs8_private_keys}; ServerConfig,
pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
};
/// simple handle /// simple handle
async fn index(req: HttpRequest) -> HttpResponse { async fn index(req: HttpRequest) -> HttpResponse {
@ -46,25 +46,17 @@ fn load_rustls_config() -> rustls::ServerConfig {
.install_default() .install_default()
.unwrap(); .unwrap();
// init server config builder with safe defaults
let config = ServerConfig::builder().with_no_client_auth();
// load TLS key/cert files // load TLS key/cert files
let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap()); let cert_chain = CertificateDer::pem_file_iter("cert.pem")
let key_file = &mut BufReader::new(File::open("key.pem").unwrap()); .unwrap()
.flatten()
.collect();
// convert files to key/cert objects let key_der =
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap(); PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
let mut keys = pkcs8_private_keys(key_file)
.map(|key| key.map(PrivateKeyDer::Pkcs8))
.collect::<Result<Vec<_>, _>>()
.unwrap();
// exit if no keys could be parsed ServerConfig::builder()
if keys.is_empty() { .with_no_client_auth()
eprintln!("Could not locate PKCS 8 private keys."); .with_single_cert(cert_chain, key_der)
std::process::exit(1); .unwrap()
}
config.with_single_cert(cert_chain, keys.remove(0)).unwrap()
} }

1
middleware/http-to-https/Cargo.toml
View File

@ -9,4 +9,3 @@ env_logger.workspace = true
futures-util.workspace = true futures-util.workspace = true
log.workspace = true log.workspace = true
rustls.workspace = true rustls.workspace = true
rustls-pemfile.workspace = true

23
middleware/http-to-https/src/main.rs
View File

@ -1,9 +1,9 @@
use std::{fs::File, io::BufReader};
use actix_web::{App, HttpResponse, HttpServer, dev::Service, get, http}; use actix_web::{App, HttpResponse, HttpServer, dev::Service, get, http};
use futures_util::future::{self, Either, FutureExt}; use futures_util::future::{self, Either, FutureExt};
use rustls::{ServerConfig, pki_types::PrivateKeyDer}; use rustls::{
use rustls_pemfile::{certs, pkcs8_private_keys}; ServerConfig,
pki_types::{CertificateDer, PrivateKeyDer, pem::PemObject},
};
#[get("/")] #[get("/")]
async fn index() -> String { async fn index() -> String {
@ -18,18 +18,17 @@ async fn main() -> std::io::Result<()> {
.install_default() .install_default()
.unwrap(); .unwrap();
let cert_file = &mut BufReader::new(File::open("cert.pem").unwrap()); let cert_chain = CertificateDer::pem_file_iter("cert.pem")
let key_file = &mut BufReader::new(File::open("key.pem").unwrap()); .unwrap()
.flatten()
.collect();
let cert_chain = certs(cert_file).collect::<Result<Vec<_>, _>>().unwrap(); let key_der =
let mut keys = pkcs8_private_keys(key_file) PrivateKeyDer::from_pem_file("key.pem").expect("Could not locate PKCS 8 private keys.");
.map(|key| key.map(PrivateKeyDer::Pkcs8))
.collect::<Result<Vec<_>, _>>()
.unwrap();
let config = ServerConfig::builder() let config = ServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
.with_single_cert(cert_chain, keys.remove(0)) .with_single_cert(cert_chain, key_der)
.unwrap(); .unwrap();
log::info!( log::info!(