Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature Request: Reload server TLS certificate #659

Open
bitc opened this issue Jul 18, 2020 · 3 comments
Open

Feature Request: Reload server TLS certificate #659

bitc opened this issue Jul 18, 2020 · 3 comments
Labels
feature New feature or request

Comments

@bitc
Copy link

bitc commented Jul 18, 2020

I can currently use warp with TLS by giving it a certificate when I start the server, as shown in the example: https://github.com/seanmonstar/warp/blob/master/examples/tls.rs

The problem is that when the certificate expires, the server must be restarted. I would like to update the certificate of the currently running warp server, so that existing connections are not touched, but all new incoming TCP connections are served the updated certificate.

In terms of the API, one possible suggestion would be to initialize the warp server with a "Channel" object. Then later on I can feed a new certificate into the channel whenever I want. But any other API that works would also be welcome.

This feature would be especially useful for those using letsencrypt, which has short certificate expiry times, and would be a better solution than the restarting technique discussed in #252

Thank you

@jxs jxs added the feature New feature or request label Aug 20, 2020
@acilcenter
Copy link

I think this mechanism can be very useful for updating configurations for reverse proxies, redirects etc with zero down time. So please can you implement for a broader use case.

@acilcenter
Copy link

I did some research for inspiration and use cases:

Nginx has a product for similar use case: https://www.nginx.com/products/nginx-unit/

Envoy also picks up the configuration change with no downtime.
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/dynamic_configuration

This is cited as one of the advantages of Envoy against Nginx.

https://dropbox.tech/infrastructure/how-we-migrated-dropbox-from-nginx-to-envoy

Aside: Envoy also has a pluggable filter chain mechanism which enables wasm modules to be used with, which makes it lightweight altentative to containers.

https://webassemblyhub.io
https://istio.io/latest/blog/2020/wasm-announce/

API configurability: Perhaps most importantly, Envoy provides a set of management APIs that can be implemented by control plane services. If a control plane implements all of the APIs, it becomes possible to run Envoy across an entire infrastructure using a generic common bootstrap configuration. All further configuration changes are delivered seamlessly and dynamically via the management server in such a way that Envoy never needs to be restarted. This makes Envoy a universal data plane that, when coupled with a sophisticated enough control plane, vastly reduces overall operational complexity.

https://blog.envoyproxy.io/the-universal-data-plane-api-d15cec7a

I know these are ambitious projects and it is more than simple file watching but having this feature baked into the library opens up windows to amazing possibilities for modest projects.

@thewh1teagle
Copy link

Is there an update for that?
I need this feature because when I update the certificate, I currently have to disconnect all the connected clients.

I can try to implement it if it isn't supported yet. Hints would be appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants