feat: TLS acceptor with SNI resolver (#471)

shuttle-hq · Nov 18, 2022 · 3bd6f0f · 3bd6f0f
1 parent 74aeb46
commit 3bd6f0f
Show file tree

Hide file tree

Showing 13 changed files with 879 additions and 239 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Makefile b/Makefile
@@ -40,21 +40,24 @@ APPS_FQDN=shuttleapp.rs
 DB_FQDN=db.shuttle.rs
 CONTAINER_REGISTRY=public.ecr.aws/shuttle
 DD_ENV=production
+# make sure we only ever go to production with `--tls=enable`
+USE_TLS=enable
 else
 DOCKER_COMPOSE_FILES=-f docker-compose.yml -f docker-compose.dev.yml
 STACK=shuttle-dev
 APPS_FQDN=unstable.shuttleapp.rs
 DB_FQDN=db.unstable.shuttle.rs
 CONTAINER_REGISTRY=public.ecr.aws/shuttle-dev
 DD_ENV=unstable
+USE_TLS?=disable
 endif
 
 POSTGRES_EXTRA_PATH?=./extras/postgres
 POSTGRES_TAG?=14
 
 RUST_LOG?=debug
 
-DOCKER_COMPOSE_ENV=STACK=$(STACK) BACKEND_TAG=$(TAG) PROVISIONER_TAG=$(TAG) POSTGRES_TAG=${POSTGRES_TAG} APPS_FQDN=$(APPS_FQDN) DB_FQDN=$(DB_FQDN) POSTGRES_PASSWORD=$(POSTGRES_PASSWORD) RUST_LOG=$(RUST_LOG) CONTAINER_REGISTRY=$(CONTAINER_REGISTRY) MONGO_INITDB_ROOT_USERNAME=$(MONGO_INITDB_ROOT_USERNAME) MONGO_INITDB_ROOT_PASSWORD=$(MONGO_INITDB_ROOT_PASSWORD) DD_ENV=$(DD_ENV)
+DOCKER_COMPOSE_ENV=STACK=$(STACK) BACKEND_TAG=$(TAG) PROVISIONER_TAG=$(TAG) POSTGRES_TAG=${POSTGRES_TAG} APPS_FQDN=$(APPS_FQDN) DB_FQDN=$(DB_FQDN) POSTGRES_PASSWORD=$(POSTGRES_PASSWORD) RUST_LOG=$(RUST_LOG) CONTAINER_REGISTRY=$(CONTAINER_REGISTRY) MONGO_INITDB_ROOT_USERNAME=$(MONGO_INITDB_ROOT_USERNAME) MONGO_INITDB_ROOT_PASSWORD=$(MONGO_INITDB_ROOT_PASSWORD) DD_ENV=$(DD_ENV) USE_TLS=$(USE_TLS)
 
 .PHONY: images clean src up down deploy shuttle-% postgres docker-compose.rendered.yml test bump-% deploy-examples publish publish-% --validate-version
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,6 +15,7 @@ services:
     depends_on:
       - provisioner
     ports:
+      - 7999:7999
       - 8000:8000
       - 8001:8001
     deploy:
@@ -42,16 +43,18 @@ services:
     environment:
       - RUST_LOG=${RUST_LOG}
     command:
-      - "--state=/var/lib/shuttle/gateway.sqlite"
+      - "--state=/var/lib/shuttle"
       - "start"
       - "--control=0.0.0.0:8001"
       - "--user=0.0.0.0:8000"
+      - "--bouncer=0.0.0.0:7999"
       - "--image=${CONTAINER_REGISTRY}/deployer:${BACKEND_TAG}"
       - "--prefix=shuttle_"
       - "--network-name=${STACK}_user-net"
       - "--docker-host=/var/run/docker.sock"
       - "--provisioner-host=provisioner"
       - "--proxy-fqdn=${APPS_FQDN}"
+      - "--use-tls=${USE_TLS}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8001"]
       interval: 1m

diff --git a/gateway/Cargo.toml b/gateway/Cargo.toml
@@ -7,12 +7,20 @@ publish = false
 [dependencies]
 acme2 = "0.5.1"
 async-trait = "0.1.52"
+
 axum = { version = "0.5.8", features = [ "headers" ] }
+axum-server = { version = "0.4.4", features = [ "tls-rustls" ] }
+rustls = { version = "0.20.6" }
+rustls-pemfile = { version = "1.0.1" }
+pem = "1.1.0"
+
 base64 = "0.13"
 bollard = "0.13"
 chrono = "0.4"
 clap = { version = "4.0.0", features = [ "derive" ] }
+
 fqdn = "0.2.2"
+
 futures = "0.3.21"
 http = "0.2.8"
 hyper = { version = "0.14.19", features = [ "stream" ] }