shuttle-hq · brokad · Nov 18, 2022 · Nov 9, 2022 · Nov 9, 2022 · Nov 9, 2022
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Makefile b/Makefile
@@ -40,21 +40,24 @@ APPS_FQDN=shuttleapp.rs
 DB_FQDN=db.shuttle.rs
 CONTAINER_REGISTRY=public.ecr.aws/shuttle
 DD_ENV=production
+# make sure we only ever go to production with `--tls=enable`
+USE_TLS=enable
 else
 DOCKER_COMPOSE_FILES=-f docker-compose.yml -f docker-compose.dev.yml
 STACK=shuttle-dev
 APPS_FQDN=unstable.shuttleapp.rs
 DB_FQDN=db.unstable.shuttle.rs
 CONTAINER_REGISTRY=public.ecr.aws/shuttle-dev
 DD_ENV=unstable
+USE_TLS?=disable
 endif
 
 POSTGRES_EXTRA_PATH?=./extras/postgres
 POSTGRES_TAG?=14
 
 RUST_LOG?=debug
 
-DOCKER_COMPOSE_ENV=STACK=$(STACK) BACKEND_TAG=$(TAG) PROVISIONER_TAG=$(TAG) POSTGRES_TAG=${POSTGRES_TAG} APPS_FQDN=$(APPS_FQDN) DB_FQDN=$(DB_FQDN) POSTGRES_PASSWORD=$(POSTGRES_PASSWORD) RUST_LOG=$(RUST_LOG) CONTAINER_REGISTRY=$(CONTAINER_REGISTRY) MONGO_INITDB_ROOT_USERNAME=$(MONGO_INITDB_ROOT_USERNAME) MONGO_INITDB_ROOT_PASSWORD=$(MONGO_INITDB_ROOT_PASSWORD) DD_ENV=$(DD_ENV)
+DOCKER_COMPOSE_ENV=STACK=$(STACK) BACKEND_TAG=$(TAG) PROVISIONER_TAG=$(TAG) POSTGRES_TAG=${POSTGRES_TAG} APPS_FQDN=$(APPS_FQDN) DB_FQDN=$(DB_FQDN) POSTGRES_PASSWORD=$(POSTGRES_PASSWORD) RUST_LOG=$(RUST_LOG) CONTAINER_REGISTRY=$(CONTAINER_REGISTRY) MONGO_INITDB_ROOT_USERNAME=$(MONGO_INITDB_ROOT_USERNAME) MONGO_INITDB_ROOT_PASSWORD=$(MONGO_INITDB_ROOT_PASSWORD) DD_ENV=$(DD_ENV) USE_TLS=$(USE_TLS)
 
 .PHONY: images clean src up down deploy shuttle-% postgres docker-compose.rendered.yml test bump-% deploy-examples publish publish-% --validate-version
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -15,6 +15,7 @@ services:
     depends_on:
       - provisioner
     ports:
+      - 7999:7999
       - 8000:8000
       - 8001:8001
     deploy:
@@ -42,7 +43,7 @@ services:
     environment:
       - RUST_LOG=${RUST_LOG}
     command:
-      - "--state=/var/lib/shuttle/gateway.sqlite"
+      - "--state=/var/lib/shuttle"
       - "start"
       - "--control=0.0.0.0:8001"
       - "--user=0.0.0.0:8000"
@@ -52,6 +53,7 @@ services:
       - "--docker-host=/var/run/docker.sock"
       - "--provisioner-host=provisioner"
       - "--proxy-fqdn=${APPS_FQDN}"
+      - "--use-tls=${USE_TLS}"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:8001"]
       interval: 1m

diff --git a/gateway/Cargo.toml b/gateway/Cargo.toml
@@ -7,12 +7,20 @@ publish = false
 [dependencies]
 acme2 = "0.5.1"
 async-trait = "0.1.52"
+
 axum = { version = "0.5.8", features = [ "headers" ] }
+axum-server = { version = "0.4.4", features = [ "tls-rustls" ] }
+rustls = { version = "0.20.6" }
+rustls-pemfile = { version = "1.0.1" }
+pem = "1.1.0"
+
 base64 = "0.13"
 bollard = "0.13"
 chrono = "0.4"
 clap = { version = "4.0.0", features = [ "derive" ] }
+
 fqdn = "0.2.2"
+
 futures = "0.3.21"
 http = "0.2.8"
 hyper = { version = "0.14.19", features = [ "stream" ] }

diff --git a/gateway/src/custom_domain.rs → gateway/src/acme.rs b/gateway/src/custom_domain.rs → gateway/src/acme.rs
@@ -5,8 +5,8 @@ use std::time::Duration;
 
 use axum::body::boxed;
 use axum::response::Response;
-use fqdn::Fqdn;
 use futures::future::BoxFuture;
+use hyper::server::conn::AddrStream;
 use hyper::{Body, Request};
 use instant_acme::{
     Account, AccountCredentials, Authorization, AuthorizationStatus, ChallengeType, Identifier,
@@ -18,6 +18,7 @@ use tokio::time::sleep;
 use tower::{Layer, Service};
 use tracing::{error, trace};
 
+use crate::proxy::AsResponderTo;
 use crate::{Error, ProjectName};
 
 #[derive(Debug, Eq, PartialEq)]
@@ -86,14 +87,14 @@ impl AcmeClient {
         Ok(credentials)
     }
 
-    /// Create a certificate and return it with the keys used to sign it
+    /// Create an ACME-signed certificate and return it and its
+    /// associated PEM-encoded private key
     pub async fn create_certificate(
         &self,
-        fqdn: &Fqdn,
+        identifier: &str,
         credentials: AccountCredentials<'_>,
-    ) -> Result<(String, Certificate), AcmeClientError> {
-        let fqdn = fqdn.to_string();
-        trace!(fqdn, "requesting acme certificate");
+    ) -> Result<(String, String), AcmeClientError> {
+        trace!(identifier, "requesting acme certificate");
 
         let account = Account::from_credentials(credentials).map_err(|error| {
             error!(
@@ -105,7 +106,7 @@ impl AcmeClient {
 
         let (mut order, state) = account
             .new_order(&NewOrder {
-                identifiers: &[Identifier::Dns(fqdn.to_string())],
+                identifiers: &[Identifier::Dns(identifier.to_string())],
             })
             .await
             .map_err(|error| {
@@ -153,7 +154,7 @@ impl AcmeClient {
                 AcmeClientError::OrderFinalizing
             })?;
 
-        Ok((certificate_chain, certificate))
+        Ok((certificate_chain, certificate.serialize_private_key_pem()))
     }
 
     async fn complete_challenge(
@@ -278,6 +279,18 @@ pub struct ChallengeResponder<S> {
     inner: S,
 }
 
+impl<'r, S> AsResponderTo<&'r AddrStream> for ChallengeResponder<S>
+where
+    S: AsResponderTo<&'r AddrStream>,
+{
+    fn as_responder_to(&self, req: &'r AddrStream) -> Self {
+        Self {
+            client: self.client.clone(),
+            inner: self.inner.as_responder_to(req),
+        }
+    }
+}
+
 impl<ReqBody, S> Service<Request<ReqBody>> for ChallengeResponder<S>
 where
     S: Service<Request<ReqBody>, Response = Response, Error = Error> + Send + 'static,