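--- a/PATH_NOT_IN_SOURCE
+++ b/PATH_NOT_IN_SOURCE
@@ -1,28 +1,125 @@
+use futures_util::{
+ future::TryFutureExt,
+ stream::{Stream, StreamExt, TryStreamExt},
+};
+use hyper::service::{make_service_fn, service_fn};
+use hyper::{Body, Request, Response, Server};
+use rustls::internal::pemfile;
 use std::convert::Infallible;
+use std::io;
 use std::net::SocketAddr;
-use hyper::{Body, Request, Response, Server};
-use hyper::service::{make_service_fn, service_fn};
+use tokio::net::{TcpListener, TcpStream};
+use tokio_rustls::server::TlsStream;
+use tokio_rustls::TlsAcceptor;
 
 async fn hello_world(_req: Request<Body>) -> Result<Response<Body>, Infallible> {
 Ok(Response::new("Hello, World".into()))
 }
 
+fn error(err: String) -> std::io::Error {
+ std::io::Error::new(std::io::ErrorKind::Other, err)
+}
+
 #[tokio::main]
-async fn main() {
+async fn main() -> io::Result<()> {
 // We'll bind to 127.0.0.1:3000
 let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
 
+ // Build TLS configuration.
+ let tls_cfg = {
+ // Load public certificate.
+ let certs = load_certs("./ssl_certs/server.crt")?;
+ // Load private key.
+ let key = load_private_key("./ssl_certs/server.key")?;
+ // Do not use client certificate authentication.
+ let mut cfg = rustls::ServerConfig::new(rustls::NoClientAuth::new());
+ // Select a certificate to use.
+ cfg.set_single_cert(certs, key)
+ .map_err(|e| {
+ println!("{}", e);
+ error(format!("{}", e))
+ })?;
+ // Configure ALPN to accept HTTP/2, HTTP/1.1 in that order.
+ cfg.set_protocols(&[b"h2".to_vec(), b"http/1.1".to_vec()]);
+ std::sync::Arc::new(cfg)
+ };
+
+ // Create a TCP listener via tokio.
+ let mut tcp = TcpListener::bind(&addr).await?;
+ let tls_acceptor = TlsAcceptor::from(tls_cfg);
+ // Prepare a long-running future stream to accept and serve cients.
+ let incoming_tls_stream = tcp
+ .incoming()
+ .map_err(|e| error(format!("Incoming failed: {:?}", e)))
+ .and_then(move |s| {
+ tls_acceptor.accept(s).map_err(|e| {
+ println!("[!] Voluntary server halt due to client-connection error...");
+ // Errors could be handled here, instead of server aborting.
+ // Ok(None)
+ error(format!("TLS Error: {:?}", e))
+ })
+ })
+ .boxed();
+
 // A `Service` is needed for every connection, so this
 // creates one from our `hello_world` function.
 let make_svc = make_service_fn(|_conn| async {
 // service_fn converts our function into a `Service`
 Ok::<_, Infallible>(service_fn(hello_world))
 });
 
- let server = Server::bind(&addr).serve(make_svc);
+ // let server = Server::bind(&addr).serve(make_svc);
+ let server = Server::builder(HyperAcceptor {
+ acceptor: incoming_tls_stream,
+ })
+ .serve(make_svc);
 
 // Run this server for... forever!
 if let Err(e) = server.await {
 eprintln!("server error: {}", e);
 }
+ Ok(())
+}
+
+struct HyperAcceptor<'a> {
+ acceptor: core::pin::Pin<Box<dyn Stream<Item = Result<TlsStream<TcpStream>, io::Error>> + 'a>>,
+}
+
+impl hyper::server::accept::Accept for HyperAcceptor<'_> {
+ type Conn = TlsStream<TcpStream>;
+ type Error = io::Error;
+
+ fn poll_accept(
+ mut self: core::pin::Pin<&mut Self>,
+ cx: &mut core::task::Context,
+ ) -> core::task::Poll<Option<Result<Self::Conn, Self::Error>>> {
+ core::pin::Pin::new(&mut self.acceptor).poll_next(cx)
+ }
+}
+
+// Load public certificate from file.
+fn load_certs(filename: &str) -> io::Result<Vec<rustls::Certificate>> {
+ // Open certificate file.
+ let certfile = std::fs::File::open(filename)
+ .map_err(|e| error(format!("failed to open {}: {}", filename, e)))?;
+ let mut reader = io::BufReader::new(certfile);
+
+ // Load and return certificate.
+ pemfile::certs(&mut reader).map_err(|_| error("failed to load certificate".into()))
+}
+
+// Load private key from file.
+fn load_private_key(filename: &str) -> io::Result<rustls::PrivateKey> {
+ // Open keyfile.
+ let keyfile = std::fs::File::open(filename)
+ .map_err(|e| error(format!("failed to open {}: {}", filename, e)))?;
+ let mut reader = io::BufReader::new(keyfile);
+
+ // Load and return a single private key.
+ let keys = pemfile::rsa_private_keys(&mut reader)
+ .map_err(|_| error("failed to load private key".into()))?;
+ if keys.len() != 1 {
+ return Err(error("expected a single private key".into()));
+ }
+ Ok(keys[0].clone())
 }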
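Review bot: A single failed TLS handshake takes the whole server down, because the `map_err` inside `.and_then(move |s| tls_acceptor.accept(s) ...)` turns a per-client handshake error into an `Err` item that `poll_accept` hands straight to hyper, which then stops serving; the `[!] Voluntary server halt` message and the commented-out `// Ok(None)` show this was noticed but left in, and it means one misbehaving, unauthenticated client ends service for every other client. The same `and_then` also runs handshakes strictly one at a time with no deadline, so a peer that opens a connection and never finishes the handshake stalls every further accept for as long as it stays connected; bound the handshake with `tokio::time::timeout` (or spawn it per connection) and drop failures from the stream rather than propagating them. Errors from `tcp.incoming()` (e.g. a transient accept failure) take the same fatal path and should likewise be logged and skipped. Separately, `load_private_key` only reads PKCS#1 RSA keys via `pemfile::rsa_private_keys`, so an EC or PKCS#8 key file fails with the misleading `expected a single private key`; either also try `pemfile::pkcs8_private_keys` or name the accepted format in the error.
```rust
let incoming_tls_stream = tcp
    .incoming()
    .filter_map(move |conn| {
        let tls_acceptor = tls_acceptor.clone();
        async move {
            let s = match conn {
                Ok(s) => s,
                Err(e) => {
                    // Log and keep listening; a failed accept must not abort the server.
                    eprintln!("accept failed: {:?}", e);
                    return None;
                }
            };
            // Bound the handshake so one stalled peer cannot hold up the accept loop
            // (10 s is a constructed example; pick a value that suits the deployment).
            match tokio::time::timeout(std::time::Duration::from_secs(10), tls_acceptor.accept(s)).await {
                Ok(Ok(tls)) => Some(Ok::<_, io::Error>(tls)),
                Ok(Err(e)) => {
                    eprintln!("TLS handshake failed: {:?}", e);
                    None
                }
                Err(_) => {
                    eprintln!("TLS handshake timed out");
                    None
                }
            }
        }
    })
    .boxed();
// … unchanged: make_svc, Server::builder(HyperAcceptor { … }), server.await …
```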