Support hot reloading of SSL credentials #13
Comments
Looking at what it was (actix-net/actix-server/src/ssl/openssl.rs line 62 and actix-net/actix-server/src/ssl/rustls.rs line 64 at 3add906):

Based on docs, seems that using a wrapped https://docs.rs/rustls/0.16.0/rustls/struct.ResolvesServerCertUsingSNI.html might be useful with interior mutability. Would need to use an RwLock to be able to work with it though, so might require some black magic currently.
In our reverse proxy we need to restart the server after adding a new domain or renewing a certificate. I'm really interested in implementing this feature. It's very easy in Go as it accepts a cert resolver function.
I don't know about openssl, but this is already doable with rustls by implementing a custom `ResolvesServerCert`:

```rust
use std::collections::BTreeMap;
use std::sync::{Arc, RwLock};

// Import paths as in rustls 0.20/0.21, where `server_name()` yields `Option<&str>`.
use rustls::server::{ClientHello, ResolvesServerCert};
use rustls::sign::CertifiedKey;
use rustls::ServerConfig;

// SNI host name -> certificate chain + private key. The RwLock provides the
// interior mutability needed to swap certificates while the server is running.
#[derive(Default)]
pub struct CertResolver {
    registered_keys: RwLock<BTreeMap<String, Arc<CertifiedKey>>>,
}

impl ResolvesServerCert for CertResolver {
    fn resolve(&self, client_hello: ClientHello) -> Option<Arc<CertifiedKey>> {
        // No SNI -> no certificate; the handshake is aborted.
        let server_name = client_hello.server_name()?;
        match self.registered_keys.read() {
            Err(_) => None, // lock poisoned by a panicking writer
            Ok(registered_keys) => registered_keys.get(server_name).cloned(),
        }
    }
}
```

Then you can use it when creating the server:

```rust
let resolver = Arc::new(CertResolver::default());
let config = ServerConfig::builder()
    .with_safe_defaults()
    .with_no_client_auth()
    // hand a clone to rustls and keep `resolver` so it can be updated later
    .with_cert_resolver(resolver.clone());
let server = HttpServer::new(move || App::new())
    .bind_rustls(listen_tls.clone(), config)?; // bind_rustls returns io::Result
```

Then we have some code that updates this cert resolver on some events (certs are not in the filesystem), but I guess someone could definitely create a worker that listens to fs events and updates this `CertResolver`.
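The update side that the comment above leaves to "some code that updates this cert resolver" can be built on the same `RwLock<BTreeMap<String, Arc<_>>>` shape. The following is an added example, not code from the commenter or from actix or rustls; `K` stands in for rustls's `CertifiedKey` so it compiles with the standard library alone, and it goes beyond the comment by swapping whole snapshots atomically, canonicalising SNI names, matching single-label wildcards and falling back to a default certificate when no SNI is sent. Wiring it into rustls is assumed to be `impl ResolvesServerCert for HotCertStore<CertifiedKey>` delegating to `self.resolve(client_hello.server_name())`.

```rust
use std::collections::BTreeMap;
use std::sync::{Arc, RwLock};

/// Hot-reloadable SNI -> certificate store. `K` stands in for rustls's
/// `CertifiedKey` so this compiles with std alone; the lookup logic does not
/// depend on it. Each handshake takes the read lock, each reload the write lock.
pub struct HotCertStore<K> {
    inner: RwLock<Snapshot<K>>,
}

/// One consistent set of certificates, swapped in as a unit so a renewal that
/// touches several names never exposes a half-updated map to handshakes.
pub struct Snapshot<K> {
    pub by_name: BTreeMap<String, Arc<K>>,
    pub default: Option<Arc<K>>,
}

/// Canonical SNI host name: DNS names are case-insensitive and a trailing dot
/// denotes the same name, so keys and lookups are compared in this form.
fn canonical(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

impl<K> HotCertStore<K> {
    pub fn new() -> Self {
        Self { inner: RwLock::new(Snapshot { by_name: BTreeMap::new(), default: None }) }
    }
    /// Replace every certificate atomically; this is what a renewal worker or
    /// file-watcher calls. Keys are canonicalised on the way in.
    pub fn reload(&self, snapshot: Snapshot<K>) {
        let by_name = snapshot.by_name.into_iter().map(|(n, k)| (canonical(&n), k)).collect();
        let mut guard = self.inner.write().unwrap_or_else(|e| e.into_inner());
        *guard = Snapshot { by_name, default: snapshot.default };
    }

    /// Per-handshake lookup: exact name, then a wildcard entry such as
    /// `*.example.com` (leftmost label only, as in RFC 6125), then the default
    /// certificate so clients that send no SNI (e.g. connecting by IP) still
    /// complete a handshake. A poisoned lock still serves the last snapshot;
    /// returning `None` there would fail every later handshake until restart.
    pub fn resolve(&self, sni: Option<&str>) -> Option<Arc<K>> {
        let snap = self.inner.read().unwrap_or_else(|e| e.into_inner());
        let name = sni.map(canonical);
        let exact = name.as_deref().and_then(|n| snap.by_name.get(n));
        let wildcard = name.as_deref().and_then(|n| n.split_once('.'))
            .and_then(|(_, rest)| snap.by_name.get(&format!("*.{rest}")));
        let found = exact.or(wildcard).or(snap.default.as_ref()).cloned();
        found
    }
}
```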
It would be great if there were built-in support for hot reloading of SSL credentials, along with an example for how to do it.
Per @fafhrd91 at actix/actix-web#754: