HTTPS support for the Agama web server #1062

Merged
merged 25 commits into from
Mar 22, 2024
866 changes: 420 additions & 446 deletions rust/Cargo.lock

Large diffs are not rendered by default.

43 changes: 41 additions & 2 deletions rust/WEB-SERVER.md
Expand Up @@ -51,12 +51,26 @@ $ sudo ./target/debug/agama-web-server serve

If it fails to compile, please check whether `clang-devel` and `pam-devel` are installed.

You can add a `--listen` flag if you want to use a different port:
By default the server uses port 3000 and listens on all network interfaces. You
can use the `--address` option if you want to use a different port or a specific
network interface:

```
$ sudo ./target/debug/agama-web-server serve --listen 0.0.0.0:5678
$ sudo ./target/debug/agama-web-server serve --address :::5678
```

Some more examples:

- Both IPv6 and IPv4, all interfaces: `--address :::5678`
- Both IPv6 and IPv4, only local loopback : `--address ::1:5678`
- IPv4 only, all interfaces: `--address 0.0.0.0:5678`
- IPv4 only, only local loopback : `--address 127.0.0.1:5678`
- IPv4, only specific interface: `--address 192.168.1.2:5678` (use the IP
address of that interface)

The server can optionally listen on a secondary address, use the `--address2`
option for that.

## Trying the server

You can check whether the server is up and running by just performing a ping:
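Review bot: the IPv6 examples `--address :::5678` and `--address ::1:5678` use an unbracketed host:port form that is ambiguous (`::1:5678` is itself a valid IPv6 address) and is not the form Rust's `std::net::SocketAddr` parser accepts; either confirm that the option parser handles the unbracketed form or change the examples to `[::]:5678` and `[::1]:5678`. Also, since the new default is to listen on all interfaces, it would help to say here that external access is expected to go through the HTTPS support described further down in this file, and to give a short example next to the sentence introducing `--address2` rather than only naming the option.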
Expand Down Expand Up @@ -105,3 +119,28 @@ Now, you can use the following command to connect:
$ websocat ws://localhost:3000/ws
-H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MDg1MTA5MzB9.3HmKAC5u4H_FigMqEa9e74OFAq40UldjlaExrOGqE0U"
```

## SSL/TLS (HTTPS) Support

The web server supports encrypted communication using the HTTPS protocol.

The SSL certificate used by the server can be specified by the `--cert` and
`--key` command line options which should point to the PEM files:

```
$ sudo ./target/debug/agama-web-server serve --cert certificate.pem --key key.pem
```
The certificate is expected in the PEM format, if you have a certificate in
another format you can convert it using the openSSL tools.

If a SSL certificate is not specified via command line then the server generates
a self-signed certificate. Currently it is only kept in memory and generated
again at each start.

The HTTPS protocol is required for external connections, the HTTP connections
are automatically redirected to HTTPS. *But it still means that the original
HTTP communication can be intercepted by an attacker, do not rely on this
redirection!*

For internal connections coming from the same machine (via the
`http://localhost` URL) the unencrypted HTTP communication is allowed.
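Review bot: the last paragraph leaves it unclear how "internal connections coming from the same machine" are recognised: whether the exception is keyed on the connection's loopback peer address or on the `localhost` host name in the URL, and whether `http://127.0.0.1` and `http://[::1]` are treated the same way; please state the actual rule, since this exception is a security boundary and readers will configure firewalls and proxies around it. Two smaller points: the self-signed certificate paragraph should add that, because the certificate is regenerated at every start, clients see a different certificate after each restart and should use `--cert`/`--key` when a stable certificate is needed; and "openSSL" should read "OpenSSL", "If a SSL certificate" should read "If an SSL certificate".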
5 changes: 5 additions & 0 deletions rust/agama-server/Cargo.toml
Expand Up @@ -48,6 +48,11 @@ chrono = { version = "0.4.34", default-features = false, features = [
] }
pam = "0.8.0"
serde_with = "3.6.1"
openssl = "0.10.64"
hyper = "1.2.0"
hyper-util = "0.1.3"
tokio-openssl = "0.6.4"
futures-util = { version = "0.3.30", default-features = false, features = ["alloc"] }

[[bin]]
name = "agama-dbus-server"
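Review bot: adding `openssl = "0.10.64"` and `tokio-openssl` introduces a build-time dependency on the native OpenSSL library and its headers, but the "If it fails to compile" paragraph in rust/WEB-SERVER.md changed in this same PR still lists only `clang-devel` and `pam-devel`; please add the OpenSSL development package to that list (or enable the `openssl` crate's `vendored` feature if a self-contained build is intended). Also, `hyper` and `hyper-util` become direct dependencies here; a one-line comment in Cargo.toml on why they are needed directly would help future maintainers decide when they can be dropped.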