dearsky/numa
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 25 Wiki Activity

Merge pull request #13 from razvandimescu/fix/tls-hot-reload

Browse Source 
fix: TLS cert hot-reload when services change
This commit is contained in:
Razvan Dimescu
2026-03-23 19:46:05 +02:00
committed by GitHub
parent 9e07064c94 e0c1997056
commit 0b194256a9
9 changed files with 108 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
Cargo.lock generated
View File

@@ -67,6 +67,15 @@ dependencies = [
"windows-sys 0.61.2", "windows-sys 0.61.2",
] ]
[[package]]
name = "arc-swap"
version = "1.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a07d1f37ff60921c83bdfc7407723bdefe89b44b98a9b772f225c8f9d67141a6"
dependencies = [
"rustversion",
]
[[package]] [[package]]
name = "asn1-rs" name = "asn1-rs"
version = "0.6.2" version = "0.6.2"
@@ -934,6 +943,7 @@ dependencies = [
name = "numa" name = "numa"
version = "0.4.0" version = "0.4.0"
dependencies = [ dependencies = [
"arc-swap",
"axum", "axum",
"env_logger", "env_logger",
"futures", "futures",

1
Cargo.toml
View File

@@ -27,3 +27,4 @@ rcgen = { version = "0.13", features = ["pem", "x509-parser"] }
time = "0.3" time = "0.3"
rustls = "0.23" rustls = "0.23"
tokio-rustls = "0.26" tokio-rustls = "0.26"
arc-swap = "1"

9
src/api.rs
View File

@@ -711,7 +711,11 @@ async fn create_service(
} }
let tld = &ctx.proxy_tld; let tld = &ctx.proxy_tld;
let is_new = !ctx.services.lock().unwrap().has_name(&name);
ctx.services.lock().unwrap().insert(&name, req.target_port); ctx.services.lock().unwrap().insert(&name, req.target_port);
if is_new {
crate::tls::regenerate_tls(&ctx);
}
let localhost = std::net::SocketAddr::from(([127, 0, 0, 1], req.target_port)); let localhost = std::net::SocketAddr::from(([127, 0, 0, 1], req.target_port));
let lan_addr = let lan_addr =
@@ -740,8 +744,9 @@ async fn remove_service(State(ctx): State<Arc<ServerCtx>>, Path(name): Path<Stri
if name.eq_ignore_ascii_case("numa") { if name.eq_ignore_ascii_case("numa") {
return StatusCode::FORBIDDEN; return StatusCode::FORBIDDEN;
} }
let mut store = ctx.services.lock().unwrap(); let removed = ctx.services.lock().unwrap().remove(&name);
if store.remove(&name) { if removed {
crate::tls::regenerate_tls(&ctx);
StatusCode::NO_CONTENT StatusCode::NO_CONTENT
} else { } else {
StatusCode::NOT_FOUND StatusCode::NOT_FOUND

3
src/ctx.rs
View File

@@ -3,7 +3,9 @@ use std::path::PathBuf;
use std::sync::Mutex; use std::sync::Mutex;
use std::time::{Duration, Instant, SystemTime}; use std::time::{Duration, Instant, SystemTime};
use arc_swap::ArcSwap;
use log::{debug, error, info, warn}; use log::{debug, error, info, warn};
use rustls::ServerConfig;
use tokio::net::UdpSocket; use tokio::net::UdpSocket;
use crate::blocklist::BlocklistStore; use crate::blocklist::BlocklistStore;
@@ -45,6 +47,7 @@ pub struct ServerCtx {
pub config_found: bool, pub config_found: bool,
pub config_dir: PathBuf, pub config_dir: PathBuf,
pub data_dir: PathBuf, pub data_dir: PathBuf,
pub tls_config: Option<ArcSwap<ServerConfig>>,
} }
pub async fn handle_query( pub async fn handle_query(

24
src/lan.rs
View File

@@ -33,11 +33,18 @@ impl PeerStore {
} }
} }
pub fn update(&mut self, host: IpAddr, services: &[(String, u16)]) { /// Returns true if a previously-unseen name was inserted.
pub fn update(&mut self, host: IpAddr, services: &[(String, u16)]) -> bool {
let now = Instant::now(); let now = Instant::now();
let mut changed = false;
for (name, port) in services { for (name, port) in services {
self.peers.insert(name.to_lowercase(), (host, *port, now)); let key = name.to_lowercase();
if !self.peers.contains_key(&key) {
changed = true;
}
self.peers.insert(key, (host, *port, now));
} }
changed
} }
pub fn lookup(&mut self, name: &str) -> Option<(IpAddr, u16)> { pub fn lookup(&mut self, name: &str) -> Option<(IpAddr, u16)> {
@@ -67,6 +74,13 @@ impl PeerStore {
.collect() .collect()
} }
pub fn names(&mut self) -> Vec<String> {
let now = Instant::now();
self.peers
.retain(|_, (_, _, seen)| now.duration_since(*seen) < self.timeout);
self.peers.keys().cloned().collect()
}
pub fn clear(&mut self) { pub fn clear(&mut self) {
self.peers.clear(); self.peers.clear();
} }
@@ -189,10 +203,14 @@ pub async fn start_lan_discovery(ctx: Arc<ServerCtx>, config: &LanConfig) {
continue; continue;
} }
if !ann.services.is_empty() { if !ann.services.is_empty() {
ctx.lan_peers let changed = ctx
.lan_peers
.lock() .lock()
.unwrap() .unwrap()
.update(ann.peer_ip, &ann.services); .update(ann.peer_ip, &ann.services);
if changed {
crate::tls::regenerate_tls(&ctx);
}
debug!( debug!(
"LAN: {} services from {} (mDNS)", "LAN: {} services from {} (mDNS)",
ann.services.len(), ann.services.len(),

43
src/main.rs
View File

@@ -2,6 +2,7 @@ use std::net::SocketAddr;
use std::sync::{Arc, Mutex}; use std::sync::{Arc, Mutex};
use std::time::Duration; use std::time::Duration;
use arc_swap::ArcSwap;
use log::{error, info}; use log::{error, info};
use tokio::net::UdpSocket; use tokio::net::UdpSocket;
@@ -137,6 +138,20 @@ async fn main() -> numa::Result<()> {
let forwarding_rules = system_dns.forwarding_rules; let forwarding_rules = system_dns.forwarding_rules;
// Build initial TLS config before ServerCtx (so ArcSwap is ready at construction)
let initial_tls = if config.proxy.enabled && config.proxy.tls_port > 0 {
let service_names = service_store.names();
match numa::tls::build_tls_config(&config.proxy.tld, &service_names) {
Ok(tls_config) => Some(ArcSwap::from(tls_config)),
Err(e) => {
log::warn!("TLS setup failed, HTTPS proxy disabled: {}", e);
None
}
}
} else {
None
};
let ctx = Arc::new(ServerCtx { let ctx = Arc::new(ServerCtx {
socket: UdpSocket::bind(&config.server.bind_addr).await?, socket: UdpSocket::bind(&config.server.bind_addr).await?,
zone_map: build_zone_map(&config.zones)?, zone_map: build_zone_map(&config.zones)?,
@@ -168,6 +183,7 @@ async fn main() -> numa::Result<()> {
config_found, config_found,
config_dir: numa::config_dir(), config_dir: numa::config_dir(),
data_dir: numa::data_dir(), data_dir: numa::data_dir(),
tls_config: initial_tls,
}); });
let zone_count: usize = ctx.zone_map.values().map(|m| m.len()).sum(); let zone_count: usize = ctx.zone_map.values().map(|m| m.len()).sum();
@@ -336,27 +352,12 @@ async fn main() -> numa::Result<()> {
} }
// Spawn HTTPS reverse proxy with TLS termination // Spawn HTTPS reverse proxy with TLS termination
if config.proxy.enabled && config.proxy.tls_port > 0 { if config.proxy.enabled && config.proxy.tls_port > 0 && ctx.tls_config.is_some() {
let service_names: Vec<String> = ctx let proxy_ctx = Arc::clone(&ctx);
.services let tls_port = config.proxy.tls_port;
.lock() tokio::spawn(async move {
.unwrap() numa::proxy::start_proxy_tls(proxy_ctx, tls_port, proxy_bind).await;
.list() });
.iter()
.map(|e| e.name.clone())
.collect();
match numa::tls::build_tls_config(&config.proxy.tld, &service_names) {
Ok(tls_config) => {
let proxy_ctx = Arc::clone(&ctx);
let tls_port = config.proxy.tls_port;
tokio::spawn(async move {
numa::proxy::start_proxy_tls(proxy_ctx, tls_port, proxy_bind, tls_config).await;
});
}
Err(e) => {
log::warn!("TLS setup failed, HTTPS proxy disabled: {}", e);
}
}
} }
// Spawn network change watcher (upstream re-detection, LAN IP update, peer flush) // Spawn network change watcher (upstream re-detection, LAN IP update, peer flush)

21
src/proxy.rs
View File

@@ -11,7 +11,6 @@ use hyper::StatusCode;
use hyper_util::client::legacy::Client; use hyper_util::client::legacy::Client;
use hyper_util::rt::TokioExecutor; use hyper_util::rt::TokioExecutor;
use log::{debug, error, info, warn}; use log::{debug, error, info, warn};
use rustls::ServerConfig;
use tokio::io::copy_bidirectional; use tokio::io::copy_bidirectional;
use tokio_rustls::TlsAcceptor; use tokio_rustls::TlsAcceptor;
@@ -50,12 +49,7 @@ pub async fn start_proxy(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr) {
axum::serve(listener, app).await.unwrap(); axum::serve(listener, app).await.unwrap();
} }
pub async fn start_proxy_tls( pub async fn start_proxy_tls(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr) {
ctx: Arc<ServerCtx>,
port: u16,
bind_addr: Ipv4Addr,
tls_config: Arc<ServerConfig>,
) {
let addr: SocketAddr = (bind_addr, port).into(); let addr: SocketAddr = (bind_addr, port).into();
let listener = match tokio::net::TcpListener::bind(addr).await { let listener = match tokio::net::TcpListener::bind(addr).await {
Ok(l) => l, Ok(l) => l,
@@ -69,11 +63,17 @@ pub async fn start_proxy_tls(
}; };
info!("HTTPS proxy listening on {}", addr); info!("HTTPS proxy listening on {}", addr);
let acceptor = TlsAcceptor::from(tls_config); if ctx.tls_config.is_none() {
warn!("proxy: no TLS config — HTTPS proxy disabled");
return;
}
let client: HttpClient = Client::builder(TokioExecutor::new()) let client: HttpClient = Client::builder(TokioExecutor::new())
.http1_preserve_header_case(true) .http1_preserve_header_case(true)
.build_http(); .build_http();
// Hold a separate Arc so we can access tls_config after ctx moves into ProxyState
let tls_holder = Arc::clone(&ctx);
let state = ProxyState { ctx, client }; let state = ProxyState { ctx, client };
let app = Router::new().fallback(any(proxy_handler)).with_state(state); let app = Router::new().fallback(any(proxy_handler)).with_state(state);
@@ -87,7 +87,10 @@ pub async fn start_proxy_tls(
} }
}; };
let acceptor = acceptor.clone(); // Load the latest TLS config on each connection (picks up new service certs)
// unwrap safe: guarded by is_none() check above
let acceptor =
TlsAcceptor::from(Arc::clone(&*tls_holder.tls_config.as_ref().unwrap().load()));
let app = app.clone(); let app = app.clone();
tokio::spawn(async move { tokio::spawn(async move {

9
src/service_store.rs
View File

@@ -154,6 +154,15 @@ impl ServiceStore {
entries entries
} }
pub fn names(&self) -> Vec<String> {
self.entries.keys().cloned().collect()
}
/// Returns true if the name is new (not already registered).
pub fn has_name(&self, name: &str) -> bool {
self.entries.contains_key(&name.to_lowercase())
}
/// Load user-defined services from ~/.config/numa/services.json /// Load user-defined services from ~/.config/numa/services.json
pub fn load_persisted(&mut self) { pub fn load_persisted(&mut self) {
if !self.persist_path.exists() { if !self.persist_path.exists() {

23
src/tls.rs
View File

@@ -1,7 +1,10 @@
use std::collections::HashSet;
use std::path::Path; use std::path::Path;
use std::sync::Arc; use std::sync::Arc;
use log::{info, warn}; use log::{info, warn};
use crate::ctx::ServerCtx;
use rcgen::{BasicConstraints, CertificateParams, DnType, IsCa, KeyPair, KeyUsagePurpose, SanType}; use rcgen::{BasicConstraints, CertificateParams, DnType, IsCa, KeyPair, KeyUsagePurpose, SanType};
use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer}; use rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
use rustls::ServerConfig; use rustls::ServerConfig;
@@ -10,6 +13,26 @@ use time::{Duration, OffsetDateTime};
const CA_VALIDITY_DAYS: i64 = 3650; // 10 years const CA_VALIDITY_DAYS: i64 = 3650; // 10 years
const CERT_VALIDITY_DAYS: i64 = 365; // 1 year const CERT_VALIDITY_DAYS: i64 = 365; // 1 year
/// Collect all service + LAN peer names and regenerate the TLS cert.
pub fn regenerate_tls(ctx: &ServerCtx) {
let tls = match &ctx.tls_config {
Some(t) => t,
None => return,
};
let mut names: HashSet<String> = ctx.services.lock().unwrap().names().into_iter().collect();
names.extend(ctx.lan_peers.lock().unwrap().names());
let names: Vec<String> = names.into_iter().collect();
match build_tls_config(&ctx.proxy_tld, &names) {
Ok(new_config) => {
tls.store(new_config);
info!("TLS cert regenerated for {} services", names.len());
}
Err(e) => warn!("TLS regeneration failed: {}", e),
}
}
/// Build a TLS config with a cert covering all provided service names. /// Build a TLS config with a cert covering all provided service names.
/// Wildcards under single-label TLDs (*.numa) are rejected by browsers, /// Wildcards under single-label TLDs (*.numa) are rejected by browsers,
/// so we list each service explicitly as a SAN. /// so we list each service explicitly as a SAN.