dearsky/numa
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 25 Wiki Activity

fix: regenerate TLS cert when services change (hot-reload via ArcSwap)

Browse Source 
HTTPS proxy certs were generated once at startup. Services added at
runtime via API or LAN discovery got "not secure" in the browser
because their SAN wasn't in the cert. Now the cert is regenerated
on every service add/remove and swapped atomically via ArcSwap.
In-flight connections are unaffected.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Razvan Dimescu
2026-03-23 16:14:06 +02:00
parent 9e07064c94
commit e0c1997056
9 changed files with 108 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/lan.rs
View File

@@ -33,11 +33,18 @@ impl PeerStore {
}
}
pub fn update(&mut self, host: IpAddr, services: &[(String, u16)]) {
/// Returns true if a previously-unseen name was inserted.
pub fn update(&mut self, host: IpAddr, services: &[(String, u16)]) -> bool {
let now = Instant::now();
let mut changed = false;
for (name, port) in services {
self.peers.insert(name.to_lowercase(), (host, *port, now));
let key = name.to_lowercase();
if !self.peers.contains_key(&key) {
changed = true;
}
self.peers.insert(key, (host, *port, now));
}
changed
}
pub fn lookup(&mut self, name: &str) -> Option<(IpAddr, u16)> {
@@ -67,6 +74,13 @@ impl PeerStore {
.collect()
}
pub fn names(&mut self) -> Vec<String> {
let now = Instant::now();
self.peers
.retain(|_, (_, _, seen)| now.duration_since(*seen) < self.timeout);
self.peers.keys().cloned().collect()
}
pub fn clear(&mut self) {
self.peers.clear();
}
@@ -189,10 +203,14 @@ pub async fn start_lan_discovery(ctx: Arc<ServerCtx>, config: &LanConfig) {
continue;
}
if !ann.services.is_empty() {
ctx.lan_peers
let changed = ctx
.lan_peers
.lock()
.unwrap()
.update(ann.peer_ip, &ann.services);
if changed {
crate::tls::regenerate_tls(&ctx);
}
debug!(
"LAN: {} services from {} (mDNS)",
ann.services.len(),