Support hot reloading of SSL credentials #13
Comments
|
Looking at what it was ( actix-net/actix-server/src/ssl/openssl.rs Line 62 in 3add906 actix-net/actix-server/src/ssl/rustls.rs Line 64 in 3add906 Based on docs, seems that using a wrapped https://docs.rs/rustls/0.16.0/rustls/struct.ResolvesServerCertUsingSNI.html might be useful with interior mutability. Would need to use an rwlock to be able to work with it though, so might require some black magic currently. |
|
in our reverse proxy we need to restart the server after adding a new domain or renewing a certificate. I'm really interested in implementing this feature. it's very easy in go as it accept cert resolver function. |
|
I don't know about openssl, but this is already doable with rustls by implementing a custom pub struct CertResolver {
registered_keys: RwLock<BTreeMap<String, Arc<CertifiedKey>>>,
}
impl ResolvesServerCert for CertResolver {
fn resolve(&self, client_hello: ClientHello) -> Option<Arc<CertifiedKey>> {
let server_name = client_hello.server_name()?;
match self.registered_keys.read() {
Err(_) => None,
Ok(registered_keys) => registered_keys.get(server_name).cloned(),
}
}
}Then you can use it when creating the server : let resolver = Arc::new(CertResolver::default());
let config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_cert_resolver(resolver);
let server = HttpServer::new(move || {
App::new()
})
.bind_rustls(listen_tls.clone(), config)Then we have some code that update this cert resolver on some events (cert are not in filesystem), but i guess someone could definitely create a worker that listen to fs events and update this CertResolver |
It would be great if there were built-in support for hot reloading of SSL credentials, along with an example for how to do it.
Per @fafhrd91 at actix/actix-web#754:
The text was updated successfully, but these errors were encountered: