built-in https

Cargo.toml

@@ -8,7 +8,9 @@ edition = "2021"
 [dependencies]
 anyhow = "1.0.86"
 axum = "0.7.7"
+axum-server = { version = "0.7.1", features = ["tls-rustls"] }
 lazy_static = "1.4.0"
+rustls-pemfile = "2.2.0"
 serde = { version = "1.0.214", features = ["derive"] }
 serde_json = "1.0.132"
 tokio = { version = "1.37.0", features = ["full"] }

config.toml.example

@@ -4,6 +4,7 @@ cert_path = "./cert.pem"
 key_path = "./key.pem"
 mumble_server_url = "voip.ohea.xyz:64738"
 gui_path = "../mumble-web2/dist"
+serve_https = true
 
 [gui]
 proxy_url = "https://voip2.ohea.xyz"

src/main.rs

@@ -96,10 +96,12 @@ struct GuiConfig {
 
 #[derive(Clone, Deserialize)]
 struct Config {
-    proxy_listen_address: String,
+    proxy_listen_address: SocketAddr,
-    http_listen_address: String,
+    http_listen_address: SocketAddr,
     cert_path: String,
     key_path: String,
+    #[serde(default)]
+    serve_https: bool,
     mumble_server_url: String,
     gui_path: PathBuf,
     gui: GuiConfig,
@@ -131,6 +133,35 @@ async fn serve_index_html_with_config(State(config): State<Config>) -> impl Into
         .into_response()
 }
 
+fn configure_tls(config: &Config) -> Result<rustls::ServerConfig, anyhow::Error> {
+    // Thanks perplexity!
+    use rustls_pemfile::{certs, pkcs8_private_keys};
+    use std::fs::File;
+    use std::io::BufReader;
+
+    // Create a new ServerConfig with no client authentication
+    //(rustls::server::NoClientAuth::new());
+
+    // Read the certificate file
+    let cert_file = File::open(&config.cert_path)?;
+    let mut cert_reader = BufReader::new(cert_file);
+    let cert_chain = certs(&mut cert_reader).collect::<Result<_, _>>()?;
+
+    // Read the private key file
+    let key_file = File::open(&config.key_path)?;
+    let mut key_reader = BufReader::new(key_file);
+    let key = pkcs8_private_keys(&mut key_reader)
+        .next()
+        .ok_or(anyhow!("no keys in key.pem"))??;
+
+    // Set the certificate chain and private key
+    let config = rustls::ServerConfig::builder()
+        .with_no_client_auth()
+        .with_single_cert(cert_chain, key.into())?;
+
+    Ok(config)
+}
+
 #[tokio::main]
 async fn main() -> Result<()> {
     init_logging();
@@ -160,17 +191,30 @@ async fn main() -> Result<()> {
         .route("/", axum::routing::get(serve_index_html_with_config))
         .fallback_service(tower_http::services::ServeDir::new(&proxy_config.gui_path))
         .with_state(proxy_config.clone());
-    let listener = tokio::net::TcpListener::bind(proxy_config.http_listen_address)
+    if proxy_config.serve_https {
-        .await
+        tokio::spawn(
-        .unwrap();
+            axum_server::bind_rustls(
-    tokio::spawn(axum::serve(listener, app).into_future());
+                proxy_config.http_listen_address,
+                axum_server::tls_rustls::RustlsConfig::from_config(Arc::new(configure_tls(
+                    &proxy_config,
+                )?)),
+            )
+            .serve(app.into_make_service())
+            .into_future(),
+        );
+    } else {
+        tokio::spawn(
+            axum_server::bind(proxy_config.http_listen_address)
+                .serve(app.into_make_service())
+                .into_future(),
+        );
+    }
 
     // Setup WebTransport proxy listener
+    let identity = Identity::load_pemfiles(proxy_config.cert_path, proxy_config.key_path).await?;
     let config = ServerConfig::builder()
-        .with_bind_address(proxy_config.proxy_listen_address.parse()?)
+        .with_bind_address(proxy_config.proxy_listen_address)
-        .with_identity(
+        .with_identity(&identity)
-            &Identity::load_pemfiles(proxy_config.cert_path, proxy_config.key_path).await?,
-        )
         .keep_alive_interval(Some(Duration::from_secs(20)))
         .build();