1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
//! TLS interception for CONNECT-mode L7 filtering and credential injection.
//!
//! When a CONNECT request targets a host that matches a route with
//! `endpoint_rules`, `credential_key`, or `oauth2`, the proxy mints a
//! per-hostname leaf certificate (signed by an ephemeral, per-session CA)
//! and terminates TLS locally so the inner HTTP/1.1 request can be
//! inspected, filtered, and have its credentials swapped before being
//! forwarded upstream over the real TLS connection.
//!
//! ## Design constraints
//!
//! * **Selective interception** — only routes that need L7 visibility get
//! intercepted. Everything else stays an opaque CONNECT tunnel.
//! * **Hard fail on cert pinning** — if the agent rejects our minted
//! certificate (HPKP, hard-coded trust list, etc.) the connection is
//! dropped and the failure is recorded in the audit log. We never
//! silently fall back to a transparent tunnel for a route that asked
//! for L7 enforcement.
//! * **Per-session ephemeral CA** — the CA private key lives only in
//! memory (`Zeroizing<Vec<u8>>`) and is destroyed when the proxy
//! shuts down. Only the public certificate is written to disk
//! (mode `0o400`).
//! * **HTTP/1.1 only** — the inner TLS acceptor advertises only `http/1.1`
//! in ALPN, matching the existing reverse-proxy code path.
//!
//! Module layout:
//!
//! * [`ca`] — ephemeral CA generation and zeroization
//! * [`cert_cache`] — per-hostname leaf certificate minting + cache
//! * [`acceptor`] — `rustls::ServerConfig` factory using the cache
//! * [`bundle`] — combined trust bundle (parent CA + webpki-roots + ephemeral CA)
pub use build_server_config;
pub use ;
pub use EphemeralCa;
pub use CertCache;
pub use ;