vane 0.9.0

A flow-based reverse proxy with multi-layer routing and programmable pipelines.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

/* src/plugins/l7/upstream/pool.rs */

use super::tls_verifier::NoVerifier;
use crate::common::config::env_loader;
use crate::common::sys::lifecycle::Error;
use bytes::Bytes;
use http_body_util::combinators::BoxBody;
use hyper_rustls::HttpsConnector;
use hyper_util::client::legacy::Client;
use hyper_util::client::legacy::connect::{HttpConnector, dns::Name};
use hyper_util::rt::{TokioExecutor, TokioTimer};
use once_cell::sync::Lazy;
use rustls::ClientConfig;
use std::future::Future;
use std::net::SocketAddr;
use std::pin::Pin;
use std::sync::Arc;
use std::task::{Context, Poll};
use std::time::Duration;
use tower_service::Service;

#[derive(Clone)]
pub struct VaneResolver;

impl Service<Name> for VaneResolver {
	type Response = std::vec::IntoIter<SocketAddr>;
	type Error = std::io::Error;
	type Future = Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send>>;

	fn poll_ready(&mut self, _cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
		Poll::Ready(Ok(()))
	}

	fn call(&mut self, name: Name) -> Self::Future {
		let host = name.as_str().to_owned();
		Box::pin(async move {
			// Call Global Resolver
			let ips = crate::layers::l4::resolver::resolve_domain_to_ips(&host).await;

			if ips.is_empty() {
				return Err(std::io::Error::other(format!(
					"Vane DNS lookup returned no IPs for {host}"
				)));
			}

			// Hyper expects SocketAddr (IP + Port).
			// DNS only gives IPs. We use port 0 as a placeholder;
			// HttpConnector will replace it with the actual port (80/443).
			let addrs: Vec<SocketAddr> = ips.into_iter().map(|ip| SocketAddr::new(ip, 0)).collect();

			Ok(addrs.into_iter())
		})
	}
}

// --- Client Types ---
pub type HttpClient = Client<HttpsConnector<HttpConnector<VaneResolver>>, BoxBody<Bytes, Error>>;

// --- Global Pools ---
pub static GLOBAL_SECURE_CLIENT: Lazy<HttpClient> = Lazy::new(|| build_client(false));
pub static GLOBAL_INSECURE_CLIENT: Lazy<HttpClient> = Lazy::new(|| build_client(true));

fn build_client(skip_verify: bool) -> HttpClient {
	let idle_timeout_s = env_loader::get_env("UPSTREAM_POOL_IDLE_TIMEOUT", "90".to_owned())
		.parse::<u64>()
		.unwrap_or(90);

	let max_idle = env_loader::get_env("UPSTREAM_POOL_MAX_IDLE", "32".to_owned())
		.parse::<usize>()
		.unwrap_or(32);

	let keepalive_s = env_loader::get_env("UPSTREAM_KEEPALIVE_INTERVAL", "30".to_owned())
		.parse::<u64>()
		.unwrap_or(30);

	// Default 2MB (2 * 1024 * 1024)
	let h2_stream_window = env_loader::get_env("UPSTREAM_H2_STREAM_WINDOW", "2097152".to_owned())
		.parse::<u32>()
		.unwrap_or(2_097_152);

	// Default 2MB (2 * 1024 * 1024)
	let h2_conn_window = env_loader::get_env("UPSTREAM_H2_CONN_WINDOW", "2097152".to_owned())
		.parse::<u32>()
		.unwrap_or(2_097_152);

	// 1. Build Base HttpConnector with Custom DNS
	let mut http_connector = HttpConnector::new_with_resolver(VaneResolver);
	http_connector.enforce_http(false); // Allow HTTPS wrapping

	// 2. Configure TLS
	let https_connector = if skip_verify {
		let mut config = ClientConfig::builder()
			.with_root_certificates(rustls::RootCertStore::empty())
			.with_no_client_auth();

		config
			.dangerous()
			.set_certificate_verifier(Arc::new(NoVerifier));

		hyper_rustls::HttpsConnectorBuilder::new()
			.with_tls_config(config)
			.https_or_http()
			.enable_all_versions()
			.wrap_connector(http_connector) // Wrap our custom DNS connector
	} else {
		// Use native roots if possible
		hyper_rustls::HttpsConnectorBuilder::new()
			.with_native_roots()
			.expect("Failed to load native roots")
			.https_or_http()
			.enable_all_versions()
			.wrap_connector(http_connector) // Wrap our custom DNS connector
	};

	// 3. Build Client
	// Explicitly supply TokioTimer for pool management
	Client::builder(TokioExecutor::new())
		.timer(TokioTimer::new())
		.pool_idle_timeout(Duration::from_secs(idle_timeout_s))
		.pool_max_idle_per_host(max_idle)
		.http2_keep_alive_interval(Some(Duration::from_secs(keepalive_s)))
		// Tuning HTTP/2 Window Sizes for High Throughput
		.http2_initial_stream_window_size(Some(h2_stream_window))
		.http2_initial_connection_window_size(Some(h2_conn_window))
		.build(https_connector)
}