---
title: Certificates
description: Dynamic TLS certificate management and hot-reloading repository.
icon: LockKeyhole
---
import { Steps, Step } from 'fumadocs-ui/components/steps';
The `src/resources/certs` module serves as the central repository for TLS material. It handles the secure loading, parsing, and in-memory storage of X.509 certificate chains and private keys.
## Automated Scanning & Pairing
Vane automatically scans the `certs/` directory and groups files by filename stem: a `.crt` and a `.key` that share a stem form one certificate entry, and the stem becomes that entry's ID.
For example:
- `example.com.crt` + `example.com.key` → ID: `example.com`
## The Loading Pipeline
<Mermaid
chart='
graph LR;
subgraph Watcher [Detection]
Change([File Change]) --> Debounce[2s Debounce];
end
Debounce --> Scan[Scan Dir];
subgraph Processor [Logic]
Scan --> Group[Group Pairs];
Group --> Parse[Parse PEM];
Parse --> Validate{Valid?};
end
Validate -- Yes --> Update[Atomic Swap];
Validate -- No --> Error[Log Error];
Update --> Registry[(Global Registry)];
'
/>
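The two steps above that are easiest to get subtly wrong are the stem grouping and the swap into the registry. The following is an added example written for this page, not Vane's own code: `CertPair`, `group_pairs` and `Registry` are assumed names, and file paths stand in for the parsed chains and `PrivateKeyDer` the real module holds. It groups a constructed directory listing into `.crt`/`.key` pairs by stem, reports anything unpaired or unrecognised so it can be logged rather than silently dropped, and then publishes the new set as a single `Arc` swap so a connection that already holds a snapshot keeps using it until it finishes.

```rust
use std::collections::{BTreeMap, HashMap};
use std::path::Path;
use std::sync::{Arc, RwLock};

/// One certificate/key pair, keyed by filename stem (e.g. `example.com`).
/// Assumed type for this example; Vane's entry holds parsed DER, not paths.
#[derive(Debug, Clone, PartialEq)]
pub struct CertPair {
    pub id: String,
    pub cert_path: String,
    pub key_path: String,
}

/// Group a directory listing into `.crt`/`.key` pairs by filename stem.
/// Returns (pairs, rejected): files with no partner or an unknown extension
/// are handed back so the caller can log them instead of losing them.
pub fn group_pairs<I, S>(files: I) -> (Vec<CertPair>, Vec<String>)
where
    I: IntoIterator<Item = S>,
    S: AsRef<str>,
{
    // stem -> (cert path, key path). BTreeMap gives a stable output order.
    let mut by_stem: BTreeMap<String, (Option<String>, Option<String>)> = BTreeMap::new();
    let mut rejected = Vec::new();

    for f in files {
        let name = f.as_ref();
        let p = Path::new(name);
        let stem = p.file_stem().map(|s| s.to_string_lossy().into_owned());
        let ext = p.extension().and_then(|e| e.to_str());
        match (stem, ext) {
            (Some(stem), Some("crt")) => by_stem.entry(stem).or_default().0 = Some(name.to_string()),
            (Some(stem), Some("key")) => by_stem.entry(stem).or_default().1 = Some(name.to_string()),
            // No extension, or one we do not load: reject, never guess.
            _ => rejected.push(name.to_string()),
        }
    }

    let mut pairs = Vec::new();
    for (id, halves) in by_stem {
        match halves {
            (Some(cert_path), Some(key_path)) => pairs.push(CertPair { id, cert_path, key_path }),
            // A lone .crt or .key is unusable; surface it rather than half-load it.
            (Some(only), None) | (None, Some(only)) => rejected.push(only),
            (None, None) => {}
        }
    }
    (pairs, rejected)
}

/// One immutable generation of the registry. Readers clone the `Arc` once
/// and then read without locking, so a reload can never be observed half-done.
pub type Snapshot = Arc<HashMap<String, Arc<CertPair>>>;

pub struct Registry {
    current: RwLock<Snapshot>,
}

impl Registry {
    pub fn new() -> Self {
        Registry { current: RwLock::new(Arc::new(HashMap::new())) }
    }

    /// Cheap handle to the live generation; it stays valid across later swaps.
    pub fn snapshot(&self) -> Snapshot {
        Arc::clone(&self.current.read().expect("registry lock poisoned"))
    }

    /// Build the complete replacement map off to the side, then swap it in
    /// under a short write lock. Only pairs that already passed parsing and
    /// validation should reach this point. Returns the number now live.
    pub fn reload(&self, pairs: Vec<CertPair>) -> usize {
        let next: HashMap<String, Arc<CertPair>> =
            pairs.into_iter().map(|p| (p.id.clone(), Arc::new(p))).collect();
        let n = next.len();
        *self.current.write().expect("registry lock poisoned") = Arc::new(next);
        n
    }
}

fn main() {
    // Constructed listing standing in for a scan of `certs/`.
    let listing = ["example.com.crt", "example.com.key", "default.crt", "default.key", "orphan.key", "notes.txt"];
    let (pairs, rejected) = group_pairs(listing);
    let reg = Registry::new();
    let held_by_connection = reg.snapshot();
    let live = reg.reload(pairs);
    println!("live pairs: {live}, rejected: {rejected:?}");
    // The swap did not disturb the snapshot an in-flight connection holds.
    assert!(held_by_connection.is_empty());
    assert!(reg.snapshot().contains_key("example.com"));
}
```

The swap replaces the whole map in one assignment, so a reload that removes an entry cannot leave a handshake mid-way between two generations; anything already holding the old `Arc` finishes with the old material, and new connections see only the new set.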
## Implementation Details
<Steps>
<Step>
### Default Certificate Generation
To ensure Vane works out-of-the-box, it looks for `default.crt` on startup. If the file is missing, or the certificate expires within 7 days, it generates a fresh self-signed certificate with `rcgen`; otherwise the existing one is kept. Clients will not trust a self-signed default without being told to, so treat it as a bootstrap convenience rather than a production identity.
<Mermaid
chart="
graph LR
Start[Startup] --> Check{default.crt exists?}
Check -- No --> Gen[rcgen: Generate Self-Signed]
Check -- Yes --> Exp{Expiring < 7 days?}
Exp -- Yes --> Gen
Exp -- No --> Use[Use Existing]
"
/>
</Step>
<Step>
### Safe Private Key Handling
Vane stores each private key as a `rustls::pki_types::PrivateKeyDer` and shares it behind an `Arc`: every connection holds a reference to the single in-memory copy rather than cloning the key bytes per thread, which keeps the number of copies of key material to one.
<Mermaid
chart="
graph LR
Key[PrivateKeyDer] --> Arc[Wrap in Arc]
Arc --> Conn1[Thread 1: Access]
Arc --> Conn2[Thread 2: Access]
"
/>
</Step>
<Step>
### Validation
Before a pair is accepted, `format.rs` performs a cryptographic sanity check: it produces a test signature with the private key and checks it against the certificate, so a key that does not belong to its certificate is caught at load time. A pair that fails is logged and dropped instead of being registered and then failing every TLS handshake that selects it.
<Mermaid
chart="
graph LR
Pair[Cert + Key Pair] --> Sanity{Test Sign}
Sanity -- Success --> Reg[Store in Registry]
Sanity -- Failure --> Reject[Log & Drop]
"
/>
</Step>
</Steps>
<Callout type="info" title="SNI Mapping">
This module acts as a **Storage Repository**. The logic that maps `SNI Hostnames` to these IDs
resides in the L4+ TLS Resolver configuration.
</Callout>