zentinel-proxy 0.6.11

A security-first reverse proxy built on Pingora with sleepable ops at the edge
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258

//! Temporary HTTP challenge server for initial ACME certificate acquisition
//!
//! During startup, when no certificate exists yet, Pingora cannot bind an
//! HTTPS listener. This module provides a minimal HTTP server that handles
//! only `/.well-known/acme-challenge/<token>` requests for HTTP-01 validation.
//!
//! The server is started before the main proxy, used to complete the initial
//! ACME challenge, and then shut down once certificates are obtained.

use std::sync::Arc;

use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::TcpListener;
use tokio::sync::watch;
use tracing::{debug, error, info, warn};

use super::challenge::ChallengeManager;
use super::error::AcmeError;

/// Maximum request size to read (8 KB is plenty for challenge requests)
const MAX_REQUEST_SIZE: usize = 8192;

/// ACME challenge path prefix
const CHALLENGE_PREFIX: &str = "/.well-known/acme-challenge/";

/// Run a temporary HTTP server for ACME HTTP-01 challenge validation
///
/// This server only handles `GET /.well-known/acme-challenge/<token>` requests,
/// responding with the key authorization from the challenge manager. All other
/// requests receive a 404 response.
///
/// The server shuts down when the `shutdown` watch channel receives `true`.
///
/// # Arguments
///
/// * `addr` - Socket address to bind to (e.g., "0.0.0.0:80")
/// * `challenge_manager` - Challenge manager containing pending token/key-auth pairs
/// * `shutdown` - Watch channel receiver; server stops when value becomes `true`
///
/// # Errors
///
/// Returns an error if the TCP listener cannot be bound.
pub async fn run_challenge_server(
    addr: &str,
    challenge_manager: Arc<ChallengeManager>,
    mut shutdown: watch::Receiver<bool>,
) -> Result<(), AcmeError> {
    let listener = TcpListener::bind(addr).await.map_err(|e| {
        AcmeError::Protocol(format!(
            "Failed to bind ACME challenge server on {}: {}",
            addr, e
        ))
    })?;

    info!(
        address = %addr,
        "ACME challenge server started"
    );

    loop {
        tokio::select! {
            result = listener.accept() => {
                match result {
                    Ok((mut stream, peer)) => {
                        let cm = Arc::clone(&challenge_manager);
                        tokio::spawn(async move {
                            if let Err(e) = handle_connection(&mut stream, &cm).await {
                                debug!(
                                    peer = %peer,
                                    error = %e,
                                    "Challenge server connection error"
                                );
                            }
                        });
                    }
                    Err(e) => {
                        warn!(error = %e, "Challenge server accept error");
                    }
                }
            }
            _ = shutdown.changed() => {
                if *shutdown.borrow() {
                    info!("ACME challenge server shutting down");
                    return Ok(());
                }
            }
        }
    }
}

/// Handle a single HTTP connection on the challenge server
async fn handle_connection(
    stream: &mut tokio::net::TcpStream,
    challenge_manager: &ChallengeManager,
) -> Result<(), AcmeError> {
    let mut buf = vec![0u8; MAX_REQUEST_SIZE];
    let n = stream.read(&mut buf).await.map_err(|e| {
        AcmeError::Protocol(format!("Failed to read from challenge connection: {}", e))
    })?;

    if n == 0 {
        return Ok(());
    }

    let request = String::from_utf8_lossy(&buf[..n]);

    // Parse the request line (e.g., "GET /.well-known/acme-challenge/token HTTP/1.1\r\n...")
    let path = request
        .lines()
        .next()
        .and_then(|line| line.split_whitespace().nth(1));

    let response = match path {
        Some(p) if p.starts_with(CHALLENGE_PREFIX) => {
            let token = &p[CHALLENGE_PREFIX.len()..];
            match challenge_manager.get_response(token) {
                Some(key_auth) => {
                    debug!(token = %token, "Challenge server serving token response");
                    format!(
                        "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{}",
                        key_auth.len(),
                        key_auth
                    )
                }
                None => {
                    debug!(token = %token, "Challenge server token not found");
                    http_404()
                }
            }
        }
        _ => http_404(),
    };

    stream
        .write_all(response.as_bytes())
        .await
        .map_err(|e| AcmeError::Protocol(format!("Failed to write challenge response: {}", e)))?;

    Ok(())
}

/// Build a minimal 404 response
fn http_404() -> String {
    "HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n".to_string()
}

#[cfg(test)]
mod tests {
    use super::*;
    use tokio::io::{AsyncReadExt, AsyncWriteExt};

    #[tokio::test]
    async fn challenge_server_serves_registered_token() {
        let cm = Arc::new(ChallengeManager::new());
        cm.add_challenge("test-token-123", "key-auth-value-abc");

        let (shutdown_tx, shutdown_rx) = watch::channel(false);

        // Bind to a random port
        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
        let addr = listener.local_addr().unwrap();
        drop(listener);

        let addr_str = addr.to_string();
        let cm_clone = Arc::clone(&cm);
        let server_handle =
            tokio::spawn(
                async move { run_challenge_server(&addr_str, cm_clone, shutdown_rx).await },
            );

        // Give server time to start
        tokio::time::sleep(std::time::Duration::from_millis(50)).await;

        // Send a challenge request
        let mut stream = tokio::net::TcpStream::connect(addr).await.unwrap();
        let request =
            "GET /.well-known/acme-challenge/test-token-123 HTTP/1.1\r\nHost: localhost\r\n\r\n";
        stream.write_all(request.as_bytes()).await.unwrap();

        let mut response = vec![0u8; 4096];
        let n = stream.read(&mut response).await.unwrap();
        let response_str = String::from_utf8_lossy(&response[..n]);

        assert!(response_str.starts_with("HTTP/1.1 200 OK"));
        assert!(response_str.contains("key-auth-value-abc"));

        // Shutdown
        shutdown_tx.send(true).unwrap();
        let _ = tokio::time::timeout(std::time::Duration::from_secs(2), server_handle).await;
    }

    #[tokio::test]
    async fn challenge_server_returns_404_for_unknown_token() {
        let cm = Arc::new(ChallengeManager::new());

        let (shutdown_tx, shutdown_rx) = watch::channel(false);

        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
        let addr = listener.local_addr().unwrap();
        drop(listener);

        let addr_str = addr.to_string();
        let cm_clone = Arc::clone(&cm);
        let server_handle =
            tokio::spawn(
                async move { run_challenge_server(&addr_str, cm_clone, shutdown_rx).await },
            );

        tokio::time::sleep(std::time::Duration::from_millis(50)).await;

        let mut stream = tokio::net::TcpStream::connect(addr).await.unwrap();
        let request =
            "GET /.well-known/acme-challenge/unknown-token HTTP/1.1\r\nHost: localhost\r\n\r\n";
        stream.write_all(request.as_bytes()).await.unwrap();

        let mut response = vec![0u8; 4096];
        let n = stream.read(&mut response).await.unwrap();
        let response_str = String::from_utf8_lossy(&response[..n]);

        assert!(response_str.starts_with("HTTP/1.1 404 Not Found"));

        shutdown_tx.send(true).unwrap();
        let _ = tokio::time::timeout(std::time::Duration::from_secs(2), server_handle).await;
    }

    #[tokio::test]
    async fn challenge_server_returns_404_for_non_challenge_path() {
        let cm = Arc::new(ChallengeManager::new());

        let (shutdown_tx, shutdown_rx) = watch::channel(false);

        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
        let addr = listener.local_addr().unwrap();
        drop(listener);

        let addr_str = addr.to_string();
        let cm_clone = Arc::clone(&cm);
        let server_handle =
            tokio::spawn(
                async move { run_challenge_server(&addr_str, cm_clone, shutdown_rx).await },
            );

        tokio::time::sleep(std::time::Duration::from_millis(50)).await;

        let mut stream = tokio::net::TcpStream::connect(addr).await.unwrap();
        let request = "GET /some/other/path HTTP/1.1\r\nHost: localhost\r\n\r\n";
        stream.write_all(request.as_bytes()).await.unwrap();

        let mut response = vec![0u8; 4096];
        let n = stream.read(&mut response).await.unwrap();
        let response_str = String::from_utf8_lossy(&response[..n]);

        assert!(response_str.starts_with("HTTP/1.1 404 Not Found"));

        shutdown_tx.send(true).unwrap();
        let _ = tokio::time::timeout(std::time::Duration::from_secs(2), server_handle).await;
    }
}