Module tls

TLS termination via rustls + tokio-rustls.

axum 0.7 has no built-in TLS, so we run a small accept loop: take a TCP connection, complete the rustls handshake, then hand the encrypted stream to hyper, serving the same axum Router the plaintext path uses. Certificates come either from PEM files (load_server_config) or from ACME (which writes those same files; see crate::acme).

Functions

init_crypto
Install a process-wide default crypto provider (ring). Idempotent and best-effort: if a provider is already installed (e.g. by the JWKS HTTP client) this is a no-op. Pinning one avoids the “no process-level CryptoProvider” ambiguity when multiple providers are linked.
load_server_config
Build a rustls ServerConfig from a PEM certificate chain and private key. Uses an explicit ring provider so it doesn’t depend on which provider happens to be the process default. Advertises HTTP/1.1 via ALPN (the proxy speaks HTTP/1.1 upstream).
serve
Serve app over TLS on listener until shutdown flips true. Each connection is handshaked and served on its own task, so a slow handshake can’t block new accepts and a graceful shutdown stops accepting while letting the listener drop.
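The PEM files that load_server_config reads (and that the ACME path writes) are the one input an operator hands this module by hand, so a structural check before they reach rustls catches the usual mistakes early: a private key pasted into the chain file, a chain with no certificate, a key file with zero or several keys, or an unterminated block. The following is an added, std-only example and not the crate's own code; it matches PEM labels without decoding the base64 bodies, and the function names are assumptions.

```rust
// Added example, not the crate's own code: sanity-check the PEM files a loader
// such as load_server_config consumes. std-only; base64 bodies are not decoded.
#[derive(Debug, PartialEq)]
pub enum PemBlock { Certificate, PrivateKey(String), Other(String) } // PrivateKey holds the label
/// Split PEM text into labelled blocks; an unterminated or empty block is an error.
pub fn pem_blocks(text: &str) -> Result<Vec<PemBlock>, String> {
    let mut blocks = Vec::new();
    let mut lines = text.lines().map(str::trim);
    while let Some(line) = lines.next() {
        let label = match line.strip_prefix("-----BEGIN ").and_then(|l| l.strip_suffix("-----")) {
            Some(l) => l,
            None => continue, // text outside a block (comments, blank lines) is ignored
        };
        let end = format!("-----END {}-----", label);
        let (mut body_len, mut closed) = (0, false);
        for l in lines.by_ref() {
            if l == end { closed = true; break; }
            body_len += l.len();
        }
        if !closed || body_len == 0 {
            return Err(format!("malformed PEM block '{}'", label));
        }
        blocks.push(match label {
            "CERTIFICATE" => PemBlock::Certificate,
            l if l.ends_with("PRIVATE KEY") => PemBlock::PrivateKey(l.to_string()), // PKCS#8, EC, RSA
            l => PemBlock::Other(l.to_string()),
        });
    }
    Ok(blocks)
}
/// Check a chain file and a key file; returns (certificate count, key label).
pub fn check_chain_and_key(chain: &str, key: &str) -> Result<(usize, String), String> {
    let chain = pem_blocks(chain)?;
    if chain.iter().any(|b| matches!(b, PemBlock::PrivateKey(_))) {
        return Err("private key found in certificate chain file".to_string());
    }
    let certs = chain.iter().filter(|b| **b == PemBlock::Certificate).count();
    if certs == 0 {
        return Err("chain file contains no CERTIFICATE block".to_string());
    }
    let keys: Vec<String> = pem_blocks(key)?.into_iter()
        .filter_map(|b| if let PemBlock::PrivateKey(l) = b { Some(l) } else { None }).collect();
    match keys.as_slice() {
        [label] => Ok((certs, label.clone())),
        [] => Err("key file contains no private key".to_string()),
        _ => Err("key file contains more than one private key".to_string()),
    }
}
```

Run this over both files before calling load_server_config; it does not validate the DER inside the blocks, which rustls still does on load.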