Struct TlsManager

pub struct TlsManager { /* private fields */ }

Manages TLS configuration for the proxy, supporting both automatic ACME certificate issuance (via certon) and manually-provided PEM certificates.

The manager builds a rustls::ServerConfig that uses a composite certificate resolver:

  • Sites with explicit SiteTlsConfig (cert/key PEM paths) are loaded immediately and registered as manual overrides.
  • Sites without explicit certs are enrolled in ACME management through certon, which obtains, caches, and auto-renews their certificates.

Additionally supports:

  • mTLS (mutual TLS): client certificate verification using configured CA certificates. When client_auth is configured, the server requests (and optionally requires) client certificates.
  • On-demand TLS: automatic certificate issuance at handshake time for previously unknown domains, with optional ask-URL gating and rate limiting.

Call TlsManager::reload to hot-swap the TLS configuration when the proxy config changes.

Implementations

impl TlsManager

pub async fn build(config: &AppConfig) -> Result<Self, ProxyError>

Build a new TlsManager from the application configuration.

This performs the initial TLS setup:

  1. Loads manual certificates for sites that specify cert/key paths.
  2. Configures certon for ACME-managed sites (if ACME is enabled).
  3. Calls manage_sync to obtain/load certificates for ACME domains.
  4. Starts the certon maintenance loop.
  5. Sets up mTLS client certificate verification if configured.
  6. Configures on-demand TLS if configured.

Errors

Returns an error if manual certificate loading fails or if ACME management cannot be initialized.

pub fn acceptor(&self) -> TlsAcceptor

Get a TlsAcceptor for use with tokio-rustls.

The returned acceptor references the current ServerConfig via an Arc, so it will continue to use the config snapshot at the time of this call. For hot-reload, call this again after reload.

pub fn server_config(&self) -> Arc<ServerConfig>

Get the current rustls::ServerConfig as an Arc.

pub fn challenge_map(&self) -> Arc<RwLock<HashMap<String, String>>>

Get a reference to the shared ACME HTTP-01 challenge map.

This is the same map that the AcmeChallengeHoop reads from to serve challenge responses.

pub async fn reload(&self, config: &AppConfig) -> Result<(), ProxyError>

Hot-reload the TLS configuration.

This rebuilds manual certificates and re-enrolls ACME domains based on the new config. The ServerConfig is atomically swapped so that in-flight connections are not affected.

Errors

Returns an error if any manual certificate cannot be loaded.
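The resolver precedence described for this struct (manual override first, then ACME-managed, then on-demand only where the gate admits the name) and the snapshot semantics of acceptor and reload can be seen in a small std-only model. This is an added example, not code from this crate, rustls or certon: ModelTlsManager, ModelConfig, SiteConfig, ResolverSnapshot and CertSource are constructed stand-ins for TlsManager, AppConfig, SiteTlsConfig and the built rustls::ServerConfig; the on-demand ask-URL check is reduced to a static allowlist, and rate limiting, OCSP and the maintenance loop are not modelled.

```rust
use std::collections::{HashMap, HashSet};
use std::sync::{Arc, RwLock};

/// Constructed stand-in for one site entry: a host name and, optionally,
/// an explicit certificate path (the page's SiteTlsConfig cert/key PEM paths).
#[derive(Clone, Debug)]
pub struct SiteConfig {
    pub host: String,
    pub manual_cert_path: Option<String>,
}

/// Constructed stand-in for AppConfig: the configured sites plus an optional
/// on-demand allowlist (None means on-demand TLS is disabled).
#[derive(Clone, Debug)]
pub struct ModelConfig {
    pub sites: Vec<SiteConfig>,
    pub on_demand_allowlist: Option<Vec<String>>,
}

/// Which branch of the composite resolver answered for an SNI name.
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum CertSource {
    Manual { cert_path: String },
    Acme,
    OnDemand,
}

/// One immutable resolver snapshot, standing in for a built ServerConfig.
#[derive(Debug, Default)]
pub struct ResolverSnapshot {
    manual: HashMap<String, String>,
    acme_managed: HashSet<String>,
    on_demand_allowlist: Option<HashSet<String>>,
}

impl ResolverSnapshot {
    fn from_config(cfg: &ModelConfig) -> Self {
        let mut snap = ResolverSnapshot::default();
        for site in &cfg.sites {
            // DNS names are case-insensitive, so keys are normalised once here.
            let host = site.host.to_ascii_lowercase();
            match &site.manual_cert_path {
                // Explicit cert/key: registered as a manual override.
                Some(path) => { snap.manual.insert(host, path.clone()); }
                // No explicit cert: enrolled in ACME management.
                None => { snap.acme_managed.insert(host); }
            }
        }
        snap.on_demand_allowlist = cfg
            .on_demand_allowlist
            .as_ref()
            .map(|list| list.iter().map(|h| h.to_ascii_lowercase()).collect());
        snap
    }

    /// Resolution order: manual override, then ACME-managed, then on-demand
    /// (only when the name passes the gate). A name matching nothing yields
    /// None, so the model refuses rather than answering with another site's cert.
    pub fn resolve(&self, sni: &str) -> Option<CertSource> {
        let sni = sni.to_ascii_lowercase();
        if let Some(path) = self.manual.get(&sni) {
            return Some(CertSource::Manual { cert_path: path.clone() });
        }
        if self.acme_managed.contains(&sni) {
            return Some(CertSource::Acme);
        }
        match &self.on_demand_allowlist {
            Some(allow) if allow.contains(&sni) => Some(CertSource::OnDemand),
            _ => None,
        }
    }
}

/// Model of the manager: the current snapshot lives behind an RwLock'd Arc,
/// so `acceptor` hands out a pinned clone and `reload` swaps the pointer.
pub struct ModelTlsManager {
    current: RwLock<Arc<ResolverSnapshot>>,
}

impl ModelTlsManager {
    pub fn build(cfg: &ModelConfig) -> Self {
        ModelTlsManager { current: RwLock::new(Arc::new(ResolverSnapshot::from_config(cfg))) }
    }

    /// Like TlsManager::acceptor: the Arc returned is the snapshot current at
    /// call time and never observes later reloads.
    pub fn acceptor(&self) -> Arc<ResolverSnapshot> {
        let guard = self.current.read().unwrap();
        Arc::clone(&*guard)
    }

    /// Like TlsManager::reload: the new snapshot is fully built before the
    /// swap, so connections holding the old Arc are not affected.
    pub fn reload(&self, cfg: &ModelConfig) {
        let fresh = Arc::new(ResolverSnapshot::from_config(cfg));
        *self.current.write().unwrap() = fresh;
    }
}

fn main() {
    let cfg = ModelConfig {
        sites: vec![SiteConfig { host: "a.example".into(), manual_cert_path: None }],
        on_demand_allowlist: None,
    };
    let mgr = ModelTlsManager::build(&cfg);
    println!("{:?}", mgr.acceptor().resolve("a.example"));
}
```

An acceptor taken before reload keeps serving from the old snapshot, which is why the acceptor docs say to call acceptor again after reload; the model also shows why a site dropped from the config stops resolving only for acceptors obtained after the swap.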

pub fn stop_maintenance(&self)

Stop the certon maintenance loop.

This should be called during graceful shutdown. After calling this, no further certificate renewals or OCSP refreshes will occur.

Trait Implementations

impl Drop for TlsManager

fn drop(&mut self)

Executes the destructor for this type.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

fn implicit(self, class: Class, constructed: bool, tag: u32) -> TaggedParser<'a, Implicit, Self, E>

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> Pointable for T

const ALIGN: usize

The alignment of pointer.

type Init = T

The type for initializers.

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer.

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer.

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer.

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer.

impl<T> PolicyExt for T
where T: ?Sized,

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow.

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow.

impl<T> Same for T

type Output = T

Should always be Self

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<V, T> VZip<V> for T
where V: MultiLane<T>,

fn vzip(self) -> V

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.