HttpClientBuilder

hyper_custom_cert

Struct HttpClientBuilder 

Source 
pub struct HttpClientBuilder { /* private fields */ }
Expand description

Builder for configuring and creating an HttpClient.

Implementations§

Source§

impl HttpClientBuilder

Source

pub fn new() -> Self

Start a new builder with default settings.

Source

pub fn with_timeout(self, timeout: Duration) -> Self

Set a request timeout to apply to client operations.

Examples found in repository?
examples/self-signed-certs/main.rs (line 12)
6async fn main() {
7    // Default secure client (uses OS trust store when built with default features)
8    let mut headers = HashMap::new();
9    headers.insert("x-app".into(), "example".into());
10
11    let client = HttpClient::builder()
12        .with_timeout(Duration::from_secs(10))
13        .with_default_headers(headers)
14        .build();
15
16    // Demonstrate a request (now returns HttpResponse with raw body data)
17    let _response = client
18        .request_with_options("https://example.com", None)
19        .await
20        .expect("request should succeed on native targets");
21
22    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
23    // Note: Requires building with: --no-default-features --features rustls
24    #[cfg(feature = "rustls")]
25    {
26        // Option 1: Load CA certificate from raw PEM bytes
27        let ca_pem: &[u8] =
28            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
29        let _rustls_client = HttpClient::builder()
30            .with_timeout(Duration::from_secs(10))
31            .with_root_ca_pem(ca_pem)
32            .build();
33        let _ = _rustls_client
34            .request_with_options("https://private.local", None)
35            .await;
36
37        // Option 2: Load CA certificate from a file path
38        // Note: This will panic if the file doesn't exist - ensure your cert file is available
39        // let _rustls_client_from_file = HttpClient::builder()
40        //     .with_timeout(Duration::from_secs(10))
41        //     .with_root_ca_file("path/to/your/root-ca.pem")
42        //     .build();
43        // let _ = _rustls_client_from_file.request("https://private.local");
44    }
45
46    // Local development only: accept invalid/self-signed certs (dangerous)
47    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
48    #[cfg(feature = "insecure-dangerous")]
49    {
50        // Shortcut:
51        let _dev_client = HttpClient::with_self_signed_certs();
52        let _ = _dev_client
53            .request_with_options("https://localhost:8443", None)
54            .await;
55
56        // Or explicit builder method:
57        let _dev_client2 = HttpClient::builder()
58            .insecure_accept_invalid_certs(true)
59            .build();
60        let _ = _dev_client2
61            .request_with_options("https://localhost:8443", None)
62            .await;
63    }
64
65    println!("Example finished. See README for feature flags and commands.");
66}
Source

pub fn with_default_headers(self, headers: HashMap<String, String>) -> Self

Set default headers that will be added to every request initiated by this client.

Examples found in repository?
examples/self-signed-certs/main.rs (line 13)
6async fn main() {
7    // Default secure client (uses OS trust store when built with default features)
8    let mut headers = HashMap::new();
9    headers.insert("x-app".into(), "example".into());
10
11    let client = HttpClient::builder()
12        .with_timeout(Duration::from_secs(10))
13        .with_default_headers(headers)
14        .build();
15
16    // Demonstrate a request (now returns HttpResponse with raw body data)
17    let _response = client
18        .request_with_options("https://example.com", None)
19        .await
20        .expect("request should succeed on native targets");
21
22    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
23    // Note: Requires building with: --no-default-features --features rustls
24    #[cfg(feature = "rustls")]
25    {
26        // Option 1: Load CA certificate from raw PEM bytes
27        let ca_pem: &[u8] =
28            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
29        let _rustls_client = HttpClient::builder()
30            .with_timeout(Duration::from_secs(10))
31            .with_root_ca_pem(ca_pem)
32            .build();
33        let _ = _rustls_client
34            .request_with_options("https://private.local", None)
35            .await;
36
37        // Option 2: Load CA certificate from a file path
38        // Note: This will panic if the file doesn't exist - ensure your cert file is available
39        // let _rustls_client_from_file = HttpClient::builder()
40        //     .with_timeout(Duration::from_secs(10))
41        //     .with_root_ca_file("path/to/your/root-ca.pem")
42        //     .build();
43        // let _ = _rustls_client_from_file.request("https://private.local");
44    }
45
46    // Local development only: accept invalid/self-signed certs (dangerous)
47    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
48    #[cfg(feature = "insecure-dangerous")]
49    {
50        // Shortcut:
51        let _dev_client = HttpClient::with_self_signed_certs();
52        let _ = _dev_client
53            .request_with_options("https://localhost:8443", None)
54            .await;
55
56        // Or explicit builder method:
57        let _dev_client2 = HttpClient::builder()
58            .insecure_accept_invalid_certs(true)
59            .build();
60        let _ = _dev_client2
61            .request_with_options("https://localhost:8443", None)
62            .await;
63    }
64
65    println!("Example finished. See README for feature flags and commands.");
66}
Source

pub fn insecure_accept_invalid_certs(self, accept: bool) -> Self

Dev-only: accept self-signed/invalid TLS certificates. Requires the insecure-dangerous feature to be enabled. NEVER enable this in production.

§Security Warning

⚠️ CRITICAL SECURITY WARNING ⚠️

This method deliberately bypasses TLS certificate validation, which creates a serious security vulnerability to man-in-the-middle attacks. When enabled:

  • The client will accept ANY certificate, regardless of its validity
  • The client will accept expired certificates
  • The client will accept certificates from untrusted issuers
  • The client will accept certificates for the wrong domain

This method should ONLY be used for:

  • Local development with self-signed certificates
  • Testing environments where security is not a concern
  • Debugging TLS connection issues
§Implementation Details

When enabled, this setting:

  • For native-tls: Uses danger_accept_invalid_certs(true) on the TLS connector
  • For rustls: Implements a custom ServerCertVerifier that accepts all certificates
§Examples

Enable insecure mode during local development (dangerous):

use hyper_custom_cert::HttpClient;

// Requires: --features insecure-dangerous
let client = HttpClient::builder()
    .insecure_accept_invalid_certs(true)
    .build();
Examples found in repository?
examples/self-signed-certs/main.rs (line 58)
6async fn main() {
7    // Default secure client (uses OS trust store when built with default features)
8    let mut headers = HashMap::new();
9    headers.insert("x-app".into(), "example".into());
10
11    let client = HttpClient::builder()
12        .with_timeout(Duration::from_secs(10))
13        .with_default_headers(headers)
14        .build();
15
16    // Demonstrate a request (now returns HttpResponse with raw body data)
17    let _response = client
18        .request_with_options("https://example.com", None)
19        .await
20        .expect("request should succeed on native targets");
21
22    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
23    // Note: Requires building with: --no-default-features --features rustls
24    #[cfg(feature = "rustls")]
25    {
26        // Option 1: Load CA certificate from raw PEM bytes
27        let ca_pem: &[u8] =
28            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
29        let _rustls_client = HttpClient::builder()
30            .with_timeout(Duration::from_secs(10))
31            .with_root_ca_pem(ca_pem)
32            .build();
33        let _ = _rustls_client
34            .request_with_options("https://private.local", None)
35            .await;
36
37        // Option 2: Load CA certificate from a file path
38        // Note: This will panic if the file doesn't exist - ensure your cert file is available
39        // let _rustls_client_from_file = HttpClient::builder()
40        //     .with_timeout(Duration::from_secs(10))
41        //     .with_root_ca_file("path/to/your/root-ca.pem")
42        //     .build();
43        // let _ = _rustls_client_from_file.request("https://private.local");
44    }
45
46    // Local development only: accept invalid/self-signed certs (dangerous)
47    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
48    #[cfg(feature = "insecure-dangerous")]
49    {
50        // Shortcut:
51        let _dev_client = HttpClient::with_self_signed_certs();
52        let _ = _dev_client
53            .request_with_options("https://localhost:8443", None)
54            .await;
55
56        // Or explicit builder method:
57        let _dev_client2 = HttpClient::builder()
58            .insecure_accept_invalid_certs(true)
59            .build();
60        let _ = _dev_client2
61            .request_with_options("https://localhost:8443", None)
62            .await;
63    }
64
65    println!("Example finished. See README for feature flags and commands.");
66}
Source

pub fn with_root_ca_pem(self, pem_bytes: &[u8]) -> Self

Provide a PEM-encoded Root CA certificate to be trusted by the client. This is the production-ready way to trust a custom CA.

§Examples
use hyper_custom_cert::HttpClient;

// Requires: --no-default-features --features rustls
let client = HttpClient::builder()
    .with_root_ca_pem(include_bytes!("../examples-data/root-ca.pem"))
    .build();
Examples found in repository?
examples/self-signed-certs/main.rs (line 31)
6async fn main() {
7    // Default secure client (uses OS trust store when built with default features)
8    let mut headers = HashMap::new();
9    headers.insert("x-app".into(), "example".into());
10
11    let client = HttpClient::builder()
12        .with_timeout(Duration::from_secs(10))
13        .with_default_headers(headers)
14        .build();
15
16    // Demonstrate a request (now returns HttpResponse with raw body data)
17    let _response = client
18        .request_with_options("https://example.com", None)
19        .await
20        .expect("request should succeed on native targets");
21
22    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
23    // Note: Requires building with: --no-default-features --features rustls
24    #[cfg(feature = "rustls")]
25    {
26        // Option 1: Load CA certificate from raw PEM bytes
27        let ca_pem: &[u8] =
28            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
29        let _rustls_client = HttpClient::builder()
30            .with_timeout(Duration::from_secs(10))
31            .with_root_ca_pem(ca_pem)
32            .build();
33        let _ = _rustls_client
34            .request_with_options("https://private.local", None)
35            .await;
36
37        // Option 2: Load CA certificate from a file path
38        // Note: This will panic if the file doesn't exist - ensure your cert file is available
39        // let _rustls_client_from_file = HttpClient::builder()
40        //     .with_timeout(Duration::from_secs(10))
41        //     .with_root_ca_file("path/to/your/root-ca.pem")
42        //     .build();
43        // let _ = _rustls_client_from_file.request("https://private.local");
44    }
45
46    // Local development only: accept invalid/self-signed certs (dangerous)
47    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
48    #[cfg(feature = "insecure-dangerous")]
49    {
50        // Shortcut:
51        let _dev_client = HttpClient::with_self_signed_certs();
52        let _ = _dev_client
53            .request_with_options("https://localhost:8443", None)
54            .await;
55
56        // Or explicit builder method:
57        let _dev_client2 = HttpClient::builder()
58            .insecure_accept_invalid_certs(true)
59            .build();
60        let _ = _dev_client2
61            .request_with_options("https://localhost:8443", None)
62            .await;
63    }
64
65    println!("Example finished. See README for feature flags and commands.");
66}
Source

pub fn with_root_ca_file<P: AsRef<Path>>(self, path: P) -> Self

Provide a PEM-encoded Root CA certificate file to be trusted by the client. This is the production-ready way to trust a custom CA from a file path.

The file will be read during builder configuration and its contents stored in the client. This method will panic if the file cannot be read, similar to how include_bytes! macro behaves.

§Security Considerations

Only use certificate files from trusted sources. Ensure proper file permissions are set to prevent unauthorized modification of the certificate file.

§Panics

This method will panic if:

  • The file does not exist
  • The file cannot be read due to permissions or I/O errors
  • The path is invalid
§Examples
use hyper_custom_cert::HttpClient;

// Requires: --no-default-features --features rustls
let client = HttpClient::builder()
    .with_root_ca_file("path/to/root-ca.pem")
    .build();

Using a std::path::Path:

use hyper_custom_cert::HttpClient;
use std::path::Path;

// Requires: --no-default-features --features rustls
let ca_path = Path::new("certs/custom-ca.pem");
let client = HttpClient::builder()
    .with_root_ca_file(ca_path)
    .build();
Source

pub fn with_pinned_cert_sha256(self, pins: Vec<[u8; 32]>) -> Self

Configure certificate pinning using SHA256 fingerprints for additional security.

Certificate pinning provides an additional layer of security beyond CA validation by verifying that the server’s certificate matches one of the provided fingerprints. This helps protect against compromised CAs and man-in-the-middle attacks.

§Security Considerations
  • Certificate pinning should be used in conjunction with, not as a replacement for, proper CA validation.
  • Pinned certificates must be updated when the server’s certificate changes.
  • Consider having backup pins for certificate rotation scenarios.
  • This method provides additional security but requires careful maintenance.
§Parameters
  • pins - A vector of 32-byte SHA256 fingerprints of certificates to pin. Each fingerprint should be the SHA256 hash of the certificate’s DER encoding.
§Examples
use hyper_custom_cert::HttpClient;

// Example SHA256 fingerprints (these are just examples)
let pin1: [u8; 32] = [
    0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
    0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18
];

let pin2: [u8; 32] = [
    0xf0, 0xe1, 0xd2, 0xc3, 0xb4, 0xa5, 0x96, 0x87,
    0x78, 0x69, 0x5a, 0x4b, 0x3c, 0x2d, 0x1e, 0x0f,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
];

// Requires: --no-default-features --features rustls
let client = HttpClient::builder()
    .with_pinned_cert_sha256(vec![pin1, pin2])
    .build();
Source

pub fn build(self) -> HttpClient

Finalize the configuration and build an HttpClient.

Examples found in repository?
examples/self-signed-certs/main.rs (line 14)
6async fn main() {
7    // Default secure client (uses OS trust store when built with default features)
8    let mut headers = HashMap::new();
9    headers.insert("x-app".into(), "example".into());
10
11    let client = HttpClient::builder()
12        .with_timeout(Duration::from_secs(10))
13        .with_default_headers(headers)
14        .build();
15
16    // Demonstrate a request (now returns HttpResponse with raw body data)
17    let _response = client
18        .request_with_options("https://example.com", None)
19        .await
20        .expect("request should succeed on native targets");
21
22    // Production with rustls + custom Root CA (e.g., self-signed for your private service)
23    // Note: Requires building with: --no-default-features --features rustls
24    #[cfg(feature = "rustls")]
25    {
26        // Option 1: Load CA certificate from raw PEM bytes
27        let ca_pem: &[u8] =
28            b"-----BEGIN CERTIFICATE-----\n...your root ca...\n-----END CERTIFICATE-----\n";
29        let _rustls_client = HttpClient::builder()
30            .with_timeout(Duration::from_secs(10))
31            .with_root_ca_pem(ca_pem)
32            .build();
33        let _ = _rustls_client
34            .request_with_options("https://private.local", None)
35            .await;
36
37        // Option 2: Load CA certificate from a file path
38        // Note: This will panic if the file doesn't exist - ensure your cert file is available
39        // let _rustls_client_from_file = HttpClient::builder()
40        //     .with_timeout(Duration::from_secs(10))
41        //     .with_root_ca_file("path/to/your/root-ca.pem")
42        //     .build();
43        // let _ = _rustls_client_from_file.request("https://private.local");
44    }
45
46    // Local development only: accept invalid/self-signed certs (dangerous)
47    // Build with: --features insecure-dangerous (or with rustls,insecure-dangerous)
48    #[cfg(feature = "insecure-dangerous")]
49    {
50        // Shortcut:
51        let _dev_client = HttpClient::with_self_signed_certs();
52        let _ = _dev_client
53            .request_with_options("https://localhost:8443", None)
54            .await;
55
56        // Or explicit builder method:
57        let _dev_client2 = HttpClient::builder()
58            .insecure_accept_invalid_certs(true)
59            .build();
60        let _ = _dev_client2
61            .request_with_options("https://localhost:8443", None)
62            .await;
63    }
64
65    println!("Example finished. See README for feature flags and commands.");
66}

Trait Implementations§

Source§

impl Default for HttpClientBuilder

Default builder state is secure and ergonomic.

Source§

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more