From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id C7C0367795 for ; Tue, 12 Jan 2021 14:59:13 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id BEB9726F6B for ; Tue, 12 Jan 2021 14:58:43 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [212.186.127.180]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 14B5E26F61 for ; Tue, 12 Jan 2021 14:58:43 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id D22D745795 for ; Tue, 12 Jan 2021 14:58:42 +0100 (CET) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pbs-devel@lists.proxmox.com Date: Tue, 12 Jan 2021 14:58:22 +0100 Message-Id: <20210112135830.2798301-13-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210112135830.2798301-1-f.gruenbichler@proxmox.com> References: <20210112135830.2798301-1-f.gruenbichler@proxmox.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.027 Adjusted score from AWL reputation of 
From: address KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_DNSWL_MED -2.3 Sender listed at https://www.dnswl.org/, medium trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [http.rs, proxmox-backup-proxy.rs, rest.rs] Subject: [pbs-devel] [PATCH proxmox-backup 08/12] tokio 1.0: update to new tokio-openssl interface X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Jan 2021 13:59:13 -0000
connect/accept are now happening on pinned SslStreams
Signed-off-by: Fabian Grünbichler
---
Notes:
there might be further potential to improve error handling now?
 src/bin/proxmox-backup-proxy.rs | 27 ++++++++++++++++++++++-----
 src/server/rest.rs | 4 ++--
 src/tools/async_io.rs | 2 +-
 src/tools/http.rs | 11 +++++------
 4 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 16450244..c8eb237c 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -167,7 +167,7 @@ fn accept_connections(
 mut listener: tokio::net::TcpListener,
 acceptor: Arc,
 debug: bool,
-) -> tokio::sync::mpsc::Receiver, Error>> {
+) -> tokio::sync::mpsc::Receiver>>, Error>> {
 const MAX_PENDING_ACCEPTS: usize = 1024;
@@ -185,7 +185,24 @@ fn accept_connections(
 sock.set_nodelay(true).unwrap();
 let _ = set_tcp_keepalive(sock.as_raw_fd(), PROXMOX_BACKUP_TCP_KEEPALIVE_TIME);
 let acceptor = Arc::clone(&acceptor);
- let mut sender = sender.clone();
+
+ let ssl = match openssl::ssl::Ssl::new(acceptor.context()) {
+ Ok(ssl) => ssl,
+ Err(err) => {
+ eprintln!("failed to create Ssl object from Acceptor context - {}", err);
+ continue;
+ },
+ };
+ let stream = match tokio_openssl::SslStream::new(ssl, sock) {
+ Ok(stream) => stream,
+ Err(err) => {
+ eprintln!("failed to create SslStream using ssl and connection socket - {}", err);
+ continue;
+ },
+ };
+
+ let mut stream = Box::pin(stream);
+ let sender = sender.clone();
 if Arc::strong_count(&accept_counter) > MAX_PENDING_ACCEPTS {
 eprintln!("connection rejected - to many open connections");
@@ -195,13 +212,13 @@ fn accept_connections(
 let accept_counter = accept_counter.clone();
 tokio::spawn(async move {
 let accept_future = tokio::time::timeout(
- Duration::new(10, 0), tokio_openssl::accept(&acceptor, sock));
+ Duration::new(10, 0), stream.as_mut().accept());
 let result = accept_future.await;
 match result {
- Ok(Ok(connection)) => {
- if let Err(_) = sender.send(Ok(connection)).await {
+ Ok(Ok(())) => {
+ if let Err(_) = sender.send(Ok(stream)).await {
 if debug {
 eprintln!("detect closed connection channel");
 }
diff --git a/src/server/rest.rs b/src/server/rest.rs
index 04bdc5f9..c30d1c92 100644
--- a/src/server/rest.rs
+++ b/src/server/rest.rs
@@ -65,7 +65,7 @@ impl RestServer {
 }
 }
-impl tower_service::Service<&tokio_openssl::SslStream> for RestServer {
+impl tower_service::Service<&Pin>>> for RestServer {
 type Response = ApiService;
 type Error = Error;
 type Future = Pin> + Send>>;
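Review bot: The new `Ssl::new(acceptor.context())` / `SslStream::new(ssl, sock)` construction and the `Box::pin(stream)` run before the `Arc::strong_count(&accept_counter) > MAX_PENDING_ACCEPTS` rejection, so a connection that is about to be turned away still allocates a complete OpenSSL session object. That limit is what bounds the work an unauthenticated peer can impose during a connect flood, and before this change the rejection path did not allocate anything beyond the accepted socket. Move both `match` blocks and the `Box::pin` below the rejection branch, just ahead of `tokio::spawn`, and leave only `let sender = sender.clone();` where it is; `sock` is not used by the check, so nothing else in the hunk changes. The rejection branch and the remainder of `accept_connections` continue outside the hunk.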
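Review bot: The rewritten line `if let Err(_) = sender.send(Ok(stream)).await {` is the `if let Err(_)` form that clippy reports as `redundant_pattern_matching`; since the line is being changed anyway, `if sender.send(Ok(stream)).await.is_err() {` says the same thing without a throwaway binding. The `Ok(Err(err))` and timeout arms of `match result` lie outside the hunk, as does the rest of the spawned task, so I cannot see how a handshake failure on the pinned stream is reported now that `accept()` returns `()` instead of the stream.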
@@ -74,7 +74,7 @@ impl tower_service::Service<&tokio_openssl::SslStream> fo
 Poll::Ready(Ok(()))
 }
- fn call(&mut self, ctx: &tokio_openssl::SslStream) -> Self::Future {
+ fn call(&mut self, ctx: &Pin>>) -> Self::Future {
 match ctx.get_ref().peer_addr() {
 Err(err) => {
 future::err(format_err!("unable to get peer address - {}", err)).boxed()
diff --git a/src/tools/async_io.rs b/src/tools/async_io.rs
index 3a5a6c9a..997c02fa 100644
--- a/src/tools/async_io.rs
+++ b/src/tools/async_io.rs
@@ -74,7 +74,7 @@ impl AsyncWrite for EitherStream,
+ Pin>>,
 > {
 fn connected(&self) -> hyper::client::connect::Connected {
 match self {
diff --git a/src/tools/http.rs b/src/tools/http.rs
index 130aa381..47d6e1f6 100644
--- a/src/tools/http.rs
+++ b/src/tools/http.rs
@@ -3,6 +3,7 @@ use lazy_static::lazy_static;
 use std::task::{Context, Poll};
 use std::os::unix::io::AsRawFd;
 use std::collections::HashMap;
+use std::pin::Pin;
 use hyper::{Uri, Body};
 use hyper::client::{Client, HttpConnector};
@@ -101,7 +102,7 @@ impl HttpsConnector {
 type MaybeTlsStream = EitherStream<
 tokio::net::TcpStream,
- tokio_openssl::SslStream,
+ Pin>>,
 >;
 impl hyper::service::Service for HttpsConnector {
@@ -123,10 +124,6 @@ impl hyper::service::Service for HttpsConnector {
 .scheme()
 .ok_or_else(|| format_err!("missing URL scheme"))?
 == "https";
- let host = dst
- .host()
- .ok_or_else(|| format_err!("missing hostname in destination url?"))?
- .to_string();
 let config = this.ssl_connector.configure();
 let dst_str = dst.to_string(); // for error messages
@@ -139,7 +136,9 @@ impl hyper::service::Service for HttpsConnector {
 let _ = set_tcp_keepalive(conn.as_raw_fd(), PROXMOX_BACKUP_TCP_KEEPALIVE_TIME);
 if is_https {
- let conn = tokio_openssl::connect(config?, &host, conn).await?;
+ let conn: tokio_openssl::SslStream = tokio_openssl::SslStream::new(config?.into_ssl(&dst_str)?, conn)?;
+ let mut conn = Box::pin(conn);
+ conn.as_mut().connect().await?;
 Ok(MaybeTlsStream::Right(conn))
 } else {
 Ok(MaybeTlsStream::Left(conn))
-- 
2.20.1
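Review bot: `config?.into_ssl(&dst_str)?` hands the whole destination URI to OpenSSL as the peer name, but `dst_str` is `dst.to_string()`, kept in the earlier hunk "for error messages", i.e. something like `https://host:8007/path` rather than a hostname. As far as I can tell `into_ssl`'s argument is what openssl uses for the SNI extension and, with hostname verification enabled on the connector (the openssl default), for the certificate hostname check, so either every HTTPS connect now fails verification or, if verification was disabled elsewhere, a bogus SNI goes on the wire. The previous hunk removed the `host` extraction that `tokio_openssl::connect(config?, &host, conn)` used for exactly this purpose; keep `let host = dst.host().ok_or_else(|| format_err!("missing hostname in destination url?"))?.to_string();` and call `config?.into_ssl(&host)?` instead, leaving `dst_str` for messages only. The enclosing `call` future starts and ends outside the hunk.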