fix ALPN for rama services (fp/echo)

plabayo · Sep 21, 2024 · dd4bcac · dd4bcac
1 parent f37cfd3
commit dd4bcac
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 15 deletions.
diff --git a/examples/mtls_tunnel_and_service.rs b/examples/mtls_tunnel_and_service.rs
@@ -44,7 +44,7 @@ use rama::{
     net::tls::client::ClientConfig,
     net::tls::client::{ClientAuth, ServerVerifyMode},
     net::tls::server::{ClientVerifyMode, SelfSignedData, ServerAuth, ServerConfig},
-    net::tls::DataEncoding,
+    net::tls::{ApplicationProtocol, DataEncoding},
     rt::Executor,
     service::service_fn,
     tcp::server::TcpListener,
@@ -101,6 +101,10 @@ async fn main() {
         ServerConfig::new(ServerAuth::SelfSigned(SelfSignedData::default()));
     tls_server_config.client_verify_mode =
         ClientVerifyMode::ClientAuth(DataEncoding::DerStack(tls_client_cert_chain));
+    tls_server_config.application_layer_protocol_negotiation = Some(vec![
+        ApplicationProtocol::HTTP_2,
+        ApplicationProtocol::HTTP_11,
+    ]);
     let tls_server_data =
         TlsAcceptorData::try_from(tls_server_config).expect("create tls acceptor data for server");
 

diff --git a/examples/tls_termination.rs b/examples/tls_termination.rs
@@ -61,7 +61,10 @@ use rama::{
     },
     Context, Layer,
 };
-use rama_net::tls::server::{SelfSignedData, ServerAuth, ServerConfig};
+use rama_net::tls::{
+    server::{SelfSignedData, ServerAuth, ServerConfig},
+    ApplicationProtocol,
+};
 
 // everything else is provided by the standard library, community crates or tokio
 use std::{convert::Infallible, time::Duration};
@@ -80,7 +83,13 @@ async fn main() {
         )
         .init();
 
-    let tls_server_config = ServerConfig::new(ServerAuth::SelfSigned(SelfSignedData::default()));
+    let tls_server_config = ServerConfig {
+        application_layer_protocol_negotiation: Some(vec![
+            ApplicationProtocol::HTTP_2,
+            ApplicationProtocol::HTTP_11,
+        ]),
+        ..ServerConfig::new(ServerAuth::SelfSigned(SelfSignedData::default()))
+    };
 
     let acceptor_data = TlsAcceptorData::try_from(tls_server_config).expect("create acceptor data");
 

diff --git a/rama-cli/src/cmd/echo/mod.rs b/rama-cli/src/cmd/echo/mod.rs
@@ -8,7 +8,7 @@ use rama::{
     layer::HijackLayer,
     net::tls::{
         server::{ServerAuth, ServerAuthData, ServerConfig},
-        DataEncoding,
+        ApplicationProtocol, DataEncoding,
     },
     rt::Executor,
     tcp::server::TcpListener,
@@ -94,11 +94,17 @@ pub async fn run(cfg: CliCommandEcho) -> Result<(), BoxError> {
         .expect("base64-decoded RAMA_TLS_CRT valid utf-8")
         .try_into()
         .expect("tls_crt_pem_raw => NonEmptyStr (RAMA_TLS_CRT)");
-        ServerConfig::new(ServerAuth::Single(ServerAuthData {
-            private_key: DataEncoding::Pem(tls_key_pem_raw),
-            cert_chain: DataEncoding::Pem(tls_crt_pem_raw),
-            ocsp: None,
-        }))
+        ServerConfig {
+            application_layer_protocol_negotiation: Some(vec![
+                ApplicationProtocol::HTTP_2,
+                ApplicationProtocol::HTTP_11,
+            ]),
+            ..ServerConfig::new(ServerAuth::Single(ServerAuthData {
+                private_key: DataEncoding::Pem(tls_key_pem_raw),
+                cert_chain: DataEncoding::Pem(tls_crt_pem_raw),
+                ocsp: None,
+            }))
+        }
     });
 
     let maybe_acme_service = std::env::var("RAMA_ACME_DATA")

diff --git a/rama-cli/src/cmd/fp/mod.rs b/rama-cli/src/cmd/fp/mod.rs
@@ -28,7 +28,7 @@ use rama::{
         stream::layer::http::BodyLimitLayer,
         tls::{
             server::{ServerAuth, ServerAuthData, ServerConfig},
-            DataEncoding,
+            ApplicationProtocol, DataEncoding,
         },
     },
     proxy::haproxy::server::HaProxyLayer,
@@ -177,11 +177,17 @@ pub async fn run(cfg: CliCommandFingerprint) -> Result<(), BoxError> {
         .expect("base64-decoded RAMA_TLS_CRT valid utf-8")
         .try_into()
         .expect("tls_crt_pem_raw => NonEmptyStr (RAMA_TLS_CRT)");
-        ServerConfig::new(ServerAuth::Single(ServerAuthData {
-            private_key: DataEncoding::Pem(tls_key_pem_raw),
-            cert_chain: DataEncoding::Pem(tls_crt_pem_raw),
-            ocsp: None,
-        }))
+        ServerConfig {
+            application_layer_protocol_negotiation: Some(vec![
+                ApplicationProtocol::HTTP_2,
+                ApplicationProtocol::HTTP_11,
+            ]),
+            ..ServerConfig::new(ServerAuth::Single(ServerAuthData {
+                private_key: DataEncoding::Pem(tls_key_pem_raw),
+                cert_chain: DataEncoding::Pem(tls_crt_pem_raw),
+                ocsp: None,
+            }))
+        }
     });
 
     let tls_acceptor_data = match maybe_tls_server_config {