sentry - TLS support with axum

- add graceful shutdown
- Cargo - remove  crate for hyper tls support
- remove old Application::run

Author: elpiel

Cargo.lock

@@ -47,7 +47,6 @@ tower = "0.4"
 tower-http = { version = "0.3", features = ["cors"] }
 tokio = { version = "1", features = ["macros", "time", "rt-multi-thread", "signal"] }
 hyper = { version = "0.14", features = ["stream", "runtime", "http1", "http2", "server"] }
-simple-hyper-server-tls = { version = "0.3", features = ["tls-rustls"] }
 regex = "1"
 # Database
 redis = { version = "0.21", features = ["aio", "tokio-comp"] }

sentry/Cargo.toml

@@ -4,27 +4,25 @@ use std::{
     sync::Arc,
 };
 
-use adapter::client::Locked;
 use axum::{
     extract::{FromRequest, RequestParts},
     http::StatusCode,
     middleware,
     routing::get,
     Extension, Router,
 };
-use hyper::{
-    service::{make_service_fn, service_fn},
-    Error, Server,
-};
+use axum_server::{tls_rustls::RustlsConfig, Handle};
+use hyper::{Body, Method, Request, Response};
 use once_cell::sync::Lazy;
-use primitives::{config::Environment, ValidatorId};
-use redis::ConnectionInfo;
+use redis::{aio::MultiplexedConnection, ConnectionInfo};
 use serde::{Deserialize, Deserializer};
-use simple_hyper_server_tls::{listener_from_pem_files, Protocols, TlsListener};
-use slog::{error, info};
+use slog::{error, info, Logger};
 use tower::ServiceBuilder;
 use tower_http::cors::CorsLayer;
 
+use adapter::{client::Locked, Adapter};
+use primitives::{config::Environment, ValidatorId};
+
 use crate::{
     db::{CampaignRemaining, DbPool},
     middleware::{
@@ -42,10 +40,6 @@ use crate::{
         },
     },
 };
-use adapter::Adapter;
-use hyper::{Body, Method, Request, Response};
-use redis::aio::MultiplexedConnection;
-use slog::Logger;
 
 /// an error used when deserializing a [`EnvConfig`] instance from environment variables
 /// see [`EnvConfig::from_env()`]
@@ -206,81 +200,50 @@ where
 }
 
 impl<C: Locked + 'static> Application<C> {
-    /// Starts the `hyper` `Server`.
-    pub async fn run2(self, enable_tls: EnableTls) {
+    pub async fn run(self, enable_tls: EnableTls) {
         let logger = self.logger.clone();
         let socket_addr = match &enable_tls {
             EnableTls::NoTls(socket_addr) => socket_addr,
             EnableTls::Tls { socket_addr, .. } => socket_addr,
         };
 
         info!(&logger, "Listening on socket address: {}!", socket_addr);
+        let router = self.axum_routing().await;
+
+        let handle = Handle::new();
+
+        // Spawn a task to shutdown server.
+        tokio::spawn(shutdown_signal(logger.clone(), handle.clone()));
 
         match enable_tls {
             EnableTls::NoTls(socket_addr) => {
-                let make_service = make_service_fn(|_| {
-                    let server = self.clone();
-                    async move {
-                        Ok::<_, Error>(service_fn(move |req| {
-                            let server = server.clone();
-                            async move { Ok::<_, Error>(server.handle_routing(req).await) }
-                        }))
-                    }
-                });
-
-                let server = Server::bind(&socket_addr)
-                    .serve(make_service)
-                    .with_graceful_shutdown(shutdown_signal(logger.clone()));
-
-                if let Err(e) = server.await {
-                    error!(&logger, "server error: {}", e; "main" => "run");
-                }
-            }
-            EnableTls::Tls { listener, .. } => {
-                let make_service = make_service_fn(|_| {
-                    let server = self.clone();
-                    async move {
-                        Ok::<_, Error>(service_fn(move |req| {
-                            let server = server.clone();
-                            async move { Ok::<_, Error>(server.handle_routing(req).await) }
-                        }))
-                    }
-                });
-
-                // TODO: Find a way to redirect to HTTPS
-                let server = Server::builder(listener)
-                    .serve(make_service)
-                    .with_graceful_shutdown(shutdown_signal(logger.clone()));
+                let server = axum_server::bind(socket_addr)
+                    .handle(handle)
+                    .serve(router.into_make_service());
+
                 tokio::pin!(server);
 
                 while let Err(e) = (&mut server).await {
                     // This is usually caused by trying to connect on HTTP instead of HTTPS
                     error!(&logger, "server error: {}", e; "main" => "run");
                 }
             }
-        }
-    }
 
-    pub async fn run(self, enable_tls: EnableTls) {
-        let logger = self.logger.clone();
-        let socket_addr = match &enable_tls {
-            EnableTls::NoTls(socket_addr) => socket_addr,
-            EnableTls::Tls { socket_addr, .. } => socket_addr,
-        };
-
-        info!(&logger, "Listening on socket address: {}!", socket_addr);
-
-        let app = self.axum_routing().await;
-
-        let server = axum::Server::bind(socket_addr)
-            .serve(app.into_make_service())
-            .with_graceful_shutdown(shutdown_signal(logger.clone()));
+            EnableTls::Tls {
+                config,
+                socket_addr,
+            } => {
+                let server = axum_server::bind_rustls(socket_addr, config)
+                    .handle(handle)
+                    .serve(router.into_make_service());
 
-        tokio::pin!(server);
+                tokio::pin!(server);
 
-        while let Err(e) = (&mut server).await {
-            // This is usually caused by trying to connect on HTTP instead of HTTPS
-            error!(&logger, "server error: {}", e; "main" => "run");
+                while let Err(e) = (&mut server).await {
+                    // This is usually caused by trying to connect on HTTP instead of HTTPS
+                    error!(&logger, "server error: {}", e; "main" => "run");
+                }
+            }
         }
     }
 }
@@ -304,21 +267,20 @@ pub enum EnableTls {
     NoTls(SocketAddr),
     Tls {
         socket_addr: SocketAddr,
-        listener: TlsListener,
+        config: RustlsConfig,
     },
 }
 
 impl EnableTls {
-    pub fn new_tls<C: AsRef<Path>, K: AsRef<Path>>(
+    pub async fn new_tls<C: AsRef<Path>, K: AsRef<Path>>(
         certificates: C,
         private_keys: K,
         socket_addr: SocketAddr,
     ) -> Result<Self, Box<dyn std::error::Error>> {
-        let listener =
-            listener_from_pem_files(certificates, private_keys, Protocols::ALL, &socket_addr)?;
+        let config = RustlsConfig::from_pem_file(certificates, private_keys).await?;
 
         Ok(Self::Tls {
-            listener,
+            config,
             socket_addr,
         })
     }
@@ -368,12 +330,15 @@ where
 }
 
 /// A Ctrl+C signal to gracefully shutdown the server
-async fn shutdown_signal(logger: Logger) {
+async fn shutdown_signal(logger: Logger, handle: Handle) {
     // Wait for the Ctrl+C signal
     tokio::signal::ctrl_c()
         .await
         .expect("failed to install CTRL+C signal handler");
 
+    // Signal the server to shutdown using Handle.
+    handle.shutdown();
+
     info!(&logger, "Received Ctrl+C signal. Shutting down..")
 }
 

sentry/src/application.rs

@@ -115,6 +115,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     ) {
         (Some(certs_path), Some(private_keys)) => {
             EnableTls::new_tls(certs_path, private_keys, socket_addr)
+                .await
                 .expect("Failed to load certificates & private key files")
         }
         (None, None) => EnableTls::no_tls(socket_addr),