add support for proxy encryption

tayloraswift · tayloraswift · commit b2fc08ff700b · 2024-12-07T16:25:59.000-06:00
diff --git a/Sources/HTTPServer/HTTP.Server.swift b/Sources/HTTPServer/HTTP.Server.swift
@@ -113,7 +113,7 @@ extension HTTP.Server
     func serve(origin server:HTTP.ServerOrigin,
         host:String,
         port:Int,
-        with context:NIOSSLContext? = nil,
+        with encryption:HTTP.ServerEncryptionLayer? = nil,
         policy:(any HTTP.ServerPolicy)? = nil) async throws
     {
         let bootstrap:ServerBootstrap = .init(group: MultiThreadedEventLoopGroup.singleton)
@@ -129,13 +129,25 @@ extension HTTP.Server
                     HTTPPart<HTTPResponseHead, ByteBuffer>>,
                 (any Channel, NIOHTTP2Handler.AsyncStreamMultiplexer<HTTP.Stream>)>>, Never>
 
-        if  let context:NIOSSLContext
+
+        if  let encryption:HTTP.ServerEncryptionLayer
         {
             listener = try await bootstrap.bind(host: host, port: port)
             {
                 (channel:any Channel) in
 
-                channel.pipeline.addHandler(NIOSSLServerHandler.init(context: context))
+                let encryptionHandlers:[any ChannelHandler]
+
+                switch encryption
+                {
+                case .local(let context):
+                    encryptionHandlers = [NIOSSLServerHandler.init(context: context)]
+
+                case .proxy:
+                    encryptionHandlers = []
+                }
+
+                return channel.pipeline.addHandlers(encryptionHandlers)
                     .flatMap
                 {
                     channel.configureAsyncHTTPServerPipeline
diff --git a/Sources/HTTPServer/HTTP.ServerEncryptionLayer.swift b/Sources/HTTPServer/HTTP.ServerEncryptionLayer.swift
@@ -0,0 +1,13 @@
+import NIOSSL
+
+extension HTTP
+{
+    @frozen public
+    enum ServerEncryptionLayer
+    {
+        /// Encryption happens on this server.
+        case local(NIOSSLContext)
+        /// Encryption happens on an upstream proxy.
+        case proxy
+    }
+}
diff --git a/Sources/UnidocServer/HTTP.Server (ext).swift b/Sources/UnidocServer/HTTP.Server (ext).swift
@@ -6,7 +6,7 @@ import NIOSSL
 extension HTTP.Server where Self:Unidoc.Server
 {
     public
-    func run(on port:Int, with niossl:NIOSSLContext? = nil) async throws
+    func run(on port:Int, with encryption:HTTP.ServerEncryptionLayer? = nil) async throws
     {
         try await self._setup()
         try await withThrowingTaskGroup(of: Void.self)
@@ -26,7 +26,7 @@ extension HTTP.Server where Self:Unidoc.Server
                 try await self.serve(origin: self.options.origin,
                     host: "::",
                     port: port,
-                    with: niossl,
+                    with: encryption,
                     policy: self.policy)
             }
             tasks.addTask
diff --git a/Sources/unidoc-linkerd/Main.swift b/Sources/unidoc-linkerd/Main.swift
@@ -27,6 +27,11 @@ struct Main
     var db:Unidoc.DatabaseOptions
     @OptionGroup
     var s3:Unidoc.BucketOptions
+
+    @Flag(
+        name: [.customLong("assume-encrypted")],
+        help: "Assume that the connection is encrypted")
+    var assumeEncrypted:Bool = false
 }
 
 @main
@@ -73,7 +78,7 @@ extension Main:AsyncParsableCommand
                     logger: $0,
                     db: .init(settings: settings, sessions: pool, unidoc: "unidoc"))
 
-                try await server.run(on: self.port)
+                try await server.run(on: self.port, with: self.assumeEncrypted ? .proxy : nil)
             }
         }
     }
diff --git a/Sources/unidoc-tools/Main.Preview.swift b/Sources/unidoc-tools/Main.Preview.swift
@@ -110,7 +110,8 @@ extension Main.Preview:AsyncParsableCommand
                     logger: $0,
                     db: .init(settings: settings, sessions: pool, unidoc: "unidoc"))
 
-                try await server.run(on: port, with: serverIdentity)
+                try await server.run(on: port,
+                    with: serverIdentity.map(HTTP.ServerEncryptionLayer.local(_:)))
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ import NIOSSL`
`6`	`6`	`extension HTTP.Server where Self:Unidoc.Server`
`7`	`7`	`{`
`8`	`8`	`public`
`9`		`- func run(on port:Int, with niossl:NIOSSLContext? = nil) async throws`
	`9`	`+ func run(on port:Int, with encryption:HTTP.ServerEncryptionLayer? = nil) async throws`
`10`	`10`	`{`
`11`	`11`	`try await self._setup()`
`12`	`12`	`try await withThrowingTaskGroup(of: Void.self)`
`@@ -26,7 +26,7 @@ extension HTTP.Server where Self:Unidoc.Server`
`26`	`26`	`try await self.serve(origin: self.options.origin,`
`27`	`27`	`host: "::",`
`28`	`28`	`port: port,`
`29`		`- with: niossl,`
	`29`	`+ with: encryption,`
`30`	`30`	`policy: self.policy)`
`31`	`31`	`}`
`32`	`32`	`tasks.addTask`
Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,11 @@ struct Main`
`27`	`27`	`var db:Unidoc.DatabaseOptions`
`28`	`28`	`@OptionGroup`
`29`	`29`	`var s3:Unidoc.BucketOptions`
	`30`	`+`
	`31`	`+ @Flag(`
	`32`	`+ name: [.customLong("assume-encrypted")],`
	`33`	`+ help: "Assume that the connection is encrypted")`
	`34`	`+ var assumeEncrypted:Bool = false`
`30`	`35`	`}`
`31`	`36`
`32`	`37`	`@main`
`@@ -73,7 +78,7 @@ extension Main:AsyncParsableCommand`
`73`	`78`	`logger: $0,`
`74`	`79`	`db: .init(settings: settings, sessions: pool, unidoc: "unidoc"))`
`75`	`80`
`76`		`- try await server.run(on: self.port)`
	`81`	`+ try await server.run(on: self.port, with: self.assumeEncrypted ? .proxy : nil)`
`77`	`82`	`}`
`78`	`83`	`}`
`79`	`84`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,8 @@ extension Main.Preview:AsyncParsableCommand`
`110`	`110`	`logger: $0,`
`111`	`111`	`db: .init(settings: settings, sessions: pool, unidoc: "unidoc"))`
`112`	`112`
`113`		`- try await server.run(on: port, with: serverIdentity)`
	`113`	`+ try await server.run(on: port,`
	`114`	`+ with: serverIdentity.map(HTTP.ServerEncryptionLayer.local(_:)))`
`114`	`115`	`}`
`115`	`116`	`}`
`116`	`117`	`}`