refactor: allow using either openssl/nativetls or rustls

Author: ctron

.github/workflows/ci.yaml

@@ -69,6 +69,19 @@ jobs:
       - name: Build | Check
         run: cargo check --all
 
+      - name: Setup | binstall
+        run: |
+          curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+
+      - name: Setup | check-all-features
+        run: |
+          cargo binstall -y cargo-all-features
+
+      - name: Build | Check all features
+        run: |
+          cargo check-all-features
+
+
   test:
     needs: check # Ensure check is run first.
     strategy:

Cargo.lock

@@ -24,12 +24,12 @@ ansi_term = "0.12"
 anyhow = "1"
 async-recursion = "1.0.5"
 axum = { version = "0.6", features = ["ws"] }
-axum-server = { version = "0.5.1", features = ["tls-rustls"] }
+axum-server = "0.5.1"
 base64 = "0.21"
 bytes = "1"
 cargo-lock = "9"
 cargo_metadata = "0.18.1"
-crates_io_api = { version = "0.9", default-features = false, features = ["rustls"] }
+crates_io_api = { version = "0.9", default-features = false }
 clap = { version = "4", features = ["derive", "env"] }
 console = "0.15"
 directories = "5"
@@ -54,11 +54,7 @@ open = "5"
 oxipng = "9"
 parking_lot = "0.12"
 remove_dir_all = "0.8"
-reqwest = { version = "0.11", default-features = false, features = [
-    "rustls-tls-native-roots",
-    "stream",
-    "trust-dns",
-] }
+reqwest = { version = "0.11", default-features = false, features = ["stream", "trust-dns"] }
 sha2 = "0.10"
 seahash = { version = "4", features = ["use_std"] }
 semver = "1"
@@ -70,7 +66,7 @@ time = { version = "0.3", features = ["serde-well-known"] }
 thiserror = "1"
 tokio = { version = "1", default-features = false, features = ["full"] }
 tokio-stream = { version = "0.1", default-features = false, features = ["fs", "sync"] }
-tokio-tungstenite = { version = "0.20", features = ["rustls", "rustls-tls-native-roots"] }
+tokio-tungstenite = "0.20"
 toml = "0.8"
 tower-http = { version = "0.4", features = ["fs", "trace", "set-header"] }
 tracing = "0.1"
@@ -85,7 +81,20 @@ lightningcss = "=1.0.0-alpha.54"
 tempfile = "3"
 
 [features]
-default = ["update_check"]
+default = ["update_check", "rustls"]
+rustls = [
+    "axum-server/tls-rustls",
+    "crates_io_api/rustls",
+    "reqwest/rustls",
+    "reqwest/rustls-tls-native-roots",
+    "tokio-tungstenite/rustls",
+    "tokio-tungstenite/rustls-tls-native-roots",
+]
+native-tls = [
+    "axum-server/tls-openssl",
+    "reqwest/native-tls",
+    "tokio-tungstenite/native-tls",
+]
 
 # enable the update check on startup
 update_check = []

Cargo.toml

@@ -20,6 +20,7 @@ pub static SERVER: Emoji = Emoji("📡 ", "");
 pub static LOCAL: Emoji = Emoji("🏠 ", "");
 pub static NETWORK: Emoji = Emoji("💻 ", "");
 pub static STARTING: Emoji = Emoji("🚀 ", "");
+#[cfg(feature = "update_check")]
 pub static UPDATE: Emoji = Emoji("⏫ ", "");
 
 static CWD: Lazy<PathBuf> =

src/common.rs

@@ -2,9 +2,8 @@ use crate::config::{
     models::AddressFamily, BaseUrl, ConfigOptsBuild, ConfigOptsCore, ConfigOptsHook,
     ConfigOptsProxy, ConfigOptsServe, ConfigOptsTools, ConfigOptsWatch, WsProtocol,
 };
-use anyhow::{anyhow, ensure, Context, Result};
+use anyhow::{anyhow, bail, ensure, Context, Result};
 use axum::http::Uri;
-use axum_server::tls_rustls::RustlsConfig;
 use local_ip_address::list_afinet_netifas;
 use std::borrow::Cow;
 use std::collections::HashMap;
@@ -13,6 +12,8 @@ use std::path::PathBuf;
 use std::sync::Arc;
 use tracing::log;
 
+use crate::tls::TlsConfig;
+
 /// Runtime config for the serve system.
 #[derive(Clone, Debug)]
 pub struct RtcServe {
@@ -46,8 +47,8 @@ pub struct RtcServe {
     pub ws_protocol: Option<WsProtocol>,
     /// Path used for autoreload WebSockets connection.
     pub ws_base: Option<String>,
-    /// The tls config containing the certificate and private key. TLS is activated if both are set.
-    pub tls: Option<RustlsConfig>,
+    /// The TLS config containing the certificate and private key. TLS is activated if both are set.
+    pub tls: Option<TlsConfig>,
     /// A base path to serve the application from
     pub serve_base: Option<String>,
 }
@@ -191,18 +192,32 @@ fn build_address_list(preference: Option<AddressFamily>, addresses: Vec<IpAddr>)
     }
 }
 
+#[allow(unreachable_code)]
 async fn tls_config(
     tls_key_path: Option<PathBuf>,
     tls_cert_path: Option<PathBuf>,
-) -> anyhow::Result<Option<RustlsConfig>, anyhow::Error> {
+) -> Result<Option<TlsConfig>, anyhow::Error> {
     match (tls_key_path, tls_cert_path) {
         (Some(tls_key_path), Some(tls_cert_path)) => {
             tracing::info!("🔐 Private key {}", tls_key_path.display(),);
             tracing::info!("🔒 Public key {}", tls_cert_path.display());
-            let tls_config = RustlsConfig::from_pem_file(tls_cert_path, tls_key_path)
-                .await
-                .with_context(|| "loading TLS cert/key failed")?;
-            Ok(Some(tls_config))
+
+            #[cfg(feature = "rustls")]
+            return Ok(Some(
+                axum_server::tls_rustls::RustlsConfig::from_pem_file(tls_cert_path, tls_key_path)
+                    .await
+                    .with_context(|| "loading TLS cert/key failed")?
+                    .into(),
+            ));
+
+            #[cfg(feature = "native-tls")]
+            return Ok(Some(
+                axum_server::tls_openssl::OpenSSLConfig::from_pem_file(tls_cert_path, tls_key_path)
+                    .with_context(|| "loading TLS cert/key failed")?
+                    .into(),
+            ));
+
+            bail!("TLS configuration was requested, but no TLS provider was enabled during compilation")
         }
         (None, Some(_)) => Err(anyhow!("TLS cert path provided without key path")),
         (Some(_), None) => Err(anyhow!("TLS key path provided without cert path")),

src/config/rt/serve.rs

@@ -9,6 +9,7 @@ mod pipelines;
 mod processing;
 mod proxy;
 mod serve;
+mod tls;
 mod tools;
 mod version;
 mod watch;