-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
server example error handling is incorrect + documentation is insufficient #113
Comments
This is a possible solution so that the server doesn't error out on a failed tls connection. I'll try to add some for of this to the example to help others trying to do the same thing. let tls_acceptor = &TlsAcceptor::from(tls_cfg);
// Prepare a long-running future stream to accept and serve cients.
let incoming_tls_stream = tcp
.incoming()
.filter_map(move |s| async move {
let client = match s {
Ok(x) => x,
Err(e) => {
println!("Failed to accept a client, should probably back off");
return Some(Err(e));
}
};
match tls_acceptor.accept(client).await {
Ok(x) => Some(Ok(x)),
Err(e) => {
println!("[!] Voluntary server halt due to client-connection error...: {}", e);
None
}
}
})
.boxed(); |
Not just error handling, the server example can only accept one connection at a time, if you have a resolver that requires some time to complete and you have two connections, the second one will get stuck, essentially this means we cannot do tls verification with acme, I have solve this by using the |
FYI: While the |
@ctz would you be the right person to nudge regarding this? |
@mikedilger in what situation would I want that info? I read a bit and it seems to be for instances where multiple dns entries point to the same application. So I could, within my application serve a different certificate based on what the client is trying to do. And I would only be interested in client certificates if I was trying to do mTLS. Is my understanding correct? If I'm not trying to do either of those things, am I free to use warp for in-process tls processing? |
@Parth Using a warp filter, you can get the host Authority, which it gets either from the Host header or the target URI. It doesn't look at the SNI hostname (afaik). The SNI hostname is for SSL establishment, certificate selection, and not really needed outside of SSL generally. But it would be interesting if the SNI hostname didn't match the HTTP Authority, in which case I would like to detect that and refuse service. I was also more interested in low-level SSL details for curiosity sake and testing of clients to see what they negotiated. For that I ended up using hyper directly and coded the asynchronous handling manually rather than using Service and MakeService traits. Under that paradigm I get everything I want and I understand it a lot better. |
@mikedilger is there a way I could study your implementation? |
@Parth Sure. Here is a self-contained compiling example. Maybe this could be massaged into the example this issue is asking for. It's just that I'm not using https://gist.github.com/mikedilger/589f616a2ca607ad1daed278042c1bb8 |
FYI, I think #147 fixes this issue. |
+1 from me. I tried to create a server both by trying to port the example server from the repo to an actual bin project and by trying to reproduce the example server from the docs. |
Please be more concrete about the issues you ran into (ideally with specific errors). |
I managed to make the docs example server run. The problems were crate versions related. I managed to make it run with the following crate versions:
Maybe the crate versions that the current example needs should be added as a comment at the top of the code example? PS: The example server from the GitHub repo gives errors like:
I believe they are crate versions related too. For example, the docs example needs rustls-pemfile 1.0.4, whereas the GitHub example needs rustls-pemfile 2. Overall, I think that the dependencies that each example needs should be stated somehow clearly, to avoid errors and confusion. |
steps to reproduce:
first, verify the server example works:
so far so good! lets try curling with http to see if the server gracefully drops the packet
that part seems right, but wait! my server has crashed!
ok - lets look at the example code. it seems to say that i can uncomment the error and just return
Ok(None)
and that should take care of things: uncomment this line and comment this line so it looks like this:unfortunately when i run the server it fails to compile with a rather verbose error message:
I tried looking into the documentation and I found
into_failable
which seems like maybe something that could be useful to me? But really I'm not sure where to go from here. Any help with this is greatly appreciated and I'd be happy to update the server example with something that works once I understand what's going on.The text was updated successfully, but these errors were encountered: