Merge pull request #202 from Dstack-TEE/config-tls-ver

gw: Configurable TLS version and crypto provider

Author: kvinwang

gateway/gateway.toml

@@ -49,6 +49,8 @@ endpoint = "10.0.2.2:51820"
 [core.proxy]
 cert_chain = "/etc/rproxy/certs/cert.pem"
 cert_key = "/etc/rproxy/certs/key.pem"
+tls_crypto_provider = "aws-lc-rs"
+tls_versions = ["1.2"]
 base_domain = "app.localhost"
 listen_addr = "0.0.0.0"
 listen_port = 8443

gateway/src/config.rs

@@ -47,10 +47,28 @@ fn validate(ip: Ipv4Net, reserved_net: &[Ipv4Net], client_ip_range: Ipv4Net) ->
     Ok(())
 }
 
+#[derive(Debug, Clone, Deserialize)]
+pub enum CryptoProvider {
+    #[serde(rename = "aws-lc-rs")]
+    AwsLcRs,
+    #[serde(rename = "ring")]
+    Ring,
+}
+
+#[derive(Debug, Clone, Deserialize)]
+pub enum TlsVersion {
+    #[serde(rename = "1.2")]
+    Tls12,
+    #[serde(rename = "1.3")]
+    Tls13,
+}
+
 #[derive(Debug, Clone, Deserialize)]
 pub struct ProxyConfig {
     pub cert_chain: String,
     pub cert_key: String,
+    pub tls_crypto_provider: CryptoProvider,
+    pub tls_versions: Vec<TlsVersion>,
     pub base_domain: String,
     pub listen_addr: Ipv4Addr,
     pub listen_port: u16,

gateway/src/proxy.rs

@@ -155,8 +155,7 @@ pub async fn run(config: &ProxyConfig, app_state: Proxy) -> Result<()> {
         Arc::new(format!(".{base_domain}"))
     };
     let tls_terminate_proxy =
-        TlsTerminateProxy::new(&app_state, &config.cert_chain, &config.cert_key)
-            .context("failed to create tls terminate proxy")?;
+        TlsTerminateProxy::new(&app_state).context("failed to create tls terminate proxy")?;
     let tls_terminate_proxy = Arc::new(tls_terminate_proxy);
 
     let listener = TcpListener::bind((config.listen_addr, config.listen_port))

gateway/src/proxy/tls_terminate.rs

@@ -1,5 +1,4 @@
 use std::io;
-use std::path::Path;
 use std::pin::Pin;
 use std::sync::Arc;
 use std::task::{Context, Poll};
@@ -8,12 +7,14 @@ use anyhow::{Context as _, Result};
 use fs_err as fs;
 use rustls::pki_types::pem::PemObject;
 use rustls::pki_types::{CertificateDer, PrivateKeyDer};
+use rustls::version::{TLS12, TLS13};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 use tokio::net::TcpStream;
 use tokio::time::timeout;
 use tokio_rustls::{rustls, TlsAcceptor};
 use tracing::debug;
 
+use crate::config::{CryptoProvider, ProxyConfig, TlsVersion};
 use crate::main_service::Proxy;
 
 use super::io_bridge::bridge;
@@ -91,25 +92,43 @@ pub struct TlsTerminateProxy {
     acceptor: TlsAcceptor,
 }
 
-impl TlsTerminateProxy {
-    pub fn new(app_state: &Proxy, cert: impl AsRef<Path>, key: impl AsRef<Path>) -> Result<Self> {
-        let cert_pem = fs::read(cert.as_ref()).context("failed to read certificate")?;
-        let key_pem = fs::read(key.as_ref()).context("failed to read private key")?;
-        let certs = CertificateDer::pem_slice_iter(cert_pem.as_slice())
-            .collect::<Result<Vec<_>, _>>()
-            .context("failed to parse certificate")?;
-        let key = PrivateKeyDer::from_pem_slice(key_pem.as_slice())
-            .context("failed to parse private key")?;
+fn create_acceptor(config: &ProxyConfig) -> Result<TlsAcceptor> {
+    let cert_pem = fs::read(&config.cert_chain).context("failed to read certificate")?;
+    let key_pem = fs::read(&config.cert_key).context("failed to read private key")?;
+    let certs = CertificateDer::pem_slice_iter(cert_pem.as_slice())
+        .collect::<Result<Vec<_>, _>>()
+        .context("failed to parse certificate")?;
+    let key =
+        PrivateKeyDer::from_pem_slice(key_pem.as_slice()).context("failed to parse private key")?;
+
+    let provider = match config.tls_crypto_provider {
+        CryptoProvider::AwsLcRs => rustls::crypto::aws_lc_rs::default_provider(),
+        CryptoProvider::Ring => rustls::crypto::ring::default_provider(),
+    };
+    let supported_versions = config
+        .tls_versions
+        .iter()
+        .map(|v| match v {
+            TlsVersion::Tls12 => &TLS12,
+            TlsVersion::Tls13 => &TLS13,
+        })
+        .collect::<Vec<_>>();
+    let config = rustls::ServerConfig::builder_with_provider(Arc::new(provider))
+        .with_protocol_versions(&supported_versions)
+        .context("Failed to build TLS config")?
+        .with_no_client_auth()
+        .with_single_cert(certs, key)?;
 
-        let config = rustls::ServerConfig::builder()
-            .with_no_client_auth()
-            .with_single_cert(certs, key)?;
+    let acceptor = TlsAcceptor::from(Arc::new(config));
 
-        let acceptor = TlsAcceptor::from(Arc::new(config));
+    Ok(acceptor)
+}
 
+impl TlsTerminateProxy {
+    pub fn new(app_state: &Proxy) -> Result<Self> {
         Ok(Self {
             app_state: app_state.clone(),
-            acceptor,
+            acceptor: create_acceptor(&app_state.config.proxy)?,
         })
     }