Implemented AutoTLS via RustTLS

2026-03-10 16:20:19 +00:00
parent 588b610e08
commit bf16ff40f9
7 changed files with 411 additions and 35 deletions
--- a/furumi-server/src/main.rs
+++ b/furumi-server/src/main.rs
@@ -8,17 +8,17 @@ use std::path::PathBuf;
 use std::sync::Arc;
 use axum::{Router, routing::get};
 use clap::Parser;
-use tonic::transport::Server;
+use tonic::transport::{Identity, Server, ServerTlsConfig};
 use vfs::local::LocalVfs;
 use furumi_common::proto::remote_file_system_server::RemoteFileSystemServer;
 use server::RemoteFileSystemImpl;
 use security::AuthInterceptor;

 #[derive(Parser, Debug)]
-#[command(version, about, long_about = None)]
+#[command(version, about = "Furumi-ng: remote filesystem server over encrypted gRPC")]
 struct Args {
    /// IP address and port to bind the gRPC server to
-    #[arg(short, long, env = "FURUMI_BIND", default_value = "[::1]:50051")]
+    #[arg(short, long, env = "FURUMI_BIND", default_value = "0.0.0.0:50051")]
    bind: String,

    /// Document root directory to expose via VFS
@@ -32,6 +32,14 @@ struct Args {
    /// IP address and port for the Prometheus metrics HTTP endpoint
    #[arg(long, env = "FURUMI_METRICS_BIND", default_value = "0.0.0.0:9090")]
    metrics_bind: String,
+
+    /// Disable TLS encryption (not recommended, use only for debugging)
+    #[arg(long, default_value_t = false)]
+    no_tls: bool,
+
+    /// Save the auto-generated TLS certificate to this file (for client --tls-ca)
+    #[arg(long, env = "FURUMI_TLS_CERT_OUT")]
+    tls_cert_out: Option<PathBuf>,
 }

 async fn metrics_handler() -> String {
@@ -40,12 +48,17 @@ async fn metrics_handler() -> String {

 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    // Install ring as the default crypto provider for rustls (must be before any TLS usage)
+    rustls::crypto::ring::default_provider()
+        .install_default()
+        .expect("Failed to install rustls crypto provider");
+    
    tracing_subscriber::fmt::init();

    let args = Args::parse();
    let addr: SocketAddr = args.bind.parse().unwrap_or_else(|e| {
        eprintln!("Error: Invalid bind address '{}': {}", args.bind, e);
-        eprintln!("  Expected format: IP:PORT (e.g. 0.0.0.0:50051 or [::1]:50051)");
+        eprintln!("  Expected format: IP:PORT (e.g. 0.0.0.0:50051)");
        std::process::exit(1);
    });

@@ -69,14 +82,20 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let auth = AuthInterceptor::new(args.token.clone());
    let svc = RemoteFileSystemServer::with_interceptor(remote_fs, auth.clone());

+    // Print startup info
    println!("Furumi-ng Server listening on {}", addr);
+    if args.no_tls {
+        println!("WARNING: TLS is DISABLED — traffic is unencrypted");
+    } else {
+        println!("TLS: enabled (auto-generated self-signed certificate)");
+    }
    if args.token.is_empty() {
        println!("WARNING: Authentication is DISABLED");
    } else {
-        println!("Authentication is enabled (Bearer token required)");
+        println!("Authentication: enabled (Bearer token)");
    }
    println!("Document Root: {:?}", root_path);
-    println!("Metrics endpoint: http://{}/metrics", metrics_addr);
+    println!("Metrics: http://{}/metrics", metrics_addr);

    // Spawn the Prometheus metrics HTTP server on a separate port
    let metrics_app = Router::new().route("/metrics", get(metrics_handler));
@@ -85,14 +104,39 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
        axum::serve(metrics_listener, metrics_app).await.unwrap();
    });

-    Server::builder()
-        // Enable TCP Keep-Alive and HTTP2 Ping to keep connections alive for long media streams
+    let mut builder = Server::builder()
        .tcp_keepalive(Some(std::time::Duration::from_secs(60)))
-        .http2_keepalive_interval(Some(std::time::Duration::from_secs(60)))
+        .http2_keepalive_interval(Some(std::time::Duration::from_secs(60)));
+
+    if !args.no_tls {
+        let cert_pair = rcgen::generate_simple_self_signed(vec![
+            "localhost".to_string(),
+            "furumi-ng".to_string(),
+        ])
+        .expect("Failed to generate self-signed certificate");
+
+        let cert_pem = cert_pair.cert.pem();
+        let key_pem = cert_pair.signing_key.serialize_pem();
+
+        // Optionally save the certificate PEM for the client
+        if let Some(ref cert_path) = args.tls_cert_out {
+            std::fs::write(cert_path, &cert_pem)
+                .unwrap_or_else(|e| {
+                    eprintln!("Error: Failed to write TLS cert to {:?}: {}", cert_path, e);
+                    std::process::exit(1);
+                });
+            println!("TLS certificate saved to {:?} (use with client --tls-ca)", cert_path);
+        }
+
+        let identity = Identity::from_pem(cert_pem, key_pem);
+        let tls_config = ServerTlsConfig::new().identity(identity);
+        builder = builder.tls_config(tls_config)?;
+    }
+
+    builder
        .add_service(svc)
        .serve(addr)
        .await?;

    Ok(())
 }
-