Conversation
Add ingress-side `ohttp.tls` (bool) + `ohttp.tls_ca_certs` (list of PEM file
paths) config so the ingress wraps its OHTTP-encrypted POST in HTTPS
(`https://host:port/path`) when `tls: true`, terminating at a TLS-terminating
gateway in front of the egress. Default (`null`/omitted, or `false`) keeps
plain `http://`, preserving pre-existing behavior (additive, backward
compatible).
The scheme lives on the OHTTP forwarding layer, so it applies to every
ingress mode (Mapping / HttpProxy / Socks5 / Netfilter / Hook).
- tng/config: `OHttpArgs.tls` + `tls_ca_certs`. `tls_ca_certs` is
`#[cfg(not(wasm))]` — a browser has no filesystem, so the field does not
exist on wasm; providing it in a wasm config is a parse error
(`deny_unknown_fields`).
- tng/ohttp: `scheme_from_tls` + `build_ohttp_http_client` (native loads
CAs via `reqwest::Certificate::from_pem_bundle`, fail-fast at ingress
startup with `with_context` labels; wasm builds a plain client — browser
controls TLS). `construct_base_url` emits `{scheme}://`.
- tng-testsuite: `AppType::TlsTcpProxy` TLS-terminating raw-TCP proxy
fixture (tokio-rustls acceptor + bidirectional copy) and embedded
webpki-compliant CA/server/key PEMs. End-to-end test
`ohttp_tls::test_ohttp_forwarded_over_tls` exercises the full path
(client -> ingress-https -> gateway TLS-term -> egress OHTTP-decap ->
backend), `no_ra` on both sides.
- docs: `configuration.md` + `configuration_zh.md` document both fields.
- CLAUDE.md: ban hard-wrapping prose in human-readable Markdown.
Collaborator
|
@imlk0 ,您好,您的请求已接收,请耐心等待结果。 |
Collaborator
|
@imlk0 ,您好,未检测到有镜像需要构建,如需重新检测请评论 /start 。 |
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds ingress-side
ohttp.tls(bool) +ohttp.tls_ca_certs(list of PEM file paths) config so the ingress wraps its OHTTP-encrypted POST in HTTPS (https://host:port/path) whentls: true, terminating at a TLS-terminating gateway in front of the egress. Default (null/omitted/false) keeps plainhttp://— additive and backward compatible.Motivation: a TLS-terminating gateway (e.g. an HTTPS load balancer) may sit in front of the egress. The ingress must post the OHTTP ciphertext to the gateway over HTTPS so the gateway can terminate TLS before forwarding the raw OHTTP-over-HTTP bytes to the egress.
The scheme lives on the OHTTP forwarding layer (not the endpoint), so it covers every ingress mode (Mapping / HttpProxy / Socks5 / Netfilter / Hook).
Changes
tng/src/config/ingress.rs—OHttpArgs.tls: Option<bool>+tls_ca_certs: Vec<String>.tls_ca_certsis#[cfg(not(wasm))]: a browser has no filesystem, so the field does not exist on wasm; providing it in a wasm config is a parse error (deny_unknown_fields). New serde unit tests for defaults + round-trip.tng/src/tunnel/ingress/protocol/ohttp/security/mod.rs—scheme_from_tls(Option<bool>) -> &'static str(Some(true)⇒"https", else"http");build_ohttp_http_clientbuilds the reqwest client and (native) loads CAs viareqwest::Certificate::from_pem_bundlewith fail-fastwith_contextlabels at ingress startup; wasm builds a plain client (browser controls TLS).construct_base_urlemits{scheme}://{authority}{path}. Errors preserve the chain (no string-formatting); logging uses?errorstructured form. Unit tests for CA-loading success / missing-path / malformed-PEM / no-CA.tng-testsuite—AppType::TlsTcpProxyTLS-terminating raw-TCP proxy fixture (tokio-rustls acceptor + bidirectionaltokio::io::copy) mirroringload_balancer.rs; embedded webpki-compliant CA/server/key PEMs intests/ohttp/tls_fixtures.rs(criticalCA:TRUE+certSign+SKI/AKI on the CA;CA:FALSE+digitalSignature/keyEncipherment+serverAuth+SANs on the server). Dev-deps:tokio-rustls,rustls-pemfile,tempfile.tests/ohttp/ohttp_tls.rs::test_ohttp_forwarded_over_tls—no_raon both sides, inserts theTlsTcpProxybetween ingress and egress, and proves the full path: client → ingress (TLS-wrapped OHTTP POST tohttps://192.168.1.1:20002) → gateway (TLS termination) → plain TCP127.0.0.1:20001(egress mapping-in) → egress OHTTP decap → backend. Passes.docs/configuration.md+docs/configuration_zh.md— document both fields (bilingual).CLAUDE.md— ban hard-wrapping prose in human-readable Markdown.Verification
cargo fmt --checkclean.cargo clippy -p tng -p tng-testsuite --all-targetsFinished (no new warnings from this change; pre-existingtokio::spawndisallowed-method lints are consistent across all existingapp/*.rsfixtures).cargo build -p tng -p tng-testsuite --testsEXIT 0.cargo test -p tng --lib security::→ 65 passed.cargo test -p tng-testsuite --test ohttp_tls→ 1 passed (e2e).Compatibility
Additive only — new optional fields with backward-compatible defaults. No existing config/endpoint/protocol breaks. Not logged in
version_compatibility.md(no breaking change).