programatik29 / axum-server

High level server designed to be used with axum framework.
MIT License

Reloading private key and certificates #5

Closed programatik29 closed 3 years ago

programatik29 commented 3 years ago

Currently there is no way to reload the private key and certificates while the server is running. I plan to add it.

How does that API sound:

use axum::{
    handler::get,
    Router,
};
use axum_server::TlsLoader;
use tokio::time::{sleep, Duration};

#[tokio::main]
async fn main() {
    let app = Router::new().route("/", get(|| async { "Hello, World!" }));

    let loader = TlsLoader::builder()
        .private_key_file("certs/key.pem")
        .certificate_file("certs/cert.pem")
        .build()
        .await
        .unwrap();

    tokio::spawn(reload_every_day(loader.clone()));

    axum_server::bind_rustls("127.0.0.1:3000")
        .tls_loader(loader)
        .serve(app)
        .await
        .unwrap();
}

async fn reload_every_day(mut loader: TlsLoader) {
    loop {
        // Sleep first since certificates are loaded after loader is built.
        sleep(Duration::from_secs(3600 * 24)).await;

        // Can be loaded with recent settings.
        // For example: Read previously provided file contents again.
        loader.load().await.unwrap();

        // Can overwrite settings and load.
        loader
            .private_key_file("certs/private_key.pem")
            .certificate_file("certs/fullchain.pem")
            .load()
            .await
            .unwrap();
    }
}
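The proposal above leaves the hard part implicit: what happens when `load()` runs while a certificate is being rotated and the files on disk are half-written or mismatched. As an added example (not axum-server code and not the API proposed above), the std-only sketch below shows the behaviour a practitioner wants from such a loader: it validates the new key and certificate files together before anything is swapped, swaps atomically behind an `Arc<RwLock<Arc<_>>>` so a failed reload leaves the previous material serving, and hands out cheap snapshots to the acceptor. The PEM handling is structural only (block delimiters, exactly one private key, at least one certificate, no certificates in the key file); it does not decode DER or check that the key matches the leaf, which a real implementation would do when building the rustls certified key. `TlsMaterial`, `TlsLoader`, `parse_material`, `pem_blocks` and the PEM fixtures are assumed names and constructed data.

```rust
// Added example, not part of axum-server: a hot-reloadable TLS material holder that
// validates first, swaps atomically, and keeps the old material if the new files are bad.
// The PEM handling is a structural check, not a DER parser.
use std::fs;
use std::path::PathBuf;
use std::sync::{Arc, RwLock};

#[derive(Debug, Clone, PartialEq)]
pub struct TlsMaterial {
    /// Base64 body of the single private-key block.
    pub private_key: String,
    /// Base64 bodies of the certificate blocks, in file order (leaf first).
    pub cert_chain: Vec<String>,
}

/// Bodies of every `-----BEGIN <label>-----` ... `-----END <label>-----` block in `pem`.
/// An unterminated block (typical of a file still being written) is not returned.
pub fn pem_blocks(pem: &str, label: &str) -> Vec<String> {
    let begin = format!("-----BEGIN {label}-----");
    let end = format!("-----END {label}-----");
    let mut blocks = Vec::new();
    let mut body: Option<String> = None;
    for line in pem.lines().map(str::trim) {
        if line == begin {
            body = Some(String::new());
        } else if line == end {
            if let Some(b) = body.take() {
                blocks.push(b);
            }
        } else if let Some(b) = body.as_mut() {
            b.push_str(line);
        }
    }
    blocks
}

const KEY_LABELS: [&str; 3] = ["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"];

/// Validate the key file and certificate file together before anything is swapped in.
pub fn parse_material(key_pem: &str, cert_pem: &str) -> Result<TlsMaterial, String> {
    let mut keys: Vec<String> = KEY_LABELS.iter().flat_map(|l| pem_blocks(key_pem, l)).collect();
    if keys.len() != 1 {
        return Err(format!("expected exactly one private key block, found {}", keys.len()));
    }
    let key = keys.pop().unwrap();
    if key.is_empty() {
        return Err("private key block is empty".into());
    }
    // A key file that also carries certificates is a common concatenation mistake.
    if !pem_blocks(key_pem, "CERTIFICATE").is_empty() {
        return Err("key file also contains certificates; refusing ambiguous input".into());
    }
    let chain = pem_blocks(cert_pem, "CERTIFICATE");
    if chain.is_empty() || chain.iter().any(|c| c.is_empty()) {
        return Err("certificate file has no complete CERTIFICATE block".into());
    }
    Ok(TlsMaterial { private_key: key, cert_chain: chain })
}

/// Current material behind a lock; readers clone the inner Arc, so a swap never
/// disturbs a handshake that already took its snapshot.
#[derive(Clone)]
pub struct TlsLoader {
    key_path: PathBuf,
    cert_path: PathBuf,
    current: Arc<RwLock<Arc<TlsMaterial>>>,
}

impl TlsLoader {
    /// Initial load fails hard: there is nothing to fall back to yet.
    pub fn open(key_path: impl Into<PathBuf>, cert_path: impl Into<PathBuf>) -> Result<Self, String> {
        let (key_path, cert_path) = (key_path.into(), cert_path.into());
        let material = read_and_parse(&key_path, &cert_path)?;
        Ok(Self { key_path, cert_path, current: Arc::new(RwLock::new(Arc::new(material))) })
    }

    /// Re-read the same paths. On any error the previously loaded material stays in place.
    pub fn reload(&self) -> Result<(), String> {
        let material = read_and_parse(&self.key_path, &self.cert_path)?;
        *self.current.write().map_err(|_| "lock poisoned".to_string())? = Arc::new(material);
        Ok(())
    }

    /// Snapshot for the acceptor: an Arc clone, no copy of the key bytes.
    pub fn current(&self) -> Arc<TlsMaterial> {
        self.current.read().expect("lock poisoned").clone()
    }
}

fn read_and_parse(key_path: &PathBuf, cert_path: &PathBuf) -> Result<TlsMaterial, String> {
    let key = fs::read_to_string(key_path).map_err(|e| format!("{}: {e}", key_path.display()))?;
    let cert = fs::read_to_string(cert_path).map_err(|e| format!("{}: {e}", cert_path.display()))?;
    parse_material(&key, &cert)
}

/// Constructed PEM fixtures; the bodies are placeholders, not real key material.
pub const KEY_PEM: &str = "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASC\n-----END PRIVATE KEY-----\n";
pub const CERT_PEM: &str = "-----BEGIN CERTIFICATE-----\nMIIDazCCAlOgAwIBAgIUQ\n-----END CERTIFICATE-----\n\
-----BEGIN CERTIFICATE-----\nMIIDdTCCAl2gAwIBAgIJ\n-----END CERTIFICATE-----\n";

fn main() {
    match parse_material(KEY_PEM, CERT_PEM) {
        Ok(m) => println!("loaded key and a {}-certificate chain", m.cert_chain.len()),
        Err(e) => eprintln!("refusing to load: {e}"),
    }
}
```

The periodic task from the proposal would call `reload()` and log the error rather than `unwrap()` it: a failed reload is expected during rotation races and must not take the server down, while the old certificate keeps serving until the next attempt. The `Arc<RwLock<Arc<_>>>` shape is also what a rustls `ResolvesServerCert` implementation can read from on every ClientHello to pick the freshly loaded certified key without restarting the listener.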

ZhiHanZ commented 3 years ago

Would axum server provide full TLS support with reloading, such as SNI and rootCAStore?

programatik29 commented 3 years ago

Would axum server provide full TLS support with reloading, such as SNI and rootCAStore?

That would probably require users to create a ServerConfig themselves. There is no reason not to allow passing a ServerConfig directly, so I will add a server_config function to allow that.