
Comments (23)

SergioBenitez avatar SergioBenitez commented on May 3, 2024 29

I'm convinced.

Rocket will support TLS, including client-to-server authentication. Support will be provided via rustls. This will ship as part of the next major release, 0.3, and will land in master soon.

from rocket.

fabricedesre avatar fabricedesre commented on May 3, 2024 20

Now, please don't take any of this as criticizing you or your processes if any of this is what you do. But you must realize that it's not considered the correct method in respect to industry best practices and tools shouldn't cater to that.

That's because you focus on one use case: running in a "big server" setup. If I want to expose an IoT device as a https endpoint, I certainly don't want to put anything in front of the https server itself.

Different use cases have different constraints, so one size does not fit all. By offering an optional, feature gated support, Rocket could cater to all.


SergioBenitez avatar SergioBenitez commented on May 3, 2024 16

TLS support has landed in 1516ca4! If you're on master and would like to use it immediately, please see the hello_tls example. Client authentication via TLS is not yet supported. Its progress will be tracked in #254.


jxn avatar jxn commented on May 3, 2024 11

@SergioBenitez I'm not sure if this is enough to justify the extra work, but native support certainly has benefits. HTTPS is increasingly a requirement even in development, for features like Service Worker.

Nginx and HAProxy are great for complicated use cases, but for simple apps, they introduce complexity and friction to building and setup for both development and production. Proxy servers require more setup (especially cross-platform like Windows), can't be version managed in Cargo.toml dependencies, and could add unnecessary bloat. They also add more non-Rust code to the app. By now we've already drunk the Rust-safety Kool-aid, so we don't want that.

My use-case is that I've been playing around with rust a little bit, and I've been asked to give a short workshop intro, but it requires HTTPS-only web features. I'd love to be able to use Rocket, and have rustup installation and cargo run the only required steps to get people started, but adding in nginx greatly complicates the start of a project. I know native HTTPS support in rocket wouldn't arrive in time for this workshop, but it's one example!


mgattozzi avatar mgattozzi commented on May 3, 2024 9

Maybe not everyone wants to use NGINX or HAProxy and having native inbuilt support would be nice. Maybe behind a feature flag like native-ssl so that those who want it can use it and those who don't can use something else. Flexibility and covering more use cases will benefit everyone, at the cost of maintainability.


rohitjoshi avatar rohitjoshi commented on May 3, 2024 6

👍 Hopefully Mutual SSL will be supported as well where we can verify client's SSL CN.


SergioBenitez avatar SergioBenitez commented on May 3, 2024 4

@ghazkarim You can place Rocket behind a reverse proxy, like NGINX, to get SSL support. This is what paste.rs does, for example.


SergioBenitez avatar SergioBenitez commented on May 3, 2024 3

This is blocked by hyperium/hyper#975. That being said, Rocket tries very hard not to expose Hyper types directly, and I don't particularly like the idea of having two launch methods. I imagine the best avenue for this would be via some configuration parameters.


sfackler avatar sfackler commented on May 3, 2024 3

You can disable Hyper's ssl feature and use https://crates.io/crates/hyper-openssl to get an SslServer implementation that uses a modern version of rust-openssl.

There's a fairly large set of things you'd need to be able to configure to do TLS setup programmatically but it should be doable.


mehcode avatar mehcode commented on May 3, 2024 3

I don't particularly like the idea of having two launch methods. I imagine the best avenue for this would be via some configuration parameters.

👍 I shouldn't have to change code to change the protocol binding of the app.


On that note.. I'm not really in favor of this in a general case. Outside of development or demoing there is no use-case I can think for the app using SSL itself.

I would be in favor of actually automatically listening on both HTTP and HTTPS via an automatically generated self-signed certificate. This behavior could be expanded to allow configuration to run HTTPS with a real certificate.


More on use cases.. I can't see any point of listening on SSL in production.

I can try and envision a use case:

You are trying to be as cheap as possible. You have a single server running your application and would want this so you don't have to configure nginx on the same server and deal with port binding.

  • First off.. even if you are being cheap.. please get 2 servers and use a basic load balancer for an app that is in production which in that case the SSL gateway is at the load balancer and the individual app servers are behind a firewall. But perhaps this is just a throw-away site that it doesn't really matter if it goes down.

  • Using some reverse proxy like nginx can give you zero-downtime upgrades for free. Without this your site will go offline for a brief moment when you push the new version.

Any production reason I can think of just goes to the site being throw-away which is contradictory to wanting SSL in the first place.

Now, please don't take any of this as criticizing you or your processes if any of this is what you do. But you must realize that it's not considered the correct method in respect to industry best practices and tools shouldn't cater to that.


mehcode avatar mehcode commented on May 3, 2024 2

That's because you focus on one use case: running in a "big server" setup. If I want to expose an IoT device as a https endpoint, I certainly don't want to put anything in front of the https server itself.

I stand corrected. I've never done anything with IoT but now that I consider that, it makes a lot of sense. I still think easily running HTTPS with a generated self-signed cert would be neat for demoing in cases where your demo must be in SSL.


ghazkarim avatar ghazkarim commented on May 3, 2024

I'm not sure what exactly the plan for Rocket's HTTP backend is but I support this feature request. I like Rocket a lot but without TLS I can't really use it in a serious project. HTTP2 and HTTP2 Server Push support are also things I'd like to see in a release.


ghazkarim avatar ghazkarim commented on May 3, 2024

@SergioBenitez didn't know that. Thank you! I wonder however if native SSL support might provide better performance than Rocket + Nginx.


SergioBenitez avatar SergioBenitez commented on May 3, 2024

Is there a case where putting Rocket behind a reverse proxy like NGINX or HAProxy to get SSL support doesn't suffice? I'd like to hear about them, if so.


SlyDen avatar SlyDen commented on May 3, 2024

It depends on security constraints also. A real use case is that communication between services (microservices) must be done over a secured protocol.

We may utilize Nginx etc. for SSL termination, but only if services (not exposed to the internet directly) can communicate with each other on isolated networks, and that is not always possible.

So, e.g. for my use cases I need at least SSL support (the HTTP2 requirement is on the horizon already) to work with it ...

Nevertheless, Rocket looks very attractive ... I'm just starting to evaluate Rust (in parallel with Go) and can't do any useful PRs yet, but I appreciate the authors' efforts 💯 I understand there are external dependencies ...

Now, please don't take any of this as criticizing you or your processes if any of this is what you do.

No worries, it is a discussion ... different projects - different use cases :)


mmstick avatar mmstick commented on May 3, 2024

I'd like SSL support too because it seems that SSL support is a requirement for enabling Brotli compression of web content. I've improved my page caching technique in Rocket to also support Brotli, but no web browser supports ("Content-Encoding", "br") without HTTPS.


Roba1993 avatar Roba1993 commented on May 3, 2024

I would like to use rocket, but without SSL support it's not possible. I have two use-cases:

  1. Provide a Home Control website to turn lights on/off etc.
  2. Communicate to the IoT devices over a secured connection

I really hope, SSL support is coming soon....


mmstick avatar mmstick commented on May 3, 2024

@SergioBenitez I've a question. I'm trying to use keys I got from Let's Encrypt, and I've added the following into my Rocket.toml file:

[global.tls]
certs = "/etc/letsencrypt/live/mmstick.tk/fullchain.pem"
key = "/etc/letsencrypt/live/mmstick.tk/privkey.pem"

But I seem to be getting this error:

Error: 'development.tls' key could not be parsed
    => in "/mnt/archive/Sources/personal-website/Rocket.toml"
    => expected value to be a readable certificates file, but found nonexistent or invalid file


SergioBenitez avatar SergioBenitez commented on May 3, 2024

@mmstick I just tried with a Let's Encrypt chain and private key, and everything worked as expected. I would check the permissions on the files and ensure that the Rocket process can read them. I'm pushing an update now that will clarify error messages. It's currently not clear if there's an I/O issue with reading the files or if the files failed to parse.


mmstick avatar mmstick commented on May 3, 2024

@SergioBenitez Seems to report it as a malformed PEM file. Now I'm wondering why Let's Encrypt would create a malformed file.


SergioBenitez avatar SergioBenitez commented on May 3, 2024

@mmstick It's possible that rustls is expecting one format when Let's Encrypt is giving you another. If you hop on #rocket, I'd love to help you debug this!

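The "nonexistent or invalid file" error quoted earlier conflates two different failures (an unreadable file versus a file that does not parse), and the follow-up narrows it to a malformed PEM. The block below is an added example, not Rocket's or rustls's code, of a small std-only Rust diagnostic that separates the I/O failure (missing file, permissions) from the PEM structure failure and reports the label of every block it finds. That label matters because TLS libraries differ in which private-key encodings they accept (PKCS#8 "PRIVATE KEY" versus PKCS#1 "RSA PRIVATE KEY", for instance), so a mismatch of that kind is the first thing to check when a chain and key that work elsewhere are rejected. The file paths in `main` and the sample PEM text are constructed; the code checks PEM framing and the base64 alphabet only and does not decode or validate the DER payload.

```rust
// Added example (not Rocket's or rustls's code): diagnose why a TLS `certs`
// or `key` PEM file might be reported as "nonexistent or invalid" or "malformed".
use std::fs;
use std::path::Path;

/// One `-----BEGIN X-----` ... `-----END X-----` block found in a PEM file.
#[derive(Debug, PartialEq)]
pub struct PemBlock {
    pub label: String,
    /// Number of base64 payload characters (the DER is roughly 3/4 of this).
    pub body_len: usize,
}

#[derive(Debug, PartialEq)]
pub enum PemProblem {
    /// The file is missing or cannot be read (check path and permissions).
    Unreadable(String),
    /// The file was read but contains no BEGIN/END block at all.
    NoBlocks,
    /// A BEGIN line had no matching END line with the same label.
    UnterminatedBlock(String),
    /// A body line (1-based) contains characters outside the base64 alphabet.
    BadBase64Line(usize),
}

/// Parse the PEM framing of `text` without decoding the DER inside.
pub fn scan_pem(text: &str) -> Result<Vec<PemBlock>, PemProblem> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, usize)> = None;
    for (idx, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if let Some(label) = line.strip_prefix("-----BEGIN ").and_then(|r| r.strip_suffix("-----")) {
            if let Some((open, _)) = current.take() {
                return Err(PemProblem::UnterminatedBlock(open));
            }
            current = Some((label.to_string(), 0));
        } else if let Some(label) = line.strip_prefix("-----END ").and_then(|r| r.strip_suffix("-----")) {
            match current.take() {
                Some((open, body_len)) if open == label => blocks.push(PemBlock { label: open, body_len }),
                Some((open, _)) => return Err(PemProblem::UnterminatedBlock(open)),
                None => return Err(PemProblem::UnterminatedBlock(label.to_string())),
            }
        } else if let Some((_, body_len)) = current.as_mut() {
            if line.is_empty() {
                continue;
            }
            // Inside a block every non-empty line must be base64 (with '=' padding).
            let ok = line.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=');
            if !ok {
                return Err(PemProblem::BadBase64Line(idx + 1));
            }
            *body_len += line.len();
        }
        // Text outside any block (e.g. tool comments) is ignored, as PEM allows.
    }
    if let Some((open, _)) = current {
        return Err(PemProblem::UnterminatedBlock(open));
    }
    if blocks.is_empty() {
        return Err(PemProblem::NoBlocks);
    }
    Ok(blocks)
}

/// Read and scan a file. An I/O error (ENOENT, EACCES) is reported separately
/// from a framing error, which is the distinction the original message lacked.
pub fn scan_pem_file(path: &Path) -> Result<Vec<PemBlock>, PemProblem> {
    match fs::read_to_string(path) {
        Ok(text) => scan_pem(&text),
        Err(e) => Err(PemProblem::Unreadable(format!("{}: {}", path.display(), e))),
    }
}

/// Which private-key encoding a PEM label announces; a parser that only accepts
/// one of these will reject the others even though the key itself is fine.
pub fn key_label_hint(label: &str) -> &'static str {
    match label {
        "PRIVATE KEY" => "PKCS#8, unencrypted",
        "RSA PRIVATE KEY" => "PKCS#1 RSA (older 'traditional' format)",
        "EC PRIVATE KEY" => "SEC1 EC key",
        "ENCRYPTED PRIVATE KEY" => "PKCS#8, encrypted; a server needs the passphrase",
        _ => "not a private key block",
    }
}

fn main() {
    // Constructed paths; on a real host these would be the certs/key entries from Rocket.toml.
    for path in ["/path/to/fullchain.pem", "/path/to/privkey.pem"] {
        match scan_pem_file(Path::new(path)) {
            Ok(blocks) => {
                for b in &blocks {
                    println!("{}: {} ({} base64 chars) -> {}", path, b.label, b.body_len, key_label_hint(&b.label));
                }
            }
            Err(problem) => println!("{}: {:?}", path, problem),
        }
    }
}
```

Running it against the two files named in a `[global.tls]` section tells you in one step whether the process can read them at all, whether each is framed as PEM, and which key encoding the key file actually carries.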

GildedHonour avatar GildedHonour commented on May 3, 2024

If I'm using nginx as a proxy between a rust rocket application and the internet, will I need to set up anything in my application to support tls? Or will I have to do that in the nginx config file?


SergioBenitez avatar SergioBenitez commented on May 3, 2024

@GildedHonour You'd use NGINX for TLS in that case. See their documentation for more information.
