itsi 0.2.26 → 0.2.27

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (60) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +7 -0
  3. data/Cargo.lock +7 -3
  4. data/README.md +4 -1
  5. data/Rakefile +24 -3
  6. data/crates/itsi_acme/Cargo.toml +2 -1
  7. data/crates/itsi_acme/src/acceptor.rs +1 -1
  8. data/crates/itsi_acme/src/acme.rs +31 -3
  9. data/crates/itsi_acme/src/http_challenge.rs +81 -0
  10. data/crates/itsi_acme/src/https_helper.rs +3 -1
  11. data/crates/itsi_acme/src/jose.rs +6 -2
  12. data/crates/itsi_acme/src/lib.rs +2 -0
  13. data/crates/itsi_acme/src/resolver.rs +27 -4
  14. data/crates/itsi_acme/src/state.rs +183 -22
  15. data/crates/itsi_scheduler/Cargo.toml +1 -1
  16. data/crates/itsi_scheduler/src/itsi_scheduler.rs +115 -64
  17. data/crates/itsi_scheduler/src/lib.rs +2 -1
  18. data/crates/itsi_server/Cargo.toml +2 -1
  19. data/crates/itsi_server/src/lib.rs +15 -0
  20. data/crates/itsi_server/src/ruby_types/itsi_grpc_call.rs +0 -1
  21. data/crates/itsi_server/src/ruby_types/itsi_http_request.rs +9 -0
  22. data/crates/itsi_server/src/ruby_types/itsi_http_response.rs +114 -4
  23. data/crates/itsi_server/src/ruby_types/itsi_server/itsi_server_config.rs +22 -1
  24. data/crates/itsi_server/src/ruby_types/itsi_server.rs +100 -0
  25. data/crates/itsi_server/src/server/binds/listener.rs +9 -24
  26. data/crates/itsi_server/src/server/binds/tls.rs +372 -67
  27. data/crates/itsi_server/src/server/signal.rs +14 -9
  28. data/crates/itsi_server/src/services/itsi_http_service.rs +46 -2
  29. data/docs/content/features/_index.md +3 -0
  30. data/docs/content/getting_started/_index.md +6 -2
  31. data/docs/content/getting_started/local_development.md +13 -0
  32. data/docs/content/itsi_scheduler/_index.md +3 -0
  33. data/gems/scheduler/Cargo.lock +4011 -527
  34. data/gems/scheduler/Gemfile +8 -2
  35. data/gems/scheduler/Gemfile.lock +107 -0
  36. data/gems/scheduler/Rakefile +33 -9
  37. data/gems/scheduler/lib/itsi/scheduler/version.rb +1 -1
  38. data/gems/scheduler/lib/itsi/scheduler.rb +121 -6
  39. data/gems/scheduler/test/helpers/test_helper.rb +2 -0
  40. data/gems/scheduler/test/test_address_resolve.rb +8 -2
  41. data/gems/scheduler/test/test_itsi_scheduler.rb +80 -0
  42. data/gems/scheduler/test/test_timeout_after.rb +102 -0
  43. data/gems/server/Cargo.lock +30 -1
  44. data/gems/server/Gemfile +3 -0
  45. data/gems/server/Gemfile.lock +195 -0
  46. data/gems/server/Rakefile +18 -5
  47. data/gems/server/lib/itsi/http_request.rb +10 -0
  48. data/gems/server/lib/itsi/server/config/options/certificates.md +37 -9
  49. data/gems/server/lib/itsi/server/config/options/fiber_scheduler.md +2 -0
  50. data/gems/server/lib/itsi/server/default_config/Itsi.rb +4 -0
  51. data/gems/server/lib/itsi/server/rack_interface.rb +47 -3
  52. data/gems/server/lib/itsi/server/version.rb +1 -1
  53. data/gems/server/lib/itsi/server.rb +24 -0
  54. data/gems/server/test/acme/local_acme_challenges.rb +190 -0
  55. data/gems/server/test/helpers/local_acme.rb +218 -0
  56. data/gems/server/test/helpers/test_helper.rb +7 -9
  57. data/gems/server/test/middleware/endpoint.rb +9 -6
  58. data/gems/server/test/rack/test_rack_server.rb +144 -0
  59. data/lib/itsi/version.rb +1 -1
  60. metadata +12 -6
@@ -1,8 +1,9 @@
1
1
  use base64::{engine::general_purpose, Engine as _};
2
- use itsi_acme::{AcmeAcceptor, AcmeConfig, AcmeState};
2
+ use itsi_acme::{AcmeAcceptor, AcmeConfig, AcmeState, Http01Handler, ResolvesServerCertAcme};
3
3
  use itsi_error::Result;
4
- use itsi_tracing::info;
4
+ use itsi_tracing::{error, info};
5
5
  use locked_dir_cache::LockedDirCache;
6
+ use parking_lot::{Mutex as ParkingMutex, RwLock as ParkingRwLock};
6
7
  use rcgen::ExtendedKeyUsagePurpose;
7
8
  use rcgen::{
8
9
  BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, KeyUsagePurpose,
@@ -17,9 +18,14 @@ use std::{
17
18
  collections::HashMap,
18
19
  fs,
19
20
  io::{BufReader, Error},
20
- sync::Arc,
21
+ sync::{
22
+ atomic::{AtomicBool, Ordering},
23
+ Arc,
24
+ },
25
+ thread::JoinHandle,
21
26
  };
22
- use tokio::sync::Mutex;
27
+ use tokio::runtime::Builder as RuntimeBuilder;
28
+ use tokio::sync::{mpsc, watch};
23
29
  use tokio_rustls::{rustls::ServerConfig, TlsAcceptor};
24
30
 
25
31
  use crate::env::{
@@ -29,14 +35,300 @@ use crate::env::{
29
35
 
30
36
  mod locked_dir_cache;
31
37
 
38
+ #[derive(Debug, Clone)]
39
+ pub struct ManagedTlsDomainStatus {
40
+ pub domain: String,
41
+ pub status: String,
42
+ pub last_error: Option<String>,
43
+ }
44
+
45
+ #[derive(Clone)]
46
+ struct DynamicAcmeConfigTemplate {
47
+ client_config: Arc<ClientConfig>,
48
+ directory_url: String,
49
+ contact: Vec<String>,
50
+ cache_dir: String,
51
+ }
52
+
53
+ impl DynamicAcmeConfigTemplate {
54
+ fn state_for_domain(
55
+ &self,
56
+ domain: &str,
57
+ resolver: Arc<ResolvesServerCertAcme>,
58
+ http01_handler: Arc<Http01Handler>,
59
+ http01_enabled: bool,
60
+ ) -> AcmeState<Error> {
61
+ let state = AcmeConfig::new([domain])
62
+ .contact(self.contact.clone())
63
+ .cache(LockedDirCache::new(self.cache_dir.clone()))
64
+ .directory(&self.directory_url)
65
+ .client_tls_config(self.client_config.clone());
66
+ let mut state = AcmeState::new_with_resolver(
67
+ state,
68
+ resolver,
69
+ http01_handler,
70
+ Some(domain.to_string()),
71
+ );
72
+ state.set_http01_enabled(http01_enabled);
73
+ state
74
+ }
75
+ }
76
+
77
+ enum DynamicAcmeCommand {
78
+ Register(String),
79
+ Unregister(String),
80
+ Shutdown,
81
+ }
82
+
83
+ #[derive(Clone)]
84
+ pub struct DynamicAcmeManager {
85
+ inner: Arc<DynamicAcmeManagerInner>,
86
+ }
87
+
88
+ struct DynamicAcmeManagerInner {
89
+ resolver: Arc<ResolvesServerCertAcme>,
90
+ http01_registry: Arc<ParkingRwLock<HashMap<String, Arc<Http01Handler>>>>,
91
+ statuses: Arc<ParkingRwLock<HashMap<String, ManagedTlsDomainStatus>>>,
92
+ http01_enabled: Arc<AtomicBool>,
93
+ initialized: AtomicBool,
94
+ initial_domains: Vec<String>,
95
+ command_tx: mpsc::UnboundedSender<DynamicAcmeCommand>,
96
+ thread_handle: ParkingMutex<Option<JoinHandle<()>>>,
97
+ }
98
+
99
+ impl DynamicAcmeManager {
100
+ fn new(template: DynamicAcmeConfigTemplate, initial_domains: Vec<String>) -> Self {
101
+ let resolver = ResolvesServerCertAcme::new();
102
+ let http01_handler = Arc::new(Http01Handler::new());
103
+ let http01_registry = Arc::new(ParkingRwLock::new(HashMap::new()));
104
+ let statuses = Arc::new(ParkingRwLock::new(HashMap::new()));
105
+ let http01_enabled = Arc::new(AtomicBool::new(false));
106
+ let (command_tx, mut command_rx) = mpsc::unbounded_channel();
107
+
108
+ let resolver_clone = resolver.clone();
109
+ let http01_handler_clone = http01_handler.clone();
110
+ let http01_registry_clone = http01_registry.clone();
111
+ let statuses_clone = statuses.clone();
112
+ let http01_enabled_clone = http01_enabled.clone();
113
+
114
+ let thread_handle = std::thread::spawn(move || {
115
+ let runtime = RuntimeBuilder::new_current_thread()
116
+ .enable_all()
117
+ .build()
118
+ .expect("Failed to build dynamic ACME runtime");
119
+ runtime.block_on(async move {
120
+ let mut cancellations: HashMap<String, watch::Sender<bool>> = HashMap::new();
121
+
122
+ while let Some(command) = command_rx.recv().await {
123
+ match command {
124
+ DynamicAcmeCommand::Register(domain) => {
125
+ let domain = domain.to_ascii_lowercase();
126
+ if cancellations.contains_key(&domain) {
127
+ continue;
128
+ }
129
+
130
+ statuses_clone.write().insert(
131
+ domain.clone(),
132
+ ManagedTlsDomainStatus {
133
+ domain: domain.clone(),
134
+ status: "pending".to_string(),
135
+ last_error: None,
136
+ },
137
+ );
138
+ http01_registry_clone
139
+ .write()
140
+ .insert(domain.clone(), http01_handler_clone.clone());
141
+
142
+ let (cancel_tx, mut cancel_rx) = watch::channel(false);
143
+ cancellations.insert(domain.clone(), cancel_tx);
144
+
145
+ let resolver = resolver_clone.clone();
146
+ let http01_handler = http01_handler_clone.clone();
147
+ let registry = http01_registry_clone.clone();
148
+ let statuses = statuses_clone.clone();
149
+ let template = template.clone();
150
+ let enabled = http01_enabled_clone.clone();
151
+ let task_domain = domain.clone();
152
+
153
+ tokio::spawn(async move {
154
+ statuses.write().insert(
155
+ task_domain.clone(),
156
+ ManagedTlsDomainStatus {
157
+ domain: task_domain.clone(),
158
+ status: "issuing".to_string(),
159
+ last_error: None,
160
+ },
161
+ );
162
+ let mut state = template.state_for_domain(
163
+ &task_domain,
164
+ resolver.clone(),
165
+ http01_handler,
166
+ enabled.load(Ordering::SeqCst),
167
+ );
168
+
169
+ loop {
170
+ tokio::select! {
171
+ changed = cancel_rx.changed() => {
172
+ if changed.is_ok() && *cancel_rx.borrow() {
173
+ resolver.remove_auth_key(&task_domain);
174
+ resolver.remove_cert_for_domain(&task_domain);
175
+ registry.write().remove(&task_domain);
176
+ statuses.write().remove(&task_domain);
177
+ break;
178
+ }
179
+ }
180
+ event = futures::StreamExt::next(&mut state) => {
181
+ match event {
182
+ Some(Ok(_)) => {
183
+ let mut statuses = statuses.write();
184
+ if let Some(status) = statuses.get_mut(&task_domain) {
185
+ status.status = "active".to_string();
186
+ status.last_error = None;
187
+ }
188
+ }
189
+ Some(Err(err)) => {
190
+ let mut statuses = statuses.write();
191
+ if let Some(status) = statuses.get_mut(&task_domain) {
192
+ status.status = "failed".to_string();
193
+ status.last_error = Some(err.to_string());
194
+ }
195
+ }
196
+ None => break,
197
+ }
198
+ }
199
+ }
200
+ }
201
+ });
202
+ }
203
+ DynamicAcmeCommand::Unregister(domain) => {
204
+ let domain = domain.to_ascii_lowercase();
205
+ if let Some(cancel_tx) = cancellations.remove(&domain) {
206
+ let _ = cancel_tx.send(true);
207
+ } else {
208
+ http01_registry_clone.write().remove(&domain);
209
+ resolver_clone.remove_auth_key(&domain);
210
+ resolver_clone.remove_cert_for_domain(&domain);
211
+ statuses_clone.write().remove(&domain);
212
+ }
213
+ }
214
+ DynamicAcmeCommand::Shutdown => {
215
+ for (_, cancel_tx) in cancellations.drain() {
216
+ let _ = cancel_tx.send(true);
217
+ }
218
+ break;
219
+ }
220
+ }
221
+ }
222
+ });
223
+ });
224
+
225
+ Self {
226
+ inner: Arc::new(DynamicAcmeManagerInner {
227
+ resolver,
228
+ http01_registry,
229
+ statuses,
230
+ http01_enabled,
231
+ initialized: AtomicBool::new(false),
232
+ initial_domains,
233
+ command_tx,
234
+ thread_handle: ParkingMutex::new(Some(thread_handle)),
235
+ }),
236
+ }
237
+ }
238
+
239
+ pub fn resolver(&self) -> Arc<ResolvesServerCertAcme> {
240
+ self.inner.resolver.clone()
241
+ }
242
+
243
+ pub fn set_http01_enabled(&self, enabled: bool) {
244
+ self.inner.http01_enabled.store(enabled, Ordering::SeqCst);
245
+ }
246
+
247
+ pub fn initialize_domains(&self) {
248
+ if self.inner.initialized.swap(true, Ordering::SeqCst) {
249
+ return;
250
+ }
251
+
252
+ for domain in &self.inner.initial_domains {
253
+ self.register_domain(domain.clone());
254
+ }
255
+ }
256
+
257
+ pub fn register_domain(&self, domain: String) {
258
+ let _ = self
259
+ .inner
260
+ .command_tx
261
+ .send(DynamicAcmeCommand::Register(domain));
262
+ }
263
+
264
+ pub fn unregister_domain(&self, domain: &str) {
265
+ let _ = self
266
+ .inner
267
+ .command_tx
268
+ .send(DynamicAcmeCommand::Unregister(domain.to_string()));
269
+ }
270
+
271
+ pub fn http01_response(&self, host: &str, path: &str) -> Option<String> {
272
+ self.inner
273
+ .http01_registry
274
+ .read()
275
+ .get(host)
276
+ .and_then(|handler| handler.handle_challenge_request(path))
277
+ }
278
+
279
+ pub fn statuses(&self) -> Vec<ManagedTlsDomainStatus> {
280
+ let mut statuses = self
281
+ .inner
282
+ .statuses
283
+ .read()
284
+ .values()
285
+ .cloned()
286
+ .collect::<Vec<_>>();
287
+ statuses.sort_by(|a, b| a.domain.cmp(&b.domain));
288
+ statuses
289
+ }
290
+ }
291
+
292
+ impl Drop for DynamicAcmeManagerInner {
293
+ fn drop(&mut self) {
294
+ let _ = self.command_tx.send(DynamicAcmeCommand::Shutdown);
295
+ if let Some(handle) = self.thread_handle.lock().take() {
296
+ if let Err(err) = handle.join() {
297
+ error!("Dynamic ACME manager thread join failed: {:?}", err);
298
+ }
299
+ }
300
+ }
301
+ }
302
+
32
303
  #[derive(Clone)]
33
304
  pub enum ItsiTlsAcceptor {
34
305
  Manual(TlsAcceptor),
35
- Automatic(
36
- AcmeAcceptor,
37
- Arc<Mutex<AcmeState<Error>>>,
38
- Arc<ServerConfig>,
39
- ),
306
+ Automatic {
307
+ acme_acceptor: AcmeAcceptor,
308
+ manager: DynamicAcmeManager,
309
+ server_config: Arc<ServerConfig>,
310
+ },
311
+ }
312
+
313
+ impl ItsiTlsAcceptor {
314
+ pub fn manager(&self) -> Option<DynamicAcmeManager> {
315
+ match self {
316
+ ItsiTlsAcceptor::Automatic { manager, .. } => Some(manager.clone()),
317
+ ItsiTlsAcceptor::Manual(_) => None,
318
+ }
319
+ }
320
+
321
+ pub fn set_http01_enabled(&self, enabled: bool) {
322
+ if let ItsiTlsAcceptor::Automatic { manager, .. } = self {
323
+ manager.set_http01_enabled(enabled);
324
+ }
325
+ }
326
+
327
+ pub fn initialize_domains(&self) {
328
+ if let ItsiTlsAcceptor::Automatic { manager, .. } = self {
329
+ manager.initialize_domains();
330
+ }
331
+ }
40
332
  }
41
333
 
42
334
  /// Generates a TLS configuration based on either :
@@ -52,66 +344,79 @@ pub fn configure_tls(
52
344
  let domains = query_params
53
345
  .get("domains")
54
346
  .map(|v| v.split(',').map(String::from).collect::<Vec<_>>())
55
- .or_else(|| query_params.get("domain").map(|v| vec![v.to_string()]));
347
+ .or_else(|| query_params.get("domain").map(|v| vec![v.to_string()]))
348
+ .unwrap_or_default();
56
349
 
57
350
  if query_params.get("cert").is_some_and(|c| c == "acme") {
58
- if let Some(domains) = domains {
59
- let directory_url = &*ITSI_ACME_DIRECTORY_URL;
60
- info!(
61
- domains = format!("{:?}", domains),
62
- directory_url, "Requesting acme cert"
63
- );
64
- let acme_contact_email = query_params
65
- .get("acme_email")
66
- .map(|s| s.to_string())
67
- .or_else(|| (*ITSI_ACME_CONTACT_EMAIL).as_ref().ok().map(|s| s.to_string()))
68
- .ok_or_else(|| itsi_error::ItsiError::ArgumentError(
69
- "acme_email query param or ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate let's encrypt certificates".to_string(),
70
- ))?;
71
-
72
- let acme_config = AcmeConfig::new(domains)
73
- .contact([format!("mailto:{}", acme_contact_email)])
74
- .cache(LockedDirCache::new(&*ITSI_ACME_CACHE_DIR))
75
- .directory(directory_url);
76
-
77
- let acme_state = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
78
- let mut root_cert_store = RootCertStore::empty();
79
-
80
- let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
81
- let mut ca_reader = BufReader::new(&ca_pem[..]);
82
- let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
83
- .collect::<std::result::Result<Vec<CertificateDer>, _>>()
84
- .map_err(|e| {
85
- itsi_error::ItsiError::ArgumentError(format!(
86
- "Invalid ACME CA Pem path {:?}",
87
- e
88
- ))
89
- })?;
90
- root_cert_store.add_parsable_certificates(der_certs);
91
-
92
- let client_config = ClientConfig::builder()
351
+ let directory_url = &*ITSI_ACME_DIRECTORY_URL;
352
+ info!(
353
+ domains = format!("{:?}", domains),
354
+ directory_url, "Requesting acme cert"
355
+ );
356
+ let acme_contact_email = query_params
357
+ .get("acme_email")
358
+ .map(|s| s.to_string())
359
+ .or_else(|| (*ITSI_ACME_CONTACT_EMAIL).as_ref().ok().map(|s| s.to_string()))
360
+ .ok_or_else(|| itsi_error::ItsiError::ArgumentError(
361
+ "acme_email query param or ITSI_ACME_CONTACT_EMAIL must be set before you can auto-generate let's encrypt certificates".to_string(),
362
+ ))?;
363
+
364
+ let client_config = if let Ok(ca_pem_path) = &*ITSI_ACME_CA_PEM_PATH {
365
+ let mut root_cert_store = RootCertStore::empty();
366
+
367
+ let ca_pem = fs::read(ca_pem_path).expect("failed to read CA pem file");
368
+ let mut ca_reader = BufReader::new(&ca_pem[..]);
369
+ let der_certs: Vec<CertificateDer> = certs(&mut ca_reader)
370
+ .collect::<std::result::Result<Vec<CertificateDer>, _>>()
371
+ .map_err(|e| {
372
+ itsi_error::ItsiError::ArgumentError(format!("Invalid ACME CA Pem path {:?}", e))
373
+ })?;
374
+ root_cert_store.add_parsable_certificates(der_certs);
375
+
376
+ Arc::new(
377
+ ClientConfig::builder()
93
378
  .with_root_certificates(root_cert_store)
94
- .with_no_client_auth();
95
- acme_config
96
- .client_tls_config(Arc::new(client_config))
97
- .state()
98
- } else {
99
- acme_config.state()
100
- };
101
-
102
- let mut rustls_config = ServerConfig::builder()
103
- .with_no_client_auth()
104
- .with_cert_resolver(acme_state.resolver());
105
-
106
- rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
107
-
108
- let acceptor = acme_state.acceptor();
109
- return Ok(ItsiTlsAcceptor::Automatic(
110
- acceptor,
111
- Arc::new(Mutex::new(acme_state)),
112
- Arc::new(rustls_config),
113
- ));
114
- }
379
+ .with_no_client_auth(),
380
+ )
381
+ } else {
382
+ let mut root_store = RootCertStore::empty();
383
+ root_store.extend(
384
+ webpki_roots::TLS_SERVER_ROOTS
385
+ .iter()
386
+ .map(|ta| rustls::pki_types::TrustAnchor {
387
+ subject: ta.subject.clone(),
388
+ subject_public_key_info: ta.subject_public_key_info.clone(),
389
+ name_constraints: ta.name_constraints.clone(),
390
+ }),
391
+ );
392
+ Arc::new(
393
+ ClientConfig::builder()
394
+ .with_root_certificates(root_store)
395
+ .with_no_client_auth(),
396
+ )
397
+ };
398
+
399
+ let manager = DynamicAcmeManager::new(
400
+ DynamicAcmeConfigTemplate {
401
+ client_config,
402
+ directory_url: directory_url.to_string(),
403
+ contact: vec![format!("mailto:{}", acme_contact_email)],
404
+ cache_dir: ITSI_ACME_CACHE_DIR.to_string(),
405
+ },
406
+ domains.clone(),
407
+ );
408
+
409
+ let mut rustls_config = ServerConfig::builder()
410
+ .with_no_client_auth()
411
+ .with_cert_resolver(manager.resolver());
412
+
413
+ rustls_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
414
+
415
+ return Ok(ItsiTlsAcceptor::Automatic {
416
+ acme_acceptor: AcmeAcceptor::new(manager.resolver()),
417
+ manager,
418
+ server_config: Arc::new(rustls_config),
419
+ });
115
420
  }
116
421
  let (certs, key) = if let (Some(cert_path), Some(key_path)) =
117
422
  (query_params.get("cert"), query_params.get("key"))
@@ -121,7 +426,7 @@ pub fn configure_tls(
121
426
  let key = load_private_key(key_path);
122
427
  (certs, key)
123
428
  } else {
124
- generate_ca_signed_cert(domains.unwrap_or(vec![host.to_owned()]))?
429
+ generate_ca_signed_cert(if domains.is_empty() { vec![host.to_owned()] } else { domains })?
125
430
  };
126
431
 
127
432
  let mut config = ServerConfig::builder()
@@ -63,7 +63,7 @@ pub fn send_lifecycle_event(event: LifecycleEvent) {
63
63
  }
64
64
  }
65
65
 
66
- fn receive_signal(signum: i32, _: sighandler_t) {
66
+ extern "C" fn receive_signal(signum: i32) {
67
67
  debug!("Received signal: {}", signum);
68
68
  SIGINT_COUNT.fetch_add(-1, Ordering::SeqCst);
69
69
  let event = match signum {
@@ -96,20 +96,25 @@ fn receive_signal(signum: i32, _: sighandler_t) {
96
96
  }
97
97
  }
98
98
 
99
+ fn signal_handler() -> sighandler_t {
100
+ receive_signal as *const () as sighandler_t
101
+ }
102
+
99
103
  pub fn reset_signal_handlers() -> bool {
100
104
  debug!("Resetting signal handlers");
101
105
  SIGINT_COUNT.store(0, Ordering::SeqCst);
102
106
  SHUTDOWN_REQUESTED.store(false, Ordering::SeqCst);
103
107
 
104
108
  unsafe {
105
- libc::signal(libc::SIGTERM, receive_signal as usize);
106
- libc::signal(libc::SIGINT, receive_signal as usize);
107
- libc::signal(libc::SIGUSR2, receive_signal as usize);
108
- libc::signal(libc::SIGUSR1, receive_signal as usize);
109
- libc::signal(libc::SIGHUP, receive_signal as usize);
110
- libc::signal(libc::SIGTTIN, receive_signal as usize);
111
- libc::signal(libc::SIGTTOU, receive_signal as usize);
112
- libc::signal(libc::SIGCHLD, receive_signal as usize);
109
+ let handler = signal_handler();
110
+ libc::signal(libc::SIGTERM, handler);
111
+ libc::signal(libc::SIGINT, handler);
112
+ libc::signal(libc::SIGUSR2, handler);
113
+ libc::signal(libc::SIGUSR1, handler);
114
+ libc::signal(libc::SIGHUP, handler);
115
+ libc::signal(libc::SIGTTIN, handler);
116
+ libc::signal(libc::SIGTTOU, handler);
117
+ libc::signal(libc::SIGCHLD, handler);
113
118
  }
114
119
  true
115
120
  }
@@ -1,16 +1,17 @@
1
1
  use crate::default_responses::{NOT_FOUND_RESPONSE, TIMEOUT_RESPONSE};
2
2
  use crate::ruby_types::itsi_server::itsi_server_config::ItsiServerTokenPreference;
3
3
  use crate::server::http_message_types::{
4
- ConversionExt, HttpRequest, HttpResponse, RequestExt, ResponseFormat,
4
+ ConversionExt, HttpBody, HttpRequest, HttpResponse, RequestExt, ResponseFormat,
5
5
  };
6
6
  use crate::server::lifecycle_event::LifecycleEvent;
7
7
  use crate::server::middleware_stack::MiddlewareLayer;
8
8
  use crate::server::serve_strategy::acceptor::AcceptorArgs;
9
9
  use crate::server::signal::{send_lifecycle_event, SHUTDOWN_REQUESTED};
10
+ use bytes::Bytes;
10
11
  use chrono::{self, DateTime, Local};
11
12
  use either::Either;
12
13
  use http::header::ACCEPT_ENCODING;
13
- use http::{HeaderValue, Request};
14
+ use http::{HeaderValue, Request, StatusCode};
14
15
  use hyper::body::Incoming;
15
16
  use regex::Regex;
16
17
  use smallvec::SmallVec;
@@ -174,6 +175,7 @@ impl HttpRequestContext {
174
175
  const SERVER_TOKEN_VERSION: HeaderValue =
175
176
  HeaderValue::from_static(concat!("Itsi/", env!("CARGO_PKG_VERSION")));
176
177
  const SERVER_TOKEN_NAME: HeaderValue = HeaderValue::from_static("Itsi");
178
+ const TEXT_PLAIN_UTF8: HeaderValue = HeaderValue::from_static("text/plain; charset=utf-8");
177
179
 
178
180
  impl ItsiHttpService {
179
181
  pub async fn handle_request(&self, req: Request<Incoming>) -> itsi_error::Result<HttpResponse> {
@@ -188,6 +190,10 @@ impl ItsiHttpService {
188
190
  let token_preference = self.server_params.itsi_server_token_preference;
189
191
 
190
192
  let service_future = async move {
193
+ if let Some(acme_response) = self.acme_http01_response(&req) {
194
+ return Ok(acme_response);
195
+ }
196
+
191
197
  let Some((stack, matching_pattern)) =
192
198
  self.server_params.middleware.get().unwrap().stack_for(&req)
193
199
  else {
@@ -264,4 +270,42 @@ impl ItsiHttpService {
264
270
  service_future.await
265
271
  }
266
272
  }
273
+
274
+ fn acme_http01_response(&self, req: &HttpRequest) -> Option<HttpResponse> {
275
+ let host = normalize_host_header(req.header("host")?)?;
276
+ let managers = self.server_params.acme_managers.read();
277
+ let key_authorization = managers
278
+ .iter()
279
+ .find_map(|(_, manager)| manager.http01_response(host, req.uri().path()))?;
280
+
281
+ let mut builder = http::Response::builder()
282
+ .status(StatusCode::OK)
283
+ .header(http::header::CONTENT_TYPE, TEXT_PLAIN_UTF8);
284
+
285
+ if req.method() == http::Method::HEAD {
286
+ builder = builder.header(http::header::CONTENT_LENGTH, "0");
287
+ return builder.body(HttpBody::empty()).ok();
288
+ }
289
+
290
+ builder
291
+ .header(
292
+ http::header::CONTENT_LENGTH,
293
+ key_authorization.len().to_string(),
294
+ )
295
+ .body(HttpBody::full(Bytes::from(key_authorization)))
296
+ .ok()
297
+ }
298
+ }
299
+
300
+ fn normalize_host_header(host: &str) -> Option<&str> {
301
+ let host = host.trim();
302
+ if host.is_empty() {
303
+ return None;
304
+ }
305
+
306
+ if let Some(stripped) = host.strip_prefix('[') {
307
+ return stripped.split(']').next();
308
+ }
309
+
310
+ Some(host.split(':').next().unwrap_or(host))
267
311
  }
@@ -145,6 +145,8 @@ Itsi also comes bundled with a passfile generator, to help you manage your passw
145
145
  * Automated provisioning of Let's Encrypt certificates.
146
146
  * File system caching of certificate data to avoid excessive API calls.
147
147
  * Supports usage of subject alternative names (SANs) for certificates that span multiple domains/sub-domains.
148
+ * Supports direct `TLS-ALPN-01` validation and `HTTP-01` validation when a reachable HTTP listener is available.
149
+ * Supports runtime domain registration for live certificate issuance without restarting the server.
148
150
  * See <a target="_blank" href="/options/certificates#production-certificates-lets-encrypt">certificates</a>.
149
151
  {{% /details %}}
150
152
 
@@ -225,6 +227,7 @@ Note: This is not the same as <a target="_blank" href="https://grpc.io/blog/grpc
225
227
  {{% details title="Non-blocking(Fiber Scheduler) Mode" closed="true" %}}
226
228
  * Support for Ruby’s fiber scheduler for non-blocking concurrency, boosting performance during I/O operations.
227
229
  * Use Itsi's own high-performance built-in <a target="_blank" href="/itsi_scheduler">Fiber Scheduler</a> or if your prefer you can bring your own!
230
+ * Current native gems are built and tested across common Linux and macOS x86_64 and ARM64 targets.
228
231
  * See <a target="_blank" href="/options/fiber_scheduler">fiber_scheduler</a>.
229
232
  {{% /details %}}
230
233
 
@@ -20,7 +20,8 @@ Install Ruby
20
20
  **Prerequisites**
21
21
 
22
22
 
23
- You'll need at least a C/C++ build environment and `clang` and `curl` (for running `rustup`) installed.
23
+ Most Linux installs on common x86_64 and ARM64 targets can use the precompiled native gems directly.
24
+ If RubyGems falls back to the source gems, you'll need a C/C++ build environment plus `clang` and `curl` (for running `rustup`).
24
25
 
25
26
  #### For Ubuntu / Debian:
26
27
  ```bash
@@ -63,6 +64,9 @@ Then use `gem` to install Itsi, or its components based on your Ruby version.
63
64
  {{< /tab >}}
64
65
  {{< tab >}}
65
66
  **Mac**:
67
+ Most macOS installs on Apple Silicon and Intel Macs can use the precompiled native gems directly.
68
+ If RubyGems falls back to the source gems, install Xcode Command Line Tools first.
69
+
66
70
  **For Ruby >= 3.0**:
67
71
  ```bash
68
72
  gem install itsi
@@ -88,7 +92,7 @@ Then use `gem` to install Itsi, or its components based on your Ruby version.
88
92
  {{< tab >}}
89
93
  **FreeBSD**
90
94
 
91
- On FreeBSD you'll need to install a few build tools manually:
95
+ FreeBSD currently relies on source builds, so you'll need to install a few build tools manually:
92
96
  ```bash
93
97
  pkg install gmake cmake curl llvm
94
98
  ```
@@ -75,6 +75,19 @@ Itsi will print informative error message if config validation fails. E.g.
75
75
  | ^^^
76
76
  ```
77
77
 
78
+ ## Local ACME Testing
79
+ Itsi includes end-to-end ACME tests that exercise both `TLS-ALPN-01` and `HTTP-01` flows against a local [Pebble](https://github.com/letsencrypt/pebble) certificate authority.
80
+
81
+ The test helper installs Pebble on demand using the Go toolchain, so the only prerequisite is a working `go` binary on your `PATH`.
82
+
83
+ Once Go is available, the local ACME tests can be run as part of the normal server suite:
84
+
85
+ ```bash
86
+ rake server:test
87
+ ```
88
+
89
+ If Go is not installed, those specific ACME integration tests will be skipped rather than failing the whole suite.
90
+
78
91
  ## Shell Completions
79
92
  Itsi can also help you install shell completions, which are useful if you find yourself using the `itsi` executable a lot and forgetting the commands.
80
93
  Add the following line to the bottom of your ~/.bashrc or ~/.zshrc file: