@assetsart/nylon-mesh 1.0.1

package/src/proxy/handlers.rs

@@ -0,0 +1,76 @@
+use bytes::Bytes;
+use http::StatusCode;
+use pingora::Result;
+use pingora::http::ResponseHeader;
+use pingora_proxy::Session;
+
+use super::MeshProxy;
+
+impl MeshProxy {
+    pub async fn serve_probe_response(
+        session: &mut Session,
+        status: StatusCode,
+        msg: &'static str,
+    ) -> Result<()> {
+        let mut header = ResponseHeader::build(status, None).unwrap();
+        let _ = header.insert_header("Content-Length", msg.len().to_string());
+        session
+            .write_response_header(Box::new(header), true)
+            .await?;
+        session
+            .write_response_body(Some(Bytes::from(msg)), true)
+            .await?;
+        Ok(())
+    }
+
+    pub async fn handle_probes(&self, session: &mut Session, uri: &str) -> Result<Option<bool>> {
+        if let Some(liveness_path) = &self.config.liveness_path {
+            if uri == liveness_path {
+                Self::serve_probe_response(session, StatusCode::OK, "OK").await?;
+                return Ok(Some(true));
+            }
+        }
+
+        if let Some(readiness_path) = &self.config.readiness_path {
+            if uri == readiness_path {
+                if crate::is_shutting_down() {
+                    Self::serve_probe_response(
+                        session,
+                        StatusCode::SERVICE_UNAVAILABLE,
+                        "Service is shutting down",
+                    )
+                    .await?;
+                } else {
+                    Self::serve_probe_response(session, StatusCode::OK, "OK").await?;
+                }
+                return Ok(Some(true));
+            }
+        }
+
+        Ok(None)
+    }
+
+    pub fn should_bypass_cache(&self, method: &str, uri: &str) -> bool {
+        if method != "GET" {
+            return true;
+        }
+
+        if let Some(bypass) = &self.config.bypass {
+            if let Some(paths) = &bypass.paths {
+                for p in paths {
+                    if uri.starts_with(p) {
+                        return true;
+                    }
+                }
+            }
+            if let Some(exts) = &bypass.extensions {
+                for ext in exts {
+                    if uri.ends_with(ext) {
+                        return true;
+                    }
+                }
+            }
+        }
+        false
+    }
+}

package/src/proxy/load_balancer.rs

@@ -0,0 +1,23 @@
+use pingora_load_balancing::{
+    LoadBalancer,
+    selection::{Random, RoundRobin},
+};
+use std::sync::Arc;
+
+pub enum MeshLoadBalancer {
+    RoundRobin(Arc<LoadBalancer<RoundRobin>>),
+    Random(Arc<LoadBalancer<Random>>),
+}
+
+impl MeshLoadBalancer {
+    pub fn select(
+        &self,
+        key: &[u8],
+        max_iterations: usize,
+    ) -> Option<pingora_load_balancing::Backend> {
+        match self {
+            Self::RoundRobin(lb) => lb.select(key, max_iterations),
+            Self::Random(lb) => lb.select(key, max_iterations),
+        }
+    }
+}

package/src/proxy/mod.rs

@@ -0,0 +1,232 @@
+pub mod cache;
+pub mod handlers;
+pub mod load_balancer;
+
+pub use load_balancer::MeshLoadBalancer;
+
+use async_trait::async_trait;
+use bytes::Bytes;
+use moka::future::Cache;
+use pingora::Result;
+use pingora::http::ResponseHeader;
+use pingora::upstreams::peer::HttpPeer;
+use pingora_proxy::{ProxyHttp, Session};
+use std::sync::Arc;
+use std::time::Duration;
+
+use crate::config::Config;
+
+pub struct MeshProxy {
+    pub config: Arc<Config>,
+    pub load_balancer: Arc<MeshLoadBalancer>,
+    pub tier1_cache: Cache<String, (ResponseHeader, Bytes)>,
+    pub encoding_hits: Arc<std::collections::HashMap<&'static str, std::sync::atomic::AtomicU64>>,
+}
+
+pub struct ProxyCtx {
+    pub should_cache: bool,
+    pub cache_key: String,
+    pub host: String,
+    pub response_body: Vec<u8>,
+    pub response_header: Option<ResponseHeader>,
+}
+
+#[async_trait]
+impl ProxyHttp for MeshProxy {
+    type CTX = ProxyCtx;
+
+    fn new_ctx(&self) -> Self::CTX {
+        ProxyCtx {
+            should_cache: false,
+            cache_key: String::new(),
+            host: String::new(),
+            response_body: Vec::new(),
+            response_header: None,
+        }
+    }
+
+    async fn upstream_peer(
+        &self,
+        _session: &mut Session,
+        _ctx: &mut Self::CTX,
+    ) -> Result<Box<HttpPeer>> {
+        let upstream = self
+            .load_balancer
+            .select(b"", 256) // Use empty hash for round robin
+            .ok_or_else(|| {
+                pingora::Error::explain(
+                    pingora::ErrorType::HTTPStatus(502),
+                    "No upstream available",
+                )
+            })?;
+
+        let peer = HttpPeer::new(upstream.clone(), false, String::new());
+        Ok(Box::new(peer))
+    }
+
+    async fn request_filter(&self, session: &mut Session, ctx: &mut Self::CTX) -> Result<bool> {
+        let uri = session.req_header().uri.path().to_string();
+
+        if let Some(handled) = self.handle_probes(session, &uri).await? {
+            return Ok(handled);
+        }
+
+        let method = session.req_header().method.as_str().to_string();
+
+        if self.should_bypass_cache(&method, &uri) {
+            return Ok(false);
+        }
+
+        let host = session
+            .req_header()
+            .headers
+            .get("Host")
+            .map(|v| v.to_str().unwrap_or("localhost"))
+            .unwrap_or("localhost")
+            .to_string();
+
+        ctx.host = host.clone();
+
+        let accept_encoding = session
+            .req_header()
+            .headers
+            .get("accept-encoding")
+            .map(|hv| hv.to_str().unwrap_or(""))
+            .unwrap_or("")
+            .to_string();
+
+        let encodings_to_check = self.determine_encodings_to_check(&accept_encoding);
+        let query = session
+            .req_header()
+            .uri
+            .query()
+            .map_or(String::new(), |q| format!("?{}", q));
+        let now_secs = std::time::SystemTime::now()
+            .duration_since(std::time::UNIX_EPOCH)
+            .unwrap_or(std::time::Duration::from_secs(0))
+            .as_secs();
+
+        self.fetch_from_cache(
+            session,
+            ctx,
+            &host,
+            &uri,
+            &query,
+            &encodings_to_check,
+            now_secs,
+        )
+        .await
+    }
+
+    async fn response_filter(
+        &self,
+        session: &mut Session,
+        resp: &mut ResponseHeader,
+        ctx: &mut Self::CTX,
+    ) -> Result<()> {
+        let req_uri = session.req_header().uri.path();
+
+        if let Some(rules) = &self.config.cache_control {
+            for rule in rules {
+                let mut matches = false;
+                if let Some(paths) = &rule.paths {
+                    for p in paths {
+                        if req_uri.starts_with(p) {
+                            matches = true;
+                            break;
+                        }
+                    }
+                }
+                if !matches {
+                    if let Some(exts) = &rule.extensions {
+                        for ext in exts {
+                            if req_uri.ends_with(ext) {
+                                matches = true;
+                                break;
+                            }
+                        }
+                    }
+                }
+                if matches {
+                    let _ = resp.remove_header("Cache-Control");
+                    let _ = resp.insert_header("Cache-Control", &rule.value);
+                    break;
+                }
+            }
+        }
+
+        let content_type = resp
+            .headers
+            .get("Content-Type")
+            .map(|hv| hv.to_str().unwrap_or(""))
+            .unwrap_or("");
+
+        let default_statuses = vec![200];
+        let default_content_types = vec!["text/html".to_string()];
+
+        let valid_statuses = self
+            .config
+            .cache
+            .as_ref()
+            .and_then(|c| c.status.as_ref())
+            .unwrap_or(&default_statuses);
+
+        let valid_content_types = self
+            .config
+            .cache
+            .as_ref()
+            .and_then(|c| c.content_types.as_ref())
+            .unwrap_or(&default_content_types);
+
+        let has_valid_status = valid_statuses.contains(&resp.status.as_u16());
+        let has_valid_content_type = valid_content_types
+            .iter()
+            .any(|ct| content_type.contains(ct));
+
+        if has_valid_status && has_valid_content_type && !ctx.cache_key.is_empty() {
+            ctx.should_cache = true;
+            ctx.response_header = Some(resp.clone());
+        }
+
+        Ok(())
+    }
+
+    fn response_body_filter(
+        &self,
+        _session: &mut Session,
+        body: &mut Option<Bytes>,
+        end_of_stream: bool,
+        ctx: &mut Self::CTX,
+    ) -> Result<Option<Duration>> {
+        if ctx.should_cache {
+            if let Some(b) = body {
+                ctx.response_body.extend_from_slice(b);
+            }
+
+            if end_of_stream {
+                let cache_key = ctx.cache_key.clone();
+                let html_bytes = Bytes::from(ctx.response_body.clone());
+                let redis_url_opt = self.config.redis_url.clone();
+                let t2_ttl = self
+                    .config
+                    .cache
+                    .as_ref()
+                    .and_then(|c| c.tier2_ttl_seconds)
+                    .unwrap_or(60);
+
+                if let Some(header) = ctx.response_header.clone() {
+                    let host = ctx.host.clone();
+                    self.spawn_cache_save(
+                        host,
+                        cache_key,
+                        header,
+                        html_bytes,
+                        redis_url_opt,
+                        t2_ttl,
+                    );
+                }
+            }
+        }
+        Ok(None)
+    }
+}

package/src/tls_accept.rs

@@ -0,0 +1,119 @@
+use async_trait::async_trait;
+use openssl::{pkey::PKey, ssl::NameType, x509::X509};
+use pingora::{
+    listeners::{TlsAccept, tls::TlsSettings},
+    tls::ext,
+};
+use std::collections::HashMap;
+use tracing::error;
+
+pub struct TlsCertificate {
+    cert: X509,
+    key: PKey<openssl::pkey::Private>,
+    chain: Vec<X509>,
+}
+
+pub struct DynamicCertificate {
+    // Maps SNI hostname to certificate
+    certs: HashMap<String, TlsCertificate>,
+    default_cert: Option<TlsCertificate>,
+}
+
+impl DynamicCertificate {
+    pub fn new() -> Self {
+        Self {
+            certs: HashMap::new(),
+            default_cert: None,
+        }
+    }
+}
+
+pub fn new_tls_settings(
+    certs_config: Vec<crate::config::CertificateConfig>,
+) -> Result<TlsSettings, Box<pingora_core::BError>> {
+    let mut dynamic_cert = DynamicCertificate::new();
+
+    for cfg in certs_config {
+        let cert_pem = std::fs::read(&cfg.cert_path).map_err(|e| {
+            pingora_core::Error::because(
+                pingora_core::ErrorType::Custom("TLSConfError"),
+                format!("Failed to read cert file {}: {}", cfg.cert_path, e),
+                e,
+            )
+        })?;
+        let key_pem = std::fs::read(&cfg.key_path).map_err(|e| {
+            pingora_core::Error::because(
+                pingora_core::ErrorType::Custom("TLSConfError"),
+                format!("Failed to read key file {}: {}", cfg.key_path, e),
+                e,
+            )
+        })?;
+
+        let cert = X509::from_pem(&cert_pem).map_err(|e| {
+            pingora_core::Error::because(
+                pingora_core::ErrorType::Custom("TLSConfError"),
+                "Failed to parse cert",
+                e,
+            )
+        })?;
+        let key = PKey::private_key_from_pem(&key_pem).map_err(|e| {
+            pingora_core::Error::because(
+                pingora_core::ErrorType::Custom("TLSConfError"),
+                "Failed to parse private key",
+                e,
+            )
+        })?;
+
+        let tls_cert = TlsCertificate {
+            cert,
+            key,
+            chain: vec![], // Extend logic later to handle fullchains if necessary
+        };
+
+        if cfg.host == "default" {
+            dynamic_cert.default_cert = Some(tls_cert);
+        } else {
+            dynamic_cert.certs.insert(cfg.host, tls_cert);
+        }
+    }
+
+    let tls =
+        TlsSettings::with_callbacks(Box::new(dynamic_cert)).map_err(|e: Box<pingora::Error>| {
+            pingora_core::Error::because(
+                pingora_core::ErrorType::Custom("TLSConfError"),
+                "TlsSettings wrapper error",
+                e,
+            )
+        })?;
+    Ok(tls)
+}
+
+#[async_trait]
+impl TlsAccept for DynamicCertificate {
+    async fn certificate_callback(&self, ssl: &mut pingora::protocols::tls::TlsRef) {
+        let server_name = ssl.servername(NameType::HOST_NAME).unwrap_or("localhost");
+
+        let cert_info = if let Some(cert) = self.certs.get(server_name) {
+            cert
+        } else if let Some(cert) = &self.default_cert {
+            cert
+        } else {
+            error!("No certificate found for SNI: {}", server_name);
+            return;
+        };
+
+        if let Err(e) = ext::ssl_use_certificate(ssl, &cert_info.cert) {
+            error!("Failed to use certificate: {}", e);
+        }
+
+        if let Err(e) = ext::ssl_use_private_key(ssl, &cert_info.key) {
+            error!("Failed to use private key: {}", e);
+        }
+
+        for chain_cert in &cert_info.chain {
+            if let Err(e) = ext::ssl_add_chain_cert(ssl, chain_cert) {
+                error!("Failed to add chain certificate: {}", e);
+            }
+        }
+    }
+}