From d017409f5bd98f2a34a52fa09f17239f30510ed2 Mon Sep 17 00:00:00 2001
From: houseme <housemecn@gmail.com>
Date: Wed, 2 Apr 2025 00:48:08 +0800
Subject: [PATCH] add rustfs tls

---
 Cargo.lock         | 30 -------------------------
 Cargo.toml         |  2 +-
 rustfs/Cargo.toml  |  2 +-
 rustfs/src/main.rs | 56 +++++++++++++++++++++++++++++++++++-----------
 4 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index b453c2bf..26424790 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3957,9 +3957,7 @@ dependencies = [
  "http",
  "hyper",
  "hyper-util",
- "log",
  "rustls 0.23.23",
- "rustls-native-certs",
  "rustls-pki-types",
  "tokio",
  "tokio-rustls 0.26.2",
@@ -5402,12 +5400,6 @@ version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
-[[package]]
-name = "openssl-probe"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
-
 [[package]]
 name = "option-ext"
 version = "0.2.0"
@@ -6673,7 +6665,6 @@ dependencies = [
  "http",
  "http-body",
  "hyper",
- "hyper-rustls",
  "hyper-util",
  "iam",
  "jsonwebtoken",
@@ -6783,18 +6774,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "rustls-native-certs"
-version = "0.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fcff2dd52b58a8d98a70243663a0d234c4e2b79235637849d15913394a247d3"
-dependencies = [
- "openssl-probe",
- "rustls-pki-types",
- "schannel",
- "security-framework 3.2.0",
-]
-
 [[package]]
 name = "rustls-pemfile"
 version = "2.2.0"
@@ -6914,15 +6893,6 @@ dependencies = [
  "winapi-util",
 ]
 
-[[package]]
-name = "schannel"
-version = "0.1.27"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1f29ebaa345f945cec9fbbc532eb307f0fdad8161f281b6369539c8d84876b3d"
-dependencies = [
- "windows-sys 0.59.0",
-]
-
 [[package]]
 name = "scoped-tls"
 version = "1.0.1"
diff --git a/Cargo.toml b/Cargo.toml
index 8e71d2a4..2e97d0eb 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -50,7 +50,7 @@ common = { path = "./common/common" }
 policy = { path = "./policy" }
 hex = "0.4.3"
 hyper = "1.6.0"
-hyper-rustls = { version = "0.27.5", features = ["http2"] }
+#hyper-rustls = { version = "0.27.5", features = ["http2"] }
 hyper-util = { version = "0.1.10", features = [
     "tokio",
     "server-auto",
diff --git a/rustfs/Cargo.toml b/rustfs/Cargo.toml
index 9ae6b580..c1a5d071 100644
--- a/rustfs/Cargo.toml
+++ b/rustfs/Cargo.toml
@@ -30,7 +30,7 @@ futures.workspace = true
 futures-util.workspace = true
 h2 = "0.4.7"
 hyper.workspace = true
-hyper-rustls.workspace = true
+#hyper-rustls.workspace = true
 hyper-util.workspace = true
 http.workspace = true
 http-body.workspace = true
diff --git a/rustfs/src/main.rs b/rustfs/src/main.rs
index a34b182d..8edc9e72 100644
--- a/rustfs/src/main.rs
+++ b/rustfs/src/main.rs
@@ -27,7 +27,6 @@ use ecstore::{
     update_erasure_type,
 };
 use ecstore::{global::set_global_rustfs_port, notification_sys::new_global_notification_sys};
-use futures_util::TryFutureExt;
 use grpc::make_server;
 use hyper_util::{
     rt::{TokioExecutor, TokioIo},
@@ -216,13 +215,14 @@ async fn run(opt: config::Opt) -> Result<()> {
     };
 
     let rpc_service = NodeServiceServer::with_interceptor(make_server(), check_auth);
+
     let tls_path = opt.tls_path.clone().unwrap_or_default();
     let key_path = format!("{}/{}", tls_path, RUSTFS_TLS_KEY);
     let cert_path = format!("{}/{}", tls_path, RUSTFS_TLS_CERT);
-
     let has_tls_certs = tokio::try_join!(tokio::fs::metadata(key_path.clone()), tokio::fs::metadata(cert_path.clone())).is_ok();
-
-    if has_tls_certs {
+    let tls_acceptor = if has_tls_certs {
+        debug!("Found TLS certificates, starting with HTTPS");
+        let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();
         let certs = utils::load_certs(cert_path.as_str()).map_err(|e| error(e.to_string()))?;
         let key = utils::load_private_key(key_path.as_str()).map_err(|e| error(e.to_string()))?;
         let mut server_config = ServerConfig::builder()
@@ -230,12 +230,14 @@ async fn run(opt: config::Opt) -> Result<()> {
             .with_single_cert(certs, key)
             .map_err(|e| error(e.to_string()))?;
         server_config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec(), b"http/1.0".to_vec()];
-        let tls_acceptor = TlsAcceptor::from(Arc::new(server_config));
+        Some(TlsAcceptor::from(Arc::new(server_config)))
+    } else {
+        debug!("TLS certificates not found, starting with HTTP");
+        None
     };
 
     tokio::spawn(async move {
         let hyper_service = service.into_shared();
-
         let hybrid_service = TowerToHyperService::new(
             tower::ServiceBuilder::new()
                 .layer(CorsLayer::permissive())
@@ -245,8 +247,10 @@ async fn run(opt: config::Opt) -> Result<()> {
         let http_server = ConnBuilder::new(TokioExecutor::new());
         let mut ctrl_c = std::pin::pin!(tokio::signal::ctrl_c());
         let graceful = hyper_util::server::graceful::GracefulShutdown::new();
-
+        debug!("graceful initiated");
         loop {
+            debug!("waiting for SIGINT or SIGTERM has_tls_certs: {}", has_tls_certs);
+            // Wait for a connection
             let (socket, _) = tokio::select! {
                 res = listener.accept() => {
                     match res {
@@ -261,12 +265,38 @@ async fn run(opt: config::Opt) -> Result<()> {
                     break;
                 }
             };
-
-            let conn = http_server.serve_connection(TokioIo::new(socket), hybrid_service.clone());
-            let conn = graceful.watch(conn.into_owned());
-            tokio::spawn(async move {
-                let _ = conn.await;
-            });
+            if has_tls_certs {
+                debug!("TLS certificates found, starting with SIGINT");
+                let tls_socket = match tls_acceptor.as_ref().ok_or_else(|| error("TLS not configured".to_string())).unwrap().accept(socket).await {
+                    Ok(tls_socket) => tls_socket,
+                    Err(err) => {
+                        error!("TLS handshake failed {}", err);
+                        continue;
+                    }
+                };
+                let conn = http_server.serve_connection(TokioIo::new(tls_socket), hybrid_service.clone());
+                let conn = graceful.watch(conn.into_owned());
+                tokio::task::spawn_blocking(move || {
+                    tokio::runtime::Runtime::new()
+                        .expect("Failed to create runtime")
+                        .block_on(async move {
+                            if let Err(err) = conn.await {
+                                error!("Https Connection error: {}", err);
+                            }
+                        });
+                });
+                debug!("TLS handshake success");
+            } else {
+                debug!("Http handshake start");
+                let conn = http_server.serve_connection(TokioIo::new(socket), hybrid_service.clone());
+                let conn = graceful.watch(conn.into_owned());
+                tokio::spawn(async move {
+                    if let Err(err) = conn.await {
+                        error!("Http Connection error: {}", err);
+                    }
+                });
+                debug!("Http handshake success");
+            }
         }
 
         tokio::select! {