diff --git a/pingora-cache/src/cache_control.rs b/pingora-cache/src/cache_control.rs index f8612080..584d8b29 100644 --- a/pingora-cache/src/cache_control.rs +++ b/pingora-cache/src/cache_control.rs @@ -1,4 +1,4 @@ -// Copyright 2026 Cloudflare, Inc. +//! Copyright 2026 Cloudflare, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -12,8 +12,7 @@ // See the License for the specific language governing permissions and // limitations under the License. -//! Functions and utilities to help parse Cache-Control headers - +/// Functions and utilities to help parse Cache-Control headers use super::*; use http::header::HeaderName; diff --git a/pingora-core/src/listeners/mod.rs b/pingora-core/src/listeners/mod.rs index db799765..ebcc9471 100644 --- a/pingora-core/src/listeners/mod.rs +++ b/pingora-core/src/listeners/mod.rs @@ -188,9 +188,14 @@ impl TransportStackBuilder { #[cfg(windows)] let l4 = builder.listen().await?; + let tls_val = match self.tls.take() { + Some(tls) => Some(Arc::new(tls.build()?)), + None => None, + }; + Ok(TransportStack { l4, - tls: self.tls.take().map(|tls| Arc::new(tls.build())), + tls: tls_val, l4_buffer: self.l4_buffer, pre_tls_callback: self.pre_tls_callback.clone(), }) diff --git a/pingora-core/src/listeners/tls/boringssl_openssl/mod.rs b/pingora-core/src/listeners/tls/boringssl_openssl/mod.rs index d957cac4..17ed8b94 100644 --- a/pingora-core/src/listeners/tls/boringssl_openssl/mod.rs +++ b/pingora-core/src/listeners/tls/boringssl_openssl/mod.rs @@ -129,11 +129,11 @@ impl TlsSettings { } } - pub(crate) fn build(self) -> Acceptor { - Acceptor { + pub(crate) fn build(self) -> Result { + Ok(Acceptor { ssl_acceptor: self.accept_builder.build(), callbacks: self.callbacks, - } + }) } } diff --git a/pingora-core/src/listeners/tls/rustls/mod.rs b/pingora-core/src/listeners/tls/rustls/mod.rs index e7376fc0..e1fa52c8 100644 --- a/pingora-core/src/listeners/tls/rustls/mod.rs +++ b/pingora-core/src/listeners/tls/rustls/mod.rs @@ -18,7 +18,7 @@ use crate::listeners::TlsAcceptCallbacks; use crate::protocols::tls::{server::handshake, server::handshake_with_callback, TlsStream}; use log::debug; use pingora_error::ErrorType::InternalError; -use pingora_error::{Error, OrErr, Result}; +use pingora_error::{Error, ErrorSource, ErrorType, ImmutStr, OrErr, Result, RetryType}; use pingora_rustls::load_certs_and_key_files; use pingora_rustls::ClientCertVerifier; use pingora_rustls::ServerConfig; @@ -46,17 +46,24 @@ impl TlsSettings { /// _NOTE_ This function will panic if there is an error in loading /// certificate files or constructing the builder /// - /// Todo: Return a result instead of panicking XD - pub fn build(self) -> Acceptor { + pub fn build(self) -> Result { // rustls 0.23+ requires an explicit CryptoProvider. pingora_rustls::install_default_crypto_provider(); let Ok(Some((certs, key))) = load_certs_and_key_files(&self.cert_path, &self.key_path) else { - panic!( + let error_message = format!( "Failed to load provided certificates \"{}\" or key \"{}\".", self.cert_path, self.key_path - ) + ); + + return Err(Box::new(Error { + etype: ErrorType::InternalError, + esource: ErrorSource::Internal, + retry: RetryType::Decided(false), + cause: None, + context: Some(ImmutStr::Owned(error_message.into_boxed_str())), + })); }; let builder = @@ -77,10 +84,10 @@ impl TlsSettings { config.alpn_protocols = alpn_protocols; } - Acceptor { + Ok(Acceptor { acceptor: RusTlsAcceptor::from(Arc::new(config)), callbacks: None, - } + }) } /// Enable HTTP/2 support for this endpoint, which is default off. diff --git a/pingora-core/src/listeners/tls/s2n/mod.rs b/pingora-core/src/listeners/tls/s2n/mod.rs index af547bbe..e9cfc091 100644 --- a/pingora-core/src/listeners/tls/s2n/mod.rs +++ b/pingora-core/src/listeners/tls/s2n/mod.rs @@ -15,7 +15,7 @@ use std::sync::Arc; use log::debug; -use pingora_error::Result; +use pingora_error::{Error, ErrorSource, ErrorType, ImmutStr, Result, RetryType}; use pingora_s2n::{ load_certs_and_key_files, ClientAuthType, Config, IgnoreVerifyHostnameCallback, S2NPolicy, TlsAcceptor, DEFAULT_TLS13, @@ -43,7 +43,7 @@ pub struct Acceptor { } impl TlsSettings { - pub fn build(self) -> Acceptor { + pub fn build(self) -> Result { let mut builder = Config::builder(); // Default security policy with TLS 1.3 support @@ -82,9 +82,15 @@ impl TlsSettings { } if !self.verify_client_hostname { - builder - .set_verify_host_callback(IgnoreVerifyHostnameCallback::new()) - .unwrap(); + if let Err(_) = builder.set_verify_host_callback(IgnoreVerifyHostnameCallback::new()) { + return Err(Box::new(Error { + etype: ErrorType::InternalError, + esource: ErrorSource::Internal, + retry: RetryType::Decided(false), + cause: None, + context: Some(ImmutStr::from("Failed to verify client hostname")), + })); + } } let config = builder.build().unwrap(); @@ -94,9 +100,9 @@ impl TlsSettings { security_policy: Some(policy.clone()), }; - Acceptor { + Ok(Acceptor { acceptor: TlsAcceptor::new(connection_builder), - } + }) } /// Enable HTTP/2 support for this endpoint, which is default off. diff --git a/pingora-core/src/protocols/tls/noop_tls/mod.rs b/pingora-core/src/protocols/tls/noop_tls/mod.rs index d7632e13..b24a5b35 100644 --- a/pingora-core/src/protocols/tls/noop_tls/mod.rs +++ b/pingora-core/src/protocols/tls/noop_tls/mod.rs @@ -80,8 +80,8 @@ pub mod listeners { pub struct TlsSettings; impl TlsSettings { - pub fn build(&self) -> Acceptor { - Acceptor + pub fn build(&self) -> Result { + Ok(Acceptor) } pub fn intermediate(_: &str, _: &str) -> Result {