From:
Matthieu Herrb <matthieu@openbsd.org>
Subject:
Re: [wip] rust-rpxy 0.10.1
To:
Theo Buehler <tb@theobuehler.org>
Cc:
ports@openbsd.org
Date:
Mon, 14 Jul 2025 18:21:01 +0200

On Mon, Jul 14, 2025 at 03:29:27PM +0200, Theo Buehler wrote:
> matthieu mentioned that this might be useful, so I whipped up a port.
> Fortunately volker and I already prepared patches for an xonly issue
> in aws-l2c so it should be fine in that regard.
> 
> This port builds and passes tests on amd64. I can test this way on
> aarch64, but I can't really run test this from where I am right now.
> 
> This probably needs a dedicated user and rc setup. I hope someone can
> save me some time by telling me what to do here (or where to copy from).
>

Thanks.

The binary works with a simple rc.d file to run it as root. 

Unfortunately after this initial successful testing, I figured out there
are some features that are either missing or adverse to making a good
ports candidate:

- it cannot run with reduced privileges unless it only listens to
  ports > 1024, needing pf level redirects to get 443 or 80.
- for the same reason it cannot read a private key unless a shared
  group is set up to own the key
- since it watches its config file for changes to reload itself
  automatically, implementing some form of privilege dropping will
  probably break this feature.
- also it cannot listen on both IPv4 and IPv6 sockets; it relies on
  Linux default behaviour of v6 sockets accepting v4 connections too.

So it will need quite a few patches / merge requests to become a good
OpenBSD ports addition.

> ===
> 
> layer 7 reverse-proxy with TLS termination
> 
> Description:
> rpxy [ahr-pik-see] is a simple and lightweight reverse-proxy implementation
> with additional features. The implementation is based on hyper, rustls and
> tokio. rpxy routes multiple hostnames to appropriate backend application
> servers while serving TLS connections. Features include:
> 
> * HTTP(S) protocols: HTTP/1.1, HTTP/2, and the brand-new HTTP/3
> * gRPC
> * Serving multiple domain names with TLS termination
> * Mutual TLS authentication with client certificates
> * Automated certificate issuance and renewal via TLS-ALPN-01 ACME protocol
> * Post-quantum key exchange for TLS/QUIC
> * TLS connection sanitization to avoid domain fronting
> * Load balancing with round-robin, random, and sticky sessions
> 
> Maintainer: The OpenBSD ports mailing-list <ports@openbsd.org>
> 
> WWW: https://github.com/junkurihara/rust-rpxy



-- 
Matthieu Herrb
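The two porting obstacles raised above (binding ports below 1024 without staying root, and the missing separate IPv4 listener on a system where v6 sockets never accept v4) are the classic daemon pattern of "bind first as root, then drop privileges" plus one socket per address family. The following is an added illustration in Python, not rpxy's code or anything from the port: it binds an AF_INET and an AF_INET6 listener with IPV6_V6ONLY set explicitly (so Linux and OpenBSD behave the same), then switches to an unprivileged user. The user name "nobody", the loopback addresses and port 0 (kernel-chosen) are constructed demonstration values.

```python
import os
import pwd
import socket

# Constructed demonstration values, not from the rpxy port or its config.
LISTEN_PORT = 0            # 0 lets the kernel pick a free port; a real proxy uses 80/443
PRIVILEGED_PORT_LIMIT = 1024


def needs_root(port):
    """Ports below 1024 are reserved: binding them requires root on OpenBSD."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def bind_listeners(port, v4_addr="0.0.0.0", v6_addr="::"):
    """Create one listening socket per address family.

    OpenBSD forces IPV6_V6ONLY on, so an AF_INET6 socket never receives
    IPv4 connections there; Linux defaults to a dual-stack v6 socket.
    Setting IPV6_V6ONLY explicitly makes both systems behave the same,
    and the separate AF_INET socket covers IPv4 on both.
    """
    listeners = []
    for family, addr in ((socket.AF_INET, v4_addr), (socket.AF_INET6, v6_addr)):
        if addr is None:
            continue
        try:
            s = socket.socket(family, socket.SOCK_STREAM)
        except OSError:
            continue  # address family not supported by this kernel
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        if family == socket.AF_INET6:
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
        try:
            s.bind((addr, port))
            s.listen(128)
        except OSError:
            s.close()  # e.g. no IPv6 loopback configured, or port in use
            continue
        listeners.append(s)
    return listeners


def drop_privileges(username):
    """Switch to an unprivileged user once the sockets are bound.

    Order matters: clear supplementary groups, set the gid, then the uid;
    after the uid change the process can no longer alter its groups.
    Returns False when not running as root (nothing to drop).
    """
    if os.geteuid() != 0:
        return False
    pw = pwd.getpwnam(username)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Verify the drop is irreversible: regaining uid 0 must fail.
    try:
        os.setuid(0)
    except PermissionError:
        return True
    raise RuntimeError("privilege drop failed: uid 0 regained")


def listener_families(listeners):
    """Names of the address families actually bound, e.g. ['AF_INET', 'AF_INET6']."""
    return sorted(s.family.name for s in listeners)


if __name__ == "__main__":
    socks = bind_listeners(LISTEN_PORT, "127.0.0.1", "::1")
    print("bound:", [(s.family.name, s.getsockname()[:2]) for s in socks])
    print("dropped privileges:", drop_privileges("nobody"))
    for s in socks:
        s.close()
```

Everything the daemon needs after the drop (the TLS private key via a group it belongs to, and the config file it watches for reloads) must be readable by the unprivileged user, which is exactly why the config-watching reload described in the mail interacts with privilege dropping: a reload that reopens files as the dropped user fails if they were only readable by root.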