From: Matthieu Herrb
Subject: Re: [wip] rust-rpxy 0.10.1
To: Theo Buehler
Cc: ports@openbsd.org
Date: Mon, 14 Jul 2025 18:21:01 +0200

On Mon, Jul 14, 2025 at 03:29:27PM +0200, Theo Buehler wrote:
> matthieu mentioned that this might be useful, so I whipped up a port.
> Fortunately volker and I already prepared patches for an xonly issue
> in aws-l2c so it should be fine in that regard.
>
> This port builds and passes tests on amd64. I can test this way on
> aarch64, but I can't really run test this from where I am right now.
>
> This probably needs a dedicated user and rc setup. I hope someone can
> save me some time by telling me what to do here (or where to copy from).
> Thanks.

The binary works with a simple rc.d file to run it as root.

Unfortunately, after this initial successful testing, I figured out there
are some features that are either missing or adverse to making a good
ports candidate:

- it cannot run with reduced privileges unless it only listens on ports
  > 1024, needing pf-level redirects to get 443 or 80.
- for the same reason it cannot read a private key unless a shared group
  is set up to own the key.
- since it watches its config file for changes to reload itself
  automatically, implementing some form of privilege dropping will
  probably break this feature.
- also it cannot listen on both IPv4 and IPv6 sockets; it relies on the
  Linux default behaviour of v6 sockets accepting v4 connections too.

So it will need quite a few patches / merge requests to become a good
OpenBSD ports addition.

> ===
>
> layer 7 reverse-proxy with TLS termination
>
> Description:
> rpxy [ahr-pik-see] is a simple and lightweight reverse-proxy implementation
> with additional features. The implementation is based on hyper, rustls and
> tokio. rpxy routes multiple hostnames to appropriate backend application
> servers while serving TLS connections.
>
> Features include:
>
> * HTTP(S) protocols: HTTP/1.1, HTTP/2, and the brand-new HTTP/3
> * gRPC
> * Serving multiple domain names with TLS termination
> * Mutual TLS authentication with client certificates
> * Automated certificate issuance and renewal via TLS-ALPN-01 ACME protocol
> * Post-quantum key exchange for TLS/QUIC
> * TLS connection sanitization to avoid domain fronting
> * Load balancing with round-robin, random, and sticky sessions
>
> Maintainer: The OpenBSD ports mailing-list
>
> WWW: https://github.com/junkurihara/rust-rpxy

-- 
Matthieu Herrb
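The IPv4/IPv6 point in the reply above, as an added example that is not part of this thread and not rpxy's own code: the portable fix is to open two listening sockets and set IPV6_V6ONLY on the IPv6 one, which is the behaviour OpenBSD enforces unconditionally and which keeps Linux from having the v6 socket swallow the v4 port. The function names are my own, and the sockets bind loopback (a real proxy would bind the wildcard address) so the demo is self-contained.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open one listening TCP socket for `family` on loopback. An AF_INET6 socket
 * is marked IPV6_V6ONLY so it never claims IPv4 traffic: that is OpenBSD's
 * fixed behaviour, and setting it explicitly makes Linux do the same, so a
 * separate IPv4 socket can share the port. Returns the fd or -1. */
static int open_listener(int family, in_port_t port)
{
    struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6, .sin6_port = htons(port),
                                .sin6_addr = IN6ADDR_LOOPBACK_INIT };
    struct sockaddr_in sa4 = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    int fd = socket(family, SOCK_STREAM, 0), one = 1, ok;
    if (fd < 0) return -1;
    if (family == AF_INET6)
        ok = setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof one) == 0 &&
             bind(fd, (struct sockaddr *)&sa6, sizeof sa6) == 0;
    else
        ok = bind(fd, (struct sockaddr *)&sa4, sizeof sa4) == 0;
    if (ok && listen(fd, 16) == 0)
        return fd;
    close(fd);
    return -1;
}

/* Open separate IPv4 and IPv6 listeners on one port instead of relying on a
 * dual-stack socket. Port 0 lets the kernel pick a free port for IPv4, which
 * IPv6 then reuses. Fills out[0]/out[1] with fds or -1; returns the count. */
int open_dual_stack(in_port_t port, int out[2])
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    out[0] = open_listener(AF_INET, port);
    if (out[0] >= 0 && port == 0 &&
        getsockname(out[0], (struct sockaddr *)&sa, &len) == 0)
        port = ntohs(sa.sin_port); /* reuse the kernel-chosen port for v6 */
    out[1] = open_listener(AF_INET6, port);
    return (out[0] >= 0) + (out[1] >= 0);
}

/* 1 if IPV6_V6ONLY is set on fd, 0 if not, -1 if it cannot be read. */
int v6only_is_set(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;
    return getsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &v, &len) < 0 ? -1 : v != 0;
}
```

On a host without IPv6 on loopback only the IPv4 listener opens and the count is 1; on Linux, dropping the IPV6_V6ONLY line makes the second bind fail with EADDRINUSE when the v6 socket is opened first, which is exactly the dual-stack dependency the reply describes.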