Merge branch 'main' into master

.github/workflows/release.yml

@@ -80,7 +80,7 @@ jobs:
         if: matrix.os == 'ubuntu-latest' && !contains(matrix.target, 'mips')
         uses: crazy-max/ghaction-upx@v1
         with:
-          version: v4.0.0
+          version: v4.0.2
           files: target/${{ matrix.target }}/release/${{ matrix.exe }}
           args: -q --best --lzma
       - uses: actions/upload-artifact@v2

README.md

@@ -4,7 +4,7 @@
 
 [![GitHub stars](https://img.shields.io/github/stars/rapiz1/rathole)](https://github.com/rapiz1/rathole/stargazers)
 [![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/rapiz1/rathole)](https://github.com/rapiz1/rathole/releases)
-![GitHub Workflow Status (branch)](https://img.shields.io/github/workflow/status/rapiz1/rathole/Rust/main)
+![GitHub Workflow Status (branch)](https://img.shields.io/github/actions/workflow/status/rapiz1/rathole/rust.yml?branch=main)
 [![GitHub all releases](https://img.shields.io/github/downloads/rapiz1/rathole/total)](https://github.com/rapiz1/rathole/releases)
 [![Docker Pulls](https://img.shields.io/docker/pulls/rapiz1/rathole)](https://hub.docker.com/r/rapiz1/rathole)
 [![Join the chat at https://gitter.im/rapiz1/rathole](https://badges.gitter.im/rapiz1/rathole.svg)](https://gitter.im/rapiz1/rathole?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
@@ -24,7 +24,7 @@ rathole, like [frp](https://github.com/fatedier/frp) and [ngrok](https://github.
         - [Logging](#logging)
         - [Tuning](#tuning)
     - [Benchmark](#benchmark)
-    - [Development Status](#development-status)
+  - [Planning](#planning)
 
 <!-- /TOC -->
 
@@ -201,13 +201,8 @@ For more details, see the separate page [Benchmark](./docs/benchmark.md).
 ![udp_bitrate](./docs/img/udp_bitrate.svg)
 ![mem](./docs/img/mem-graph.png)
 
-## Development Status
+## Planning
 
-`rathole` is under active development. A load of features is on the way:
-
-- [x] TLS support
-- [x] UDP support
-- [x] Hot reloading
 - [ ] HTTP APIs for configuration
 
 [Out of Scope](./docs/out-of-scope.md) lists features that are not planned to be implemented and why.

docs/transport.md

@@ -6,21 +6,29 @@ By default, `rathole` forwards traffic as it is. Different options can be enable
 Checkout the [example](../examples/tls)
 ### Client
 Normally, a self-signed certificate is used. In this case, the client needs to trust the CA. `trusted_root` is the path to the root CA's certificate PEM file.
-`hostname` is the hostname that the client used to validate aginst the certificate that the server presents.
+`hostname` is the hostname that the client used to validate aginst the certificate that the server presents. Note that it does not have to be the same with the `remote_addr` in `[client]`.
 ```
 [client.transport.tls]
-trusted_root = "example/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "example/tls/rootCA.crt"
+hostname = "localhost"
 ```
 
 ### Server
 PKCS#12 archives are needed to run the server.
 
 It can be created using openssl like:
 ```
-openssl pkcs12 -export -out identity.pfx -inkey server-key.pem -in server-cert.pem -certfile ca_chain_certs.pem
+openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile ca_chain_certs.crt
 ```
 
+Aruguments are:
+
+- `-inkey`: Server Private Key
+- `-in`: Server Certificate
+- `-certfile`: CA Certificate
+
+Creating self-signed certificate with one's own CA is a non-trival task. However, a script is provided under tls example folder for reference.
+
 ## Noise Protocol
 ### Quickstart for the Noise Protocl
 In one word, the [Noise Protocol](http://noiseprotocol.org/noise.html) is a lightweigt, easy to configure and drop-in replacement of TLS. No need to create a self-sign certificate to secure the connection.

examples/tls/client.toml

@@ -1,12 +1,12 @@
 [client]
-remote_addr = "localhost:2333"
+remote_addr = "127.0.0.1:2333"
 default_token = "123"
 
 [client.transport]
 type = "tls"
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "examples/tls/rootCA.crt"
+hostname = "localhost"
 
 [client.services.foo1]
 local_addr = "127.0.0.1:80"

examples/tls/create_self_signed_cert.sh

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+# create CA 
+openssl req -x509 \
+            -sha256 -days 356 \
+            -nodes \
+            -newkey rsa:2048 \
+            -subj "/CN=MyOwnCA/C=US/L=San Fransisco" \
+            -keyout rootCA.key -out rootCA.crt 
+
+# create server private key
+openssl genrsa -out server.key 2048
+
+# create certificate signing request (CSR)
+cat > csr.conf <<EOF
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = US
+ST = California
+L = San Fransisco
+O = Someone
+OU = Someone
+CN = localhost
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+EOF
+
+openssl req -new -key server.key -out server.csr -config csr.conf
+
+# create server cert
+cat > cert.conf <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+EOF
+
+openssl x509 -req \
+    -in server.csr \
+    -CA rootCA.crt -CAkey rootCA.key \
+    -out server.crt \
+    -days 365 \
+    -sha256 -extfile cert.conf
+
+# create pkcs12
+openssl pkcs12 -export -out identity.pfx -inkey server.key -in server.crt -certfile rootCA.crt -passout pass:1234
+
+# clean up
+rm server.csr csr.conf cert.conf

examples/tls/rootCA.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDTzCCAjegAwIBAgIUT2Hjb+eORMuX0zIwClSygNTJiSQwDQYJKoZIhvcNAQEL
+BQAwNzEQMA4GA1UEAwwHTXlPd25DQTELMAkGA1UEBhMCVVMxFjAUBgNVBAcMDVNh
+biBGcmFuc2lzY28wHhcNMjMwMzA3MTIzOTM5WhcNMjQwMjI2MTIzOTM5WjA3MRAw
+DgYDVQQDDAdNeU93bkNBMQswCQYDVQQGEwJVUzEWMBQGA1UEBwwNU2FuIEZyYW5z
+aXNjbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4hFcu/+GeSQRR0
+XniadepJtCp3juIaHaYLMIsKg4fUSOiVlOCJU27wYa6xaYOcjSKpv7tmZ7YwFBwO
+dGdlcqAFD1nj+JCsHQAJKRIYWY6UklrQb0rd+67HXF03cN4sPGiAKXy52jaPYJIS
+oz5w8mfcz66b3q6fYmefyjwvqBl5nJApiWzBEtLPDKhmT6ST3VuQLdmYNEmL3lL9
+wVJu3R1L7gnzoUFdHyeOpAoALFAI8zfezI8IJsDLLdVfKZNZYm0PDB98ldlBQ2wf
+uXFTzuVHeifBFcUxhV5/U9c3Fp7UnuMD7/RAcABBE8aW6wFl246WjTk4v6r0QYgZ
+49BrnGMCAwEAAaNTMFEwHQYDVR0OBBYEFIwCXoKvHjF6mWhgNLwSEktXT9S/MB8G
+A1UdIwQYMBaAFIwCXoKvHjF6mWhgNLwSEktXT9S/MA8GA1UdEwEB/wQFMAMBAf8w
+DQYJKoZIhvcNAQELBQADggEBAIlSJqo9QJUZTE1SzafqihkSXBuLAKMNq+Box02o
+2tticlBV3BVpNZ4SbOs8oYN/Hmr2cDSmgbf4ZB1BqExarsrLnFuIrM4XWVzuFHSt
+oMSlE/OE6cO0wzqUlihmUfx2azuXKPLotAObD6fwNbUb03YxTpNrEqFxIjYn6g56
+Mp1Eo/Na2ptr41Nin2gHsynPOWdPhpBqBxnWMFz1pfZ7TB1h92DVqFN92fMzgvAT
+oJdTGl9hFTcS4XrYwOhhITNGn7oM9uTFpTd/IZbjAakcAnLcwRumthD32YJPpXqV
+JC2zJNBvEbQ4hdvZu3eNx5J8GU8wiMoJgYNy4zNMbM3qM+E=
+-----END CERTIFICATE-----

src/config.rs

@@ -40,8 +40,9 @@ impl From<&str> for MaskedString {
     }
 }
 
-#[derive(Debug, Serialize, Deserialize, Copy, Clone, PartialEq, Eq)]
+#[derive(Debug, Serialize, Deserialize, Copy, Clone, PartialEq, Eq, Default)]
 pub enum TransportType {
+    #[default]
     #[serde(rename = "tcp")]
     Tcp,
     #[serde(rename = "tls")]
@@ -50,12 +51,6 @@ pub enum TransportType {
     Noise,
 }
 
-impl Default for TransportType {
-    fn default() -> TransportType {
-        TransportType::Tcp
-    }
-}
-
 /// Per service config
 /// All Option are optional in configuration but must be Some value in runtime
 #[derive(Debug, Serialize, Deserialize, Clone, PartialEq, Eq, Default)]
@@ -81,18 +76,16 @@ impl ClientServiceConfig {
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone, Copy, PartialEq, Eq)]
+#[derive(Default)]
 pub enum ServiceType {
     #[serde(rename = "tcp")]
+    #[default]
     Tcp,
     #[serde(rename = "udp")]
     Udp,
 }
 
-impl Default for ServiceType {
-    fn default() -> Self {
-        ServiceType::Tcp
-    }
-}
+
 
 fn default_service_type() -> ServiceType {
     Default::default()

tests/for_tcp/tls_transport.toml

@@ -5,8 +5,8 @@ default_token = "default_token_if_not_specify"
 [client.transport]
 type = "tls" 
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "examples/tls/rootCA.crt"
+hostname = "localhost"
 
 [client.services.echo] 
 local_addr = "127.0.0.1:8080" 

tests/for_udp/tls_transport.toml

@@ -5,8 +5,8 @@ default_token = "default_token_if_not_specify"
 [client.transport]
 type = "tls" 
 [client.transport.tls]
-trusted_root = "examples/tls/ca-cert.pem"
-hostname = "0.0.0.0"
+trusted_root = "examples/tls/rootCA.crt"
+hostname = "localhost"
 
 [client.services.echo] 
 type = "udp"