feat: add HTTPS/TLS server support via rustls

Add optional TLS support for the server using axum-server with the tls-rustls feature. When --server-cert and --server-key are provided (and tls feature is enabled), the server binds with TLS instead of plain HTTP. Changes: - Add axum-server dependency with optional tls-rustls feature - New 'tls' feature flag (independent of 'server') - --server-cert/--server-key CLI args gated behind tls feature - ServerConfig extended with cert_file/key_file fields - Conditional TLS/HTTP binding in server mod.rs - Fix PathBuf::to_str().unwrap() panic risk -> to_string_lossy() - Update README.md and DESIGN.md with TLS documentation
2026-03-12 22:18:42 -03:00
parent 237a581429
commit bee980605f
8 changed files with 569 additions and 124 deletions
--- a/src/args.rs
+++ b/src/args.rs
@@ -75,6 +75,16 @@ pub struct ModeArgs {
    #[arg(help_heading("Server Options"), long, env("KEEP_SERVER_PORT"))]
    #[arg(help("Server port to bind to"))]
    pub server_port: Option<u16>,
+
+    #[cfg(feature = "tls")]
+    #[arg(help_heading("Server Options"), long, env("KEEP_SERVER_CERT"))]
+    #[arg(help("Path to TLS certificate file (PEM) for HTTPS"))]
+    pub server_cert: Option<PathBuf>,
+
+    #[cfg(feature = "tls")]
+    #[arg(help_heading("Server Options"), long, env("KEEP_SERVER_KEY"))]
+    #[arg(help("Path to TLS private key file (PEM) for HTTPS"))]
+    pub server_key: Option<PathBuf>,
 }

 /// Struct for item-specific arguments, such as compression and plugins.
--- a/src/config.rs
+++ b/src/config.rs
@@ -146,6 +146,8 @@ pub struct ServerConfig {
    pub password_file: Option<PathBuf>,
    pub password: Option<String>,
    pub password_hash: Option<String>,
+    pub cert_file: Option<PathBuf>,
+    pub key_file: Option<PathBuf>,
 }

 #[derive(Debug, Clone, Deserialize, Serialize)]
@@ -287,6 +289,18 @@ impl Settings {
            config_builder = config_builder.set_override("server.port", server_port)?;
        }

+        #[cfg(feature = "tls")]
+        if let Some(server_cert) = &args.mode.server_cert {
+            config_builder = config_builder
+                .set_override("server.cert_file", server_cert.to_string_lossy().as_ref())?;
+        }
+
+        #[cfg(feature = "tls")]
+        if let Some(server_key) = &args.mode.server_key {
+            config_builder = config_builder
+                .set_override("server.key_file", server_key.to_string_lossy().as_ref())?;
+        }
+
        if let Some(compression) = &args.item.compression {
            config_builder =
                config_builder.set_override("compression_plugin.name", compression.as_str())?;
@@ -480,6 +494,14 @@ impl Settings {
        self.server.as_ref().and_then(|s| s.port)
    }

+    pub fn server_cert_file(&self) -> Option<PathBuf> {
+        self.server.as_ref().and_then(|s| s.cert_file.clone())
+    }
+
+    pub fn server_key_file(&self) -> Option<PathBuf> {
+        self.server.as_ref().and_then(|s| s.key_file.clone())
+    }
+
    pub fn compression(&self) -> Option<String> {
        self.compression_plugin.as_ref().map(|c| c.name.clone())
    }
--- a/src/modes/server/common.rs
+++ b/src/modes/server/common.rs
@@ -67,6 +67,14 @@ pub struct ServerConfig {
    /// Pre-hashed password (Unix crypt format) for secure authentication. Preferred
    /// over plain text password for production use.
    pub password_hash: Option<String>,
+    /// Optional path to TLS certificate file (PEM).
+    ///
+    /// When both cert_file and key_file are set, the server uses HTTPS.
+    pub cert_file: Option<PathBuf>,
+    /// Optional path to TLS private key file (PEM).
+    ///
+    /// When both cert_file and key_file are set, the server uses HTTPS.
+    pub key_file: Option<PathBuf>,
 }

 /// Application state shared across all routes.
--- a/src/modes/server/mod.rs
+++ b/src/modes/server/mod.rs
@@ -52,6 +52,8 @@ pub fn mode_server(
        port: Some(server_port),
        password: settings.server_password(),
        password_hash: settings.server_password_hash(),
+        cert_file: settings.server_cert_file(),
+        key_file: settings.server_key_file(),
    };

    // Create ItemService once
@@ -138,14 +140,31 @@ async fn run_server(

    let addr: SocketAddr = bind_address.parse()?;

+    // Build the app into a service
+    let service = app.into_make_service_with_connect_info::<SocketAddr>();
+
+    // Use TLS if both cert and key files are provided
+    #[cfg(feature = "tls")]
+    if let (Some(cert_file), Some(key_file)) = (&config.cert_file, &config.key_file) {
+        info!("SERVER: HTTPS server listening on {addr}");
+
+        use axum_server::tls_rustls::RustlsConfig;
+
+        let tls_config = RustlsConfig::from_pem_file(cert_file, key_file)
+            .await
+            .map_err(|e| anyhow::anyhow!("Failed to load TLS config: {e}"))?;
+
+        axum_server::bind_rustls(addr, tls_config)
+            .serve(service)
+            .await?;
+
+        return Ok(());
+    }
+
    info!("SERVER: HTTP server listening on {addr}");

    let listener = tokio::net::TcpListener::bind(addr).await?;
-    axum::serve(
-        listener,
-        app.into_make_service_with_connect_info::<SocketAddr>(),
-    )
-    .await?;
+    axum::serve(listener, service).await?;

    Ok(())
 }