From 0d176f368139215d0fd649d2cf0822bfc3eede8f Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller
Date: Mon, 4 Feb 2019 14:56:07 +0100
Subject: [PATCH] proxy: use TLS via tokio-tls
Signed-off-by: Wolfgang Bumiller
---
 Cargo.toml | 4 +++-
 src/bin/proxmox-backup-proxy.rs | 33 +++++++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index f86a9153..ef53db38 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -19,6 +19,8 @@
 url = "1.7"
 futures = "0.1"
 tokio-threadpool = "0.1"
 tokio = "0.1"
+tokio-tls = "0.2.1"
+native-tls = "0.2.2"
 http = "0.1"
 hyper = "0.12"
 lazy_static = "1.1"
@@ -35,4 +37,4 @@
 walkdir = "2"
 md5 = "0.6"
 base64 = "0.10"
 pam-sys = "0.5"
-pam-auth = "0.5"
\ No newline at end of file
+pam-auth = "0.5"
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 1605fece..b032634a 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -5,10 +5,11 @@
 use proxmox_backup::api::config::*;
 use proxmox_backup::server::rest::*;
 use proxmox_backup::auth_helpers::*;
-//use failure::*;
+use failure::*;
 use lazy_static::lazy_static;
 use futures::future::Future;
+use futures::stream::Stream;
 use hyper;
@@ -25,8 +26,6 @@ fn main() {
     let _ = public_auth_key(); // load with lazy_static
     let _ = csrf_secret(); // load with lazy_static
-    let addr = ([0,0,0,0,0,0,0,0], 8007).into();
-
     lazy_static!{
         static ref ROUTER: Router = proxmox_backup::api2::router();
     }
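Review bot: `+use failure::*;` in the first hunk of src/bin/proxmox-backup-proxy.rs is a glob import, while the only failure item this patch actually names is `Error` (in the `.map_err(|e| Error::from(e))` and `Ok::<_, Error>(Some(c))` lines of the last hunk); `use failure::Error;` keeps the dependency explicit and cannot collide with the three `proxmox_backup::…::*` globs already at the top of the file. The other addition, `use futures::stream::Stream;`, is what brings the `map_err`/`and_then`/`then`/`filter_map` adaptors used on the listener into scope, so a one-line comment such as `// Stream trait methods used on listener.incoming() below` would help a reader who sees an apparently unused import. The `use` list sits at file scope; the enclosing `fn main()` of the following hunks starts outside this hunk.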
@@ -47,7 +46,33 @@ fn main() {
     let rest_server = RestServer::new(config);
-    let server = hyper::Server::bind(&addr)
+    let identity =
+        native_tls::Identity::from_pkcs12(
+            &std::fs::read("server.pfx").unwrap(),
+            "",
+        ).unwrap();
+
+    let addr = ([0,0,0,0,0,0,0,0], 8007).into();
+    let listener = tokio::net::TcpListener::bind(&addr).unwrap();
+    let acceptor = native_tls::TlsAcceptor::new(identity).unwrap();
+    let acceptor = std::sync::Arc::new(tokio_tls::TlsAcceptor::from(acceptor));
+    let connections = listener
+        .incoming()
+        .map_err(|e| Error::from(e))
+        .and_then(move |sock| acceptor.accept(sock).map_err(|e| e.into()))
+        .then(|r| match r {
+            // accept()s can fail here with an Err() when eg. the client rejects
+            // the cert and closes the connection, so we follow up with mapping
+            // it to an option and then filtering None with filter_map
+            Ok(c) => Ok::<_, Error>(Some(c)),
+            Err(_) => Ok(None),
+        })
+        .filter_map(|r| {
+            // Filter out the Nones
+            r
+        });
+
+    let server = hyper::Server::builder(connections)
         .serve(rest_server)
         .map_err(|e| eprintln!("server error: {}", e));
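Review bot: The TLS identity is read from the relative path `"server.pfx"` with an empty PKCS#12 password and three bare `.unwrap()`s, so which private key the proxy serves depends on its working directory and a missing, unreadable or wrongly-encoded file aborts startup without saying which step failed; use an absolute, configured location (`<TLS_IDENTITY_PATH>` placeholder) and `.expect("unable to read TLS identity")` / `.expect("unable to parse TLS identity")` so the failure names its cause. The `Err(_) => Ok(None)` arm in the `.then()` discards every handshake error, not only the client-rejects-the-cert case the comment describes, so a broken acceptor or a burst of failed handshakes leaves no trace in the logs; `Err(e) => { eprintln!("tls accept error: {}", e); Ok(None) }` keeps the stream alive while still recording it. Minor style: `.map_err(|e| Error::from(e))` can be `.map_err(Error::from)`, and the `.filter_map(|r| { r })` closure reduces to `.filter_map(|r| r)` with the comment moved above the call. `fn main()` continues past the end of this hunk.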