HTTPS support for the Agama web server (#1062)

## Problem - The communication between the user and the Agama web server needs to be encrypted ## Solution - Enable HTTPS support using the standard openSSL library - Automatically redirect all external HTTP requests to HTTPS - Allow using HTTP locally (`http://localhost`) - Use the SSL certificate specified from the command line or generate a self-signed one ## Testing - Tested manually ## TODO - [x] Update the documentation For later: - [ ] Use the [gethostname crate](https://crates.io/crates/gethostname) and include the current host name in the generated self-signed certificate - [ ] Read the SSL certificate from some default location (something like `/etc/agama.d/ssl/{certificate,key}.pem` ?) - [ ] Implement struct for handling key / certificate and associate it with relevant methods
agama-project · Mar 22, 2024 · 5416449 · 5416449
2 parents afa39b5 + 1e09613
commit 5416449
Show file tree

Hide file tree

Showing 8 changed files with 845 additions and 471 deletions.
diff --git a/rust/Cargo.lock b/rust/Cargo.lock
diff --git a/rust/WEB-SERVER.md b/rust/WEB-SERVER.md
@@ -51,12 +51,26 @@ $ sudo ./target/debug/agama-web-server serve
 
 If it fails to compile, please check whether `clang-devel` and `pam-devel` are installed.
 
-You can add a `--listen` flag if you want to use a different port:
+By default the server uses port 3000 and listens on all network interfaces. You
+can use the `--address` option if you want to use a different port or a specific
+network interface:
 
 ```
-$ sudo ./target/debug/agama-web-server serve --listen 0.0.0.0:5678
+$ sudo ./target/debug/agama-web-server serve --address :::5678
 ```
 
+Some more examples:
+
+- Both IPv6 and IPv4, all interfaces: `--address :::5678`
+- Both IPv6 and IPv4, only local loopback : `--address ::1:5678`
+- IPv4 only, all interfaces: `--address 0.0.0.0:5678`
+- IPv4 only, only local loopback : `--address 127.0.0.1:5678`
+- IPv4, only specific interface: `--address 192.168.1.2:5678` (use the IP
+  address of that interface)
+
+The server can optionally listen on a secondary address, use the `--address2`
+option for that.
+
 ## Trying the server
 
 You can check whether the server is up and running by just performing a ping:
@@ -105,3 +119,28 @@ Now, you can use the following command to connect:
 $ websocat ws://localhost:3000/ws
     -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE3MDg1MTA5MzB9.3HmKAC5u4H_FigMqEa9e74OFAq40UldjlaExrOGqE0U"
 ```
+
+## SSL/TLS (HTTPS) Support
+
+The web server supports encrypted communication using the HTTPS protocol.
+
+The SSL certificate used by the server can be specified by the `--cert` and
+`--key` command line options which should point to the PEM files:
+
+```
+$ sudo ./target/debug/agama-web-server serve --cert certificate.pem --key key.pem
+```
+The certificate is expected in the PEM format, if you have a certificate in
+another format you can convert it using the openSSL tools.
+
+If a SSL certificate is not specified via command line then the server generates
+a self-signed certificate. Currently it is only kept in memory and generated
+again at each start.
+
+The HTTPS protocol is required for external connections, the HTTP connections
+are automatically redirected to HTTPS. *But it still means that the original
+HTTP communication can be intercepted by an attacker, do not rely on this
+redirection!*
+
+For internal connections coming from the same machine (via the
+`http://localhost` URL) the unencrypted HTTP communication is allowed.
diff --git a/rust/agama-server/Cargo.toml b/rust/agama-server/Cargo.toml
@@ -48,6 +48,11 @@ chrono = { version = "0.4.34", default-features = false, features = [
 ] }
 pam = "0.8.0"
 serde_with = "3.6.1"
+openssl = "0.10.64"
+hyper = "1.2.0"
+hyper-util = "0.1.3"
+tokio-openssl = "0.6.4"
+futures-util = { version = "0.3.30", default-features = false, features = ["alloc"] }
 
 [[bin]]
 name = "agama-dbus-server"