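--- a/privaxy/src/server/configuration/network.rs
+++ b/privaxy/src/server/configuration/network.rs
@@ -8,7 +8,7 @@
 
 use super::ConfigurationResult;
 use openssl::{
-asn1::Asn1Time,
+asn1::{Asn1Time, Asn1TimeRef},
 bn::{BigNum, MsbOption},
 hash::MessageDigest,
 pkey::{PKey, PKeyRef, Private},
@@ -230,8 +230,29 @@
 ca_cert: X509,
 ca_key: PKey<Private>,
 ) -> ConfigurationResult<X509> {
-if let Ok(cert) = self.get_tls_cert().await {
-Ok(cert)
+if let Ok(mut cert) = self.get_tls_cert().await {
+let curtime = SystemTime::now()
+.duration_since(UNIX_EPOCH)
+.unwrap()
+.as_secs() as i64;
+let current_asn1_time = Asn1Time::from_unix(curtime)?;
+let expiry = cert.not_after();
+match current_asn1_time.compare(expiry).unwrap() {
+std::cmp::Ordering::Greater | std::cmp::Ordering::Equal => {
+let tls_key = self.get_tls_key().await.unwrap();
+if ca_cert.verify(&tls_key).unwrap() {
+log::info!("Current TLS certificate has expired, generating new one.");
+cert = self
+.gen_self_signed_tls_cert(ca_cert, ca_key)
+.await
+.unwrap();
+} else {
+log::warn!("TLS certificate is expired.");
+};
+Ok(cert)
+}
+std::cmp::Ordering::Less => Ok(cert),
+}
 } else {
 self.gen_self_signed_tls_cert(ca_cert, ca_key).await
 }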
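Review bot: The expiry-renewal arm (`Ordering::Greater | Ordering::Equal`) calls `.unwrap()` on `compare`, `get_tls_key`, `verify` and `gen_self_signed_tls_cert` inside a function that already returns `ConfigurationResult<X509>` and already uses `?` on `Asn1Time::from_unix`, so a failed key load or certificate generation panics the server instead of surfacing as a configuration error; `?` should be used throughout (with a `map_err` on `get_tls_key` if its error type does not convert). The `ca_cert.verify(&tls_key)` gate also reads as checking that the CA certificate carries a signature valid under the TLS key, not that the stored certificate was issued by this CA, which would presumably be `cert.verify(&ca_key)` — confirm the intent, and note that when the check is false the expired certificate is still returned as `Ok(cert)` with only a warning, so clients keep being served an expired leaf. `Asn1TimeRef`, added to the import in the first hunk, is not used by the new code (clippy reports it) and can be dropped. The enclosing function's signature starts outside the hunk.
```rust
match current_asn1_time.compare(expiry)? {
    std::cmp::Ordering::Greater | std::cmp::Ordering::Equal => {
        let tls_key = self.get_tls_key().await?;
        if ca_cert.verify(&tls_key)? {
            log::info!("Current TLS certificate has expired, generating new one.");
            cert = self.gen_self_signed_tls_cert(ca_cert, ca_key).await?;
        } else {
            log::warn!("TLS certificate is expired.");
        }
        Ok(cert)
    }
    // … unchanged: Less arm and the else branch …
```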
4 changes: 2 additions & 2 deletions privaxy/src/server/lib.rs
Expand Up @@ -19,7 +19,6 @@ use std::time::Duration;
use tokio::signal::unix::{signal, SignalKind};
use tokio::sync::broadcast;
use tokio::sync::Notify;

pub mod blocker;
mod blocker_utils;
mod ca;
Expand Down Expand Up @@ -244,17 +243,18 @@ async fn privaxy_frontend(
configuration_save_lock: Arc<tokio::sync::Mutex<()>>,
notify_reload: Arc<tokio::sync::Notify>,
) {
let config = read_configuration(&configuration_save_lock).await;
let frontend = web_gui::get_frontend(
broadcast_tx.clone(),
statistics.clone(),
&block_disable_ref,
&configuration_updater_tx,
&configuration_save_lock,
&local_exclusion_store,
config.network.tls,
notify_reload.clone(),
);
let frontend_server = warp::serve(frontend);
let config = read_configuration(&configuration_save_lock).await;
let ip = env_or_config_ip(&config.network).await;
let web_api_server_addr = SocketAddr::from((ip, config.network.web_port));
if config.network.tls {
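Review bot: The `tls` flag now passed to `get_frontend` is sampled from the single `read_configuration` call moved to the top of `privaxy_frontend`, while the same call hands over `configuration_updater_tx` and `notify_reload`; if the TLS setting can change through that reload path, the header policy chosen inside `get_frontend` will not follow it until the process restarts. If that is the intended behaviour, a comment on the new argument such as `config.network.tls, // sampled once at startup; not re-evaluated on reload` makes it explicit. Moving `read_configuration` ahead of `get_frontend` is otherwise sound, since the later `ip` and `web_port` reads use the same value. `privaxy_frontend`'s signature and body continue outside the hunk.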
23 changes: 18 additions & 5 deletions privaxy/src/server/web_gui/mod.rs
Expand Up @@ -31,10 +31,10 @@ pub(crate) fn get_frontend(
configuration_updater_sender: &Sender<Configuration>,
configuration_save_lock: &Arc<tokio::sync::Mutex<()>>,
local_exclusions_store: &LocalExclusionStore,
tls: bool,
notify_reload: Arc<Notify>,
) -> BoxedFilter<(impl warp::Reply,)> {
) -> impl Filter<Extract = impl warp::Reply, Error = warp::Rejection> + Clone {
let static_files_routes = create_static_routes();

let cors = warp::cors()
.allow_any_origin()
.allow_methods(vec!["GET", "PUT", "POST", "DELETE"])
Expand All @@ -43,7 +43,6 @@ pub(crate) fn get_frontend(
http::header::CONTENT_LENGTH,
http::header::DATE,
]);

let http_client = reqwest::Client::new();

let api_routes = create_api_routes(
Expand All @@ -56,8 +55,22 @@ pub(crate) fn get_frontend(
http_client,
notify_reload,
);

api_routes.or(static_files_routes).with(cors).boxed()
let routes = api_routes.or(static_files_routes);
let mut headers = warp::http::HeaderMap::new();
if tls {
headers.insert(
"Strict-Transport-Security",
"max-age=31536000; includeSubDomains".parse().unwrap(),
);
headers.insert(
"Content-Security-Policy",
"upgrade-insecure-requests".parse().unwrap(),
);
};
routes
.with(cors)
.with(warp::reply::with::headers(headers))
.boxed()
}

fn create_static_routes() -> BoxedFilter<(impl warp::Reply,)> {
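Review bot: The two `headers.insert` calls in the last hunk build header names from string literals and header values through `.parse().unwrap()`; since both names and values are constants, `http::header::STRICT_TRANSPORT_SECURITY` / `http::header::CONTENT_SECURITY_POLICY` (the file already uses `http::header::CONTENT_LENGTH`) and `HeaderValue::from_static` give the same result without a runtime parse or an unwrap. The `};` closing the `if tls` block is a stray statement terminator that clippy will flag. On the policy itself, `includeSubDomains` makes every subdomain of whatever host name serves this GUI HTTPS-only for a year, which is a wide scope for a proxy admin page; if the GUI is normally reached via a bare IP, browsers ignore HSTS anyway, so consider whether the directive is wanted and document the choice in a comment next to the value.
```rust
let mut headers = warp::http::HeaderMap::new();
if tls {
    headers.insert(
        http::header::STRICT_TRANSPORT_SECURITY,
        http::HeaderValue::from_static("max-age=31536000; includeSubDomains"),
    );
    headers.insert(
        http::header::CONTENT_SECURITY_POLICY,
        http::HeaderValue::from_static("upgrade-insecure-requests"),
    );
}
// … unchanged: routes.with(cors).with(warp::reply::with::headers(headers)).boxed() …
```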