studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
be542da6e4f9e1af3441fb203a28523f0b4c36f0
tuwunel/src/service/client/mod.rs
Jason Volk be542da6e4 Re-export Either from tuwunel_core. 
Signed-off-by: Jason Volk <jason@zemos.net>
2026-01-24 08:19:41 +00:00

244 lines
7.1 KiB
Rust
Raw Blame History

use std::{
sync::{Arc, LazyLock},
time::Duration,
};
use ipaddress::IPAddress;
use reqwest::{dns::Resolve, redirect};
use tuwunel_core::{Config, Result, either::Either, err, implement, trace};
use crate::{service, services::OnceServices};
type ClientLazylock = LazyLock<reqwest::Client, Box<dyn FnOnce() -> reqwest::Client + Send>>;
pub struct Service {
pub default: ClientLazylock,
pub url_preview: ClientLazylock,
pub extern_media: ClientLazylock,
pub well_known: ClientLazylock,
pub federation: ClientLazylock,
pub synapse: ClientLazylock,
pub sender: ClientLazylock,
pub appservice: ClientLazylock,
pub pusher: ClientLazylock,
pub oauth: ClientLazylock,
pub cidr_range_denylist: Vec<IPAddress>,
}
impl crate::Service for Service {
fn build(args: &crate::Args<'_>) -> Result<Arc<Self>> {
let config = &args.server.config;
macro_rules! create_client {
($config:ident, $services:ident; $expr:expr) => {{
fn make($services: Arc<OnceServices>) -> Result<reqwest::Client> {
let $config = &$services.server.config;
Ok($expr.build()?)
}
let services = Arc::clone(args.services);
LazyLock::new(Box::new(|| make(services).unwrap()))
}};
}
Ok(Arc::new(Self {
default: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver))),
url_preview: create_client!(config, services; {
let url_preview_bind_addr = config
.url_preview_bound_interface
.clone()
.and_then(Either::left);
let url_preview_bind_iface = config
.url_preview_bound_interface
.clone()
.and_then(Either::right);
base(config)
.and_then(|builder| {
builder_interface(builder, url_preview_bind_iface.as_deref())
})?
.local_address(url_preview_bind_addr)
.dns_resolver2(Arc::clone(&services.resolver.resolver))
.redirect(redirect::Policy::limited(3))
}),
extern_media: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver))
.redirect(redirect::Policy::limited(3))),
well_known: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver))
.connect_timeout(Duration::from_secs(config.well_known_conn_timeout))
.read_timeout(Duration::from_secs(config.well_known_timeout))
.timeout(Duration::from_secs(config.well_known_timeout))
.pool_max_idle_per_host(0)
.redirect(redirect::Policy::limited(4))),
federation: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver.hooked))
.read_timeout(Duration::from_secs(config.federation_timeout))
.pool_max_idle_per_host(config.federation_idle_per_host.into())
.pool_idle_timeout(Duration::from_secs(config.federation_idle_timeout))
.redirect(redirect::Policy::limited(3))),
synapse: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver.hooked))
.read_timeout(Duration::from_secs(305))
.pool_max_idle_per_host(0)
.redirect(redirect::Policy::limited(3))),
sender: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver.hooked))
.read_timeout(Duration::from_secs(config.sender_timeout))
.timeout(Duration::from_secs(config.sender_timeout))
.pool_max_idle_per_host(1)
.pool_idle_timeout(Duration::from_secs(config.sender_idle_timeout))
.redirect(redirect::Policy::limited(2))),
appservice: create_client!(config, services; base(config)?
.dns_resolver2(appservice_resolver(&services))
.connect_timeout(Duration::from_secs(5))
.read_timeout(Duration::from_secs(config.appservice_timeout))
.timeout(Duration::from_secs(config.appservice_timeout))
.pool_max_idle_per_host(1)
.pool_idle_timeout(Duration::from_secs(config.appservice_idle_timeout))
.redirect(redirect::Policy::limited(2))),
pusher: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver))
.pool_max_idle_per_host(1)
.pool_idle_timeout(Duration::from_secs(config.pusher_idle_timeout))
.redirect(redirect::Policy::limited(2))),
oauth: create_client!(config, services; base(config)?
.dns_resolver2(Arc::clone(&services.resolver.resolver))
.redirect(redirect::Policy::limited(0))
.pool_max_idle_per_host(1)),
cidr_range_denylist: config
.ip_range_denylist
.iter()
.map(IPAddress::parse)
.inspect(|cidr| trace!("Denied CIDR range: {cidr:?}"))
.collect::<Result<_, String>>()
.map_err(|e| err!(Config("ip_range_denylist", e)))?,
}))
}
fn name(&self) -> &str { service::make_name(std::module_path!()) }
}
fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
let mut builder = reqwest::Client::builder()
.hickory_dns(true)
.connect_timeout(Duration::from_secs(config.request_conn_timeout))
.read_timeout(Duration::from_secs(config.request_timeout))
.timeout(Duration::from_secs(config.request_total_timeout))
.pool_idle_timeout(Duration::from_secs(config.request_idle_timeout))
.pool_max_idle_per_host(config.request_idle_per_host.into())
.user_agent(tuwunel_core::version::user_agent())
.redirect(redirect::Policy::limited(6))
.danger_accept_invalid_certs(config.allow_invalid_tls_certificates)
.connection_verbose(cfg!(debug_assertions));
#[cfg(feature = "gzip_compression")]
{
builder = if config.gzip_compression {
builder.gzip(true)
} else {
builder.gzip(false).no_gzip()
};
};
#[cfg(feature = "brotli_compression")]
{
builder = if config.brotli_compression {
builder.brotli(true)
} else {
builder.brotli(false).no_brotli()
};
};
#[cfg(feature = "zstd_compression")]
{
builder = if config.zstd_compression {
builder.zstd(true)
} else {
builder.zstd(false).no_zstd()
};
};
#[cfg(not(feature = "gzip_compression"))]
{
builder = builder.no_gzip();
};
#[cfg(not(feature = "brotli_compression"))]
{
builder = builder.no_brotli();
};
#[cfg(not(feature = "zstd_compression"))]
{
builder = builder.no_zstd();
};
match config.proxy.to_proxy()? {
| Some(proxy) => Ok(builder.proxy(proxy)),
| _ => Ok(builder),
}
}
#[cfg(any(
target_os = "android",
target_os = "fuchsia",
target_os = "linux"
))]
fn builder_interface(
builder: reqwest::ClientBuilder,
config: Option<&str>,
) -> Result<reqwest::ClientBuilder> {
if let Some(iface) = config {
Ok(builder.interface(iface))
} else {
Ok(builder)
}
}
#[cfg(not(any(
target_os = "android",
target_os = "fuchsia",
target_os = "linux"
)))]
fn builder_interface(
builder: reqwest::ClientBuilder,
config: Option<&str>,
) -> Result<reqwest::ClientBuilder> {
use tuwunel_core::Err;
if let Some(iface) = config {
Err!("Binding to network-interface {iface:?} by name is not supported on this platform.")
} else {
Ok(builder)
}
}
fn appservice_resolver(services: &Arc<OnceServices>) -> Arc<dyn Resolve> {
if services.server.config.dns_passthru_appservices {
services.resolver.resolver.passthru.clone()
} else {
services.resolver.resolver.clone()
}
}
#[inline]
#[must_use]
#[implement(Service)]
pub fn valid_cidr_range(&self, ip: &IPAddress) -> bool {
self.cidr_range_denylist
.iter()
.all(|cidr| !cidr.includes(ip))
}
Reference in New Issue View Git Blame Copy Permalink