Update axum-server to 0.8; switch to axum unix listener.

Author: dasha-uwu

Cargo.lock

@@ -82,11 +82,12 @@ features = [
 ]
 
 [workspace.dependencies.axum-server]
-version = "0.7"
+version = "0.8"
 default-features = false
 
 [workspace.dependencies.axum-server-dual-protocol]
-version = "0.7"
+git = "https://github.com/matrix-construct/axum-server-dual-protocol"
+rev = "76c782fa6f129f83ffdca59e903093e798d4a82f"
 default-features = false
 
 [workspace.dependencies.base64]
@@ -201,15 +202,6 @@ features = [
 	"http2",
 ]
 
-[workspace.dependencies.hyper-util]
-version = "0.1.20"
-default-features = false
-features = [
-	"server-auto",
-	"server-graceful",
-	"tokio",
-]
-
 [workspace.dependencies.image]
 version = "0.25"
 default-features = false

Cargo.toml

@@ -1,11 +1,10 @@
 use std::env::consts::OS;
 
 use either::Either;
-use figment::Figment;
 use itertools::Itertools;
 
 use super::{DEPRECATED_KEYS, IdentityProvider};
-use crate::{Config, Err, Result, Server, debug, debug_info, debug_warn, error, warn};
+use crate::{Config, Err, Result, Server, debug, debug_info, error, warn};
 
 /// Performs check() with additional checks specific to reloading old config
 /// with new config.
@@ -24,9 +23,8 @@ pub fn reload(old: &Config, new: &Config) -> Result {
 }
 
 pub fn check(config: &Config) -> Result {
-	if cfg!(debug_assertions) {
-		warn!("Note: tuwunel was built without optimisations (i.e. debug build)");
-	}
+	#[cfg(debug_assertions)]
+	warn!("Note: tuwunel was built without optimisations (i.e. debug build)");
 
 	warn_deprecated(config);
 	warn_unknown_key(config)?;
@@ -38,27 +36,39 @@ pub fn check(config: &Config) -> Result {
 		));
 	}
 
-	if cfg!(all(feature = "hardened_malloc", feature = "jemalloc", not(target_env = "msvc"))) {
-		debug_warn!(
-			"hardened_malloc and jemalloc compile-time features are both enabled, this causes \
-			 jemalloc to be used."
-		);
-	}
+	#[cfg(all(
+		feature = "hardened_malloc",
+		feature = "jemalloc",
+		not(target_env = "msvc")
+	))]
+	debug_warn!(
+		"hardened_malloc and jemalloc compile-time features are both enabled, this causes \
+		 jemalloc to be used."
+	);
 
-	if cfg!(not(unix)) && config.unix_socket_path.is_some() {
+	#[cfg(not(unix))]
+	if config.unix_socket_path.is_some() {
 		return Err!(Config(
 			"unix_socket_path",
 			"UNIX socket support is only available on *nix platforms. Please remove \
 			 'unix_socket_path' from your config."
 		));
 	}
 
-	if config.unix_socket_path.is_none() && config.get_bind_hosts().is_empty() {
-		return Err!(Config("address", "No TCP addresses were specified to listen on"));
+	if config.unix_socket_path.is_none() {
+		if config.get_bind_hosts().is_empty() {
+			return Err!(Config("address", "No TCP addresses were specified to listen on"));
+		}
+
+		if config.get_bind_ports().is_empty() {
+			return Err!(Config("port", "No ports were specified to listen on"));
+		}
 	}
 
-	if config.unix_socket_path.is_none() && config.get_bind_ports().is_empty() {
-		return Err!(Config("port", "No ports were specified to listen on"));
+	let certs_set = config.tls.certs.is_some();
+	let key_set = config.tls.key.is_some();
+	if certs_set ^ key_set {
+		return Err!(Config("tls", "tls.certs and tls.key must either both be set or unset"));
 	}
 
 	if !config.listening {
@@ -115,7 +125,8 @@ pub fn check(config: &Config) -> Result {
 	}
 
 	// yeah, unless the user built a debug build hopefully for local testing only
-	if cfg!(not(debug_assertions)) && config.server_name == "your.server.name" {
+	#[cfg(not(debug_assertions))]
+	if config.server_name == "your.server.name" {
 		return Err!(Config(
 			"server_name",
 			"You must specify a valid server name for production usage of tuwunel."
@@ -412,18 +423,3 @@ fn warn_unknown_key(config: &Config) -> Result {
 		Ok(())
 	}
 }
-
-/// Checks the presence of the `address` and `unix_socket_path` keys in the
-/// raw_config, exiting the process if both keys were detected.
-pub(super) fn is_dual_listening(raw_config: &Figment) -> Result {
-	let contains_address = raw_config.contains("address");
-	let contains_unix_socket = raw_config.contains("unix_socket_path");
-	if contains_address && contains_unix_socket {
-		return Err!(
-			"TOML keys \"address\" and \"unix_socket_path\" were both defined. Please specify \
-			 only one option."
-		);
-	}
-
-	Ok(())
-}

src/core/config/check.rs

@@ -106,8 +106,8 @@ pub struct Config {
 	/// "::1"]
 	///
 	/// default: ["127.0.0.1", "::1"]
-	#[serde(default = "default_address")]
-	address: ListeningAddr,
+	#[serde(default)]
+	address: Option<ListeningAddr>,
 
 	/// The port(s) tuwunel will listen on.
 	///
@@ -129,9 +129,6 @@ pub struct Config {
 
 	/// The UNIX socket tuwunel will listen on.
 	///
-	/// tuwunel cannot listen on both an IP address and a UNIX socket. If
-	/// listening on a UNIX socket, you MUST remove/comment the `address` key.
-	///
 	/// Remember to make sure that your reverse proxy has access to this socket
 	/// file, either by adding your reverse proxy to the 'tuwunel' group or
 	/// granting world R/W permissions with `unix_socket_perms` (666 minimum).
@@ -3009,18 +3006,24 @@ impl Config {
 			.extract::<Self>()
 			.map_err(|e| err!("There was a problem with your configuration file: {e}"))?;
 
-		// don't start if we're listening on both UNIX sockets and TCP at same time
-		check::is_dual_listening(raw_config)?;
-
 		Ok(config)
 	}
 
+	pub fn get_unix_socket_perms(&self) -> Result<u32> {
+		let octal_perms = self.unix_socket_perms.to_string();
+		let socket_perms = u32::from_str_radix(&octal_perms, 8).map_err(|_| {
+			err!(Config("unix_socket_perms", "failed to convert octal permissions"))
+		})?;
+
+		Ok(socket_perms)
+	}
+
 	#[must_use]
 	pub fn get_bind_addrs(&self) -> Vec<SocketAddr> {
 		let mut addrs = Vec::with_capacity(
 			self.get_bind_hosts()
 				.len()
-				.saturating_add(self.get_bind_ports().len()),
+				.saturating_mul(self.get_bind_ports().len()),
 		);
 		for host in &self.get_bind_hosts() {
 			for port in &self.get_bind_ports() {
@@ -3032,9 +3035,15 @@ impl Config {
 	}
 
 	fn get_bind_hosts(&self) -> Vec<IpAddr> {
-		match &self.address.addrs {
-			| Left(addr) => vec![*addr],
-			| Right(addrs) => addrs.clone(),
+		if let Some(address) = &self.address {
+			match &address.addrs {
+				| Left(addr) => vec![*addr],
+				| Right(addrs) => addrs.clone(),
+			}
+		} else if self.unix_socket_path.is_some() {
+			vec![]
+		} else {
+			vec![Ipv4Addr::LOCALHOST.into(), Ipv6Addr::LOCALHOST.into()]
 		}
 	}
 
@@ -3055,12 +3064,6 @@ fn default_server_name() -> OwnedServerName { ruma::owned_server_name!("localhos
 
 fn default_database_path() -> PathBuf { "/var/lib/tuwunel".to_owned().into() }
 
-fn default_address() -> ListeningAddr {
-	ListeningAddr {
-		addrs: Right(vec![Ipv4Addr::LOCALHOST.into(), Ipv6Addr::LOCALHOST.into()]),
-	}
-}
-
 fn default_port() -> ListeningPort { ListeningPort { ports: Left(8008) } }
 
 fn default_unix_socket_perms() -> u32 { 660 }

src/core/config/mod.rs

@@ -115,7 +115,6 @@ futures.workspace = true
 http.workspace = true
 http-body-util.workspace = true
 hyper.workspace = true
-hyper-util.workspace = true
 log.workspace = true
 ruma.workspace = true
 rustls.workspace = true

src/router/Cargo.toml

@@ -0,0 +1,27 @@
+use std::time::Duration;
+
+use axum_server::Handle;
+
+#[derive(Clone)]
+pub(crate) struct ServerHandle {
+	pub(crate) handle_ip: Handle<std::net::SocketAddr>,
+	#[cfg(unix)]
+	pub(crate) handle_unix: Handle<std::os::unix::net::SocketAddr>,
+}
+
+impl ServerHandle {
+	pub(crate) fn new() -> Self {
+		Self {
+			handle_ip: Handle::<std::net::SocketAddr>::new(),
+			#[cfg(unix)]
+			handle_unix: Handle::<std::os::unix::net::SocketAddr>::new(),
+		}
+	}
+
+	pub(crate) fn graceful_shutdown(&self, duration: Option<Duration>) {
+		self.handle_ip.graceful_shutdown(duration);
+
+		#[cfg(unix)]
+		self.handle_unix.graceful_shutdown(duration);
+	}
+}

src/router/handle.rs

@@ -1,6 +1,7 @@
 #![type_length_limit = "32768"] //TODO: reduce me
 #![expect(clippy::duration_suboptimal_units)] // remove after MSRV 1.91
 
+mod handle;
 mod layers;
 mod request;
 mod router;