feat(cichlid-api): enable HTTPS with CA, cert, and key

Update API server to use HTTPS by:
- Loading CA certificate for HTTP client trust
- Creating SSL acceptor with certificate and private key
- Serving requests over TLS instead of plain HTTP

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-03-12 16:28:55 +02:00
parent 8b00e6eb0a
commit a74ad747fa


@@ -11,6 +11,7 @@ use std::{
};
use tracing::{error, info};
use openssl::x509::X509;
use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
/// Type of PEM file to get the default path for
#[derive(Debug, Clone, Copy)]
@@ -176,12 +177,36 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
return Err(e.into());
}
// Load CA certificate for HTTP client
let ca_cert = std::fs::read_to_string(&args.ca_cert_path)
.map_err(|e| format!("Failed to read CA certificate: {}", e))?;
let http_client = reqwest::Client::builder()
.timeout(std::time::Duration::from_secs(30))
.add_root_certificate(
reqwest::Certificate::from_pem(ca_cert.as_bytes())
.map_err(|e| format!("Failed to load CA certificate: {}", e))?
)
.build()?;
let state = AppState { http_client };
// Create SSL acceptor
let mut builder = SslAcceptor::mozilla_intermediate(SslMethod::tls())
.map_err(|e| format!("Failed to create SSL builder: {}", e))?;
builder
.set_ca_file(&args.ca_cert_path)
.map_err(|e| format!("Failed to set CA file: {}", e))?;
builder
.set_certificate_file(&args.host_cert_path, SslFiletype::PEM)
.map_err(|e| format!("Failed to set certificate file: {}", e))?;
builder
.set_private_key_file(&args.host_key_path, SslFiletype::PEM)
.map_err(|e| format!("Failed to set private key file: {}", e))?;
let app = Router::new()
.route("/health", get(handlers::health::health))
.route("/peers", get(handlers::peers::peers))
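Review bot: The `builder.set_ca_file(&args.ca_cert_path)` call installs a trust store on the acceptor, but nothing enables peer verification, and `SslAcceptor::mozilla_intermediate` does not request client certificates by default, so the CA file has no effect on which clients may connect. If the CA is meant to authenticate clients (mutual TLS), add `builder.set_verify(SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT);` right after it (importing `openssl::ssl::SslVerifyMode`); if it is not, the call is dead and should be dropped or given a comment saying why it stays. A certificate that does not match the private key would also surface only at the first handshake rather than at startup; `builder.check_private_key().map_err(|e| format!("Certificate and private key do not match: {}", e))?;` after the `set_private_key_file` call reports it immediately. The enclosing `main` starts and ends outside this hunk.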
@@ -189,7 +214,8 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
info!("cichlid api listening on {}", args.listen);
let listener = tokio::net::TcpListener::bind(&args.listen).await?;
axum::serve(listener, app).await?;
let ssl_listener = builder.build(listener);
axum::serve(ssl_listener, app).await?;
Ok(())
}
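Review bot: `builder.build(listener)` on the new `let ssl_listener` line does not match the openssl crate's `SslAcceptorBuilder::build`, which takes no argument and returns an `SslAcceptor`, and `axum::serve` expects a listener type rather than an acceptor; unless a local extension trait supplies this method, the line will not compile, and since the old `axum::serve(listener, app)` line is removed the service would then not start at all. The usual shape is to keep the `TcpListener`, call `builder.build()` once, and in an accept loop wrap each accepted `TcpStream` with the acceptor (what `tokio-openssl` or `axum-server`'s OpenSSL support does) before handing the stream to the router, so this should be verified with a build before merge. The `info!` line still reads `listening on` with no scheme; `info!("cichlid api listening on https://{}", args.listen);` makes the switch to TLS visible in logs. The enclosing `main` starts outside this hunk.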