Private upstream

[weishiuchang]

We have a private upstream server hosting index/crates that I'd like to use crates-io-proxy to cache locally.

Unfortunately it is tls protected using a private CA, which ureq fails at with "tls connection init failed: invalid peer certificate: UnknownIssuer".

A cursory examination shows crates-io-proxy is using ureq with webpki-root default which bakes in the CA certs into the binary. Is it possible to use rustls-native-certs instead as descibed at https://github.com/algesten/ureq#trusted-roots ? Not sure if there's a install feature flag I missed with crates-io-proxy.

[ravenexp]

I can add a feature flag like "native-certs", which will be off by default. Are you ok with building your own executable binary since the pre-built container image will still use the default flags?

BTW, the server end of crates-io-proxy does not support TLS at all, only plaintext HTTP. You should take this into account as well when designing your setup.

[weishiuchang]

Sure, a feature flag would be fine. I'm not familiar enough with rust binaries to know if cargo install supports feature flags, but I know cargo build does, which works well enough for my needs.

And thanks for the heads up on crates-io-proxy not supporting TLS. I'm running it behind a reverse proxy (traefik) that takes care of the tls termination, and I'm assuming(?) the --proxy-url lets me set the exposed public url of crates-io-proxy to the ingress so that should just work. Appreciate the crate!

[ravenexp]

Can you please test that #3 indeed solves your issue?

Build it with

cargo build -F native-certs

[weishiuchang]

Thanks @ravenexp ! I should be able to test it soon and let you know.

[weishiuchang]

Sorry the validation took longer than I expected. #3 did indeed solve my issue - It is now reading the system CAs as expected. Many thanks!

[ravenexp]

Thanks, I'll then merge this PR and prepare a new minor version release soon.

BTW, out of curiosity, does you private registry support the sparse index protocol or does it use the git index?
I'm planning to only support sparse registries starting from the next major release, but I'm interested in getting user feedback before fully commiting to it.

[weishiuchang]

We're actually right in the middle of a transition from git index to cargo's sparse protocol. The git index is just too heavy/slow.