Private upstream #2

Closed
weishiuchang opened this issue Apr 29, 2024 · 7 comments · Fixed by #3
weishiuchang commented Apr 29, 2024

We have a private upstream server hosting index/crates that I'd like to use crates-io-proxy to cache locally.

Unfortunately it is tls protected using a private CA, which ureq fails at with "tls connection init failed: invalid peer certificate: UnknownIssuer".

A cursory examination shows crates-io-proxy is using ureq with webpki-root default which bakes in the CA certs into the binary. Is it possible to use rustls-native-certs instead as described at https://github.com/algesten/ureq#trusted-roots? Not sure if there's an install feature flag I missed with crates-io-proxy.
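The failure reported above can be reproduced offline as an added example (not part of the original thread or the project's code): a leaf certificate issued by a private CA fails verification against a root bundle that lacks that CA and passes once the CA is in the trust set. The `openssl` CLI stands in for the TLS client's verifier here, and all names (`example-private-ca`, `example-public-root`, `registry.internal.example`) are constructed.

```bash
#!/usr/bin/env bash
# Added example: private-CA trust failure, reproduced with throwaway certificates.
# Assumes the openssl CLI is installed; every subject name below is constructed.

# make_pki DIR: create a private CA, an unrelated "public" root, and a leaf
# certificate for the registry host signed by the private CA.
make_pki() {
  local d="$1"
  # Private root CA, like the one fronting the internal registry.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-private-ca" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  # Unrelated root standing in for a root bundle compiled into a binary.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example-public-root" \
    -keyout "$d/pub.key" -out "$d/public-roots.pem" 2>/dev/null &&
  # Leaf key and CSR for the registry host, then signed by the private CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=registry.internal.example" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# chain_trusted BUNDLE CERT: exit 0 only if CERT chains to a root in BUNDLE
# (or in the machine's default store, which never contains the throwaway CA).
chain_trusted() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: verify the same leaf against both trust sets.
demo_dir=$(mktemp -d)
make_pki "$demo_dir"
for bundle in public-roots.pem ca.pem; do
  if chain_trusted "$demo_dir/$bundle" "$demo_dir/leaf.pem"; then
    echo "$bundle: chain verifies"
  else
    echo "$bundle: issuer unknown, verification fails"
  fi
done
rm -rf "$demo_dir"
```

Running `chain_trusted` with the real CA file against the real server certificate is a quick way to confirm the trust set is correct before rebuilding a client to read the system store.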

@ravenexp ravenexp self-assigned this Apr 29, 2024
@ravenexp
Owner

I can add a feature flag like "native-certs", which will be off by default. Are you ok with building your own executable binary since the pre-built container image will still use the default flags?

BTW, the server end of crates-io-proxy does not support TLS at all, only plaintext HTTP. You should take this into account as well when designing your setup.

@weishiuchang
Author

Sure, a feature flag would be fine. I'm not familiar enough with rust binaries to know if cargo install supports feature flags, but I know cargo build does, which works well enough for my needs.

And thanks for the heads up on crates-io-proxy not supporting TLS. I'm running it behind a reverse proxy (traefik) that takes care of the tls termination, and I'm assuming(?) the --proxy-url lets me set the exposed public url of crates-io-proxy to the ingress so that should just work. Appreciate the crate!

@ravenexp
Owner

Can you please test that #3 indeed solves your issue?

Build it with

cargo build -F native-certs

@weishiuchang
Author

Thanks @ravenexp ! I should be able to test it soon and let you know.

@weishiuchang
Author

Sorry the validation took longer than I expected. #3 did indeed solve my issue - It is now reading the system CAs as expected. Many thanks!

@ravenexp
Owner

Thanks, I'll then merge this PR and prepare a new minor version release soon.

BTW, out of curiosity, does your private registry support the sparse index protocol or does it use the git index?
I'm planning to only support sparse registries starting from the next major release, but I'm interested in getting user feedback before fully committing to it.

@weishiuchang
Author

We're actually right in the middle of a transition from git index to cargo's sparse protocol. The git index is just too heavy/slow.
