
Commit 4cc20bc

committed
wip: enable ec2 proxy to terminate tls
1 parent 5af81d7 commit 4cc20bc

6 files changed

Lines changed: 135 additions & 84 deletions


Cargo.lock

Lines changed: 36 additions & 73 deletions

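--- a/src/aws/cloudformation.rs
+++ b/src/aws/cloudformation.rs
@@ -20,6 +20,9 @@ pub struct CloudFormationTemplate {
     pub use_cloudfront: bool,
     pub wg_proxy_ip: String,
     pub wg_origin_ip: String,
+    pub enable_tls: bool,
+    pub acme_domain: Option<String>,
+    pub acme_email: Option<String>,
 }
 
 impl CloudFormationTemplate {
@@ -337,6 +340,17 @@ impl CloudFormationTemplate {
             }),
         ];
 
+        // Add HTTP rule for ACME HTTP-01 challenge if TLS is enabled
+        if self.enable_tls {
+            rules.push(json!({
+                "IpProtocol": "tcp",
+                "FromPort": 80,
+                "ToPort": 80,
+                "CidrIp": "0.0.0.0/0",
+                "Description": "HTTP for ACME challenge"
+            }));
+        }
+
         // Add rules for each port mapping
         for (port, protocol) in &self.port_mappings {
             rules.push(json!({
@@ -413,6 +427,10 @@ impl CloudFormationTemplate {
                 "debug = false",
                 &format!("debug = {}", if self.debug { "true" } else { "false" }),
             )
+            .replace(
+                "enableTls = {ENABLE_TLS}",
+                &format!("enableTls = {}", if self.enable_tls { "true" } else { "false" }),
+            )
             .replace("{PROXY_WG_PRIVATE_KEY}", &self.proxy_wg_private_key)
             .replace("{PORT_MAPPINGS}", &port_mappings_nix)
             .replace("{ORIGIN_WG_PUBLIC_KEY}", &self.origin_wg_public_key)
@@ -421,7 +439,9 @@ impl CloudFormationTemplate {
             .replace("{PROXY_IP}", &self.wg_proxy_ip)
             .replace("{SUBNET}", &subnet)
             .replace("{STACK_NAME}", &self.stack_name)
-            .replace("{REGION}", &self.region);
+            .replace("{REGION}", &self.region)
+            .replace("{ACME_DOMAIN}", &self.acme_domain.clone().unwrap_or_default())
+            .replace("{ACME_EMAIL}", &self.acme_email.clone().unwrap_or_default());
 
         json!(nix_config)
     }
@@ -452,6 +472,9 @@ mod tests {
             use_cloudfront: false,
             wg_proxy_ip: "172.17.0.1".to_string(),
             wg_origin_ip: "172.17.0.2".to_string(),
+            enable_tls: false,
+            acme_domain: None,
+            acme_email: None,
         };
 
         let userdata = template.generate_userdata();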
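Review bot: The `{ACME_DOMAIN}` / `{ACME_EMAIL}` substitutions in the `-421,7 +439,9` hunk silently render an empty string when `enable_tls` is true but `acme_domain` or `acme_email` is `None`, so the instance boots with TLS switched on and no domain for ACME to request a certificate for, and nothing in the struct or the builder rejects that combination. The hunk's method starts outside the view and its return type is not visible, so the minimal fix is to fail loudly before the replace chain, e.g. `assert!(!self.enable_tls || (self.acme_domain.is_some() && self.acme_email.is_some()), "enable_tls requires acme_domain and acme_email");`, or to return an error if the method already returns `Result`; longer term, a `tls: Option<AcmeConfig>` field would make the invalid state unrepresentable. The two replace lines can also drop the allocation: `.replace("{ACME_DOMAIN}", self.acme_domain.as_deref().unwrap_or(""))` and `.replace("{ACME_EMAIL}", self.acme_email.as_deref().unwrap_or(""))`. Because both values are interpolated verbatim into the generated Nix configuration, it is worth validating the domain as a hostname (no whitespace or quote characters) where the values are parsed, and a second test case with `enable_tls: true` asserting that the port 80 rule and `enableTls = true` appear in the output would cover the new branch, which the `mod tests` hunk currently leaves untested.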
