5 changes: 2 additions & 3 deletions pingora-cache/src/cache_control.rs
@@ -1,4 +1,4 @@
// Copyright 2026 Cloudflare, Inc.
//! Copyright 2026 Cloudflare, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand All @@ -12,8 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

//! Functions and utilities to help parse Cache-Control headers

/// Functions and utilities to help parse Cache-Control headers
use super::*;

use http::header::HeaderName;
7 changes: 6 additions & 1 deletion pingora-core/src/listeners/mod.rs
Expand Up @@ -188,9 +188,14 @@ impl TransportStackBuilder {
#[cfg(windows)]
let l4 = builder.listen().await?;

let tls_val = match self.tls.take() {
Some(tls) => Some(Arc::new(tls.build()?)),
None => None,
};

Ok(TransportStack {
l4,
tls: self.tls.take().map(|tls| Arc::new(tls.build())),
tls: tls_val,
l4_buffer: self.l4_buffer,
pre_tls_callback: self.pre_tls_callback.clone(),
})
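Review bot: The `match` on `self.tls.take()` at the top of the hunk hand-rolls an `Option<Result>` transpose, and the temporary `tls_val` is used exactly once, in the struct literal below it. `tls: self.tls.take().map(|tls| tls.build().map(Arc::new)).transpose()?,` expresses the same thing in place and keeps the `?` where the error actually surfaces. The enclosing function starts before the hunk and its closing brace is after it.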
6 changes: 3 additions & 3 deletions pingora-core/src/listeners/tls/boringssl_openssl/mod.rs
Expand Up @@ -129,11 +129,11 @@ impl TlsSettings {
}
}

pub(crate) fn build(self) -> Acceptor {
Acceptor {
pub(crate) fn build(self) -> Result<Acceptor> {
Ok(Acceptor {
ssl_acceptor: self.accept_builder.build(),
callbacks: self.callbacks,
}
})
}
}

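Review bot: `build` now returns `Result<Acceptor>` but its body contains no fallible call — `self.accept_builder.build()` is used without `?` and the struct is wrapped in `Ok` directly — so a reader will look for an error path that does not exist. A one-line doc comment makes the intent explicit: `/// Builds the TLS acceptor; this backend has no failure path and returns Result only to match the rustls and s2n backends.` The enclosing `impl TlsSettings` continues outside the hunk.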
21 changes: 14 additions & 7 deletions pingora-core/src/listeners/tls/rustls/mod.rs
Expand Up @@ -18,7 +18,7 @@ use crate::listeners::TlsAcceptCallbacks;
use crate::protocols::tls::{server::handshake, server::handshake_with_callback, TlsStream};
use log::debug;
use pingora_error::ErrorType::InternalError;
use pingora_error::{Error, OrErr, Result};
use pingora_error::{Error, ErrorSource, ErrorType, ImmutStr, OrErr, Result, RetryType};
use pingora_rustls::load_certs_and_key_files;
use pingora_rustls::ClientCertVerifier;
use pingora_rustls::ServerConfig;
Expand Down Expand Up @@ -46,17 +46,24 @@ impl TlsSettings {
/// _NOTE_ This function will panic if there is an error in loading
/// certificate files or constructing the builder
///
/// Todo: Return a result instead of panicking XD
pub fn build(self) -> Acceptor {
pub fn build(self) -> Result<Acceptor> {
// rustls 0.23+ requires an explicit CryptoProvider.
pingora_rustls::install_default_crypto_provider();

let Ok(Some((certs, key))) = load_certs_and_key_files(&self.cert_path, &self.key_path)
else {
panic!(
let error_message = format!(
"Failed to load provided certificates \"{}\" or key \"{}\".",
self.cert_path, self.key_path
)
);

return Err(Box::new(Error {
etype: ErrorType::InternalError,
esource: ErrorSource::Internal,
retry: RetryType::Decided(false),
cause: None,
context: Some(ImmutStr::Owned(error_message.into_boxed_str())),
}));
};

let builder =
Expand All @@ -77,10 +84,10 @@ impl TlsSettings {
config.alpn_protocols = alpn_protocols;
}

Acceptor {
Ok(Acceptor {
acceptor: RusTlsAcceptor::from(Arc::new(config)),
callbacks: None,
}
})
}

/// Enable HTTP/2 support for this endpoint, which is default off.
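Review bot: The doc comment kept as context directly above the new signature (`_NOTE_ This function will panic if there is an error in loading certificate files or constructing the builder`) is now wrong for the certificate-loading case, which returns `Err`; the `Todo` line was deleted but the note was not rewritten. Replace it with an `# Errors` section stating that an `InternalError` is returned when the certificate or key files cannot be loaded, and keep a `# Panics` note only if the builder construction between the two hunks (not visible here) still unwraps. Separately, the `let Ok(Some(..)) = … else` pattern folds the `Err(e)` and `Ok(None)` outcomes of `load_certs_and_key_files` into one message with `cause: None`, so the underlying I/O or parse error is dropped at the point where it is most useful; a `match` with separate arms keeps it, and `pingora_error`'s `Error::e_explain`/`Error::e_because` constructors replace the seven-line struct literal (`ErrorType::InternalError` also duplicates the `InternalError` already imported in the first hunk). The function's tail, `Ok(Acceptor {..})`, is in the second hunk.
```rust
    let (certs, key) = match load_certs_and_key_files(&self.cert_path, &self.key_path) {
        Ok(Some(pair)) => pair,
        Ok(None) => {
            return Error::e_explain(
                InternalError,
                format!(
                    "Failed to load provided certificates \"{}\" or key \"{}\".",
                    self.cert_path, self.key_path
                ),
            );
        }
        // keep the loader's own error as the cause (assumes it converts into a boxed std error — confirm)
        Err(e) => {
            return Error::e_because(
                InternalError,
                format!(
                    "Failed to load provided certificates \"{}\" or key \"{}\".",
                    self.cert_path, self.key_path
                ),
                e,
            );
        }
    };
    // … unchanged: builder construction, ALPN setup, Ok(Acceptor { .. }) …
```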
20 changes: 13 additions & 7 deletions pingora-core/src/listeners/tls/s2n/mod.rs
Expand Up @@ -15,7 +15,7 @@
use std::sync::Arc;

use log::debug;
use pingora_error::Result;
use pingora_error::{Error, ErrorSource, ErrorType, ImmutStr, Result, RetryType};
use pingora_s2n::{
load_certs_and_key_files, ClientAuthType, Config, IgnoreVerifyHostnameCallback, S2NPolicy,
TlsAcceptor, DEFAULT_TLS13,
Expand Down Expand Up @@ -43,7 +43,7 @@ pub struct Acceptor {
}

impl TlsSettings {
pub fn build(self) -> Acceptor {
pub fn build(self) -> Result<Acceptor> {
let mut builder = Config::builder();

// Default security policy with TLS 1.3 support
Expand Down Expand Up @@ -82,9 +82,15 @@ impl TlsSettings {
}

if !self.verify_client_hostname {
builder
.set_verify_host_callback(IgnoreVerifyHostnameCallback::new())
.unwrap();
if let Err(_) = builder.set_verify_host_callback(IgnoreVerifyHostnameCallback::new()) {
return Err(Box::new(Error {
etype: ErrorType::InternalError,
esource: ErrorSource::Internal,
retry: RetryType::Decided(false),
cause: None,
context: Some(ImmutStr::from("Failed to verify client hostname")),
}));
}
}

let config = builder.build().unwrap();
Expand All @@ -94,9 +100,9 @@ impl TlsSettings {
security_policy: Some(policy.clone()),
};

Acceptor {
Ok(Acceptor {
acceptor: TlsAcceptor::new(connection_builder),
}
})
}

/// Enable HTTP/2 support for this endpoint, which is default off.
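Review bot: `let config = builder.build().unwrap();` just below the new `if` still panics inside a function that now returns `Result<Acceptor>`, so the move away from panics is incomplete in this backend. The new error path also discards the s2n error with `if let Err(_)` (clippy's `redundant_pattern_matching` would flag this) and labels it `Failed to verify client hostname`, while what actually failed is installing the callback that skips hostname verification; with `cause: None` the reason is then invisible to the operator. If s2n's error type converts into a boxed std error, both sites collapse to one line each with the `OrErr` helper (which this file would need to import from `pingora_error`): `builder.set_verify_host_callback(IgnoreVerifyHostnameCallback::new()).or_err(ErrorType::InternalError, "failed to install verify-host callback")?;` and `let config = builder.build().or_err(ErrorType::InternalError, "failed to build s2n TLS config")?;`. The start of `build` and its `Ok(Acceptor {..})` return are in the neighbouring hunks; the lines between them are not shown.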
4 changes: 2 additions & 2 deletions pingora-core/src/protocols/tls/noop_tls/mod.rs
Expand Up @@ -80,8 +80,8 @@ pub mod listeners {
pub struct TlsSettings;

impl TlsSettings {
pub fn build(&self) -> Acceptor {
Acceptor
pub fn build(&self) -> Result<Acceptor> {
Ok(Acceptor)
}

pub fn intermediate(_: &str, _: &str) -> Result<Self> {
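Review bot: The noop backend's `build` keeps `&self` while the boringssl, rustls and s2n versions changed in this commit all take `self`; the caller in `listeners/mod.rs` writes `tls.build()?` on an owned value, so both compile, but aligning the receiver to `pub fn build(self) -> Result<Acceptor>` keeps the four backends interchangeable. `impl TlsSettings` continues outside the hunk.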