Description
Hi Dave
Found maybe a logic bug, what I expected:

I expected rustguac to:
- stay on HTTP for its own web server
- use TLS only for the outbound connection to guacd. I had to make this change also as guacd is by default running on HTTPS, so the config needs to be there or the frontend fails to connect to guacd.
What actually happens
If `[tls]` is present with only `guacd_cert_path`, config parsing fails and rustguac falls back to defaults with no logging of why it failed.

From the source, `TlsConfig` requires:
- `cert_path`
- `key_path`

`guacd_cert_path` is optional.
So as soon as `[tls]` exists, `cert_path` and `key_path` become mandatory, even if I only want guacd TLS.
Also, `config.tls.is_some()` is later used to decide whether the server itself should bind with HTTPS.
Why this seems like a bug
`guacd_cert_path` and server HTTPS are two separate concerns:
- inbound TLS for the rustguac web server
- outbound TLS for the rustguac -> guacd connection

Right now they are coupled into one section, so there is no way to configure:
- Traefik -> HTTPS termination externally
- rustguac web server on HTTP internally
- rustguac -> guacd over TLS

unless I also provide `cert_path` and `key_path` for the rustguac web server, even though I do not want rustguac itself to serve HTTPS directly.
Suggested fix
One of these would solve it cleanly:
- Split server TLS and guacd TLS into separate config sections, for example `[server_tls]` and `[guacd_tls]`.
- Or make `cert_path` and `key_path` optional, and only require them when rustguac is actually configured to serve HTTPS itself.
- Or move `guacd_cert_path` outside `[tls]` entirely.
Workaround
My current workaround is to make Traefik use HTTPS to rustguac as well, and provide `cert_path` + `key_path`, but that should not be required just to enable guacd TLS.
Thanks.
Simon
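As an added example (not rustguac's own code), a minimal Rust sketch of the second suggested fix above: `cert_path` and `key_path` become optional and are only required as a pair, so a `[tls]` section containing only `guacd_cert_path` parses, inbound HTTPS and outbound guacd TLS are decided separately, and a bad section is reported instead of silently falling back to defaults. The tiny `[tls]` key/value parser is a stand-in for serde/toml and is assumed, as is the `load_tls` helper.

```rust
/// Server TLS (cert_path + key_path) and guacd TLS (guacd_cert_path) decoupled.
#[derive(Debug, Default, PartialEq)]
pub struct TlsConfig {
    pub cert_path: Option<String>,
    pub key_path: Option<String>,
    pub guacd_cert_path: Option<String>,
}

impl TlsConfig {
    /// Inbound HTTPS only when the server cert/key pair is fully configured.
    pub fn serves_https(&self) -> bool { self.cert_path.is_some() && self.key_path.is_some() }
    /// Outbound TLS to guacd is independent of whether we serve HTTPS ourselves.
    pub fn guacd_tls(&self) -> bool { self.guacd_cert_path.is_some() }
    /// Reject a half-configured server pair; everything else is allowed.
    pub fn validate(&self) -> Result<(), String> {
        match (&self.cert_path, &self.key_path) {
            (Some(_), None) | (None, Some(_)) =>
                Err("[tls]: cert_path and key_path must be set together to serve HTTPS".into()),
            _ => Ok(()),
        }
    }
}

/// Hypothetical parser for just the `[tls]` table (key = "quoted value" lines).
/// Returns Ok(None) when no `[tls]` section exists, Err with the reason on bad input.
pub fn parse_tls(text: &str) -> Result<Option<TlsConfig>, String> {
    let (mut in_tls, mut seen, mut cfg) = (false, false, TlsConfig::default());
    for raw in text.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') { continue; }
        if line.starts_with('[') { in_tls = line == "[tls]"; seen |= in_tls; continue; }
        if !in_tls { continue; }
        let (k, v) = line.split_once('=').ok_or(format!("[tls]: malformed line `{line}`"))?;
        let v = v.trim().trim_matches('"').to_string();
        match k.trim() {
            "cert_path" => cfg.cert_path = Some(v),
            "key_path" => cfg.key_path = Some(v),
            "guacd_cert_path" => cfg.guacd_cert_path = Some(v),
            other => return Err(format!("[tls]: unknown key `{other}`")),
        }
    }
    if !seen { return Ok(None); }
    cfg.validate().map(|_| Some(cfg))
}

/// Surface the parse error instead of silently using defaults (hypothetical helper).
pub fn load_tls(text: &str) -> Option<TlsConfig> {
    parse_tls(text).unwrap_or_else(|e| { eprintln!("config error, TLS disabled: {e}"); None })
}
```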