[PR #1367] [CLOSED] Server: Implement native HTTPS support for the web interface #1283

Closed
opened 2026-02-27 09:11:36 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/1367
Author: @lyzstrik
Created: 12/20/2025
Status: Closed

Base: main ← Head: server/native-https


📝 Commits (6)

  • e0bf2c0 server: Implement native HTTPS support for the web interface
  • aed5ba8 Merge branch 'main' into server/native-https
  • 83bf3ba Merge branch 'main' into server/native-https
  • 3b1d3c5 refactor(server): migrate to rustls 0.23 and improve TLS handling
  • bdaf6a3 fix(review): address coderabbit review comments (cargo features and
  • 1a03924 fmt

📊 Changes

12 files changed (+474 additions, -205 deletions)


📝 Cargo.lock (+132 -50)
📝 docs/install.md (+11 -4)
📝 lldap_config.docker_template.toml (+10 -0)
📝 server/Cargo.toml (+16 -9)
📝 server/src/cli.rs (+23 -0)
📝 server/src/configuration.rs (+42 -2)
📝 server/src/healthcheck.rs (+114 -47)
📝 server/src/ldap_server.rs (+12 -49)
📝 server/src/main.rs (+8 -3)
📝 server/src/mod.rs (+1 -0)
📝 server/src/tcp_server.rs (+85 -41)
➕ server/src/tls.rs (+20 -0)

📄 Description

Fixes #813

Description

This PR implements native HTTPS support for the LLDAP web interface. This allows users to expose the web UI securely without strictly requiring a reverse proxy for basic setups.

Additionally, this PR performs a major modernization of the TLS stack, migrating the entire project to Rustls 0.23 (via rustls-pki-types and ring provider).

Changes

  • Dependency Upgrades:
      • Upgraded rustls to v0.23 (was v0.20/v0.21) and tokio-rustls to v0.26.
      • Upgraded actix-web to v4.12 to enable the rustls-0_23 feature.
      • Updated rustls-pemfile to v2 and webpki-roots to v0.26.
      • Introduced rustls-pki-types for modern type handling throughout the codebase.
  • Configuration:
      • Added https_options to Configuration and corresponding CLI arguments (--https-enabled, --https-port, --https-cert-file, --https-key-file).
  • Refactoring (DRY & Modernization):
      • Created a new shared module server/src/tls.rs to centralize private key and certificate loading using CertificateDer and PrivateKeyDer.
      • Server Factory: Refactored tcp_server.rs to use a closure-based factory pattern. This allows building the App once and binding it either via .tcp() (HTTP) or .rustls_0_23() (HTTPS) without code duplication.
      • LDAP Server: Updated ldap_server.rs to use the new ServerConfig::builder_with_provider API from Rustls 0.23.
  • Healthcheck Improvements:
      • Split check_api into distinct check_http and check_https functions.
      • The check_https function now performs strict certificate validation (pinning) against the local certificate file instead of blindly accepting insecure certificates.
      • Updated main.rs to run LDAP, LDAPS, HTTP, and HTTPS healthchecks in parallel.
  • Documentation:
      • Edit lldap_config.docker_template.toml to enable HTTPS via configuration.
      • Edit docs/install.md to enable HTTPS via docker-compose.yml.

Verification

I verified the changes locally using self-signed certificates and a full CA chain.

1. Configuration:
Tested via lldap_config.toml:

[https_options]
enabled = true
port = 17174
cert_file = "/data/fullchain.pem"
key_file = "/data/server.key"

Tested via docker-compose.yml env variable:

ports:
  - "17174:17174"
environment:
  - LLDAP_HTTPS_OPTIONS__ENABLED=true
  - LLDAP_HTTPS_OPTIONS__PORT=17174
  - LLDAP_HTTPS_OPTIONS__CERT_FILE=/certs/fullchain.pem
  - LLDAP_HTTPS_OPTIONS__KEY_FILE=/certs/server.key

2. Startup Logs:
The server correctly identifies the HTTPS configuration and binds to the correct port using Rustls 0.23:

INFO     ┕━ i [info]: Starting the API/web server in HTTPS on port 17174
INFO        i [info]: starting service: "https", workers: 4, listening on: 0.0.0.0:17174

3. Connectivity:
Tested with curl --cacert certs/rootCA.crt https://localhost:17174/health

  • TLS Handshake successful (TLS 1.3).
  • Protocol negotiated: h2 (HTTP/2).
  • Application serves content correctly (Status 200).

4. Healthcheck:
Tested the built-in lldap healthcheck command. It now correctly reports status for all enabled services:

[INFO] Starting healthchecks
[INFO] Success (LDAP)
[INFO] Success (HTTP)
[INFO] Success (HTTPS)

Notes

Logs with self-signed certificates: When using a self-signed certificate, if a client (like a browser or curl) connects without trusting the CA, rustls will log a Fatal: CertificateUnknown error. This is expected behavior with strict TLS.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
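An added example, not code from lldap's server/src/tls.rs and not rustls-pemfile: a dependency-free PEM splitter that shows the checks a cert/key loader of the kind the PR describes must make before wrapping the DER bytes in CertificateDer/PrivateKeyDer, namely a non-empty chain from cert_file and exactly one private key from key_file. Function and error names are my own, and the PEM contents in the test are constructed.

```rust
// Added example (not lldap's tls.rs, not rustls-pemfile): dependency-free PEM splitting with
// the loader checks rustls needs: a non-empty certificate chain and exactly one private key.
#[derive(Debug, PartialEq)]
pub enum PemError { NoCertificate, NoPrivateKey, MultiplePrivateKeys, BadBase64 }
/// Decode standard base64 into bytes; whitespace and '=' padding are skipped.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let val = |c: u8| match c {
        b'A'..=b'Z' => Some((c - b'A') as u32),
        b'a'..=b'z' => Some((c - b'a') as u32 + 26),
        b'0'..=b'9' => Some((c - b'0') as u32 + 52),
        b'+' => Some(62), b'/' => Some(63), _ => None,
    };
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for c in s.bytes().filter(|c| !c.is_ascii_whitespace() && *c != b'=') {
        acc = (acc << 6) | val(c)?; // any non-alphabet byte aborts the decode
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); acc &= (1 << bits) - 1; }
    }
    Some(out)
}
/// DER payload of every PEM block whose label is in `labels`, in file order.
fn pem_blocks(pem: &str, labels: &[&str]) -> Result<Vec<Vec<u8>>, PemError> {
    let mut blocks = Vec::new();
    let mut current: Option<(String, String)> = None; // (label, base64 body so far)
    for line in pem.lines().map(str::trim) {
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            current = Some((rest.trim_end_matches('-').to_string(), String::new()));
        } else if line.starts_with("-----END ") {
            if let Some((label, b64)) = current.take() {
                if labels.contains(&label.as_str()) {
                    blocks.push(b64_decode(&b64).ok_or(PemError::BadBase64)?);
                }
            }
        } else if let Some((_, b64)) = current.as_mut() {
            b64.push_str(line);
        }
    }
    Ok(blocks)
}
/// Chain as rustls expects it from cert_file: one or more CERTIFICATE blocks, leaf first.
pub fn load_cert_chain(pem: &str) -> Result<Vec<Vec<u8>>, PemError> {
    let chain = pem_blocks(pem, &["CERTIFICATE"])?;
    if chain.is_empty() { Err(PemError::NoCertificate) } else { Ok(chain) }
}
/// key_file must hold exactly one private key (PKCS#8, PKCS#1 or SEC1 label).
pub fn load_private_key(pem: &str) -> Result<Vec<u8>, PemError> {
    let mut keys = pem_blocks(pem, &["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"])?;
    match keys.len() { 0 => Err(PemError::NoPrivateKey), 1 => Ok(keys.remove(0)), _ => Err(PemError::MultiplePrivateKeys) }
}
```

A real loader would wrap the returned bytes in CertificateDer::from and PrivateKeyDer::try_from before building the rustls ServerConfig; the chain-order and single-key checks are the part that avoids confusing handshake failures later.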
