diff --git a/Cargo.toml b/Cargo.toml
index 14c7791..8bd254d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -24,3 +24,10 @@
 "net",
 "rt-multi-thread"
 ] }
+
+[profile.release]
+opt-level = 3
+strip = true
+lto = "fat"
+panic = "unwind"
+codegen-units = 1
diff --git a/Dockerfile b/Dockerfile
index 8397e32..5a26d12 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,20 @@
-FROM --platform=${BUILDPLATFORM} pull registry.opensuse.org/opensuse/bci/rust:latest as builder
+# https://github.com/f2calv/multi-arch-container-rust/blob/main/Dockerfile
+# sudo docker buildx build --platform linux/amd64,linux/arm64 -t hkj:latest --output type=image,compression=zstd .
 
-RUN \
-if [ "${TARGETPLATFORM}" != "${BUILDPLATFORM}" ]; then \
+FROM --platform=${BUILDPLATFORM} registry.opensuse.org/opensuse/bci/gcc:latest AS common
+# ENV RUSTUP_DIST_SERVER=https://mirrors.tuna.tsinghua.edu.cn/rustup
+RUN zypper in -y cmake rustup && rustup install stable
+
+FROM common AS builder
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+WORKDIR /app
+
+COPY Cargo.toml Cargo.lock ./
+RUN cargo fetch
+
+RUN if [ "${TARGETPLATFORM}" != "${BUILDPLATFORM}" ]; then \
 if [ "${TARGETPLATFORM}" == "linux/amd64" ]; then \
 zypper in -y cross-x86_64-gcc15 ; \
 rustup target add x86_64-unknown-linux-gnu ; \
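Review bot: `strip = true` removes the symbol table from the release binary, so any panic backtrace from the running proxy will show bare addresses without function names; if crash triage from production matters more than the size saving, `strip = "debuginfo"` keeps symbols while still dropping the bulk. `panic = "unwind"` is already Cargo's default for the release profile, so the line either can go or deserves a comment stating why it is pinned (for example, that a request-handler panic must unwind rather than abort the whole process). The rest of the profile reads fine.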
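Review bot: The builder stage now pulls `registry.opensuse.org/opensuse/bci/gcc:latest` and runs `rustup install stable`, so the toolchain that produces the binary floats with every build, while the runtime image in the next hunk is pinned to `bci-micro:16.0`; pinning both (a versioned tag or digest on the base image, and a `rust-toolchain.toml` or `rustup install <pinned-version>`) makes the image reproducible and turns a toolchain change into a reviewed diff rather than a surprise. The commented `# ENV RUSTUP_DIST_SERVER=...` line points rustup at a third-party mirror; if the option is wanted, a build-time `ARG` that is only applied when set keeps it available without leaving a one-character edit between the build and an unofficial download source. `COPY Cargo.toml Cargo.lock ./` followed by `cargo fetch` is a good layering change.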
@@ -9,26 +22,27 @@
 zypper in -y cross-aarch64-gcc15 ; \
 rustup target add aarch64-unknown-linux-gnu ; \
 fi; \
-fi ; \
-if [ "${TARGETPLATFORM}" == "linux/amd64" ]; then \
+fi
+
+COPY src ./src
+
+RUN if [ "${TARGETPLATFORM}" == "linux/amd64" ]; then \
 export CARGO_BUILD_TARGET=x86_64-unknown-linux-gnu ; \
 export CARGO_TARGET_X86_64_UNKNOWN_LINUX_GNU_LINKER=x86_64-suse-linux-gcc-15 ; \
 export CC_X86_64_UNKNOWN_LINUX_GNU=x86_64-suse-linux-gcc-15 ; \
 export CXX_X86_64_UNKNOWN_LINUX_GNU=x86_64-suse-linux-g++-15 ; \
+ export CC=x86_64-suse-linux-gcc-15 ; \
+ export CXX=x86_64-suse-linux-g++-15 ; \
 elif [ "${TARGETPLATFORM}" == "linux/arm64" ]; then \
 export CARGO_BUILD_TARGET=aarch64-unknown-linux-gnu ; \
 export CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-suse-linux-gcc-15 ; \
 export CC_AARCH64_UNKNOWN_LINUX_GNU=aarch64-suse-linux-gcc-15 ; \
 export CXX_AARCH64_UNKNOWN_LINUX_GNU=aarch64-suse-linux-g++-15 ; \
-fi
+ export CC=aarch64-suse-linux-gcc-15 ; \
+ export CXX=aarch64-suse-linux-g++-15 ; \
+fi && cargo build --release && mv "/app/target/${CARGO_BUILD_TARGET}" /app/target/final
 
-WORKDIR /app
-
-COPY . ./
-
-RUN cargo build --release && mv "/app/target/${CARGO_BUILD_TARGET}" /app/target/final
-
-FROM --platform=${TARGETPLATFORM} registry.suse.com/bci/bci-micro:latest
+FROM registry.suse.com/bci/bci-micro:16.0
 
 COPY --link --from=builder /app/target/final/release/hkj /usr/local/bin/hkj
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e53ddfc
--- /dev/null
+++ b/README.md
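Review bot: The merged `fi && cargo build --release && mv "/app/target/${CARGO_BUILD_TARGET}" /app/target/final` has no branch for a `TARGETPLATFORM` other than `linux/amd64` or `linux/arm64`: `CARGO_BUILD_TARGET` stays unset, the build would land in `/app/target/release`, and the `mv` would run on `/app/target/` itself, so the failure surfaces as a confusing `mv` error rather than an unsupported-platform message; an explicit `else echo "unsupported TARGETPLATFORM: ${TARGETPLATFORM}" >&2 ; exit 1 ; \` before the closing `fi` makes that case fail early and clearly. `cargo build --release` should also pass `--locked` so the `Cargo.lock` fetched in the earlier layer is honoured and never silently re-resolved during the image build. The final stage copies the binary into `bci-micro:16.0` but this hunk sets no `USER`; if the rest of the Dockerfile (outside the hunk) does not add one, the proxy runs as root in the container, which is worth changing for a process that terminates TLS for untrusted clients.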
@@ -0,0 +1,27 @@
+# hkj
+
+Run faster than anyone.
+
+## FAQ
+
+### Caddy is good enough, why RIIR?
+
+We need some diversity besides Go’s TLS.
+
+### Why Pingora?
+
+It’s like a real server, being tolerant of non-conformant traffic.
+
+Alternative:
+
+* h2o (but I don’t understand C)
+
+## Known issues
+
+- [ ] When passing an ipv6 instead of a hostname to server, it fails. (ipv4 is ok)
+
+## TODO
+
+- [ ] h3 (https://github.com/cloudflare/pingora/issues/95)
+- [ ] io-uring (https://github.com/cloudflare/pingora/issues/94)
+- [ ] auto acme
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..4891b90
--- /dev/null
+++ b/compose.yml
@@ -0,0 +1,14 @@
+services:
+ web:
+ image: hkj
+ restart: unless-stopped
+ # network_mode: "host"
+ ports:
+ - 443:443
+ # - 443:443/udp
+ environment:
+ - HKJ_USERNAME=user
+ - HKJ_PASSWORD=pass
+ - HKJ_PROBE_RESISTANCE=1
+ - HKJ_CERT_PATH=/certs/cert.crt
+ - HKJ_KEY_PATH=/certs/key.key
diff --git a/src/main.rs b/src/main.rs
index 4b0b017..66e815b 100644
--- a/src/main.rs
+++ b/src/main.rs
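Review bot: The service sets `HKJ_CERT_PATH=/certs/cert.crt` and `HKJ_KEY_PATH=/certs/key.key` but declares no `volumes:` entry, so nothing places those files at `/certs` inside the container and startup would presumably stop at the `expect("invalid TLS cert/key")` visible in the main.rs hunk; a read-only bind mount, `volumes:` with `- ./certs:/certs:ro` under `web:`, makes the file runnable as committed. `HKJ_USERNAME=user` and `HKJ_PASSWORD=pass` are plainly placeholders, but a committed compose file with inline credentials is the template people copy, and container environment is visible to anyone who can run `docker inspect`; pointing the service at an `env_file:` kept out of version control, or at Compose secrets, keeps real proxy credentials out of the repository. The `HKJ_PORT` variable introduced in the main.rs hunk is not listed here, which is fine since it defaults to 443 and matches the `443:443` mapping.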
@@ -459,13 +459,14 @@
 let _ = env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info"))
 .try_init();
- let username = env::var("PROXY_USERNAME").expect("PROXY_USERNAME is required");
- let password = env::var("PROXY_PASSWORD").expect("PROXY_PASSWORD is required");
- let resist_407 = env::var("PROXY_PROBE_RESISTANCE")
+ let port = env::var("HKJ_PORT").unwrap_or_else(|_| "443".to_string());
+ let username = env::var("HKJ_USERNAME").expect("HKJ_USERNAME is required");
+ let password = env::var("HKJ_PASSWORD").expect("HKJ_PASSWORD is required");
+ let resist_407 = env::var("HKJ_PROBE_RESISTANCE")
 .map(|v| v != "0")
 .unwrap_or(true);
- let cert_path = env::var("PROXY_CERT_PATH").expect("PROXY_CERT_PATH is required");
- let key_path = env::var("PROXY_KEY_PATH").expect("PROXY_KEY_PATH is required");
+ let cert_path = env::var("HKJ_CERT_PATH").expect("HKJ_CERT_PATH is required");
+ let key_path = env::var("HKJ_KEY_PATH").expect("HKJ_KEY_PATH is required");
 let mut server = Server::new(Some(Opt::parse_args())).unwrap();
 server.bootstrap();
@@ -488,9 +489,9 @@
 let mut tls_settings = TlsSettings::intermediate(&cert_path, &key_path).expect("invalid TLS cert/key");
 tls_settings.enable_h2();
- service.add_tls_with_settings("0.0.0.0:8080", None, tls_settings);
+ service.add_tls_with_settings(&format!("0.0.0.0:{port}"), None, tls_settings);
 server.add_service(service);
- println!("HTTP/2 forward proxy listening on https://0.0.0.0:8080");
+ log::info!("HTTP/2 forward proxy listening on https://0.0.0.0:{port}");
 server.run_forever();
 }
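Review bot: `HKJ_PORT` is accepted as an arbitrary string and only spliced into `format!("0.0.0.0:{port}")` in the next hunk, so a value such as `HKJ_PORT=https` is not rejected on this line but surfaces later as a listener failure that never names the variable; parsing it up front, `let port: u16 = env::var("HKJ_PORT").map_or(443, |v| v.parse().expect("HKJ_PORT must be a valid port number"));`, gives the same early, named failure the other variables get through `expect`, and a `u16` formats identically in the address string. Renaming every variable from `PROXY_*` to `HKJ_*` also stops existing deployments at startup with only "HKJ_USERNAME is required" as the clue; reading the old name as a fallback for one release, with a `log::warn!` that it is deprecated, would make the migration self-explanatory. The enclosing `main` begins before this hunk.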
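Review bot: The bind address is now assembled twice, once as `format!("0.0.0.0:{port}")` for `add_tls_with_settings` and again inside the `log::info!` text, so a later change to one of them (a configurable bind address, an IPv6 `[::]` listener) can silently leave the other stale; building it once, `let addr = format!("0.0.0.0:{port}");`, then `service.add_tls_with_settings(&addr, None, tls_settings);` and `log::info!("HTTP/2 forward proxy listening on https://{addr}");`, keeps the startup log truthful by construction. Moving the startup line from `println!` to `log::info!` is the right call since `env_logger` is already initialised earlier in `main`.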