TIPS
Using Private Key Issued by Let’s Encrypt
If you obtain certificates and private keys from Let's Encrypt, the private keys are PKCS#1-formatted. You need to convert such keys into PKCS#8 format to use them in rpxy.
The easiest way is to use openssl:
% openssl pkcs8 -topk8 -nocrypt \
    -in your_domain_from_le.key \
    -inform PEM \
    -out your_domain_pkcs8.key.pem \
    -outform PEM

Client Authentication using Client Certificate Signed by Your Own Root CA
First, you need to prepare a CA certificate used to verify client certificates. If you do not have one, you can generate a CA key and certificate with the OpenSSL commands below. Note that rustls accepts only X509v3 certificates and rejects SHA-1, and that rpxy relies on the X509v3 extension fields Subject Key Identifier and Authority Key Identifier (the key IDs).
- Generate a CA key of secp256r1 (prime256v1) and a CSR, then generate the CA certificate that will be set for tls.client_ca_cert_path for each server app in config.toml.
% openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out client.ca.key
% openssl req -new -key client.ca.key -out client.ca.csr
...
-----
Country Name (2 letter code) []: ...
State or Province Name (full name) []: ...
Locality Name (eg, city) []: ...
Organization Name (eg, company) []: ...
Organizational Unit Name (eg, section) []: ...
Common Name (eg, fully qualified host name) []: <Should not input CN>
Email Address []: ...
% openssl x509 -req -days 3650 -sha256 -in client.ca.csr -signkey client.ca.key -out client.ca.crt -extfile client.ca.ext

- Generate a client key of secp256r1 (prime256v1) and a certificate signed by the CA key.
% openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out client.key
% openssl req -new -key client.key -out client.csr
...
-----
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []: <Should not input CN>
Email Address []:
% openssl x509 -req -days 365 -sha256 -in client.csr -CA client.ca.crt -CAkey client.ca.key -CAcreateserial -out client.crt -extfile client.ext

Now you have a client key client.key and a certificate client.crt (version 3). A pfx (p12) file can be retrieved as

% openssl pkcs12 -export -inkey client.key -in client.crt -certfile client.ca.crt -out client.pfx

Note that on macOS, a pfx generated by OpenSSL 3.0.6 cannot be imported into macOS Keychain Access. We generated the sample pfx using LibreSSL 2.8.3 instead of OpenSSL.
All of the sample certificate files are found in the ./example-certs/ directory.
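The commands above reference two extension files, client.ca.ext and client.ext, without showing them. The script below is an added example (not rpxy's own code): it fills in plausible contents for those files, runs the same OpenSSL steps non-interactively, and then checks that the resulting client certificate actually satisfies the requirements stated above (X509v3, SHA-256, Subject Key Identifier, Authority Key Identifier, chains to the CA). The subjects, the work directory and the extension-file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not rpxy's own code: builds a minimal client-auth PKI with the
# two extension files the commands above reference (client.ca.ext, client.ext)
# but do not show, then checks the result against the stated rustls/rpxy needs:
# X509v3, SHA-256 signature, Subject Key Identifier, Authority Key Identifier.
# File names, subjects and the output directory are assumptions of this example.
set -u

write_ext_files() {
  dir=$1
  # CA: may sign certs, carries its own key ID (SKI listed before AKI on purpose).
  cat > "$dir/client.ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Leaf: not a CA, client-auth only, AKI must point at the CA's key ID.
  cat > "$dir/client.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Same commands as above, made non-interactive with -subj (no CN, as the prompts advise).
build_pki() {
  dir=$1; write_ext_files "$dir"
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$dir/client.ca.key" 2>/dev/null
  openssl req -new -key "$dir/client.ca.key" -subj "/O=Example Client CA" -out "$dir/client.ca.csr" 2>/dev/null
  openssl x509 -req -days 3650 -sha256 -in "$dir/client.ca.csr" -signkey "$dir/client.ca.key" \
    -out "$dir/client.ca.crt" -extfile "$dir/client.ca.ext" 2>/dev/null
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$dir/client.key" 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/O=Example Client" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" -CA "$dir/client.ca.crt" -CAkey "$dir/client.ca.key" \
    -CAcreateserial -out "$dir/client.crt" -extfile "$dir/client.ext" 2>/dev/null
}

# Succeeds only if the cert is v3, ECDSA/SHA-256, has SKI and AKI, and chains to the CA.
check_client_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  for want in 'Version: 3' 'ecdsa-with-SHA256' 'X509v3 Subject Key Identifier' 'X509v3 Authority Key Identifier'; do
    printf '%s\n' "$text" | grep -q "$want" || return 1
  done
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

After sourcing the script, `build_pki ./certs && check_client_cert ./certs/client.crt ./certs/client.ca.crt` exits 0 only when client.crt meets every listed requirement; the same check is useful on certificates issued by other tooling before pointing tls.client_ca_cert_path at their CA.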
(Workaround) Deployment on Ubuntu 22.04 LTS using Docker behind ufw
Basically, Docker automatically manages your iptables rules if you use the port-mapping option, i.e., --publish for docker run or ports in docker-compose.yml. This means you do not need to manually expose your port, e.g., 443 TCP/UDP for HTTPS, using a ufw-like management command.
However, we found that if you want to use the brand-new UDP-based protocol, HTTP/3, on rpxy, you need to explicitly expose your HTTPS port using a ufw-like command:

% sudo ufw allow 443
% sudo ufw enable

Otherwise your Docker container can receive only TCP-based connections, i.e., HTTP/2 or earlier, unless you manually manage the port. We see that this is weird and expect that it is a kind of bug (of Docker? Ubuntu? or something else?). But at least for Ubuntu 22.04 LTS, you need to handle it as above.
Managing rpxy via web interface
Check a third party project Gamerboy59/rpxy-webui to manage rpxy via web interface.