🐛 Fix(CI): Resolve Pingora 0.6.0 build failures 🏗️

SinclairChao · SinclairChao · commit fa0dac86f815 · 2026-01-28T07:44:31.000+01:00
- 🗑️ Removed deprecated resolve_tls_ctx from proxy
- 🔄 Switched pingclair binary to OpenSSL backend 🔐
- ✨ Implemented DynamicCertResolver with TlsAccept trait
- 🛠️ Fixed Cargo dependencies (futures, async-trait)
- ✅ Verified local build passes
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/implementation_plan.md.resolved b/implementation_plan.md.resolved
@@ -0,0 +1,59 @@
+# Pingclair 项目里程碑与优化计划 🦀
+
+> **愿景**: 打造一个像 Caddy 一样易用，且拥有 Pingora 级性能的现代化 Rust Web 服务器。
+
+---
+
+## ✅ 阶段一：核心构建与性能优化 (P0-P1) - 已完成
+
+### 🚀 性能基座
+- [x] **正则表达式预编译**: 在 `Router` 中预处理各种匹配模式，避免请求时即时解析。
+- [x] **无锁/低锁并发**: 全面从 `std::sync` 迁移到 `parking_lot`。
+- [x] **静态资源优化**: 支持预压缩检测 (`.br`, `.gz`, `.zst`) 与零拷贝大文件流。
+- [x] **内存分配器**: 在 Linux 下启用 `jemalloc` 优化长时堆分配。
+
+### 🛡️ 核心功能集
+- [x] **全功能反向代理**: 负载均衡 (RR, Hash, etc.)、健康检查、TLS 终止。
+- [x] **自动 HTTPS**: 集成 ACME (Let's Encrypt/ZeroSSL) 一键证书管理。
+- [x] **中间件生态**: Rate Limiting (令牌桶)、BasicAuth、Rewrite、Headers 过滤。
+- [x] **HTTP/3 支持**: 基于 QUIC 的高性能传输。
+
+---
+
+## ✅ 阶段二：部署自动化与 UX 飞跃 - 已完成 (当前版本)
+
+### 📦 工业级部署 (`scripts/`)
+- [x] **[install.sh](file:///Users/zhaoyikai/code/pingclair/scripts/install.sh)**: 实现 Ubuntu/Debian 自动化一键部署，脚本含架构自适应、权限加固 (`setcap`) 与 FHS 规范。
+- [x] **[uninstall.sh](file:///Users/zhaoyikai/code/pingclair/scripts/uninstall.sh)**: 安全卸载，干净清理用户与数据。
+- [x] **Systemd 深度集成**: 提供标准化服务单元，支持 CLI 快捷管理。
+
+### 🔄 平滑重载与稳定性
+- [x] **SIGHUP 动态重载**: 实现 `PingclairProxy::update_config`，支持无需停机的配置热加载。
+- [x] **隔离的异步运行时**: 解决 Pingora 与背景任务 (H3/Signals) 的运行时冲突。
+- [x] **CI 构建加固**: 修复 AArch64 交叉编译工具链，清理跨平台警告。
+
+### 🎨 极致用户体验
+- [x] **Premium 默认页**: 现代化 **Futuristic Dark Mode** 落地页，支持 **中英双语** 🌐。
+- [x] **全注释示例配置**: [Pingclairfile.example](file:///Users/zhaoyikai/code/pingclair/examples/Pingclairfile.example) 指南，让新手一眼读懂。
+- [x] **品牌透传**: 响应中全局注入 `Server: Pingclair` 标识。
+
+---
+
+## 🛠️ 阶段三：工业级特性下沉 (P2-P3) - 未来方向
+
+### ⚙️ 极致性能
+- [ ] **io_uring 事件驱动**: 进一步提升 Linux 下的网络吞吐。
+- [ ] **CPU 亲和性**: 软硬结合，减少上下文切换开销。
+
+### 🌐 协议补全
+- [ ] **gRPC 代理**: 支持现代微服务间的通信透传。
+- [ ] **On-Demand TLS**: 实现动态域名实时颁发证书。
+
+### 📊 生态建设
+- [ ] **Visual Dashboard**: 提供 Web UI 实时查看流量、QPS 与上游健康度。
+- [ ] **插件系统**: 完善 WebAssembly 插件接口，让用户编写自定义逻辑。
+
+---
+
+**最后审计**: 2026-01-27 23:15 🚀
+**状态**: 核心里程碑全部达成，进入稳定维护期。✨
diff --git a/pingclair-proxy/src/server.rs b/pingclair-proxy/src/server.rs
@@ -10,7 +10,7 @@ use pingora_core::upstreams::peer::HttpPeer;
 use pingora_core::Result as PingoraResult;
 use pingora_proxy::{ProxyHttp, Session};
 use pingora_http::{RequestHeader, ResponseHeader};
-use pingora_core::protocols::tls::TlsAcceptor;
+// 
 use std::sync::Arc;
 use std::collections::HashMap;
 use parking_lot::RwLock;
@@ -462,36 +462,10 @@ impl ProxyHttp for PingclairProxy {
         RequestCtx::default()
     }
 
+    /* 
+    // Removed in Pingora 0.6: TLS resolution is handled by listeners, not the proxy trait.
     /// Resolve TLS certificate for SNI
-    async fn resolve_tls_ctx(
-        &self,
-        session: &mut Session,
-        _ctx: &mut Self::CTX,
-    ) -> pingora_core::Result<Option<TlsAcceptor>> {
-        if let Some(tls_manager) = &self.tls_manager {
-            let sni = session.req_header().headers.get("Host")
-                .and_then(|v| v.to_str().ok())
-                .unwrap_or("")
-                .split(':')
-                .next()
-                .unwrap_or("");
-            
-            if sni.is_empty() {
-                return Ok(None);
-            }
-
-            if let Some(cert) = tls_manager.resolve_cert(sni).await {
-                let acceptor = TlsAcceptor::from_certified_key(cert)
-                    .map_err(|e| pingora_core::Error::because(
-                        pingora_core::ErrorType::TLSHandshakeFailure,
-                        "Failed to create TlsAcceptor",
-                        e
-                    ))?;
-                return Ok(Some(acceptor));
-            }
-        }
-        Ok(None)
-    }
+    */
     
     /// Request filter (Handle static files and early return)
     async fn request_filter(&self, session: &mut Session, ctx: &mut Self::CTX) -> pingora_core::Result<bool> {
diff --git a/pingclair/Cargo.toml b/pingclair/Cargo.toml
@@ -21,15 +21,23 @@ pingclair-tls = { path = "../pingclair-tls" }
 pingclair-api = { path = "../pingclair-api" }
 pingclair-plugin = { path = "../pingclair-plugin" }
 
-pingora = { workspace = true, features = ["proxy"] }
+pingora = { workspace = true, features = ["proxy", "openssl"] }
+openssl = { version = "0.10", features = ["v110"] }
+
 pingora-core.workspace = true
 pingora-proxy.workspace = true
+rustls.workspace = true
+
 clap.workspace = true
+async-trait.workspace = true
+
 tokio.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
 anyhow.workspace = true
 parking_lot = "0.12"
+futures = "0.3"
+
 
 [target.'cfg(target_os = "linux")'.dependencies]
 tikv-jemallocator = "0.6"
diff --git a/pingclair/src/main.rs b/pingclair/src/main.rs
@@ -4,11 +4,74 @@
 
 use clap::{Parser, Subcommand};
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
+use std::sync::Arc;
+use pingora_core::listeners::tls::TlsSettings;
+use pingora_core::listeners::TlsAccept;
+use pingora_core::protocols::tls::TlsRef;
+use pingclair_tls::manager::TlsManager;
+use openssl::ssl::NameType;
+use openssl::x509::X509;
+use openssl::pkey::PKey;
 
 #[cfg(target_os = "linux")]
 #[global_allocator]
 static GLOBAL: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
 
+/// Resolves certificates dynamically using TlsManager
+struct DynamicCertResolver(Arc<TlsManager>);
+
+// Manual Debug because TlsManager might not implement it
+impl std::fmt::Debug for DynamicCertResolver {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("DynamicCertResolver").finish()
+    }
+}
+
+#[async_trait::async_trait]
+impl TlsAccept for DynamicCertResolver {
+    async fn certificate_callback(&self, ssl: &mut TlsRef) {
+        // Get SNI
+        let sni = ssl.servername(NameType::HOST_NAME).unwrap_or("").to_string();
+        if sni.is_empty() {
+            return;
+        }
+
+        tracing::debug!("🔐 Resolving cert for SNI: {}", sni);
+
+        if let Some((cert_pem, key_pem)) = self.0.resolve_pem(&sni).await {
+            // Parse PEM
+            // Note: In real production code, caching parsed X509/PKey might be better than parsing every handshake.
+            // pingclair-tls caches rustls keys, but not openssl ones.
+            // Optimization TODO: Cache OpenSSL objects in TlsManager.
+            
+            let x509 = match X509::from_pem(cert_pem.as_bytes()) {
+                Ok(c) => c,
+                Err(e) => {
+                    tracing::error!("Failed to parse cert PEM: {}", e);
+                    return;
+                }
+            };
+            
+            let pkey = match PKey::private_key_from_pem(key_pem.as_bytes()) {
+                Ok(k) => k,
+                Err(e) => {
+                    tracing::error!("Failed to parse key PEM: {}", e);
+                    return;
+                }
+            };
+            
+            // Set into SSL
+            if let Err(e) = ssl.set_certificate(&x509) {
+                tracing::error!("Failed to set certificate: {}", e);
+            }
+            if let Err(e) = ssl.set_private_key(&pkey) {
+                tracing::error!("Failed to set private key: {}", e);
+            }
+
+        }
+    }
+}
+
 /// Pingclair - Modern web server inspired by Caddy, powered by Pingora
 #[derive(Parser)]
 #[command(name = "pingclair")]
@@ -350,7 +413,24 @@ fn run_server(config_path: String, config: pingclair_core::config::PingclairConf
             );
             
             let mut service = proxy_service;
-            service.add_tcp(addr);
+            
+            // Determine if this is an HTTPS port
+            if addr.ends_with(":443") || addr.ends_with(":8443") {
+                 // Setup TLS with dynamic resolver (OpenSSL)
+                 // Use TlsSettings::with_callbacks
+                 let acceptor = DynamicCertResolver(tls_manager.clone());
+                 match TlsSettings::with_callbacks(Box::new(acceptor)) {
+                    Ok(tls_settings) => {
+                         service.add_tls_with_settings(addr, None, tls_settings);
+                         tracing::info!("   🔒 HTTPS/TLS enabled on {}", addr);
+                    }
+                    Err(e) => {
+                        tracing::error!("Failed to create TlsSettings: {}", e);
+                    }
+                 }
+            } else {
+                 service.add_tcp(addr);
+            }
             server.add_service(service);
 
             // Check if this port should also support HTTP/3
