v0.2.3: default feature rustls, native-tls uses openssl

Author: erdemgoksel

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## v0.2.3
+
+Release date: 2026-03-26
+
+### Changed
+
+- **Default feature changed from `native-tls` to `rustls`**. The default build now uses `axum-server/tls-rustls` + `reqwest/rustls-tls` — pure Rust, no system dependencies.
+- `native-tls` feature now uses `axum-server/tls-openssl` for server-side TLS. Requires OpenSSL as a system library (`libssl-dev` on Ubuntu, `openssl-devel` on Fedora, vcpkg/`OPENSSL_DIR` on Windows).
+
 ## v0.2.2
 
 Release date: 2026-03-26
@@ -18,7 +27,10 @@ Release date: 2026-03-26
   - Any path prefix (e.g. `"/api"`) — nested via `Router::nest`, registered longest-first so more-specific paths shadow shorter ones.
 - `http_port` (top-level, default `3000`) — HTTP listen port.
 - `https_port` (top-level, optional) — HTTPS listen port. When set, `cert_path` and `key_path` are required.
-- `cert_path` / `key_path` — PEM certificate and private key paths for HTTPS. TLS is served via `axum-server` with rustls (pure-Rust, no system dependencies).
+- `cert_path` / `key_path` — PEM certificate and private key paths for HTTPS.
+  - `rustls` feature (default): TLS via `axum-server/tls-rustls` — pure Rust, no system dependencies.
+  - `native-tls` feature: TLS via `axum-server/tls-openssl` — requires OpenSSL installed as a system library.
+- **Default feature changed from `native-tls` to `rustls`**. Users who relied on the previous default must now explicitly opt in with `--features native-tls --no-default-features`.
 - Startup validation: missing cert/key when `https_port` is set, or an empty `server` map, produce a clear error before the server starts.
 - `control::create_control_router` now accepts `Vec<CacheHandle>`. A single `/refresh-cache` call invalidates all registered server caches.
 

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "phantom-frame"
-version = "0.2.2"
+version = "0.2.3"
 edition = "2021"
 authors = ["Erdem Göksel <erdem.goksel.dev@gmail.com>"]
 description = "A high-performance prerendering proxy engine with caching support"
@@ -32,12 +32,8 @@ flate2 = "1.1"
 axum-server = { version = "0.7", optional = true }
 
 [features]
-default = ["native-tls"]
-# Server-side TLS uses rustls via axum-server for both features.
-# axum-server has tls-rustls and tls-openssl but no SChannel (Windows native-tls);
-# rustls is pure-Rust and works on all platforms without system dependencies.
-# The native-tls feature only affects outbound reqwest client connections.
-native-tls = ["reqwest/native-tls", "dep:axum-server", "axum-server/tls-rustls"]
+default = ["rustls"]
+native-tls = ["reqwest/native-tls", "dep:axum-server", "axum-server/tls-openssl"]
 rustls = ["reqwest/rustls-tls", "dep:axum-server", "axum-server/tls-rustls"]
 
 [lib]

src/main.rs

@@ -173,11 +173,7 @@ async fn run_https_server(
     start_tls(addr, cert_path, key_path, app).await
 }
 
-// Server-side TLS uses rustls via axum-server for both the `rustls` and
-// `native-tls` features. axum-server supports tls-rustls and tls-openssl;
-// on Windows native-tls maps to SChannel which axum-server does not support,
-// and tls-openssl requires a system OpenSSL installation. rustls is
-// pure-Rust and works everywhere without system dependencies.
+#[cfg(feature = "rustls")]
 async fn start_tls(
     addr: std::net::SocketAddr,
     cert_path: PathBuf,
@@ -191,3 +187,18 @@ async fn start_tls(
         .await
         .map_err(Into::into)
 }
+
+#[cfg(feature = "native-tls")]
+async fn start_tls(
+    addr: std::net::SocketAddr,
+    cert_path: PathBuf,
+    key_path: PathBuf,
+    app: Router,
+) -> anyhow::Result<()> {
+    let tls_config =
+        axum_server::tls_openssl::OpenSSLConfig::from_pem_file(cert_path, key_path)?;
+    axum_server::bind_openssl(addr, tls_config)
+        .serve(app.into_make_service())
+        .await
+        .map_err(Into::into)
+}