ixpantia
diff --git a/‎PROXY.md‎
Lines changed: 26 additions & 3 deletions b/‎PROXY.md‎
Lines changed: 26 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 0 deletions b/‎README.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/main.rs‎
Lines changed: 6 additions & 2 deletions b/‎src/main.rs‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎src/proxy/acme.rs‎
Lines changed: 10 additions & 7 deletions b/‎src/proxy/acme.rs‎
Lines changed: 10 additions & 7 deletions
diff --git a/‎src/proxy/mod.rs‎
Lines changed: 127 additions & 95 deletions b/‎src/proxy/mod.rs‎
Lines changed: 127 additions & 95 deletions
@@ -5,14 +5,37 @@ Dispenser includes a built-in, high-performance reverse proxy powered by [Pingor
 ## Overview
 
 The Dispenser proxy listens on ports 80 (HTTP) and 443 (HTTPS). It automatically:
-1.  Redirects all HTTP traffic to HTTPS.
+1.  Optionally redirects HTTP traffic to HTTPS (configurable).
 2.  Routes incoming requests to the correct container based on the `Host` header.
 3.  Manages SSL/TLS certificates via Let's Encrypt or self-signed "simulation" mode.
 4.  Handles Zero-Downtime reloads when configuration changes or certificates are updated.
 
-## Global Toggle
+## Global Configuration
 
-The reverse proxy is enabled by default. You can explicitly enable or disable it in your main `dispenser.toml` file. When disabled, both the proxy server (ports 80/443) and the automatic certificate maintenance tasks are turned off.
+The reverse proxy is enabled by default and defaults to enforcing HTTPS. You can configure the behavior in your main `dispenser.toml` file.
+
+### Proxy Strategy
+
+The `strategy` field determines how Dispenser handles HTTP (80) and HTTPS (443) traffic.
+
+```toml
+# dispenser.toml
+
+[proxy]
+enabled = true
+# Available options: "https-only", "http-only", "both"
+strategy = "https-only"
+```
+
+| Strategy | Behavior |
+| :--- | :--- |
+| `https-only` | (Default) Port 80 redirects all traffic to Port 443. SSL is required. |
+| `http-only` | Port 80 serves application traffic. Port 443 and SSL management are disabled. |
+| `both` | Both ports serve application traffic. No automatic redirects occur. |
+
+### Global Toggle
+
+When the `enabled` flag is set to `false`, both the proxy server and the automatic certificate maintenance tasks are turned off.
 
 ```toml
 # dispenser.toml
 
@@ -341,6 +341,13 @@ In addition to the default network, you can declare custom networks in `dispense
         enabled = false
         ```
 
+    4.  (Optional) Configure the proxy strategy in `dispenser.toml`. Choose between `https-only` (default), `http-only`, or `both`.
+
+        ```toml
+        [proxy]
+        strategy = "http-only"
+        ```
+
     For more details, see the [Reverse Proxy Guide](PROXY.md).
 
     ### Step 10: Validating Configuration
 
@@ -158,7 +158,9 @@ async fn main() -> ExitCode {
 
                     // Abort manager-bound tasks
                     polling_handle.abort();
-                    acme_handle.map(|t| t.abort());
+                    if let Some(t) = &acme_handle {
+                        t.abort();
+                    }
 
                     if let Err(e) = signals::reload_manager(manager_holder.clone(), service_filter).await {
                         log::error!("Reload failed: {e}");
@@ -171,7 +173,9 @@ async fn main() -> ExitCode {
 
                     // Abort manager-bound tasks
                     polling_handle.abort();
-                    acme_handle.map(|t| t.abort());
+                    if let Some(t) = &acme_handle {
+                        t.abort();
+                    }
 
                     let manager = manager_holder.lock().await;
                     manager.cancel().await;
 
@@ -28,6 +28,11 @@ pub async fn maintain_certificates(
     let _ = tokio::fs::create_dir_all(CHALLENGES_DIR).await;
     let settings = manager.get_certbot_settings();
 
+    if manager.get_proxy_strategy() == crate::service::file::ProxyStrategy::HttpOnly {
+        info!("Proxy strategy is HttpOnly, skipping certificate maintenance.");
+        return;
+    }
+
     loop {
         info!("Starting certificate maintenance check...");
         let mut changed = false;
@@ -45,13 +50,11 @@ pub async fn maintain_certificates(
                 if ensure_simulated_cert(host).await {
                     changed = true;
                 }
-            } else {
-                if let Some(settings) = &settings {
-                    match ensure_acme_cert(&settings, host).await {
-                        Ok(true) => changed = true,
-                        Ok(false) => {}
-                        Err(e) => error!("ACME error for {}: {}", host, e),
-                    }
+            } else if let Some(settings) = &settings {
+                match ensure_acme_cert(settings, host).await {
+                    Ok(true) => changed = true,
+                    Ok(false) => {}
+                    Err(e) => error!("ACME error for {}: {}", host, e),
                 }
             }
         }
 
@@ -2,97 +2,117 @@ pub mod acme;
 pub mod certs;
 
 use async_trait::async_trait;
-use http::{header, HeaderValue, Response, StatusCode};
+use http::{header, HeaderValue, StatusCode};
 use log::{debug, info};
 use openssl::ssl::{NameType, SniError};
-use pingora::apps::http_app::ServeHttp;
 use pingora::listeners::tls::TlsSettings;
-use pingora::protocols::http::ServerSession;
 use pingora::server::{RunArgs, ShutdownSignal};
-use pingora::services::listening::Service;
 use pingora_error::ErrorType::HTTPStatus;
 use std::sync::Arc;
 
 use pingora_core::server::configuration::Opt;
 use pingora_core::server::Server;
+use pingora_http::ResponseHeader;
 
 use pingora::prelude::*;
 
+use crate::service::file::ProxyStrategy;
 use crate::service::manager::ServicesManager;
 
-pub struct AcmeService;
+/// Router that holds multiple Service configurations and routes based on SNI/Host
+pub struct DispenserProxy {
+    pub services_manager: Arc<ServicesManager>,
+    pub is_ssl: bool,
+    pub strategy: ProxyStrategy,
+}
 
 #[async_trait]
-impl ServeHttp for AcmeService {
-    async fn response(&self, http_stream: &mut ServerSession) -> Response<Vec<u8>> {
-        let path = http_stream.req_header().uri.path();
+impl ProxyHttp for DispenserProxy {
+    type CTX = ();
+
+    fn new_ctx(&self) {}
+
+    async fn request_filter(&self, session: &mut Session, _ctx: &mut Self::CTX) -> Result<bool> {
+        let path = session.req_header().uri.path();
 
-        // 1. Handle ACME challenges
-        if path.starts_with("/.well-known/acme-challenge/") {
+        // 1. Handle ACME challenges (only on Port 80)
+        if !self.is_ssl && path.starts_with("/.well-known/acme-challenge/") {
             let token = path
                 .strip_prefix("/.well-known/acme-challenge/")
                 .unwrap_or("");
             let challenge_path = std::path::Path::new(".dispenser/challenges").join(token);
 
             if let Ok(content) = tokio::fs::read(challenge_path).await {
-                return Response::builder()
-                    .status(StatusCode::OK)
-                    .header(header::CONTENT_TYPE, "text/plain")
-                    .header(header::CONTENT_LENGTH, content.len())
-                    .body(content)
+                let mut resp_header = ResponseHeader::build(StatusCode::OK, None).unwrap();
+                resp_header
+                    .insert_header(header::CONTENT_TYPE, "text/plain")
                     .unwrap();
+                resp_header
+                    .insert_header(header::CONTENT_LENGTH, content.len())
+                    .unwrap();
+                session.set_keepalive(None);
+                session
+                    .write_response_header(Box::new(resp_header), false)
+                    .await?;
+                session
+                    .write_response_body(Some(content.into()), true)
+                    .await?;
+                return Ok(true);
             }
         }
 
-        let host_header = http_stream
-            .get_header(header::HOST)
-            .unwrap()
-            .to_str()
-            .unwrap();
-        debug!("host header: {host_header}");
-
-        let path_and_query = http_stream
-            .req_header()
-            .uri
-            .path_and_query()
-            .map(|pq| pq.as_str())
-            .unwrap_or("/");
-
-        let body = "<html><body>301 Moved Permanently</body></html>"
-            .as_bytes()
-            .to_owned();
-
-        Response::builder()
-            .status(StatusCode::MOVED_PERMANENTLY)
-            .header(header::CONTENT_TYPE, "text/html")
-            .header(header::CONTENT_LENGTH, body.len())
-            .header(
-                header::LOCATION,
-                format!("https://{}{}", host_header, path_and_query),
-            )
-            .body(body)
-            .unwrap()
-    }
-}
+        // 2. Handle HTTPS Redirects
+        if !self.is_ssl && self.strategy == ProxyStrategy::HttpsOnly {
+            let host_header = session
+                .get_header(header::HOST)
+                .and_then(|h| h.to_str().ok())
+                .unwrap_or("localhost");
 
-/// Router that holds multiple Service configurations and routes based on SNI/Host
-pub struct DispenserProxy {
-    pub services_manager: Arc<ServicesManager>,
-}
+            let path_and_query = session
+                .req_header()
+                .uri
+                .path_and_query()
+                .map(|pq| pq.as_str())
+                .unwrap_or("/");
+
+            let body = "<html><body>301 Moved Permanently</body></html>"
+                .as_bytes()
+                .to_owned();
+
+            let mut resp_header =
+                ResponseHeader::build(StatusCode::MOVED_PERMANENTLY, None).unwrap();
+            resp_header
+                .insert_header(header::CONTENT_TYPE, "text/html")
+                .unwrap();
+            resp_header
+                .insert_header(header::CONTENT_LENGTH, body.len())
+                .unwrap();
+            resp_header
+                .insert_header(
+                    header::LOCATION,
+                    format!("https://{}{}", host_header, path_and_query),
+                )
+                .unwrap();
 
-#[async_trait]
-impl ProxyHttp for DispenserProxy {
-    type CTX = ();
+            session.set_keepalive(None);
+            session
+                .write_response_header(Box::new(resp_header), false)
+                .await?;
+            session.write_response_body(Some(body.into()), true).await?;
+            return Ok(true);
+        }
 
-    fn new_ctx(&self) {}
+        Ok(false)
+    }
 
     async fn upstream_request_filter(
         &self,
         _session: &mut Session,
         upstream_request: &mut RequestHeader,
         _ctx: &mut Self::CTX,
     ) -> Result<()> {
-        upstream_request.insert_header("X-Forwarded-Proto", HeaderValue::from_static("https"))?;
+        let proto = if self.is_ssl { "https" } else { "http" };
+        upstream_request.insert_header("X-Forwarded-Proto", HeaderValue::from_static(proto))?;
         Ok(())
     }
 
@@ -163,52 +183,64 @@ pub fn run_dummy_proxy(signals: ProxySignals) {
 pub fn run_proxy(services_manager: Arc<ServicesManager>, signals: ProxySignals) {
     let opt = Opt::default();
     let mut my_server = Server::new(Some(opt)).unwrap();
-
-    // 1. Load certificates
-    let cert_map = Arc::new(certs::load_all_certificates(&services_manager));
-    let (default_cert, default_key) = certs::ensure_default_cert();
-
-    // 2. Setup Proxy
-    let mut proxy_service = http_proxy_service(
-        &my_server.configuration,
-        DispenserProxy {
+    let strategy = services_manager.get_proxy_strategy();
+
+    // 1. Setup HTTP Proxy (Port 80)
+    let http_proxy = DispenserProxy {
+        services_manager: services_manager.clone(),
+        is_ssl: false,
+        strategy,
+    };
+    let mut http_service = http_proxy_service(&my_server.configuration, http_proxy);
+    http_service.add_tcp("0.0.0.0:80");
+    my_server.add_service(http_service);
+
+    // 2. Setup HTTPS Proxy (Port 443) if enabled by strategy
+    if strategy != ProxyStrategy::HttpOnly {
+        // Load certificates
+        let cert_map = Arc::new(certs::load_all_certificates(&services_manager));
+        let (default_cert, default_key) = certs::ensure_default_cert();
+
+        let https_proxy = DispenserProxy {
             services_manager: services_manager.clone(),
-        },
-    );
-
-    // 3. Configure TLS with SNI callback
-    // We use intermediate settings and then override with callback
-    let mut tls_settings = TlsSettings::intermediate(
-        default_cert.to_str().unwrap(),
-        default_key.to_str().unwrap(),
-    )
-    .expect("Failed to load default fallback certificate");
-
-    tls_settings.enable_h2();
-
-    // Set SNI callback
-    let cert_map_for_sni = cert_map.clone();
-    tls_settings.set_servername_callback(move |ssl, _| {
-        let host = ssl.servername(NameType::HOST_NAME);
-        debug!("SNI callback for host: {:?}", host);
-        if let Some(host) = host {
-            if let Some(ctx) = cert_map_for_sni.get(host) {
-                let _ = ssl.set_ssl_context(ctx);
+            is_ssl: true,
+            strategy,
+        };
+        let mut https_service = http_proxy_service(&my_server.configuration, https_proxy);
+
+        // Configure TLS with SNI callback
+        let mut tls_settings = TlsSettings::intermediate(
+            default_cert.to_str().unwrap(),
+            default_key.to_str().unwrap(),
+        )
+        .expect("Failed to load default fallback certificate");
+
+        tls_settings.enable_h2();
+
+        // Set SNI callback
+        let cert_map_for_sni = cert_map.clone();
+        tls_settings.set_servername_callback(move |ssl, _| {
+            let host = ssl.servername(NameType::HOST_NAME);
+            debug!("SNI callback for host: {:?}", host);
+            if let Some(host) = host {
+                if let Some(ctx) = cert_map_for_sni.get(host) {
+                    let _ = ssl.set_ssl_context(ctx);
+                }
             }
-        }
-        Ok::<(), SniError>(())
-    });
-
-    proxy_service.add_tls_with_settings("0.0.0.0:443", None, tls_settings);
+            Ok::<(), SniError>(())
+        });
 
-    let mut acme_service = Service::new("Echo Service HTTP".to_string(), AcmeService);
-    acme_service.add_tcp("0.0.0.0:80");
+        https_service.add_tls_with_settings("0.0.0.0:443", None, tls_settings);
+        my_server.add_service(https_service);
+        info!(
+            "Proxy starting on port 80 and 443 (Strategy: {:?})",
+            strategy
+        );
+    } else {
+        info!("Proxy starting on port 80 (Strategy: HttpOnly)");
+    }
 
-    my_server.add_service(proxy_service);
-    my_server.add_service(acme_service);
     my_server.bootstrap();
-
-    info!("Proxy starting on port 443");
     my_server.run(RunArgs {
         shutdown_signal: Box::new(signals),
     });