NASP/rpki
60
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rpki/README.md
xiuting.xu 03c0ab0ec7 补充rtr-client,完善tls连接等
2026-03-25 10:08:40 +08:00

74 lines
2.8 KiB
Markdown
Raw Blame History

# RPKI RTR Server
Default runtime target: Ubuntu/Linux. Windows is only used during development.
## Tests
```bash
cargo test
```
To show test output:
```bash
cargo test -- --nocapture
```
## RTR Server
The RTR server binary reads its runtime configuration from environment variables.
If an environment variable is not set, the built-in default from `src/main.rs`
is used.
### Environment Variables
| Variable | Description | Example |
| --- | --- | --- |
| `RPKI_RTR_ENABLE_TLS` | Enable TLS listener in addition to TCP. Accepts `true/false`, `1/0`, `yes/no`, `on/off`. | `true` |
| `RPKI_RTR_TCP_ADDR` | TCP bind address. | `0.0.0.0:3323` |
| `RPKI_RTR_TLS_ADDR` | TLS bind address. | `0.0.0.0:3324` |
| `RPKI_RTR_DB_PATH` | RTR RocksDB path. | `./rtr-db` |
| `RPKI_RTR_VRP_FILE` | Input VRP file path. | `./data/vrps.txt` |
| `RPKI_RTR_TLS_CERT_PATH` | TLS server certificate path. | `./certs/server.crt` |
| `RPKI_RTR_TLS_KEY_PATH` | TLS server private key path. | `./certs/server.key` |
| `RPKI_RTR_TLS_CLIENT_CA_PATH` | Client CA certificate path used to verify router certificates. | `./certs/client-ca.crt` |
| `RPKI_RTR_MAX_DELTA` | Maximum retained delta count. | `100` |
| `RPKI_RTR_REFRESH_INTERVAL_SECS` | VRP reload interval in seconds. | `300` |
| `RPKI_RTR_MAX_CONNECTIONS` | Maximum concurrent RTR connections. | `512` |
| `RPKI_RTR_NOTIFY_QUEUE_SIZE` | Broadcast queue size for serial notify events. | `1024` |
| `RPKI_RTR_TCP_KEEPALIVE_SECS` | TCP keepalive time in seconds. Set `0` to disable. | `60` |
| `RPKI_RTR_WARN_INSECURE_TCP` | Emit a warning when plain TCP is enabled. Accepts boolean values. | `true` |
| `RPKI_RTR_REQUIRE_TLS_SERVER_DNS_NAME_SAN` | Strict mode: reject TLS server certificates that do not contain a `subjectAltName dNSName`. Accepts boolean values. | `false` |
### Notes
- Plain TCP should only be used on a trusted and controlled network.
- TLS mode requires client certificate authentication.
- In strict TLS server certificate mode, a server certificate without
`subjectAltName dNSName` will be rejected during startup.
- `RPKI_RTR_TCP_KEEPALIVE_SECS=0` disables TCP keepalive. Any non-zero value
enables keepalive for the lifetime of each accepted socket.
## Example Startup
### Bash
```sh
export RPKI_RTR_ENABLE_TLS=true
export RPKI_RTR_TCP_ADDR=0.0.0.0:3323
export RPKI_RTR_TLS_ADDR=0.0.0.0:3324
export RPKI_RTR_DB_PATH=./rtr-db
export RPKI_RTR_VRP_FILE=./data/vrps.txt
export RPKI_RTR_TLS_CERT_PATH=./certs/server-dns.crt
export RPKI_RTR_TLS_KEY_PATH=./certs/server-dns.key
export RPKI_RTR_TLS_CLIENT_CA_PATH=./certs/client-ca.crt
export RPKI_RTR_TCP_KEEPALIVE_SECS=60
export RPKI_RTR_WARN_INSECURE_TCP=true
export RPKI_RTR_REQUIRE_TLS_SERVER_DNS_NAME_SAN=true
cargo run
```
A ready-to-edit example script is provided at
[`scripts/start-rtr-server.sh`](/C:/Users/xuxiu/git_code/rpki/scripts/start-rtr-server.sh).
Reference in New Issue View Git Blame Copy Permalink