broken changes | 8448 -> 443

stevessr · stevessr · commit 129b3edd5ed3 · 2025-11-24T15:09:13.000+08:00
diff --git a/.github/workflows/build-deb-aarch64.yml b/.github/workflows/build-deb-aarch64.yml
@@ -0,0 +1,28 @@
+name: Build aarch64 .deb
+
+on:
+  push:
+    branches: [ main ]
+  workflow_dispatch: {}
+
+jobs:
+  build-deb:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Build aarch64 binary and .deb using cross Docker image
+        run: |
+          set -euo pipefail
+          # Use the cross Docker image to build for aarch64
+          docker run --rm -v "${{ github.workspace }}:/work" -w /work cross-rs/cross:latest \
+            sh -lc "cargo install cargo-deb --force && cross build --release --target aarch64-unknown-linux-gnu -p tuwunel && cp target/aarch64-unknown-linux-gnu/release/tuwunel target/release/tuwunel && cargo deb --no-build --target aarch64-unknown-linux-gnu -p tuwunel"
+
+      - name: Find .deb and upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: tuwunel-deb-aarch64
+          path: |
+            target/debian/**/*.deb
+            target/**/*.deb
diff --git a/README.md b/README.md
@@ -57,7 +57,7 @@ using the configuration and Tuwunel can be deployed without a reverse proxy. Exa
 `/etc/caddy/Caddyfile` configuration with [Element](https://github.com/element-hq/element-web/releases)
 unzipped to `/var/www/element`:
 ```
-tuwunel.me, tuwunel.me:8448 {
+tuwunel.me, tuwunel.me:443 {
     reverse_proxy localhost:8008
 }
 web.tuwunel.me {
diff --git a/docker/Dockerfile.complement b/docker/Dockerfile.complement
@@ -72,7 +72,7 @@ COPY <<EOF complement.toml
     log_thread_ids = true
     media_compat_file_link = false
     media_startup_check = true
-    port = [8008, 8448]
+    port = [8008, 443]
     prune_missing_media = true
     query_trusted_key_servers_first = false
     query_trusted_key_servers_first_on_join = false
diff --git a/docker/bake.hcl b/docker/bake.hcl
@@ -790,7 +790,7 @@ target "docker" {
     dockerfile-inline =<<EOF
         FROM scratch AS install
         COPY --from=input . .
-        EXPOSE 8008 8448
+        EXPOSE 8008 443
         ENTRYPOINT ["tuwunel"]
 EOF
 }
diff --git a/docs/build-aarch64-deb.md b/docs/build-aarch64-deb.md
@@ -0,0 +1,41 @@
+如何为 aarch64 (arm64) 架构构建 tuwunel 的 Debian (.deb) 包
+
+概述
+ - 本文档说明如何在 x86_64 或任意 Linux 主机上，生成适用于 aarch64-unknown-linux-gnu 的 .deb 包。
+ - 推荐使用 cross（基于 Docker + QEMU），可以避免在宿主机安装交叉编译工具链。
+
+先决条件
+ - Rust（建议使用 rustup 管理 toolchain）
+ - Docker（如果使用 cross）
+ - cross（可选，但推荐）：cargo install cross 或 apt 安装含包
+ - cargo-deb：cargo install cargo-deb
+ - 如果不使用 cross，需要安装目标与交叉链接器：
+   - rustup target add aarch64-unknown-linux-gnu
+   - 在 Debian/Ubuntu 上安装： gcc-aarch64-linux-gnu 或 aarch64-linux-gnu-gcc
+
+使用脚本构建
+
+仓库中提供了脚本： `scripts/build-deb-aarch64.sh`。
+
+用法：
+
+```
+./scripts/build-deb-aarch64.sh
+```
+
+脚本逻辑
+ - 优先使用 `cross build --target aarch64-unknown-linux-gnu --release`。
+ - 若没有 cross，会尝试用 `cargo build --target aarch64-unknown-linux-gnu --release`（需本地交叉工具链）。
+ - 将生成的二进制复制到 `target/release/tuwunel`，然后运行 `cargo deb --no-build` 生成 .deb。
+ - 最终输出放在 `out/` 目录下。
+
+常见问题
+ - 找不到 cross：安装 `cargo install cross`，或在仓库根使用 Docker（需可用的 Docker）。
+ - cargo-deb 未安装： `cargo install cargo-deb`。
+ - 本地交叉构建失败：建议使用 cross；若必须本地构建，请确保交叉链接器已安装并在 PATH 中。
+
+进阶：在 CI 中使用
+ - 在 CI（例如 GitHub Actions）中，可使用官方 cross 镜像并运行脚本，或使用 QEMU + Docker runner。
+
+其他说明
+ - 打包元数据位于 `src/main/Cargo.toml` 的 `[package.metadata.deb]` 部分，包含了 systemd unit、配置文件、维护脚本路径等信息。
diff --git a/docs/deploying/docker-compose.yml b/docs/deploying/docker-compose.yml
@@ -7,7 +7,7 @@ services:
         image: jevolk/tuwunel:latest
         restart: unless-stopped
         ports:
-            - 8448:6167
+            - 443:6167
         volumes:
             - db:/var/lib/tuwunel
             #- ./tuwunel.toml:/etc/tuwunel.toml
diff --git a/docs/deploying/docker.md b/docs/deploying/docker.md
@@ -26,7 +26,7 @@ OCI images for tuwunel are available in the registries listed below.
 When you have the image you can simply run it with
 
 ```bash
-docker run -d -p 8448:6167 \
+docker run -d -p 443:6167 \
     -v db:/var/lib/tuwunel/ \
     -e TUWUNEL_SERVER_NAME="your.server.name" \
     -e TUWUNEL_ALLOW_REGISTRATION=false \
@@ -127,7 +127,7 @@ to deploy and use tuwunel, with a little caveat. If you already took a look at
 the files, then you should have seen the `well-known` service, and that is the
 little caveat. Traefik is simply a proxy and loadbalancer and is not able to
 serve any kind of content, but for tuwunel to federate, we need to either
-expose ports `443` and `8448` or serve two endpoints `.well-known/matrix/client`
+expose ports `443` and `443` or serve two endpoints `.well-known/matrix/client`
 and `.well-known/matrix/server`.
 
 With the service `well-known` we use a single `nginx` container that will serve
diff --git a/docs/deploying/generic.md b/docs/deploying/generic.md
@@ -69,7 +69,7 @@ sudo useradd -r --shell /usr/bin/nologin --no-create-home tuwunel
 
 ## Forwarding ports in the firewall or the router
 
-Matrix's default federation port is port 8448, and clients must be using port 443.
+Matrix's default federation port is port 443, and clients must be using port 443.
 If you would like to use only port 443, or a different port, you will need to setup
 delegation. Tuwunel has config options for doing delegation, or you can configure
 your reverse proxy to manually serve the necessary JSON files to do delegation
@@ -207,17 +207,17 @@ You can also use these commands as a quick health check (replace
 ```bash
 curl https://your.server.name/_tuwunel/server_version
 
-# If using port 8448
-curl https://your.server.name:8448/_tuwunel/server_version
+# If using port 443
+curl https://your.server.name:443/_tuwunel/server_version
 
 # If federation is enabled
-curl https://your.server.name:8448/_matrix/federation/v1/version
+curl https://your.server.name:443/_matrix/federation/v1/version
 ```
 
 - To check if your server can talk with other homeservers, you can use the
 [Matrix Federation Tester](https://federationtester.matrix.org/). If you can
 register but cannot join federated rooms check your config again and also check
-if the port 8448 is open and forwarded correctly.
+if the port 443 is open and forwarded correctly.
 
 # What's next?
 
diff --git a/docs/deploying/tuwunel.container b/docs/deploying/tuwunel.container
@@ -1,7 +1,7 @@
 [Container]
 Environment=TUWUNEL_SERVER_NAME=your.domain.here TUWUNEL_DATABASE_PATH=/var/lib/tuwunel TUWUNEL_PORT=6167 TUWUNEL_MAX_REQUEST_SIZE=20000000 TUWUNEL_ALLOW_REGISTRATION=true TUWUNEL_REGISTRATION_TOKEN=YOUR_TOKEN TUWUNEL_ALLOW_FEDERATION=true TUWUNEL_TRUSTED_SERVERS=["matrix.org"] TUWUNEL_ADDRESS=0.0.0.0 # Add TUWUNEL_CONFIG: '/etc/tuwunel.toml' if the config is mapped
 Image=docker.io/jevolk/tuwunel:latest
-PublishPort=8448:6167
+PublishPort=443:6167
 Volume=/path/to/db:/var/lib/tuwunel
 #Volume=/path/to/tuwunel.toml:/etc/tuwunel.toml #Uncomment to use the config file
 
diff --git a/nix/pkgs/complement/config.toml b/nix/pkgs/complement/config.toml
@@ -7,7 +7,7 @@ allow_public_room_directory_without_auth = true
 allow_registration = true
 database_path = "/database"
 log = "trace,h2=debug,hyper=debug"
-port = [8008, 8448]
+port = [8008, 443]
 trusted_servers = []
 only_query_trusted_key_servers = false
 query_trusted_key_servers_first = false
diff --git a/nix/pkgs/complement/default.nix b/nix/pkgs/complement/default.nix
@@ -83,7 +83,7 @@ dockerTools.buildImage {
 
     ExposedPorts = {
       "8008/tcp" = {};
-      "8448/tcp" = {};
+      "443/tcp" = {};
     };
   };
 }
diff --git a/scripts/build-deb-aarch64.sh b/scripts/build-deb-aarch64.sh
@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Builds an aarch64 Debian package for the `tuwunel` binary using either
+# `cross` (recommended) or a local cross toolchain. The script will:
+#  - build the aarch64 release binary
+#  - copy it to `target/release/tuwunel` (cargo-deb expects that path)
+#  - run `cargo deb` to produce a .deb
+#
+# Usage: ./scripts/build-deb-aarch64.sh
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+cd "$REPO_ROOT"
+
+TARGET=aarch64-unknown-linux-gnu
+CRATE=tuwunel
+
+out_dir="out"
+mkdir -p "$out_dir"
+
+echo "Building Debian package for target: $TARGET"
+
+if command -v cross >/dev/null 2>&1; then
+  echo "Using 'cross' to build (Docker/qemu powered)",\
+       " - this usually works without needing a native cross toolchain."
+  cross build --release --target "$TARGET" -p "$CRATE"
+else
+  echo "'cross' not found. Falling back to direct 'cargo' cross-build."
+  echo "Make sure you have rustup target '$TARGET' installed and an aarch64 linker (gcc-aarch64-linux-gnu) available."
+  if ! rustup target list --installed | grep -q "^$TARGET$"; then
+    echo "Adding rust target: $TARGET"
+    rustup target add "$TARGET"
+  fi
+
+  # Try to build; this can fail if no cross linker is installed
+  cargo build --release --target "$TARGET" -p "$CRATE"
+fi
+
+BIN_SRC="target/$TARGET/release/$CRATE"
+if [ ! -f "$BIN_SRC" ]; then
+  echo "Built binary not found at $BIN_SRC" >&2
+  echo "If you used 'cargo' directly you may need to install an aarch64 linker or use 'cross'." >&2
+  exit 1
+fi
+
+mkdir -p target/release
+cp -v "$BIN_SRC" target/release/$CRATE
+
+if ! command -v cargo-deb >/dev/null 2>&1; then
+  echo "cargo-deb not found, installing it now (cargo install cargo-deb)"
+  cargo install cargo-deb
+fi
+
+echo "Running cargo deb (no build) for target: $TARGET"
+# Use --no-build because we've already built the binary for the given target.
+cargo deb --no-build --target "$TARGET" -p "$CRATE"
+
+# cargo-deb writes the .deb into target/debian/ or target/debian/<arch>/
+debfile=$(ls -1 target/debian/*.deb 2>/dev/null || true)
+if [ -z "$debfile" ]; then
+  # try recursive search
+  debfile=$(find target -maxdepth 3 -type f -name "*.deb" | head -n1 || true)
+fi
+
+if [ -z "$debfile" ]; then
+  echo "Failed to locate the generated .deb file." >&2
+  exit 1
+fi
+
+cp -v "$debfile" "$out_dir/"
+
+echo "Created: $out_dir/$(basename "$debfile")"
+echo "Done."
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
@@ -117,7 +117,7 @@ pub struct Config {
 	/// If you are using Docker, don't change this, you'll need to map an
 	/// external port to this.
 	///
-	/// To listen on multiple ports, specify a vector e.g. [8080, 8448]
+	/// To listen on multiple ports, specify a vector e.g. [8080, 443]
 	///
 	/// default: 8008
 	#[serde(default = "default_port")]
diff --git a/src/service/resolver/actual.rs b/src/service/resolver/actual.rs
@@ -73,7 +73,7 @@ impl super::Service {
 				if let Some(pos) = dest.as_str().find(':') {
 					self.actual_dest_2(dest, cache, pos).await?
 				} else {
-					self.conditional_query_and_cache(dest.as_str(), 8448, true)
+					self.conditional_query_and_cache(dest.as_str(), 443, true)
 						.await?;
 					self.services.server.check_running()?;
 					match self.request_well_known(dest.as_str()).await? {
@@ -123,7 +123,7 @@ impl super::Service {
 	async fn actual_dest_2(&self, dest: &ServerName, cache: bool, pos: usize) -> Result<FedDest> {
 		debug!("2: Hostname with included port");
 		let (host, port) = dest.as_str().split_at(pos);
-		self.conditional_query_and_cache(host, port.parse::<u16>().unwrap_or(8448), cache)
+		self.conditional_query_and_cache(host, port.parse::<u16>().unwrap_or(443), cache)
 			.await?;
 
 		Ok(FedDest::Named(
@@ -166,7 +166,7 @@ impl super::Service {
 	async fn actual_dest_3_2(&self, cache: bool, delegated: &str, pos: usize) -> Result<FedDest> {
 		debug!("3.2: Hostname with port in .well-known file");
 		let (host, port) = delegated.split_at(pos);
-		self.conditional_query_and_cache(host, port.parse::<u16>().unwrap_or(8448), cache)
+		self.conditional_query_and_cache(host, port.parse::<u16>().unwrap_or(443), cache)
 			.await?;
 
 		Ok(FedDest::Named(
@@ -187,7 +187,7 @@ impl super::Service {
 		self.conditional_query_and_cache_override(
 			delegated,
 			&overrider.hostname(),
-			force_port.unwrap_or(8448),
+			force_port.unwrap_or(443),
 			cache,
 		)
 		.await?;
@@ -207,7 +207,7 @@ impl super::Service {
 
 	async fn actual_dest_3_4(&self, cache: bool, delegated: &str) -> Result<FedDest> {
 		debug!("3.4: No SRV records, just use the hostname from .well-known");
-		self.conditional_query_and_cache(delegated, 8448, cache)
+		self.conditional_query_and_cache(delegated, 443, cache)
 			.await?;
 
 		Ok(add_port_to_hostname(delegated))
@@ -224,7 +224,7 @@ impl super::Service {
 		self.conditional_query_and_cache_override(
 			host,
 			&overrider.hostname(),
-			force_port.unwrap_or(8448),
+			force_port.unwrap_or(443),
 			cache,
 		)
 		.await?;
@@ -242,7 +242,7 @@ impl super::Service {
 
 	async fn actual_dest_5(&self, dest: &ServerName, cache: bool) -> Result<FedDest> {
 		debug!("5: No SRV record found");
-		self.conditional_query_and_cache(dest.as_str(), 8448, cache)
+		self.conditional_query_and_cache(dest.as_str(), 443, cache)
 			.await?;
 
 		Ok(add_port_to_hostname(dest.as_str()))
diff --git a/src/service/resolver/fed.rs b/src/service/resolver/fed.rs
@@ -20,13 +20,13 @@ pub(super) type HostString = SmallString<[u8; 32]>;
 /// FedDest::Named numeric or service-name
 pub(super) type PortString = ArrayString<16>;
 
-const DEFAULT_PORT: &str = ":8448";
+const DEFAULT_PORT: &str = ":443";
 
 pub(crate) fn get_ip_with_port(dest_str: &str) -> Option<FedDest> {
 	if let Ok(dest) = dest_str.parse::<SocketAddr>() {
 		Some(FedDest::Literal(dest))
 	} else if let Ok(ip_addr) = dest_str.parse::<IpAddr>() {
-		Some(FedDest::Literal(SocketAddr::new(ip_addr, 8448)))
+		Some(FedDest::Literal(SocketAddr::new(ip_addr, 443)))
 	} else {
 		None
 	}
diff --git a/src/service/resolver/tests.rs b/src/service/resolver/tests.rs
@@ -4,11 +4,11 @@ use super::fed::{FedDest, add_port_to_hostname, get_ip_with_port};
 fn ips_get_default_ports() {
 	assert_eq!(
 		get_ip_with_port("1.1.1.1"),
-		Some(FedDest::Literal("1.1.1.1:8448".parse().unwrap()))
+		Some(FedDest::Literal("1.1.1.1:443".parse().unwrap()))
 	);
 	assert_eq!(
 		get_ip_with_port("dead:beef::"),
-		Some(FedDest::Literal("[dead:beef::]:8448".parse().unwrap()))
+		Some(FedDest::Literal("[dead:beef::]:443".parse().unwrap()))
 	);
 }
 
@@ -28,7 +28,7 @@ fn ips_keep_custom_ports() {
 fn hostnames_get_default_ports() {
 	assert_eq!(
 		add_port_to_hostname("example.com"),
-		FedDest::Named("example.com".into(), ":8448".try_into().unwrap())
+		FedDest::Named("example.com".into(), ":443".try_into().unwrap())
 	);
 }
 
diff --git a/tuwunel-example.toml b/tuwunel-example.toml
@@ -67,7 +67,7 @@
 # If you are using Docker, don't change this, you'll need to map an
 # external port to this.
 #
-# To listen on multiple ports, specify a vector e.g. [8080, 8448]
+# To listen on multiple ports, specify a vector e.g. [8080, 443]
 #
 #port = 8008
 

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ using the configuration and Tuwunel can be deployed without a reverse proxy. Exa`
`57`	`57`	`/etc/caddy/Caddyfile` configuration with [Element](https://github.com/element-hq/element-web/releases)
`58`	`58`	unzipped to `/var/www/element`:
`59`	`59`	```
`60`		`-tuwunel.me, tuwunel.me:8448 {`
	`60`	`+tuwunel.me, tuwunel.me:443 {`
`61`	`61`	`reverse_proxy localhost:8008`
`62`	`62`	`}`
`63`	`63`	`web.tuwunel.me {`
Original file line number	Diff line number	Diff line change
`@@ -790,7 +790,7 @@ target "docker" {`
`790`	`790`	`dockerfile-inline =<<EOF`
`791`	`791`	`FROM scratch AS install`
`792`	`792`	`COPY --from=input . .`
`793`		`- EXPOSE 8008 8448`
	`793`	`+ EXPOSE 8008 443`
`794`	`794`	`ENTRYPOINT ["tuwunel"]`
`795`	`795`	`EOF`
`796`	`796`	`}`