Add hysteria and acme TLS certificate issuer (#18)

* Add hysteria client/server * Add acme TLS certificate issuer
2026-05-14 00:51:12 +03:00 · 2022-08-19 15:42:57 +08:00
parent 3dfa99efe1
commit d1c3dd0ee1
42 changed files with 2670 additions and 127 deletions
--- a/inbound/builder.go
+++ b/inbound/builder.go
@@ -37,6 +37,8 @@ func New(ctx context.Context, router adapter.Router, logger log.ContextLogger, o
 		return NewTrojan(ctx, router, logger, options.Tag, options.TrojanOptions)
 	case C.TypeNaive:
 		return NewNaive(ctx, router, logger, options.Tag, options.NaiveOptions)
+	case C.TypeHysteria:
+		return NewHysteria(ctx, router, logger, options.Tag, options.HysteriaOptions)
 	default:
 		return nil, E.New("unknown inbound type: ", options.Type)
 	}
--- a/inbound/http.go
+++ b/inbound/http.go
@@ -41,7 +41,7 @@ func NewHTTP(ctx context.Context, router adapter.Router, logger log.ContextLogge
 		authenticator: auth.NewAuthenticator(options.Users),
 	}
 	if options.TLS != nil {
-		tlsConfig, err := NewTLSConfig(logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
--- a/inbound/hysteria.go
+++ b/inbound/hysteria.go
@@ -0,0 +1,319 @@
+//go:build with_quic
+
+package inbound
+
+import (
+	"bytes"
+	"context"
+	"net"
+	"net/netip"
+	"sync"
+
+	"github.com/sagernet/quic-go"
+	"github.com/sagernet/quic-go/congestion"
+	"github.com/sagernet/sing-box/adapter"
+	C "github.com/sagernet/sing-box/constant"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing-box/transport/hysteria"
+	"github.com/sagernet/sing-dns"
+	"github.com/sagernet/sing/common"
+	E "github.com/sagernet/sing/common/exceptions"
+	M "github.com/sagernet/sing/common/metadata"
+	N "github.com/sagernet/sing/common/network"
+)
+
+var _ adapter.Inbound = (*Hysteria)(nil)
+
+type Hysteria struct {
+	ctx           context.Context
+	router        adapter.Router
+	logger        log.ContextLogger
+	tag           string
+	listenOptions option.ListenOptions
+	quicConfig    *quic.Config
+	tlsConfig     *TLSConfig
+	authKey       []byte
+	xplusKey      []byte
+	sendBPS       uint64
+	recvBPS       uint64
+	listener      quic.Listener
+	udpAccess     sync.RWMutex
+	udpSessionId  uint32
+	udpSessions   map[uint32]chan *hysteria.UDPMessage
+	udpDefragger  hysteria.Defragger
+}
+
+func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaInboundOptions) (*Hysteria, error) {
+	quicConfig := &quic.Config{
+		InitialStreamReceiveWindow:     options.ReceiveWindowConn,
+		MaxStreamReceiveWindow:         options.ReceiveWindowConn,
+		InitialConnectionReceiveWindow: options.ReceiveWindowClient,
+		MaxConnectionReceiveWindow:     options.ReceiveWindowClient,
+		MaxIncomingStreams:             int64(options.MaxConnClient),
+		KeepAlivePeriod:                hysteria.KeepAlivePeriod,
+		DisablePathMTUDiscovery:        options.DisableMTUDiscovery || !(C.IsLinux || C.IsWindows),
+		EnableDatagrams:                true,
+	}
+	if options.ReceiveWindowConn == 0 {
+		quicConfig.InitialStreamReceiveWindow = hysteria.DefaultStreamReceiveWindow
+		quicConfig.MaxStreamReceiveWindow = hysteria.DefaultStreamReceiveWindow
+	}
+	if options.ReceiveWindowClient == 0 {
+		quicConfig.InitialConnectionReceiveWindow = hysteria.DefaultConnectionReceiveWindow
+		quicConfig.MaxConnectionReceiveWindow = hysteria.DefaultConnectionReceiveWindow
+	}
+	if quicConfig.MaxIncomingStreams == 0 {
+		quicConfig.MaxIncomingStreams = hysteria.DefaultMaxIncomingStreams
+	}
+	var auth []byte
+	if len(options.Auth) > 0 {
+		auth = options.Auth
+	} else {
+		auth = []byte(options.AuthString)
+	}
+	var xplus []byte
+	if options.Obfs != "" {
+		xplus = []byte(options.Obfs)
+	}
+	var up, down uint64
+	if len(options.Up) > 0 {
+		up = hysteria.StringToBps(options.Up)
+		if up == 0 {
+			return nil, E.New("invalid up speed format: ", options.Up)
+		}
+	} else {
+		up = uint64(options.UpMbps) * hysteria.MbpsToBps
+	}
+	if len(options.Down) > 0 {
+		down = hysteria.StringToBps(options.Down)
+		if down == 0 {
+			return nil, E.New("invalid down speed format: ", options.Down)
+		}
+	} else {
+		down = uint64(options.DownMbps) * hysteria.MbpsToBps
+	}
+	if up < hysteria.MinSpeedBPS {
+		return nil, E.New("invalid up speed")
+	}
+	if down < hysteria.MinSpeedBPS {
+		return nil, E.New("invalid down speed")
+	}
+	inbound := &Hysteria{
+		ctx:           ctx,
+		router:        router,
+		logger:        logger,
+		tag:           tag,
+		quicConfig:    quicConfig,
+		listenOptions: options.ListenOptions,
+		authKey:       auth,
+		xplusKey:      xplus,
+		sendBPS:       up,
+		recvBPS:       down,
+		udpSessions:   make(map[uint32]chan *hysteria.UDPMessage),
+	}
+	if options.TLS == nil || !options.TLS.Enabled {
+		return nil, errTLSRequired
+	}
+	if len(options.TLS.ALPN) == 0 {
+		options.TLS.ALPN = []string{hysteria.DefaultALPN}
+	}
+	tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
+	if err != nil {
+		return nil, err
+	}
+	inbound.tlsConfig = tlsConfig
+	return inbound, nil
+}
+
+func (h *Hysteria) Type() string {
+	return C.TypeHysteria
+}
+
+func (h *Hysteria) Tag() string {
+	return h.tag
+}
+
+func (h *Hysteria) Start() error {
+	listenAddr := M.SocksaddrFrom(netip.Addr(h.listenOptions.Listen), h.listenOptions.ListenPort)
+	var packetConn net.PacketConn
+	var err error
+	packetConn, err = net.ListenUDP(M.NetworkFromNetAddr("udp", listenAddr.Addr), listenAddr.UDPAddr())
+	if err != nil {
+		return err
+	}
+	if len(h.xplusKey) > 0 {
+		packetConn = hysteria.NewXPlusPacketConn(packetConn, h.xplusKey)
+		packetConn = &hysteria.PacketConnWrapper{PacketConn: packetConn}
+	}
+	err = h.tlsConfig.Start()
+	if err != nil {
+		return err
+	}
+	listener, err := quic.Listen(packetConn, h.tlsConfig.Config(), h.quicConfig)
+	if err != nil {
+		return err
+	}
+	h.listener = listener
+	h.logger.Info("udp server started at ", listener.Addr())
+	go h.acceptLoop()
+	return nil
+}
+
+func (h *Hysteria) acceptLoop() {
+	for {
+		ctx := log.ContextWithNewID(h.ctx)
+		conn, err := h.listener.Accept(ctx)
+		if err != nil {
+			return
+		}
+		h.logger.InfoContext(ctx, "inbound connection from ", conn.RemoteAddr())
+		go func() {
+			hErr := h.accept(ctx, conn)
+			if hErr != nil {
+				conn.CloseWithError(0, "")
+				NewError(h.logger, ctx, E.Cause(hErr, "process connection from ", conn.RemoteAddr()))
+			}
+		}()
+	}
+}
+
+func (h *Hysteria) accept(ctx context.Context, conn quic.Connection) error {
+	controlStream, err := conn.AcceptStream(ctx)
+	if err != nil {
+		return err
+	}
+	clientHello, err := hysteria.ReadClientHello(controlStream)
+	if err != nil {
+		return err
+	}
+	if !bytes.Equal(clientHello.Auth, h.authKey) {
+		err = hysteria.WriteServerHello(controlStream, hysteria.ServerHello{
+			Message: "wrong password",
+		})
+		return E.Errors(E.New("wrong password: ", string(clientHello.Auth)), err)
+	}
+	if clientHello.SendBPS == 0 || clientHello.RecvBPS == 0 {
+		return E.New("invalid rate from client")
+	}
+	serverSendBPS, serverRecvBPS := clientHello.RecvBPS, clientHello.SendBPS
+	if h.sendBPS > 0 && serverSendBPS > h.sendBPS {
+		serverSendBPS = h.sendBPS
+	}
+	if h.recvBPS > 0 && serverRecvBPS > h.recvBPS {
+		serverRecvBPS = h.recvBPS
+	}
+	err = hysteria.WriteServerHello(controlStream, hysteria.ServerHello{
+		OK:      true,
+		SendBPS: serverSendBPS,
+		RecvBPS: serverRecvBPS,
+	})
+	if err != nil {
+		return err
+	}
+	conn.SetCongestionControl(hysteria.NewBrutalSender(congestion.ByteCount(serverSendBPS)))
+	go h.udpRecvLoop(conn)
+	for {
+		var stream quic.Stream
+		stream, err = conn.AcceptStream(ctx)
+		if err != nil {
+			return err
+		}
+		go func() {
+			hErr := h.acceptStream(ctx, conn /*&hysteria.StreamWrapper{Stream: stream}*/, stream)
+			if hErr != nil {
+				stream.Close()
+				NewError(h.logger, ctx, E.Cause(hErr, "process stream from ", conn.RemoteAddr()))
+			}
+		}()
+	}
+}
+
+func (h *Hysteria) udpRecvLoop(conn quic.Connection) {
+	for {
+		packet, err := conn.ReceiveMessage()
+		if err != nil {
+			return
+		}
+		message, err := hysteria.ParseUDPMessage(packet)
+		if err != nil {
+			h.logger.Error("parse udp message: ", err)
+			continue
+		}
+		dfMsg := h.udpDefragger.Feed(message)
+		if dfMsg == nil {
+			continue
+		}
+		h.udpAccess.RLock()
+		ch, ok := h.udpSessions[dfMsg.SessionID]
+		if ok {
+			select {
+			case ch <- dfMsg:
+				// OK
+			default:
+				// Silently drop the message when the channel is full
+			}
+		}
+		h.udpAccess.RUnlock()
+	}
+}
+
+func (h *Hysteria) acceptStream(ctx context.Context, conn quic.Connection, stream quic.Stream) error {
+	request, err := hysteria.ReadClientRequest(stream)
+	if err != nil {
+		return err
+	}
+	err = hysteria.WriteServerResponse(stream, hysteria.ServerResponse{
+		OK: true,
+	})
+	if err != nil {
+		return err
+	}
+	var metadata adapter.InboundContext
+	metadata.Inbound = h.tag
+	metadata.InboundType = C.TypeHysteria
+	metadata.SniffEnabled = h.listenOptions.SniffEnabled
+	metadata.SniffOverrideDestination = h.listenOptions.SniffOverrideDestination
+	metadata.DomainStrategy = dns.DomainStrategy(h.listenOptions.DomainStrategy)
+	metadata.Source = M.SocksaddrFromNet(conn.RemoteAddr())
+	metadata.Destination = M.ParseSocksaddrHostPort(request.Host, request.Port)
+	if !request.UDP {
+		h.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
+		metadata.Network = N.NetworkTCP
+		return h.router.RouteConnection(ctx, hysteria.NewConn(stream, metadata.Destination), metadata)
+	} else {
+		h.logger.InfoContext(ctx, "inbound packet connection to ", metadata.Destination)
+		var id uint32
+		h.udpAccess.Lock()
+		id = h.udpSessionId
+		nCh := make(chan *hysteria.UDPMessage, 1024)
+		h.udpSessions[id] = nCh
+		h.udpSessionId += 1
+		h.udpAccess.Unlock()
+		metadata.Network = N.NetworkUDP
+		packetConn := hysteria.NewPacketConn(conn, stream, id, metadata.Destination, nCh, common.Closer(func() error {
+			h.udpAccess.Lock()
+			if ch, ok := h.udpSessions[id]; ok {
+				close(ch)
+				delete(h.udpSessions, id)
+			}
+			h.udpAccess.Unlock()
+			return nil
+		}))
+		go packetConn.Hold()
+		return h.router.RoutePacketConnection(ctx, packetConn, metadata)
+	}
+}
+
+func (h *Hysteria) Close() error {
+	h.udpAccess.Lock()
+	for _, session := range h.udpSessions {
+		close(session)
+	}
+	h.udpSessions = make(map[uint32]chan *hysteria.UDPMessage)
+	h.udpAccess.Unlock()
+	return common.Close(
+		h.listener,
+		common.PtrOrNil(h.tlsConfig),
+	)
+}
--- a/inbound/hysteria_stub.go
+++ b/inbound/hysteria_stub.go
@@ -0,0 +1,16 @@
+//go:build !with_quic
+
+package inbound
+
+import (
+	"context"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/log"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func NewHysteria(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.HysteriaInboundOptions) (adapter.Inbound, error) {
+	return nil, E.New(`QUIC is not included in this build, rebuild with -tags with_quic`)
+}
--- a/inbound/naive.go
+++ b/inbound/naive.go
@@ -45,10 +45,7 @@ type Naive struct {
 	h3Server      any
 }

-var (
-	ErrNaiveTLSRequired  = E.New("TLS required")
-	ErrNaiveMissingUsers = E.New("missing users")
-)
+var errTLSRequired = E.New("TLS required")

 func NewNaive(ctx context.Context, router adapter.Router, logger log.ContextLogger, tag string, options option.NaiveInboundOptions) (*Naive, error) {
 	inbound := &Naive{
@@ -61,12 +58,12 @@ func NewNaive(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		authenticator: auth.NewAuthenticator(options.Users),
 	}
 	if options.TLS == nil || !options.TLS.Enabled {
-		return nil, ErrNaiveTLSRequired
+		return nil, errTLSRequired
 	}
 	if len(options.Users) == 0 {
-		return nil, ErrNaiveMissingUsers
+		return nil, E.New("missing users")
 	}
-	tlsConfig, err := NewTLSConfig(logger, common.PtrValueOrDefault(options.TLS))
+	tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
 	if err != nil {
 		return nil, err
 	}
@@ -195,6 +192,8 @@ func (n *Naive) newConnection(ctx context.Context, conn net.Conn, source, destin
 	metadata.Network = N.NetworkTCP
 	metadata.Source = source
 	metadata.Destination = destination
+	n.logger.InfoContext(ctx, "inbound connection from ", metadata.Source)
+	n.logger.InfoContext(ctx, "inbound connection to ", metadata.Destination)
 	hErr := n.router.RouteConnection(ctx, conn, metadata)
 	if hErr != nil {
 		conn.Close()
--- a/inbound/tls.go
+++ b/inbound/tls.go
@@ -1,12 +1,14 @@
 package inbound

 import (
+	"context"
 	"crypto/tls"
 	"os"

 	"github.com/sagernet/sing-box/adapter"
 	"github.com/sagernet/sing-box/log"
 	"github.com/sagernet/sing-box/option"
+	"github.com/sagernet/sing/common"
 	E "github.com/sagernet/sing/common/exceptions"

 	"github.com/fsnotify/fsnotify"
@@ -17,6 +19,7 @@ var _ adapter.Service = (*TLSConfig)(nil)
 type TLSConfig struct {
 	config          *tls.Config
 	logger          log.Logger
+	acmeService     adapter.Service
 	certificate     []byte
 	key             []byte
 	certificatePath string
@@ -29,14 +32,18 @@ func (c *TLSConfig) Config() *tls.Config {
 }

 func (c *TLSConfig) Start() error {
-	if c.certificatePath == "" && c.keyPath == "" {
+	if c.acmeService != nil {
+		return c.acmeService.Start()
+	} else {
+		if c.certificatePath == "" && c.keyPath == "" {
+			return nil
+		}
+		err := c.startWatcher()
+		if err != nil {
+			c.logger.Warn("create fsnotify watcher: ", err)
+		}
 		return nil
 	}
-	err := c.startWatcher()
-	if err != nil {
-		c.logger.Warn("create fsnotify watcher: ", err)
-	}
-	return nil
 }

 func (c *TLSConfig) startWatcher() error {
@@ -109,17 +116,31 @@ func (c *TLSConfig) reloadKeyPair() error {
 }

 func (c *TLSConfig) Close() error {
+	if c.acmeService != nil {
+		return c.acmeService.Close()
+	}
 	if c.watcher != nil {
 		return c.watcher.Close()
 	}
 	return nil
 }

-func NewTLSConfig(logger log.Logger, options option.InboundTLSOptions) (*TLSConfig, error) {
+func NewTLSConfig(ctx context.Context, logger log.Logger, options option.InboundTLSOptions) (*TLSConfig, error) {
 	if !options.Enabled {
 		return nil, nil
 	}
-	var tlsConfig tls.Config
+	var tlsConfig *tls.Config
+	var acmeService adapter.Service
+	var err error
+	if options.ACME != nil && len(options.ACME.Domain) > 0 {
+		tlsConfig, acmeService, err = startACME(ctx, common.PtrValueOrDefault(options.ACME))
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		tlsConfig = &tls.Config{}
+	}
+	tlsConfig.NextProtos = []string{}
 	if options.ServerName != "" {
 		tlsConfig.ServerName = options.ServerName
 	}
@@ -153,39 +174,42 @@ func NewTLSConfig(logger log.Logger, options option.InboundTLSOptions) (*TLSConf
 		}
 	}
 	var certificate []byte
-	if options.Certificate != "" {
-		certificate = []byte(options.Certificate)
-	} else if options.CertificatePath != "" {
-		content, err := os.ReadFile(options.CertificatePath)
-		if err != nil {
-			return nil, E.Cause(err, "read certificate")
-		}
-		certificate = content
-	}
 	var key []byte
-	if options.Key != "" {
-		key = []byte(options.Key)
-	} else if options.KeyPath != "" {
-		content, err := os.ReadFile(options.KeyPath)
-		if err != nil {
-			return nil, E.Cause(err, "read key")
+	if acmeService == nil {
+		if options.Certificate != "" {
+			certificate = []byte(options.Certificate)
+		} else if options.CertificatePath != "" {
+			content, err := os.ReadFile(options.CertificatePath)
+			if err != nil {
+				return nil, E.Cause(err, "read certificate")
+			}
+			certificate = content
 		}
-		key = content
+		if options.Key != "" {
+			key = []byte(options.Key)
+		} else if options.KeyPath != "" {
+			content, err := os.ReadFile(options.KeyPath)
+			if err != nil {
+				return nil, E.Cause(err, "read key")
+			}
+			key = content
+		}
+		if certificate == nil {
+			return nil, E.New("missing certificate")
+		}
+		if key == nil {
+			return nil, E.New("missing key")
+		}
+		keyPair, err := tls.X509KeyPair(certificate, key)
+		if err != nil {
+			return nil, E.Cause(err, "parse x509 key pair")
+		}
+		tlsConfig.Certificates = []tls.Certificate{keyPair}
 	}
-	if certificate == nil {
-		return nil, E.New("missing certificate")
-	}
-	if key == nil {
-		return nil, E.New("missing key")
-	}
-	keyPair, err := tls.X509KeyPair(certificate, key)
-	if err != nil {
-		return nil, E.Cause(err, "parse x509 key pair")
-	}
-	tlsConfig.Certificates = []tls.Certificate{keyPair}
 	return &TLSConfig{
-		config:          &tlsConfig,
+		config:          tlsConfig,
 		logger:          logger,
+		acmeService:     acmeService,
 		certificate:     certificate,
 		key:             key,
 		certificatePath: options.CertificatePath,
--- a/inbound/tls_acme.go
+++ b/inbound/tls_acme.go
@@ -0,0 +1,66 @@
+//go:build with_acme
+
+package inbound
+
+import (
+	"context"
+	"crypto/tls"
+	"strings"
+
+	"github.com/sagernet/certmagic"
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+type acmeWrapper struct {
+	ctx    context.Context
+	cfg    *certmagic.Config
+	domain []string
+}
+
+func (w *acmeWrapper) Start() error {
+	return w.cfg.ManageSync(w.ctx, w.domain)
+}
+
+func (w *acmeWrapper) Close() error {
+	w.cfg.Unmanage(w.domain)
+	return nil
+}
+
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
+	var acmeServer string
+	switch options.Provider {
+	case "", "letsencrypt":
+		acmeServer = certmagic.LetsEncryptProductionCA
+	case "zerossl":
+		acmeServer = certmagic.ZeroSSLProductionCA
+	default:
+		if !strings.HasPrefix(options.Provider, "https://") {
+			return nil, nil, E.New("unsupported acme provider: " + options.Provider)
+		}
+		acmeServer = options.Provider
+	}
+	var storage certmagic.Storage
+	if options.DataDirectory != "" {
+		storage = &certmagic.FileStorage{
+			Path: options.DataDirectory,
+		}
+	}
+	config := certmagic.New(certmagic.NewCache(certmagic.CacheOptions{}), certmagic.Config{
+		DefaultServerName: options.DefaultServerName,
+		Issuers: []certmagic.Issuer{
+			&certmagic.ACMEIssuer{
+				CA:                      acmeServer,
+				Email:                   options.Email,
+				Agreed:                  true,
+				DisableHTTPChallenge:    options.DisableHTTPChallenge,
+				DisableTLSALPNChallenge: options.DisableTLSALPNChallenge,
+				AltHTTPPort:             int(options.AlternativeHTTPPort),
+				AltTLSALPNPort:          int(options.AlternativeTLSPort),
+			},
+		},
+		Storage: storage,
+	})
+	return config.TLSConfig(), &acmeWrapper{ctx, config, options.Domain}, nil
+}
--- a/inbound/tls_acme_stub.go
+++ b/inbound/tls_acme_stub.go
@@ -0,0 +1,16 @@
+//go:build !with_acme
+
+package inbound
+
+import (
+	"context"
+	"crypto/tls"
+
+	"github.com/sagernet/sing-box/adapter"
+	"github.com/sagernet/sing-box/option"
+	E "github.com/sagernet/sing/common/exceptions"
+)
+
+func startACME(ctx context.Context, options option.InboundACMEOptions) (*tls.Config, adapter.Service, error) {
+	return nil, nil, E.New(`ACME is not included in this build, rebuild with -tags with_acme`)
+}
--- a/inbound/trojan.go
+++ b/inbound/trojan.go
@@ -50,7 +50,7 @@ func NewTrojan(ctx context.Context, router adapter.Router, logger log.ContextLog
 		return nil, err
 	}
 	if options.TLS != nil {
-		tlsConfig, err := NewTLSConfig(logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}
--- a/inbound/vmess.go
+++ b/inbound/vmess.go
@@ -52,7 +52,7 @@ func NewVMess(ctx context.Context, router adapter.Router, logger log.ContextLogg
 		return nil, err
 	}
 	if options.TLS != nil {
-		tlsConfig, err := NewTLSConfig(logger, common.PtrValueOrDefault(options.TLS))
+		tlsConfig, err := NewTLSConfig(ctx, logger, common.PtrValueOrDefault(options.TLS))
 		if err != nil {
 			return nil, err
 		}