ref(server): Move from actix-web to axum (#1938)

Replaces `actix-web` with `axum` in the web endpoint layer and upgrades
related dependencies.

## Motivation

Relay has used `actix-web` as web framework. Due to a failed upgrade
attempts in the past, Relay has remained on a version from 2018, which
relies on outdated dependencies and predates modern language features
such as `Futures` in the standard library. As such, the development
experience has been suboptimal. Most importantly, however, some of the
dependencies required by actix-web contain vulnerabilities or are
unmaintained and advised against at this point.

The latest version (4.3.1) of `actix-web` supports standard futures and
has added support for the stable version of `tokio`, the async runtime.
However, the differences between these versions are large enough to
consider other web frameworks.

The community currently prefers `axum`, which is developed closer to the
`tokio` project and provides quicker upgrade paths on more recent tokio
versions. Additionally, `axum` is a relatively thin routing layer built
on top of `hyper`, which is already used inside `reqwest` as our HTTP
client for outbound requests. Additionally, `axum` is built on top of
`tower`, a composable service library with wide-spread community support
offering building blocks for common HTTP functionality.

## Details

Actix-web required a proprietary system executor built on top of an
older version of the `tokio` runtime. It runs a central accept loop and
an additional thread pool to handle web requests. This system has been
removed. Web requests are now handled within the main executor.

Similar to actix-web, axum offers handler functions for endpoints and
extractors to resolve structured information from web requests. Changes
to the prior implementation include:

- The maximum body size is no longer checked directly in the extractor
  or endpoint implementation. Instead, this is now handled via a body
  size limit middleware.
- The server no longer consumes request bodies if the request is
  terminated early. This can be expanded to more cases in follow-ups to
  speed up request handling.

Hyper offers low-level SSL utilities. Achieving SSL support via
`native-tls` is slightly more involving, and we are not yet ready to
move to `rustls`. Since the best practices in operating guidelines
require to use a reverse proxy in front of Relay, we're dropping native
SSL support. Outbound HTTPS support and TLS for redis and kafka are now
enabled by default.

As part of this migration, we're embracing extraction more than before.
Instead of functional utilities, many inputs to endpoint handlers
composed from and written as extractors, which reduces endpoints to a
minimal set of processing logic, mostly delegating to services.

Axum's router is less capable than actix-web. Most notably, endpoints
that used to fall back to forwarding now need to handle forwarding
explicitly. For this reason, the forward endpoint is written as a
function that can be called directly on a request for convenience. Other
differences are minor, for instance that non-numeric project IDs are now
reported as error instead of 404.

## Dependencies

Since the actix-web framework was the last dependency to rely on
`failure`, `futures 0.1` and `bytes 0.4`, these dependencies have now
been removed from the dependency tree. This also resolves outstanding
security issues and ensures Relay continues to build with upcoming
compiler releases.

## Performance Impact

Performance was tested using the load testing infrastructure. CPU usage
is similar to the actix-web baseline, usually even faster. Same for
request roundtrip times. Memory consumption is 20% less.

Note that most of Relay's resource consumption occurs outside of HTTP
request handling, either in endpoint logic or internal services.

## Breaking Changes

Configuration:

- SSL support has been dropped. As per
  [official guidelines](https://docs.sentry.io/product/relay/operating-guidelines/),
  Relay should be operated behind a reverse proxy, which can perform SSL
  termination.
- Connection config options `max_connections`,
  `max_pending_connections`, and `max_connection_rate` no longer have an
  effect. Instead, configure the reverse proxy to handle connection
  concurrency as needed.

Endpoints:

- The security endpoint no longer forwards to upstream if the mime type
  doesn't match supported mime types. Instead, the request is rejected
  with a corresponding error.
- Passing store payloads as `?sentry_data=<base64>` query parameter is
  restricted to `GET` requests on the store endpoint. Other endpoints
  require the payload to be passed in the request body.
- Requests with an invalid `content-encoding` header will now be
  rejected. Exceptions to this are an empty string and `UTF-8`, which
  have been sent historically by some SDKs and are now treated as
  identity (no encoding). Previously, all unknown encodings were treated
  as identity.
- Temporarily, response bodies for some errors are rendered as plain
  text instead of JSON. This will be addressed in an upcoming release.

Metrics:

- The `route` tag of request metrics uses the route pattern instead of
  schematic names. There is an exact replacement for every previous
  route. For example, `"store-default"` is now tagged as
  `"/api/:project_id/store/"`.
- Statsd metrics `event.size_bytes.raw` and
  `event.size_bytes.uncompressed` have been removed.

Author: jan-auer

.github/workflows/build_binary.yml

@@ -22,7 +22,7 @@ jobs:
         run: scripts/docker-build-linux.sh
         env:
           BUILD_ARCH: x86_64
-          RELAY_FEATURES: ssl
+          RELAY_FEATURES:
 
       - name: Bundle Debug File
         run: |

.github/workflows/ci.yml

@@ -113,8 +113,6 @@ jobs:
 
       - name: Run Cargo Tests
         run: cargo test --workspace
-        env:
-          RUSTFLAGS: -Dwarnings
 
   test_all:
     timeout-minutes: 15

CHANGELOG.md

@@ -2,12 +2,31 @@
 
 ## Unreleased
 
-**Features**
+**Breaking Changes**:
+
+This release contains major changes to the web layer, including TCP and HTTP handling as well as all web endpoint handlers. Due to these changes, some functionality was retired and Relay responds differently in specific cases.
+
+Configuration:
+- SSL support has been dropped. As per [official guidelines](https://docs.sentry.io/product/relay/operating-guidelines/), Relay should be operated behind a reverse proxy, which can perform SSL termination.
+- Connection config options `max_connections`, `max_pending_connections`, and `max_connection_rate` no longer have an effect. Instead, configure the reverse proxy to handle connection concurrency as needed.
+
+Endpoints:
+- The security endpoint no longer forwards to upstream if the mime type doesn't match supported mime types. Instead, the request is rejected with a corresponding error.
+- Passing store payloads as `?sentry_data=<base64>` query parameter is restricted to `GET` requests on the store endpoint. Other endpoints require the payload to be passed in the request body.
+- Requests with an invalid `content-encoding` header will now be rejected. Exceptions to this are an empty string and `UTF-8`, which have been sent historically by some SDKs and are now treated as identity (no encoding). Previously, all unknown encodings were treated as identity.
+- Temporarily, response bodies for some errors are rendered as plain text instead of JSON. This will be addressed in an upcoming release.
+
+Metrics:
+- The `route` tag of request metrics uses the route pattern instead of schematic names. There is an exact replacement for every previous route. For example, `"store-default"` is now tagged as `"/api/:project_id/store/"`.
+- Statsd metrics `event.size_bytes.raw` and `event.size_bytes.uncompressed` have been removed.
+
+**Features**:
 
 - Allow monitor checkins to paass `monitor_config` for monitor upserts. ([#1962](https://github.com/getsentry/relay/pull/1962))
 
 **Internal**:
 
+- Upgrade the web framework and related dependencies. ([#1938](https://github.com/getsentry/relay/pull/1938))
 - Apply transaction clustering rules before UUID scrubbing rules. ([#1964](https://github.com/getsentry/relay/pull/1964))
 
 ## 23.3.1