feat: Allow skipping Wave server TLS verification #1547 (#1556)
mturoci authored Aug 8, 2022
1 parent 2b2ca3e commit a6f37ae
Showing 4 changed files with 29 additions and 12 deletions.
1 change: 1 addition & 0 deletions cmd/wave/main.go
@@ -97,6 +97,7 @@ func main() {
flag.StringVar(&conf.Compact, "compact", "", "compact AOF log")
stringVar(&conf.CertFile, "tls-cert-file", "", "path to certificate file (TLS only)")
stringVar(&conf.KeyFile, "tls-key-file", "", "path to private key file (TLS only)")
boolVar(&conf.SkipCertVerification, "no-tls-verify", false, "do not verify TLS certificates during external communication - DO NOT USE IN PRODUCTION")
stringVar(&httpHeadersFile, "http-headers-file", "", "path to a MIME-formatted file containing additional HTTP headers to add to responses from the server")
boolVar(&conf.Editable, "editable", false, "allow users to edit web pages")
stringVar(&maxRequestSize, "max-request-size", "5M", "maximum allowed size of HTTP requests to the server (e.g. 5M or 5MB or 5MiB)")
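Review bot: the help text for `-no-tls-verify` says "during external communication" without saying which connections that covers; name them (the outbound connection to the auth provider) and state that the flag has no effect on the server's own listener configured by `-tls-cert-file` / `-tls-key-file`, otherwise a reader may assume it relaxes the listener. "DO NOT USE IN PRODUCTION" in help text is easy to miss once the command is copied into a service file, so pair it with a prominent warning logged at startup whenever the flag is set.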
23 changes: 12 additions & 11 deletions conf.go
@@ -48,6 +48,7 @@ type ServerConf struct {
Init string
Compact string
CertFile string
SkipCertVerification bool
KeyFile string
Header http.Header
Editable bool
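Review bot: `SkipCertVerification` is inserted between `CertFile` and `KeyFile`, which configure the server's own TLS listener, but it controls verification of outbound client connections only. Move it below `KeyFile` and add a field comment such as `// skip certificate verification for outgoing TLS connections (dev only)` so a reader does not mistake it for a server-side setting.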
@@ -64,15 +65,15 @@ type ServerConf struct {
}

type AuthConf struct {
ClientID string
ClientSecret string
ProviderURL string
RedirectURL string
EndSessionURL string
PostLogoutRedirectURL string
Scopes []string
URLParameters [][]string
SkipLogin bool
SessionExpiry time.Duration
InactivityTimeout time.Duration
ClientID string
ClientSecret string
ProviderURL string
RedirectURL string
EndSessionURL string
PostLogoutRedirectURL string
Scopes []string
URLParameters [][]string
SkipLogin bool
SessionExpiry time.Duration
InactivityTimeout time.Duration
}
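Review bot: the eleven `AuthConf` fields are removed and re-added with identical content (the file summary counts 12 additions and 11 deletions for a one-field change), so this block is whitespace-only realignment that the rendered diff hides. It is unrelated to the feature; drop it from this commit or land the gofmt churn separately so the functional change stays reviewable.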
4 changes: 4 additions & 0 deletions server.go
@@ -15,6 +15,7 @@
package wave

import (
"crypto/tls"
"encoding/json"
"fmt"
"io"
@@ -156,6 +157,9 @@ func Run(conf ServerConf) {
echo(Log{"t": "listen_no_tls", "error": err.Error()})
}
}
if conf.SkipCertVerification {
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
}
}

func splitDirMapping(m string) (string, string) {
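Review bot: the `if conf.SkipCertVerification` block sits after the listen block at the very end of `Run`, and it mutates the process-wide `http.DefaultTransport` instead of a client dedicated to the auth provider. If the `ListenAndServe` calls above it block as they normally do, this line is only reached after the listener has returned, so whatever client talks to the provider earlier in `Run` never sees `InsecureSkipVerify`; move the check to the top of `Run`, before any HTTP client is constructed. Even in the right place, flipping `DefaultTransport.TLSClientConfig` turns verification off for every outbound request the server makes, not just the one the docs describe, and the unchecked type assertion `http.DefaultTransport.(*http.Transport)` panics if anything has replaced `DefaultTransport`. Prefer a dedicated transport, e.g. `tr := http.DefaultTransport.(*http.Transport).Clone()` followed by `tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}`, handed only to the provider lookup, and `echo` a loud warning when the flag is on so a production deployment carrying it is visible in the logs.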
13 changes: 12 additions & 1 deletion website/docs/configuration.md
@@ -83,6 +83,8 @@ Usage of ./waved:
path to certificate file (TLS only)
-tls-key-file string
path to private key file (TLS only)
-no-tls-verify
do not verify TLS certificates during external communication - DO NOT USE IN PRODUCTION
-version
print version and exit
-web-dir string
@@ -138,6 +140,7 @@ H2O_WAVE_PUBLIC_DIR [2]
H2O_WAVE_PRIVATE_DIR [2]
H2O_WAVE_TLS_CERT_FILE
H2O_WAVE_TLS_KEY_FILE
H2O_WAVE_NO_TLS_VERIFY
H2O_WAVE_WEB_DIR
```
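Review bot: `H2O_WAVE_NO_TLS_VERIFY` is a boolean but is listed without the `[1]` marker that the Notes below use to explain accepted boolean values (`1`, `t`, `true` / `0`, `f`, `false`); add `[1]` so a reader knows which spellings the server accepts, matching the other boolean variables in the table.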

@@ -146,10 +149,18 @@ Notes:
- [1] `1`, `t`, `true` to enable; `0`, `f`, `false` to disable (case insensitive).
- [2] Use OS-specific path list separator to specify multiple arguments - `:` for Linux/OSX and `;` for Windows. For example, `H2O_WAVE_PUBLIC_DIR=/images/@./files/images:/downloads/@./files/downloads`.

## Public/Private dirs
### Public/Private dirs

Wave server serves whole directories as they are. This means that these directories are listable by default. If you wish to turn off this behavior, simply put an empty file called `index.html` into the folder you wish to not list.

### TLS verification

During development, you might want to test out TLS encryption, e.g. communication between Wave server and Keycloak. The easiest thing to do is to generate a self-signed certificate. However, Wave server verifies certificates for all communication by default, thus would throw an error for a self-signed one. ***FOR DEVELOPMENT PURPOSES ONLY***, it's possible to turn off the check using either `H2O_WAVE_NO_TLS_VERIFY` environment variable or `no-tls-verify` parameter.

:::warning
**Disabling TLS verification is a security risk.** Make sure TLS is not disabled in production environments.
:::

## Configuring your app

Your Wave application is an ASGI server. When you run your app during development, the app server runs at <http://127.0.0.1:8000/> by default (localhost, port 8000), and assumes that your Wave server is running at <http://127.0.0.1:10101/> (localhost, port 10101). The `wave run` command automatically picks another available port if `8000` is not available.
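Review bot: the new "TLS verification" section refers to the flag as `no-tls-verify` while the usage block above documents it as `-no-tls-verify`; use the dashed form. The warning says "Make sure TLS is not disabled in production environments", but the flag disables certificate verification, not TLS, so it should read "Make sure TLS verification is not disabled in production environments". Offer the safe path before the unsafe one: a self-signed development certificate can be trusted without turning verification off, by installing it in the system trust store or, on Linux, pointing the Go runtime at it with `SSL_CERT_FILE` (honored by `crypto/x509`). The `## Public/Private dirs` to `### Public/Private dirs` heading change is unrelated to this feature and not mentioned in the commit title; either split it out or say why it belongs here.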