diff --git a/cmd/wave/main.go b/cmd/wave/main.go
index 88b1bed1d3..c65ae9178f 100644
--- a/cmd/wave/main.go
+++ b/cmd/wave/main.go
@@ -97,6 +97,7 @@ func main() {
 	flag.StringVar(&conf.Compact, "compact", "", "compact AOF log")
 	stringVar(&conf.CertFile, "tls-cert-file", "", "path to certificate file (TLS only)")
 	stringVar(&conf.KeyFile, "tls-key-file", "", "path to private key file (TLS only)")
+	boolVar(&conf.SkipCertVerification, "no-tls-verify", false, "do not verify TLS certificates during external communication - DO NOT USE IN PRODUCTION")
 	stringVar(&httpHeadersFile, "http-headers-file", "", "path to a MIME-formatted file containing additional HTTP headers to add to responses from the server")
 	boolVar(&conf.Editable, "editable", false, "allow users to edit web pages")
 	stringVar(&maxRequestSize, "max-request-size", "5M", "maximum allowed size of HTTP requests to the server (e.g. 5M or 5MB or 5MiB)")
diff --git a/conf.go b/conf.go
index aa03d38542..3c9d0787bc 100644
--- a/conf.go
+++ b/conf.go
@@ -48,6 +48,7 @@ type ServerConf struct {
 	Init string
 	Compact string
 	CertFile string
+	SkipCertVerification bool
 	KeyFile string
 	Header http.Header
 	Editable bool
@@ -64,15 +65,15 @@ type ServerConf struct {
 }
 
 type AuthConf struct {
-	ClientID string
-	ClientSecret string
-	ProviderURL string
-	RedirectURL string
-	EndSessionURL string
-	PostLogoutRedirectURL string
-	Scopes []string
-	URLParameters [][]string
-	SkipLogin bool
-	SessionExpiry time.Duration
-	InactivityTimeout time.Duration
+	ClientID string
+	ClientSecret string
+	ProviderURL string
+	RedirectURL string
+	EndSessionURL string
+	PostLogoutRedirectURL string
+	Scopes []string
+	URLParameters [][]string
+	SkipLogin bool
+	SessionExpiry time.Duration
+	InactivityTimeout time.Duration
 }
diff --git a/server.go b/server.go
index d2e90e16de..78307869c9 100644
--- a/server.go
+++ b/server.go
@@ -15,6 +15,7 @@ package wave
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -156,6 +157,9 @@ func Run(conf ServerConf) {
 			echo(Log{"t": "listen_no_tls", "error": err.Error()})
 		}
 	}
+	if conf.SkipCertVerification {
+		http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+	}
 }
 
 func splitDirMapping(m string) (string, string) {
diff --git a/website/docs/configuration.md b/website/docs/configuration.md
index 820099893a..1a4c8c652f 100644
--- a/website/docs/configuration.md
+++ b/website/docs/configuration.md
@@ -83,6 +83,8 @@ Usage of ./waved:
         path to certificate file (TLS only)
   -tls-key-file string
         path to private key file (TLS only)
+  -no-tls-verify
+        do not verify TLS certificates during external communication - DO NOT USE IN PRODUCTION
   -version
         print version and exit
   -web-dir string
@@ -138,6 +140,7 @@ H2O_WAVE_PUBLIC_DIR [2]
 H2O_WAVE_PRIVATE_DIR [2]
 H2O_WAVE_TLS_CERT_FILE
 H2O_WAVE_TLS_KEY_FILE
+H2O_WAVE_NO_TLS_VERIFY
 H2O_WAVE_WEB_DIR
 ```
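Review bot: The new `SkipCertVerification` block is placed after the `listen_no_tls` error branch, i.e. at the very end of Run as far as the visible context shows; if the listener call above it (outside the hunk) is a blocking `http.ListenAndServe`, `InsecureSkipVerify` is only set once the server has already stopped and the flag never affects the identity-provider calls it is meant for, so it should run before the listen/serve branches. The assignment also rewrites the process-wide `http.DefaultTransport`, so every outbound HTTPS request from this process skips verification, not only the Keycloak traffic the docs describe, and the unchecked type assertion panics if `DefaultTransport` has been replaced by something other than an `*http.Transport`. Because this is a dev-only override, it should be visible in server output via the existing `echo(Log{...})` pattern. Run's body starts outside the hunk.
```go
	// Development only: this rewrites the process-wide default transport, so
	// every outbound HTTPS request from this process skips verification.
	// Must run before the listener is started, or it never takes effect.
	if conf.SkipCertVerification {
		echo(Log{"t": "tls_verify_disabled"})
		if t, ok := http.DefaultTransport.(*http.Transport); ok {
			t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
		}
	}
	// … unchanged: listen_tls / listen_no_tls branches …
```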
@@ -146,10 +149,18 @@ Notes:
 - [1] `1`, `t`, `true` to enable; `0`, `f`, `false` to disable (case insensitive).
 - [2] Use OS-specific path list separator to specify multiple arguments - `:` for Linux/OSX and `;` for Windows. For example, `H2O_WAVE_PUBLIC_DIR=/images/@./files/images:/downloads/@./files/downloads`.
 
-## Public/Private dirs
+### Public/Private dirs
 
 Wave server serves whole directories as they are. This means that these directories are listable by default. If you wish to turn off this behavior, simply put an empty file called `index.html` into the folder you wish to not list.
 
+### TLS verification
+
+During development, you might want to test out TLS encryption, e.g. communication between Wave server and Keycloak. The easiest thing to do is to generate a self-signed certificate. However, Wave server verifies certificates for all communication by default, thus would throw an error for a self-signed one. ***FOR DEVELOPMENT PURPOSES ONLY***, it's possible to turn off the check using either `H2O_WAVE_NO_TLS_VERIFY` environment variable or `no-tls-verify` parameter.
+
+:::warning
+**Disabling TLS verification is a security risk.** Make sure TLS is not disabled in production environments.
+:::
+
 ## Configuring your app
 
 Your Wave application is an ASGI server. When you run your app during development, the app server runs at by default (localhost, port 8000), and assumes that your Wave server is running at (localhost, port 10101). The `wave run` command automatically picks another available port if `8000` is not available.