mirror/Cleanuparr
1
0
Fork 0
mirror of https://github.com/Cleanuparr/Cleanuparr.git synced 2026-05-18 11:34:59 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add support for unstrusted certificates (#128)

Browse Source
This commit is contained in:
Flaminel
2025-05-06 15:42:41 +03:00
committed by GitHub
parent 7d2bf41bec
commit 9463d7587f
9 changed files with 181 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
code/Common/Configuration/General/HttpConfig.cs
View File

@@ -1,4 +1,5 @@
using Common.Exceptions;
using Common.Enums;
using Common.Exceptions;
using Microsoft.Extensions.Configuration;
namespace Common.Configuration.General;
@@ -10,6 +11,9 @@ public sealed record HttpConfig : IConfig
[ConfigurationKeyName("HTTP_TIMEOUT")]
public ushort Timeout { get; init; } = 100;
[ConfigurationKeyName("HTTP_VALIDATE_CERT")]
public CertificateValidationType CertificateValidation { get; init; } = CertificateValidationType.Enabled;
public void Validate()
{

8
code/Common/Enums/CertificateValidationType.cs Normal file
View File

@@ -0,0 +1,8 @@
namespace Common.Enums;
public enum CertificateValidationType
{
Enabled = 0,
DisabledForLocalAddresses = 1,
Disabled = 2
}

11
code/Executable/DependencyInjection/MainDI.cs
View File

@@ -1,10 +1,12 @@
using System.Net;
using Common.Configuration.General;
using Common.Helpers;
using Infrastructure.Services;
using Infrastructure.Verticals.DownloadClient.Deluge;
using Infrastructure.Verticals.Notifications.Consumers;
using Infrastructure.Verticals.Notifications.Models;
using MassTransit;
using Microsoft.Extensions.Options;
using Polly;
using Polly.Extensions.Http;
@@ -62,6 +64,15 @@ public static class MainDI
{
x.Timeout = TimeSpan.FromSeconds(config.Timeout);
})
.ConfigurePrimaryHttpMessageHandler(provider =>
{
CertificateValidationService service = provider.GetRequiredService<CertificateValidationService>();
return new HttpClientHandler
{
ServerCertificateCustomValidationCallback = service.ShouldByPassValidationError
};
})
.AddRetryPolicyHandler(config);
// add Deluge HttpClient

2
code/Executable/DependencyInjection/ServicesDI.cs
View File

@@ -3,6 +3,7 @@ using Common.Configuration.DownloadCleaner;
using Common.Configuration.QueueCleaner;
using Infrastructure.Interceptors;
using Infrastructure.Providers;
using Infrastructure.Services;
using Infrastructure.Verticals.Arr;
using Infrastructure.Verticals.ContentBlocker;
using Infrastructure.Verticals.DownloadCleaner;
@@ -21,6 +22,7 @@ public static class ServicesDI
public static IServiceCollection AddServices(this IServiceCollection services) =>
services
.AddTransient<IDryRunInterceptor, DryRunInterceptor>()
.AddTransient<CertificateValidationService>()
.AddTransient<SonarrClient>()
.AddTransient<RadarrClient>()
.AddTransient<LidarrClient>()

3
code/Executable/appsettings.Development.json
View File

@@ -1,7 +1,8 @@
{
"DRY_RUN": true,
"HTTP_MAX_RETRIES": 0,
"HTTP_TIMEOUT": 10,
"HTTP_TIMEOUT": 100,
"HTTP_VALIDATE_CERT": "enabled",
"Logging": {
"LogLevel": "Verbose",
"Enhanced": true,

1
code/Executable/appsettings.json
View File

@@ -2,6 +2,7 @@
"DRY_RUN": false,
"HTTP_MAX_RETRIES": 0,
"HTTP_TIMEOUT": 100,
"HTTP_VALIDATE_CERT": "enabled",
"Logging": {
"LogLevel": "Information",
"Enhanced": true,

55
code/Infrastructure/Extensions/IpAddressExtensions.cs Normal file
View File

@@ -0,0 +1,55 @@
using System.Net;
using System.Net.Sockets;
namespace Infrastructure.Extensions;
public static class IpAddressExtensions
{
public static bool IsLocalAddress(this IPAddress ipAddress)
{
// Map back to IPv4 if mapped to IPv6, for example "::ffff:1.2.3.4" to "1.2.3.4".
if (ipAddress.IsIPv4MappedToIPv6)
{
ipAddress = ipAddress.MapToIPv4();
}
// Checks loopback ranges for both IPv4 and IPv6.
if (IPAddress.IsLoopback(ipAddress))
{
return true;
}
// IPv4
if (ipAddress.AddressFamily == AddressFamily.InterNetwork)
{
return IsLocalIPv4(ipAddress.GetAddressBytes());
}
// IPv6
if (ipAddress.AddressFamily == AddressFamily.InterNetworkV6)
{
return ipAddress.IsIPv6LinkLocal ||
ipAddress.IsIPv6UniqueLocal ||
ipAddress.IsIPv6SiteLocal;
}
return false;
}
private static bool IsLocalIPv4(byte[] ipv4Bytes)
{
// Link local (no IP assigned by DHCP): 169.254.0.0 to 169.254.255.255 (169.254.0.0/16)
bool IsLinkLocal() => ipv4Bytes[0] == 169 && ipv4Bytes[1] == 254;
// Class A private range: 10.0.0.0 10.255.255.255 (10.0.0.0/8)
bool IsClassA() => ipv4Bytes[0] == 10;
// Class B private range: 172.16.0.0 172.31.255.255 (172.16.0.0/12)
bool IsClassB() => ipv4Bytes[0] == 172 && ipv4Bytes[1] >= 16 && ipv4Bytes[1] <= 31;
// Class C private range: 192.168.0.0 192.168.255.255 (192.168.0.0/16)
bool IsClassC() => ipv4Bytes[0] == 192 && ipv4Bytes[1] == 168;
return IsLinkLocal() || IsClassA() || IsClassC() || IsClassB();
}
}

86
code/Infrastructure/Services/CertificateValidationService.cs Normal file
View File

@@ -0,0 +1,86 @@
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Common.Configuration.General;
using Common.Enums;
using Infrastructure.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
namespace Infrastructure.Services;
public class CertificateValidationService
{
private readonly ILogger<CertificateValidationService> _logger;
private readonly HttpConfig _config;
public CertificateValidationService(ILogger<CertificateValidationService> logger, IOptions<HttpConfig> config)
{
_logger = logger;
_config = config.Value;
}
public bool ShouldByPassValidationError(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors)
{
var targetHostName = string.Empty;
if (sender is not SslStream && sender is not string)
{
return true;
}
if (sender is SslStream request)
{
targetHostName = request.TargetHostName;
}
// Mailkit passes host in sender as string
if (sender is string stringHost)
{
targetHostName = stringHost;
}
if (certificate is X509Certificate2 cert2 && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
{
_logger.LogError(
$"https://{targetHostName} uses the obsolete md5 hash in its https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.");
}
if (sslPolicyErrors == SslPolicyErrors.None)
{
return true;
}
if (targetHostName is "localhost" or "127.0.0.1")
{
return true;
}
var ipAddresses = GetIpAddresses(targetHostName);
if (_config.CertificateValidation == CertificateValidationType.Disabled)
{
return true;
}
if (_config.CertificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
ipAddresses.All(i => i.IsLocalAddress()))
{
return true;
}
_logger.LogError($"certificate validation for {targetHostName} failed. {sslPolicyErrors}");
return false;
}
private static IPAddress[] GetIpAddresses(string host)
{
if (IPAddress.TryParse(host, out var ipAddress))
{
return [ipAddress];
}
return Dns.GetHostEntry(host).AddressList;
}
}

11
docs/src/components/configuration/GeneralSettings.tsx
View File

@@ -81,6 +81,17 @@ const settings: EnvVarProps[] = [
type: "positive integer number",
defaultValue: "100",
required: false,
},
{
name: "HTTP_VALIDATE_CERT",
description: [
"Controls whether to validate SSL certificates for HTTPS connections.",
"Set to `Disabled` to ignore SSL certificate errors."
],
type: "text",
defaultValue: "Enabled",
required: false,
acceptedValues: ["Enabled", "DisabledForLocalAddresses", "Disabled"],
}
];