Add support for unstrusted certificates (#128)

README.md

@@ -15,17 +15,37 @@ Cleanuperr was created primarily to address malicious files, such as `*.lnk` or
 > - Remove and block downloads that have a low download speed or high estimated completion time.
 > - Remove downloads blocked by qBittorrent or by Cleanuperr's **content blocker**.
 > - Trigger a search for downloads removed from the *arrs.
-> - Remove downloads that have been seeding for a certain amount of time.
-> - Remove downloads that have no hardlinks (have been upgraded by the *arrs).
+> - Clean up downloads that have been seeding for a certain amount of time.
 > - Notify on strike or download removal.
 > - Ignore certain torrent hashes, categories, tags or trackers from being processed by Cleanuperr.
 
 Cleanuperr supports both qBittorrent's built-in exclusion features and its own blocklist-based system. Binaries for all platforms are provided, along with Docker images for easy deployment.
 
+## Quick Start
+
+> [!NOTE]
+>
+> 1. **Docker (Recommended)**  
+> Pull the Docker image from `ghcr.io/flmorg/cleanuperr:latest`.
+>
+> 2. **Unraid (for Unraid users)**  
+> Use the Unraid Community App.
+>
+> 3. **Manual Installation (if you're not using Docker)**  
+> Go to [Windows](#windows), [Linux](#linux) or [MacOS](#macos).
+
 # Docs
 
 Docs can be found [here](https://flmorg.github.io/cleanuperr/).
 
+# <img width="24px" src="./Logo/256.png" alt="Cleanuperr"> Cleanuperr <svg width="14px" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 384 512"><!--!Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free Copyright 2025 Fonticons, Inc.--><path d="M376.6 84.5c11.3-13.6 9.5-33.8-4.1-45.1s-33.8-9.5-45.1 4.1L192 206 56.6 43.5C45.3 29.9 25.1 28.1 11.5 39.4S-3.9 70.9 7.4 84.5L150.3 256 7.4 427.5c-11.3 13.6-9.5 33.8 4.1 45.1s33.8 9.5 45.1-4.1L192 306 327.4 468.5c11.3 13.6 31.5 15.4 45.1 4.1s15.4-31.5 4.1-45.1L233.7 256 376.6 84.5z"/></svg> Huntarr <img width="24px" src="https://github.com/plexguide/Huntarr.io/blob/main/frontend/static/logo/256.png?raw=true" alt Huntarr></img>
+
+Think of **Cleanuperr** as the janitor of your server; it keeps your download queue spotless, removes clutter, and blocks malicious files. Now imagine combining that with **Huntarr**, the compulsive librarian who finds missing and upgradable media to complete your collection
+
+While **Huntarr** fills in the blanks and improves what you already have, **Cleanuperr** makes sure that only clean downloads get through. If you're aiming for a reliable and self-sufficient setup, **Cleanuperr** and **Huntarr** will take your automated media stack to another level.
+
+<span style="font-size:24px"> ➡️ [**Huntarr**](https://github.com/plexguide/Huntarr.io) ![Huntarr](https://img.shields.io/github/stars/plexguide/Huntarr.io?style=social)</span>
+
 # Credits
 Special thanks for inspiration go to:
 - [ThijmenGThN/swaparr](https://github.com/ThijmenGThN/swaparr)

code/Common/Configuration/General/HttpConfig.cs

@@ -1,4 +1,5 @@
-using Common.Exceptions;
+using Common.Enums;
+using Common.Exceptions;
 using Microsoft.Extensions.Configuration;
 
 namespace Common.Configuration.General;
@@ -10,6 +11,9 @@ public sealed record HttpConfig : IConfig
     
     [ConfigurationKeyName("HTTP_TIMEOUT")]
     public ushort Timeout { get; init; } = 100;
+    
+    [ConfigurationKeyName("HTTP_VALIDATE_CERT")]
+    public CertificateValidationType CertificateValidation { get; init; } = CertificateValidationType.Enabled;
 
     public void Validate()
     {

code/Common/Enums/CertificateValidationType.cs

@@ -0,0 +1,8 @@
+namespace Common.Enums;
+
+public enum CertificateValidationType
+{
+    Enabled = 0,
+    DisabledForLocalAddresses = 1,
+    Disabled = 2
+}

code/Executable/DependencyInjection/MainDI.cs

@@ -1,10 +1,12 @@
 using System.Net;
 using Common.Configuration.General;
 using Common.Helpers;
+using Infrastructure.Services;
 using Infrastructure.Verticals.DownloadClient.Deluge;
 using Infrastructure.Verticals.Notifications.Consumers;
 using Infrastructure.Verticals.Notifications.Models;
 using MassTransit;
+using Microsoft.Extensions.Options;
 using Polly;
 using Polly.Extensions.Http;
 
@@ -62,6 +64,15 @@ public static class MainDI
             {
                 x.Timeout = TimeSpan.FromSeconds(config.Timeout);
             })
+            .ConfigurePrimaryHttpMessageHandler(provider =>
+            {
+                CertificateValidationService service = provider.GetRequiredService<CertificateValidationService>();
+                
+                return new HttpClientHandler
+                {
+                    ServerCertificateCustomValidationCallback = service.ShouldByPassValidationError
+                };
+            })
             .AddRetryPolicyHandler(config);
 
         // add Deluge HttpClient

code/Executable/DependencyInjection/ServicesDI.cs

@@ -3,6 +3,7 @@ using Common.Configuration.DownloadCleaner;
 using Common.Configuration.QueueCleaner;
 using Infrastructure.Interceptors;
 using Infrastructure.Providers;
+using Infrastructure.Services;
 using Infrastructure.Verticals.Arr;
 using Infrastructure.Verticals.ContentBlocker;
 using Infrastructure.Verticals.DownloadCleaner;
@@ -21,6 +22,7 @@ public static class ServicesDI
     public static IServiceCollection AddServices(this IServiceCollection services) =>
         services
             .AddTransient<IDryRunInterceptor, DryRunInterceptor>()
+            .AddTransient<CertificateValidationService>()
             .AddTransient<SonarrClient>()
             .AddTransient<RadarrClient>()
             .AddTransient<LidarrClient>()

code/Executable/appsettings.Development.json

@@ -1,7 +1,8 @@
 {
   "DRY_RUN": true,
   "HTTP_MAX_RETRIES": 0,
-  "HTTP_TIMEOUT": 10,
+  "HTTP_TIMEOUT": 100,
+  "HTTP_VALIDATE_CERT": "enabled",
   "Logging": {
     "LogLevel": "Verbose",
     "Enhanced": true,

code/Executable/appsettings.json

@@ -2,6 +2,7 @@
   "DRY_RUN": false,
   "HTTP_MAX_RETRIES": 0,
   "HTTP_TIMEOUT": 100,
+  "HTTP_VALIDATE_CERT": "enabled",
   "Logging": {
     "LogLevel": "Information",
     "Enhanced": true,
@@ -21,7 +22,7 @@
     "IGNORED_DOWNLOADS_PATH": ""
   },
   "QueueCleaner": {
-    "Enabled": true,
+    "Enabled": false,
     "RunSequentially": true,
     "IGNORED_DOWNLOADS_PATH": "",
     "IMPORT_FAILED_MAX_STRIKES": 0,
@@ -32,7 +33,14 @@
     "STALLED_RESET_STRIKES_ON_PROGRESS": false,
     "STALLED_IGNORE_PRIVATE": false,
     "STALLED_DELETE_PRIVATE": false,
-    "DOWNLOADING_METADATA_MAX_STRIKES": 0
+    "DOWNLOADING_METADATA_MAX_STRIKES": 0,
+    "SLOW_MAX_STRIKES": 0,
+    "SLOW_RESET_STRIKES_ON_PROGRESS": true,
+    "SLOW_IGNORE_PRIVATE": false,
+    "SLOW_DELETE_PRIVATE": false,
+    "SLOW_MIN_SPEED": "",
+    "SLOW_MAX_TIME": 0,
+    "SLOW_IGNORE_ABOVE_SIZE": ""
   },
   "DownloadCleaner": {
     "Enabled": false,

code/Infrastructure/Extensions/IpAddressExtensions.cs

@@ -0,0 +1,55 @@
+using System.Net;
+using System.Net.Sockets;
+
+namespace Infrastructure.Extensions;
+
+public static class IpAddressExtensions
+{
+    public static bool IsLocalAddress(this IPAddress ipAddress)
+    {
+        // Map back to IPv4 if mapped to IPv6, for example "::ffff:1.2.3.4" to "1.2.3.4".
+        if (ipAddress.IsIPv4MappedToIPv6)
+        {
+            ipAddress = ipAddress.MapToIPv4();
+        }
+
+        // Checks loopback ranges for both IPv4 and IPv6.
+        if (IPAddress.IsLoopback(ipAddress))
+        {
+            return true;
+        }
+
+        // IPv4
+        if (ipAddress.AddressFamily == AddressFamily.InterNetwork)
+        {
+            return IsLocalIPv4(ipAddress.GetAddressBytes());
+        }
+
+        // IPv6
+        if (ipAddress.AddressFamily == AddressFamily.InterNetworkV6)
+        {
+            return ipAddress.IsIPv6LinkLocal ||
+                   ipAddress.IsIPv6UniqueLocal ||
+                   ipAddress.IsIPv6SiteLocal;
+        }
+
+        return false;
+    }
+
+    private static bool IsLocalIPv4(byte[] ipv4Bytes)
+    {
+        // Link local (no IP assigned by DHCP): 169.254.0.0 to 169.254.255.255 (169.254.0.0/16)
+        bool IsLinkLocal() => ipv4Bytes[0] == 169 && ipv4Bytes[1] == 254;
+
+        // Class A private range: 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
+        bool IsClassA() => ipv4Bytes[0] == 10;
+
+        // Class B private range: 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
+        bool IsClassB() => ipv4Bytes[0] == 172 && ipv4Bytes[1] >= 16 && ipv4Bytes[1] <= 31;
+
+        // Class C private range: 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
+        bool IsClassC() => ipv4Bytes[0] == 192 && ipv4Bytes[1] == 168;
+
+        return IsLinkLocal() || IsClassA() || IsClassC() || IsClassB();
+    }
+}

code/Infrastructure/Services/CertificateValidationService.cs

@@ -0,0 +1,86 @@
+using System.Net;
+using System.Net.Security;
+using System.Security.Cryptography.X509Certificates;
+using Common.Configuration.General;
+using Common.Enums;
+using Infrastructure.Extensions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Infrastructure.Services;
+
+public class CertificateValidationService
+{
+    private readonly ILogger<CertificateValidationService> _logger;
+    private readonly HttpConfig _config;
+
+    public CertificateValidationService(ILogger<CertificateValidationService> logger, IOptions<HttpConfig> config)
+    {
+        _logger = logger;
+        _config = config.Value;
+    }
+
+    public bool ShouldByPassValidationError(object sender, X509Certificate? certificate, X509Chain? chain, SslPolicyErrors sslPolicyErrors)
+    {
+        var targetHostName = string.Empty;
+
+        if (sender is not SslStream && sender is not string)
+        {
+            return true;
+        }
+
+        if (sender is SslStream request)
+        {
+            targetHostName = request.TargetHostName;
+        }
+
+        // Mailkit passes host in sender as string
+        if (sender is string stringHost)
+        {
+            targetHostName = stringHost;
+        }
+
+        if (certificate is X509Certificate2 cert2 && cert2.SignatureAlgorithm.FriendlyName == "md5RSA")
+        {
+            _logger.LogError(
+                $"https://{targetHostName} uses the obsolete md5 hash in its https certificate, if that is your certificate, please (re)create certificate with better algorithm as soon as possible.");
+        }
+
+        if (sslPolicyErrors == SslPolicyErrors.None)
+        {
+            return true;
+        }
+
+        if (targetHostName is "localhost" or "127.0.0.1")
+        {
+            return true;
+        }
+
+        var ipAddresses = GetIpAddresses(targetHostName);
+
+        if (_config.CertificateValidation == CertificateValidationType.Disabled)
+        {
+            return true;
+        }
+
+        if (_config.CertificateValidation == CertificateValidationType.DisabledForLocalAddresses &&
+            ipAddresses.All(i => i.IsLocalAddress()))
+        {
+            return true;
+        }
+
+        _logger.LogError($"certificate validation for {targetHostName} failed. {sslPolicyErrors}");
+
+        return false;
+    }
+
+    private static IPAddress[] GetIpAddresses(string host)
+    {
+        if (IPAddress.TryParse(host, out var ipAddress))
+        {
+            return [ipAddress];
+        }
+
+        return Dns.GetHostEntry(host).AddressList;
+    }
+}

docs/docs/configuration/download-cleaner/3_hardlinks.mdx

@@ -3,7 +3,7 @@ sidebar_position: 3
 ---
 
 import DownloadCleanerHardlinksSettings from '@site/src/components/configuration/download-cleaner/DownloadCleanerHardlinksSettings';
-import { Important } from '@site/src/components/Admonition';
+import { Important, Warning } from '@site/src/components/Admonition';
 
 # Hardlinks Settings
 
@@ -16,4 +16,8 @@ The Download Cleaner will change the category of a download that has no hardlink
     If your download client's download directory is `/downloads`, it should be the same for Cleanuperr.
 </Important>
 
+<Warning>
+    While it is not needed to configure the arrs for this feature, it is recommended you do. If the arrs are not configured, downloads that are waiting to be imported might be affected by it.
+</Warning>
+
 <DownloadCleanerHardlinksSettings/>

docs/docs/installation/1_quick-start.mdx

@@ -4,10 +4,13 @@ import { Note } from '@site/src/components/Admonition';
 
 1. **Docker (Recommended)**  
     Pull the Docker image from `ghcr.io/flmorg/cleanuperr:latest`.
+    [Configuration example here.](/docs/configuration/examples/docker)
 2. **Unraid (for Unraid users)**  
     Use the Unraid Community App.
+    [Configuration example here.](/docs/configuration/examples/docker)
 3. **Manual Installation (if you're not using Docker)**  
     Go to [Windows](/docs/installation/windows), [Linux](/docs/installation/linux) or [MacOS](/docs/installation/macos).
+    [Configuration example here.](/docs/configuration/examples/config-file)
 
 <Note>
     Refer to the [Configuration](/docs/category/configuration) section for detailed configuration instructions.

docs/src/components/configuration/GeneralSettings.tsx

@@ -81,6 +81,17 @@ const settings: EnvVarProps[] = [
     type: "positive integer number",
     defaultValue: "100",
     required: false,
+  },
+  {
+    name: "HTTP_VALIDATE_CERT",
+    description: [
+      "Controls whether to validate SSL certificates for HTTPS connections.",
+      "Set to `Disabled` to ignore SSL certificate errors."
+    ],
+    type: "text",
+    defaultValue: "Enabled",
+    required: false,
+    acceptedValues: ["Enabled", "DisabledForLocalAddresses", "Disabled"],
   }
 ];
 

docs/src/components/configuration/queue-cleaner/QueueCleanerImportFailedSettings.tsx

@@ -11,8 +11,8 @@ const settings: EnvVarProps[] = [
     type: "positive integer number",
     defaultValue: "0",
     required: false,
-    examples: ["0", "3", "10"],
     notes: [
+      "`0` means to never remove failed imports.",
       "If not set to `0`, the minimum value is `3`."
     ]
   },

docs/src/components/configuration/queue-cleaner/QueueCleanerStalledSettings.tsx

@@ -11,8 +11,8 @@ const settings: EnvVarProps[] = [
     type: "positive integer number",
     defaultValue: "0",
     required: false,
-    examples: ["0", "3", "10"],
     notes: [
+      "`0` means to never remove stalled downloads.",
       "If not set to 0, the minimum value is `3`."
     ]
   },
@@ -59,6 +59,7 @@ const settings: EnvVarProps[] = [
     defaultValue: "0",
     required: false,
     notes: [
+      "`0` means to never remove downloads stuck while downloading metadata.",
       "If not set to `0`, the minimum value is `3`."
     ]
   }