Make WebUI and Restful API SSL compliant #3340

.gitignore

@@ -71,3 +71,6 @@ uv.lock
 # Test
 .coverage
 tests-data/issues/*/config/
+
+# Local SSL certificates
+glances.local*.pem

Makefile

@@ -336,6 +336,9 @@ run-docker-ubuntu-minimal: ## Start Glances Ubuntu Docker minimal in console mod
 run-docker-ubuntu-full: ## Start Glances Ubuntu Docker full in console mode
 run-docker-ubuntu-dev: ## Start Glances Ubuntu Docker dev in console mode
 
+generate-ssl: ## Generate local and sel signed SSL certificates for dev (nned mkcert)
+	mkcert glances.local localhost 120.0.0.1 0.0.0.0
+
 run-webserver: ## Start Glances in Web server mode
 	$(UV_RUN) run python -m glances -C $(CONF) -w
 

conf/glances.conf

@@ -64,6 +64,10 @@ history_size=1200
 # Comma separated list of HTTP request headers that should be supported for cross-origin requests.
 # Default is *
 #cors_headers=*
+# Define SSL files (keyfile_password is optional)
+#ssl_keyfile_password=kfp
+ssl_keyfile=./glances.local+3-key.pem
+ssl_certfile=./glances.local+3.pem
 
 ##############################################################################
 # Plugins

docs/config.rst

@@ -95,6 +95,10 @@ than a second one concerning the user interface:
     # Comma separated list of HTTP request headers that should be supported for cross-origin requests.
     # Default is *
     #cors_headers=*
+    # Define SSL files (keyfile_password is optional)
+    #ssl_keyfile=./glances.local+3-key.pem
+    #ssl_keyfile_password=kfp
+    #ssl_certfile=./glances.local+3.pem
 
 Each plugin, export module, and application monitoring process (AMP) can
 have a section. Below is an example for the CPU plugin:

docs/man/glances.1

@@ -687,6 +687,10 @@ max_processes_display=25
 # Comma separated list of HTTP request headers that should be supported for cross\-origin requests.
 # Default is *
 #cors_headers=*
+# Define SSL files (keyfile_password is optional)
+#ssl_keyfile=./glances.local+3\-key.pem
+#ssl_keyfile_password=kfp
+#ssl_certfile=./glances.local+3.pem
 .EE
 .UNINDENT
 .UNINDENT

glances/outputs/glances_restful_api.py

@@ -119,7 +119,7 @@ class GlancesRestfulApi:
         self.load_config(config)
 
         # Set the bind URL
-        self.bind_url = urljoin(f'http://{self.args.bind_address}:{self.args.port}/', self.url_prefix)
+        self.bind_url = urljoin(f'{self.protocol}://{self.args.bind_address}:{self.args.port}/', self.url_prefix)
 
         # FastAPI Init
         if self.args.password:
@@ -181,6 +181,16 @@ class GlancesRestfulApi:
             if self.url_prefix != '':
                 self.url_prefix = self.url_prefix.rstrip('/')
             logger.debug(f'URL prefix: {self.url_prefix}')
+            # SSL
+            self.ssl_keyfile = config.get_value('outputs', 'ssl_keyfile', default=None)
+            self.ssl_keyfile_password = config.get_value('outputs', 'ssl_keyfile_password', default=None)
+            self.ssl_certfile = config.get_value('outputs', 'ssl_certfile', default=None)
+            self.protocol = 'https' if self.is_ssl() else 'http'
+            logger.debug(f"Protocol for Resful API and WebUI: {self.protocol}")
+
+    def is_ssl(self):
+        """Return true if the Glances server use SSL."""
+        return self.ssl_keyfile is not None and self.ssl_certfile is not None
 
     def __update_stats(self, plugins_list_to_update=None):
         # Never update more than 1 time per cached_time
@@ -336,7 +346,12 @@ class GlancesRestfulApi:
     def _start_uvicorn(self):
         # Run the Uvicorn Web server
         uvicorn_config = uvicorn.Config(
-            self._app, host=self.args.bind_address, port=self.args.port, access_log=self.args.debug
+            self._app,
+            host=self.args.bind_address,
+            port=self.args.port,
+            access_log=self.args.debug,
+            ssl_keyfile=self.ssl_keyfile,
+            ssl_certfile=self.ssl_certfile,
         )
         try:
             self.uvicorn_server = GlancesUvicornServer(config=uvicorn_config)