Add option to disable TLS

Can be used to disable TLS when the ocis-proxy is behind an TLS-Terminating reverse proxy. env PROXY_TLS=false or cli --tls=false
2026-01-25 14:30:28 -05:00 · 2020-07-15 16:29:59 +02:00
parent 0dcc8373bc
commit 06f4e2d296
4 changed files with 39 additions and 16 deletions
--- a/changelog/unreleased/add-disable-tls.md
+++ b/changelog/unreleased/add-disable-tls.md
@@ -0,0 +1,8 @@
+Enhancement: Add option to disable TLS
+
+Can be used to disable TLS when the ocis-proxy is behind an
+TLS-Terminating reverse proxy.
+
+env PROXY_TLS=false or --tls=false
+
+https://github.com/owncloud/ocis-proxy/issues/71
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -22,6 +22,7 @@ type HTTP struct {
 	Root      string
 	TLSCert   string
 	TLSKey    string
+	TLS       bool
 }

 // Tracing defines the available tracing configuration.
--- a/pkg/flagset/flagset.go
+++ b/pkg/flagset/flagset.go
@@ -157,6 +157,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"PROXY_TRANSPORT_TLS_KEY"},
 			Destination: &cfg.HTTP.TLSKey,
 		},
+		&cli.BoolFlag{
+			Name:        "tls",
+			Usage:       "Use TLS (disable only if proxy is behind a TLS-terminating reverse-proxy).",
+			EnvVars:     []string{"PROXY_TLS"},
+			Value:       true,
+			Destination: &cfg.HTTP.TLS,
+		},
 		&cli.StringFlag{
 			Name:        "jwt-secret",
 			Value:       "Pive-Fumkiu4",
--- a/pkg/server/http/server.go
+++ b/pkg/server/http/server.go
@@ -18,26 +18,33 @@ func Server(opts ...Option) (svc.Service, error) {
 	var cer tls.Certificate
 	var certErr error

-	if httpCfg.TLSCert == "" || httpCfg.TLSKey == "" {
-		l.Warn().Msgf("No tls certificate provided, using a generated one")
+	var tlsConfig *tls.Config
+	if options.Config.HTTP.TLS {
+		if httpCfg.TLSCert == "" || httpCfg.TLSKey == "" {
+			l.Warn().Msgf("No tls certificate provided, using a generated one")
+			_, certErr := os.Stat("./server.crt")
+			_, keyErr := os.Stat("./server.key")

-		// GenCert has side effects as it writes 2 files to the binary running location
-		if err := crypto.GenCert(l); err != nil {
-			l.Fatal().Err(err).Msgf("Could not generate test-certificate")
+			if os.IsNotExist(certErr) || os.IsNotExist(keyErr) {
+				// GenCert has side effects as it writes 2 files to the binary running location
+				if err := crypto.GenCert(l); err != nil {
+					l.Fatal().Err(err).Msgf("Could not generate test-certificate")
+					os.Exit(1)
+				}
+			}
+
+			httpCfg.TLSCert = "server.crt"
+			httpCfg.TLSKey = "server.key"
 		}

-		httpCfg.TLSCert = "server.crt"
-		httpCfg.TLSKey = "server.key"
+		cer, certErr = tls.LoadX509KeyPair(httpCfg.TLSCert, httpCfg.TLSKey)
+		if certErr != nil {
+			options.Logger.Fatal().Err(certErr).Msg("Could not setup TLS")
+			os.Exit(1)
+		}
+
+		tlsConfig = &tls.Config{Certificates: []tls.Certificate{cer}}
 	}
-
-	cer, certErr = tls.LoadX509KeyPair(httpCfg.TLSCert, httpCfg.TLSKey)
-
-	if certErr != nil {
-		options.Logger.Fatal().Err(certErr).Msg("Could not setup TLS")
-		os.Exit(1)
-	}
-
-	tlsConfig := &tls.Config{Certificates: []tls.Certificate{cer}}
 	chain := options.Middlewares.Then(options.Handler)

 	service := svc.NewService(