diff --git a/proxy.conf.in b/proxy.conf.in
index 54d6694..c011f77 100644
--- a/proxy.conf.in
+++ b/proxy.conf.in
@@ -31,6 +31,11 @@ tokentype = static
 # streams.
 #token_key = privkey.pem
+# If set to "true", certificate validation of remote stream requests will be
+# skipped. This should only be enabled during development, e.g. to work with
+# self-signed certificates.
+#skipverify = false
+
 [tokens]
 # For token type "static": Mapping of = of signaling
 # servers allowed to connect.
diff --git a/proxy/proxy_remote.go b/proxy/proxy_remote.go
index 70ea21f..3ca6439 100644
--- a/proxy/proxy_remote.go
+++ b/proxy/proxy_remote.go
@@ -51,8 +51,9 @@ type RemoteConnection struct {
 url *url.URL
 conn *websocket.Conn
- tokenId string
- tokenKey *rsa.PrivateKey
+ tokenId string
+ tokenKey *rsa.PrivateKey
+ tlsConfig *tls.Config
 msgId atomic.Int64
 helloMsgId string
@@ -61,7 +62,7 @@ type RemoteConnection struct {
 messageCallbacks map[string]chan *signaling.ProxyServerMessage
 }
-func NewRemoteConnection(proxyUrl string, tokenId string, tokenKey *rsa.PrivateKey) (*RemoteConnection, error) {
+func NewRemoteConnection(proxyUrl string, tokenId string, tokenKey *rsa.PrivateKey, tlsConfig *tls.Config) (*RemoteConnection, error) {
 u, err := url.Parse(proxyUrl)
 if err != nil {
 return nil, err
@@ -70,8 +71,9 @@ func NewRemoteConnection(proxyUrl string, tokenId string, tokenKey *rsa.PrivateK
 result := &RemoteConnection{
 url: u,
- tokenId: tokenId,
- tokenKey: tokenKey,
+ tokenId: tokenId,
+ tokenKey: tokenKey,
+ tlsConfig: tlsConfig,
 messageCallbacks: make(map[string]chan *signaling.ProxyServerMessage),
 }
@@ -101,11 +103,8 @@ func (c *RemoteConnection) Connect(ctx context.Context) error {
 }
 dialer := websocket.Dialer{
- Proxy: http.ProxyFromEnvironment,
- TLSClientConfig: &tls.Config{
- // TODO: Make this configurable.
- InsecureSkipVerify: true,
- },
+ Proxy: http.ProxyFromEnvironment,
+ TLSClientConfig: c.tlsConfig,
 }
 conn, _, err := dialer.DialContext(ctx, u.String(), nil)
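Review bot: The sample `#skipverify = false` is placed next to `#token_key = privkey.pem`, a key that proxy_server.go reads from the `app` section, while the new code in proxy/proxy_server.go reads `config.GetBool("backend", "skipverify")`; unless a `[backend]` header sits between these lines (the hunk does not show one), an operator who uncomments the sample sets a key that is never read and will not understand why self-signed remote streams still fail verification. Either move the sample under a `[backend]` section or change the read to `config.GetBool("app", "skipverify")`, whichever matches the rest of proxy.conf.in, and state the section in the comment, e.g. `# (section [backend]) If set to "true", certificate validation ...`.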
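Review bot: Connect now hands c.tlsConfig straight to websocket.Dialer.TLSClientConfig, but neither the new tlsConfig field nor the NewRemoteConnection parameter says what a nil value means, and nil is what proxy_server.go passes whenever skipverify is unset. With gorilla/websocket a nil TLSClientConfig falls back to the dialer's default, which verifies the server certificate — presumably the intended secure default replacing the removed hard-coded `InsecureSkipVerify: true` — so record it on the field: `// tlsConfig is applied to the websocket dial; nil keeps the dialer's default, i.e. the server certificate is verified.` Connect's body continues outside the hunk.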
diff --git a/proxy/proxy_server.go b/proxy/proxy_server.go
index 5e8f0b8..2e8d061 100644
--- a/proxy/proxy_server.go
+++ b/proxy/proxy_server.go
@@ -25,6 +25,7 @@ import (
 "context"
 "crypto/rand"
 "crypto/rsa"
+ "crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
@@ -117,6 +118,7 @@ type ProxyServer struct {
 tokenId string
 tokenKey *rsa.PrivateKey
+ remoteTlsConfig *tls.Config
 remoteHostname string
 remoteConnections map[string]*RemoteConnection
 remoteConnectionsLock sync.Mutex
@@ -223,6 +225,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
 tokenId, _ := config.GetString("app", "token_id")
 var tokenKey *rsa.PrivateKey
 var remoteHostname string
+ var remoteTlsConfig *tls.Config
 if tokenId != "" {
 tokenKeyFilename, _ := config.GetString("app", "token_key")
 if tokenKeyFilename == "" {
@@ -250,6 +253,14 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
 } else {
 log.Printf("Using \"%s\" as hostname for remote streams", remoteHostname)
 }
+ skipverify, _ := config.GetBool("backend", "skipverify")
+ if skipverify {
+ log.Println("WARNING: Remote stream requests verification is disabled!")
+ remoteTlsConfig = &tls.Config{
+ InsecureSkipVerify: skipverify,
+ }
+ }
 } else {
 log.Printf("No token id configured, remote streams will be disabled")
 }
@@ -278,6 +289,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
 tokenId: tokenId,
 tokenKey: tokenKey,
+ remoteTlsConfig: remoteTlsConfig,
 remoteHostname: remoteHostname,
 remoteConnections: make(map[string]*RemoteConnection),
 }
@@ -1285,7 +1297,7 @@ func (s *ProxyServer) getRemoteConnection(ctx context.Context, url string) (*Rem
 return conn, nil
 }
- conn, err := NewRemoteConnection(url, s.tokenId, s.tokenKey)
+ conn, err := NewRemoteConnection(url, s.tokenId, s.tokenKey, s.remoteTlsConfig)
 if err != nil {
 return nil, err
 }
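Review bot: Inside `if skipverify {` the field is filled from the variable, `InsecureSkipVerify: skipverify,`, which can only ever be true on that path; writing `InsecureSkipVerify: true,` makes the unsafe choice explicit at the one line a reviewer or a grep for the field will look at. The warning `"WARNING: Remote stream requests verification is disabled!"` is also vague about what was disabled and why; `"WARNING: Certificate verification for remote stream requests is disabled (skipverify=true)!"` names both the effect and the setting that caused it, which is what an operator reading the log needs. NewProxyServer continues outside the hunk.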