add TLS

99percentpeople · Oct 28, 2024 · 4c522d2 · 4c522d2
1 parent c37fa29
commit 4c522d2
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 0 deletions.
diff --git a/readme.md b/readme.md
@@ -5,3 +5,9 @@
 This is a WebSocket signaling server for the Weblink chat application, designed to replace Firebase. It utilizes the Bun runtime for high-performance server-side JavaScript execution. This server facilitates the exchange of signaling data required to establish peer-to-peer connections between clients.
 
 Redis URLs can be set to enable a distributed architecture that prioritizes locally and collaborates across instances.
+
+### TLS Setup
+
+TLS is optional and can be enabled by setting the `TLS_CERT_FILE` and `TLS_KEY_FILE` environment variables or set in the .env file.
+
+Optionally, a list of CA files can be set in the `TLS_CA_FILES` environment variable or .env file to enable mutual TLS.
diff --git a/src/index.ts b/src/index.ts
@@ -8,6 +8,10 @@ import {
   REDIS_URL,
   ALLOWED_ORIGINS,
   HOSTNAME,
+  TLS_CA_FILES,
+  TLS_KEY_FILE,
+  TLS_CERT_FILE,
+  TLS_ENABLED,
 } from "./var";
 import os from "os";
 import Redis from "ioredis";
@@ -119,6 +123,13 @@ redisSub?.on("message", (channel, message) => {
 const server = Bun.serve<ServerWebSocketData>({
   port: PORT,
   hostname: HOSTNAME,
+  tls: TLS_ENABLED
+    ? {
+        cert: Bun.file(TLS_CERT_FILE!),
+        key: Bun.file(TLS_KEY_FILE!),
+        ca: TLS_CA_FILES?.map((ca) => Bun.file(ca)) ?? [],
+      }
+    : undefined,
   fetch(req, server) {
     const url = new URL(req.url);
     const roomId = url.searchParams.get("room") || "";

diff --git a/src/var.ts b/src/var.ts
@@ -6,3 +6,9 @@ export const PONG_TIMEOUT = parseInt(process.env["PONG_TIMEOUT"] || "60000", 10)
 export const DISCONNECT_TIMEOUT = parseInt(process.env["DISCONNECT_TIMEOUT"] || "90000", 10);
 export const REDIS_URL = process.env["REDIS_URL"] || null;
 export const ALLOWED_ORIGINS = process.env["ALLOWED_ORIGINS"]?.split(",") || [];
+export const TLS_CERT_FILE = process.env["TLS_CERT_FILE"] || null;
+export const TLS_KEY_FILE = process.env["TLS_KEY_FILE"] || null;
+// comma separated list of CA files
+export const TLS_CA_FILES = process.env["TLS_CA_FILES"]?.split(",") || null;
+export const TLS_ENABLED = TLS_CERT_FILE !== null && TLS_KEY_FILE !== null;
+