feat: Allow skipping Wave server TLS verification #1547
mturoci committed Jul 25, 2022
1 parent f50283f commit dff1285
Showing 2 changed files with 18 additions and 0 deletions.
7 changes: 7 additions & 0 deletions cmd/wave/main.go
@@ -17,6 +17,7 @@ package main
import (
"bufio"
"bytes"
"crypto/tls"
"flag"
"fmt"
"math"
@@ -75,6 +76,7 @@ func main() {
httpHeadersFile string
createAccessKey bool
listAccessKeys bool
verifyTLS bool
removeAccessKeyID string
rawAuthScopes string
rawAuthURLParams string
@@ -120,6 +122,7 @@ func main() {
stringVar(&rawAuthScopes, "oidc-scopes", "", "OIDC scopes, comma-separated (default \"openid,profile\")")
stringVar(&rawAuthURLParams, "oidc-auth-url-params", "", "additional URL parameters to pass during OIDC authorization, in the format \"key:value\", comma-separated, e.g. \"foo:bar,qux:42\"")
boolVar(&auth.SkipLogin, "oidc-skip-login", false, "do not display the login form during OIDC authorization")
boolVar(&verifyTLS, "verify-tls", true, "do not verify TLS certificates during external communication - DO NOT USE IN PRODUCTION")

flag.Parse()

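Review bot: the help string for `verify-tls` describes the opposite of what the flag does. The flag defaults to `true` and the code later disables verification only when it is `false`, so "do not verify TLS certificates during external communication" is what `-verify-tls=false` means, not what the flag means. Suggest phrasing it as the positive setting, e.g. "verify TLS certificates during external communication; set to false ONLY for development (default true)". Note also that Go's `flag` package does not accept `-verify-tls false` for a bool flag; the false value must be passed as `-verify-tls=false`, which the docs should show.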
@@ -251,6 +254,10 @@ func main() {
conf.Proxy = true // IDE won't function without proxy
}

if !verifyTLS {
http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
}

wave.Run(conf)
}

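Review bot: assigning `TLSClientConfig` on `http.DefaultTransport` disables certificate verification for every outbound connection that goes through the default transport, not just the Keycloak/OIDC calls the docs describe, and it does so silently. Suggest (1) logging a loud startup warning when `!verifyTLS` is set so the condition is visible in production logs, (2) confirming that the OIDC client used for Keycloak actually sends through `http.DefaultTransport` rather than its own `http.Client`/transport (nothing in this hunk shows which client is used, and if it is a custom one the flag will not take effect where it is needed), and (3) using a checked type assertion: the unchecked `http.DefaultTransport.(*http.Transport)` panics if anything earlier in startup replaced the default transport with a different `RoundTripper`. Replacing the whole `tls.Config` rather than setting `InsecureSkipVerify` on a clone of the existing one also drops any TLS settings already present on the transport.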
11 changes: 11 additions & 0 deletions website/docs/configuration.md
@@ -87,6 +87,8 @@ Usage of ./waved:
print version and exit
-web-dir string
directory to serve web assets from (default "./www")
-verify-tls
do not verify TLS certificates during external communication - DO NOT USE IN PRODUCTION
```

Supported size units (case insensitive):
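Review bot: the usage entry carries the same inverted description as the flag definition and omits the default. Since the flag defaults to `true`, the real `./waved` help output will read "(default true)" under `-verify-tls`, and pairing that with "do not verify TLS certificates" is contradictory. Suggest matching the corrected help text, e.g. "verify TLS certificates during external communication; set to false ONLY for development (default true)", and moving the entry so the list keeps the lexicographic order `flag.PrintDefaults` produces, i.e. `-verify-tls` ahead of the `-version` and `-web-dir` entries rather than after `-web-dir`.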
@@ -139,13 +141,22 @@ H2O_WAVE_PRIVATE_DIR [2]
H2O_WAVE_TLS_CERT_FILE
H2O_WAVE_TLS_KEY_FILE
H2O_WAVE_WEB_DIR
H2O_WAVE_VERIFY_TLS
```

Notes:

- [1] `1`, `t`, `true` to enable; `0`, `f`, `false` to disable (case insensitive).
- [2] Use OS-specific path list separator to specify multiple arguments - `:` for Linux/OSX and `;` for Windows. For example, `H2O_WAVE_PUBLIC_DIR=/images/@./files/images:/downloads/@./files/downloads`.

### TLS verification

During development, you might want to test out TLS encryption, e.g. communication between Wave server and Keycloak. The easiest thing to do is to generate a self-signed certificate. However, Wave server verifies certificates for all communication by default, thus would throw an error for a self-signed one. ***FOR DEVELOPMENT PURPOSES ONLY***, it's possible to turn off the check using either `H2O_WAVE_VERIFY_TLS` environment variable or `verify-tls` parameter.

:::warning
Make sure the TLS verification is not turned off in production environments as it's a huge security hole.
:::

## Configuring your app

Your Wave application is an ASGI server. When you run your app during development, the app server runs at <http://127.0.0.1:8000/> by default (localhost, port 8000), and assumes that your Wave server is running at <http://127.0.0.1:10101/> (localhost, port 10101). The `wave run` command automatically picks another available port if `8000` is not available.
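Review bot: the new "TLS verification" section never says what value to set. As written, "turn off the check using either `H2O_WAVE_VERIFY_TLS` environment variable or `verify-tls` parameter" reads as though passing the flag disables verification, when the flag must be set to `false`: `H2O_WAVE_VERIFY_TLS=false` (note [1] above applies, so `0`/`f`/`false` work) or `-verify-tls=false`. Suggest stating both forms explicitly and tagging `H2O_WAVE_VERIFY_TLS` with `[1]` in the list like the other boolean settings. The warning would also be more useful if it named the risk instead of "a huge security hole": with verification off the Wave server accepts any certificate on every outbound connection, so anyone on the network path can impersonate the OIDC provider and read or replace the tokens exchanged with it. Since the motivating case is a self-signed certificate, it is worth adding that the safer development option is to add that certificate (or the CA that issued it) to the trust store the server uses, which keeps verification on.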

0 comments on commit dff1285

Please sign in to comment.