Apply insecure proxy option to websockets

Author: Mathias Chunnoo

Cargo.lock

@@ -45,6 +45,7 @@ lol_html = "1.2.1"
 mime_guess = "2.0.4"
 minify-html = "0.15.0"
 minify-js = "0.5.6" # stick with 0.5.x as 0.6 seems to create broken JS
+native-tls = { version = "0.2", default-features = false, optional = true }
 notify = "8"
 notify-debouncer-full = "0.5"
 once_cell = "1"
@@ -54,6 +55,7 @@ rand = "0.9.0"
 regex = "1"
 remove_dir_all = "1"
 reqwest = { version = "0.12", default-features = false, features = ["stream", "trust-dns"] }
+rustls = { version = "0.23", default-features = false, optional = true }
 schemars = { version = "0.8", features = ["derive"] }
 seahash = { version = "4", features = ["use_std"] }
 semver = "1"
@@ -103,6 +105,7 @@ rustls = [
     "reqwest/rustls-tls-native-roots",
     "tokio-tungstenite/rustls",
     "tokio-tungstenite/rustls-tls-native-roots",
+    "dep:rustls",
 ]
 
 rustls-aws-lc = [
@@ -120,10 +123,11 @@ native-tls = [
     "axum-server/tls-openssl",
     "reqwest/native-tls",
     "tokio-tungstenite/native-tls",
+    "dep:native-tls",
 ]
 
 # enable the update check on startup
 update_check = ["crates_io_api"]
 
 # enable vendoring on crates supporting that
-vendored = ["openssl?/vendored"]
+vendored = ["openssl?/vendored", "native-tls?/vendored"]

Cargo.toml

@@ -15,8 +15,9 @@ use futures_util::{sink::SinkExt, stream::StreamExt, TryStreamExt};
 use http::{header::HOST, HeaderMap};
 use std::sync::Arc;
 use tokio_tungstenite::{
-    connect_async,
+    connect_async, connect_async_tls_with_config,
     tungstenite::{protocol::CloseFrame, Message as MsgTng},
+    Connector,
 };
 use tower_http::trace::TraceLayer;
 
@@ -144,6 +145,84 @@ fn make_outbound_request(
     Ok(request)
 }
 
+fn make_insecure_connector() -> Option<Connector> {
+    #[cfg(feature = "native-tls")]
+    {
+        match native_tls::TlsConnector::builder()
+            .danger_accept_invalid_certs(true)
+            .build()
+        {
+            Ok(connector) => Some(Connector::NativeTls(connector)),
+            Err(err) => {
+                tracing::error!(error = ?err, "error building native TLS connector");
+                None
+            }
+        }
+    }
+    #[cfg(feature = "rustls")]
+    {
+        use rustls::{
+            client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+            pki_types::{CertificateDer, ServerName, UnixTime},
+            ClientConfig, DigitallySignedStruct, SignatureScheme,
+        };
+
+        #[derive(Debug)]
+        struct NoCertVerification;
+
+        impl ServerCertVerifier for NoCertVerification {
+            fn verify_server_cert(
+                &self,
+                _: &CertificateDer<'_>,
+                _: &[CertificateDer<'_>],
+                _: &ServerName<'_>,
+                _: &[u8],
+                _: UnixTime,
+            ) -> Result<ServerCertVerified, rustls::Error> {
+                Ok(ServerCertVerified::assertion())
+            }
+
+            fn verify_tls12_signature(
+                &self,
+                _: &[u8],
+                _: &CertificateDer<'_>,
+                _: &DigitallySignedStruct,
+            ) -> Result<HandshakeSignatureValid, rustls::Error> {
+                Ok(HandshakeSignatureValid::assertion())
+            }
+
+            fn verify_tls13_signature(
+                &self,
+                _: &[u8],
+                _: &CertificateDer<'_>,
+                _: &DigitallySignedStruct,
+            ) -> Result<HandshakeSignatureValid, rustls::Error> {
+                Ok(HandshakeSignatureValid::assertion())
+            }
+
+            fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+                vec![
+                    SignatureScheme::ED25519,
+                    SignatureScheme::ECDSA_NISTP256_SHA256,
+                    SignatureScheme::ECDSA_NISTP384_SHA384,
+                    SignatureScheme::ECDSA_NISTP521_SHA512,
+                    SignatureScheme::RSA_PSS_SHA256,
+                    SignatureScheme::RSA_PSS_SHA384,
+                    SignatureScheme::RSA_PSS_SHA512,
+                    SignatureScheme::ED448,
+                ]
+            }
+        }
+
+        Some(Connector::Rustls(std::sync::Arc::new(
+            ClientConfig::builder()
+                .dangerous()
+                .with_custom_certificate_verifier(Arc::new(NoCertVerification {}))
+                .with_no_client_auth(),
+        )))
+    }
+}
+
 impl ProxyHandlerHttp {
     /// Construct a new instance.
     pub fn new(
@@ -243,6 +322,8 @@ pub struct ProxyHandlerWebSocket {
     rewrite: Option<String>,
     /// The headers to inject with the request
     request_headers: HeaderMap,
+    /// Allow insecure TLS websocket connections.
+    insecure: bool,
 }
 
 impl ProxyHandlerWebSocket {
@@ -252,12 +333,14 @@ impl ProxyHandlerWebSocket {
         backend: Uri,
         headers: HeaderMap,
         rewrite: Option<String>,
+        insecure: bool,
     ) -> Arc<Self> {
         Arc::new(Self {
             proto,
             backend,
             rewrite,
             request_headers: headers,
+            insecure,
         })
     }
 
@@ -337,8 +420,15 @@ impl ProxyHandlerWebSocket {
             }
         };
 
+        let connect_result = if self.insecure {
+            connect_async_tls_with_config(outbound_request, None, false, make_insecure_connector())
+                .await
+        } else {
+            connect_async(outbound_request).await
+        };
+
         // Establish WS connection to backend.
-        let (backend, _res) = match connect_async(outbound_request).await {
+        let (backend, _res) = match connect_result {
             Ok(backend) => backend,
             Err(err) => {
                 tracing::error!(error = ?err, "error establishing WebSocket connection to backend {:?} for proxy", &outbound_uri);

src/proxy.rs

@@ -45,17 +45,24 @@ impl ProxyBuilder {
         .to_string();
 
         if ws {
+            let insecure = opts.insecure;
             let handler = ProxyHandlerWebSocket::new(
                 proto,
                 backend.clone(),
                 request_headers.clone(),
                 rewrite,
+                insecure,
             );
             tracing::info!(
-                "{}proxying websocket {} -> {}",
+                "{}proxying websocket {} -> {} {}",
                 SERVER,
                 handler.path(),
-                &backend
+                &backend,
+                if insecure {
+                    format!("; {DANGER}️ insecure TLS")
+                } else {
+                    Default::default()
+                }
             );
             self.router = handler.register(self.router);
             Ok(self)