TLS: Optionally use TLS if you set non-empty CERT_FILE and KEY_FILE

Whilst we do want to go TLS-less in the actual EDDN code, for ease of setting up automated end to end functional testing, leave the possibility of running with TLS termination as well.
2025-04-25 20:52:13 +03:00 · 2022-03-13 13:46:37 +00:00 · 2022-03-13 13:46:37 +00:00 · 128dab965c
commit 128dab965c
parent 83e2b548ad
4 changed files with 23 additions and 3 deletions
--- a/contrib/apache-eddn.conf
+++ b/contrib/apache-eddn.conf
@ -151,12 +151,19 @@
 		</LimitExcept>
 	</LocationMatch>
 	<IfModule mod_proxy.c>
+        ####################################
+        # Only uncomment the following if you are setting non-empty
+        # CERT_FILE, and KEY_FILE in the main EDDN config.json
+        ####################################
+        # SSLProxyEngine On
+        # SSLProxyVerify none
+        ####################################
 		ProxyPreserveHost On
 		ProxyRequests Off

        <Location "/">
-                # Yes, plain HTTP, as the Gateway process knows nothing of
-                # TLS.
+                # Plain http if setting **empty** CERT_FILE and KEY_FILE in
+                # the EDDN config.json, else https.
                ProxyPass "http://127.0.0.1:8081/"
        </Location>
 	</IfModule>
--- a/docs/Running-this-software.md
+++ b/docs/Running-this-software.md
@ -523,7 +523,9 @@ proxying:

  Internet -> existing server -> VM -> nginx -> EDDN scripts

-If using Apache on a Debian server then you need some ProxyPass directives:
+If using Apache on a Debian server then you need some ProxyPass directives.
+These assume you using an empty CERT_FILE and KEY_FILE in the override
+config.json.  See `contrib/apache-eddn.conf` for how to use TLS instead:

        <IfModule mod_proxy.c>
                ProxyPreserveHost On
--- a/src/eddn/Gateway.py
+++ b/src/eddn/Gateway.py
@ -410,6 +410,11 @@ def main() -> None:
        'handler_class': EDDNWSGIHandler,
    }

+    # Empty CERT_FILE or KEY_FILE means don't put them in
+    if Settings.CERT_FILE != "" and Settings.KEY_FILE != "":
+        argsd["certfile"] = Settings.CERT_FILE
+        argsd["keyfile"] = Settings.KEY_FILE
+
    app.run(
        **argsd
    )
--- a/src/eddn/conf/Settings.py
+++ b/src/eddn/conf/Settings.py
@ -15,6 +15,12 @@ class _Settings(object):
    ###############################################################################
    # Local installation settings
    ###############################################################################
+    # If these are set to non-empty strings then you reverse proxt setup
+    # **MUST** pass TLS through properly, including to a https URL, not a
+    # plain http one.
+    CERT_FILE                               = "/etc/letsencrypt/live/eddn.edcd.io/fullchain.pem"  # noqa: E221
+    KEY_FILE                                = "/etc/letsencrypt/live/eddn.edcd.io/privkey.pem"  # noqa: E221
+

    ###############################################################################
    # Relay settings