Merge pull request #39 from frebib/listen-tls

2025-03-10 13:37:11 +00:00 · 2023-03-29 12:34:15 +01:00 · 2023-03-29 12:34:15 +01:00 · 2c91fcb34b
commit 2c91fcb34b
parent a91c5a18af c76c04128e
3 changed files with 31 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -40,6 +40,7 @@ Using a Docker image:
 ```
 docker run --rm -e "SYNCV3_SERVER=https://matrix-client.matrix.org" -e "SYNCV3_SECRET=$(cat .secret)" -e "SYNCV3_BINDADDR=:8008" -e "SYNCV3_DB=user=$(whoami) dbname=syncv3 sslmode=disable host=host.docker.internal" -p 8008:8008 ghcr.io/matrix-org/sliding-sync:v0.98.0
 ```
+Optionally also set `SYNCV3_TLS_CERT=path/to/cert.pem` and `SYNCV3_TLS_KEY=path/to/key.pem` to listen on HTTPS instead of HTTP.

 Regular users may now log in with their sliding-sync compatible Matrix client. If developing sliding-sync, a simple client is provided (although it is not included in the Docker image).

--- a/cmd/syncv3/main.go
+++ b/cmd/syncv3/main.go
@ -26,6 +26,8 @@ const (

 	// Optional fields
 	EnvBindAddr   = "SYNCV3_BINDADDR"
+	EnvTLSCert    = "SYNCV3_TLS_CERT"
+	EnvTLSKey     = "SYNCV3_TLS_KEY"
 	EnvPPROF      = "SYNCV3_PPROF"
 	EnvPrometheus = "SYNCV3_PROM"
 	EnvDebug      = "SYNCV3_DEBUG"
@ -34,14 +36,16 @@ const (

 var helpMsg = fmt.Sprintf(`
 Environment var
-%s   Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org'
-%s       Required. The postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING 
-%s (Default: 0.0.0.0:8008) The interface and port to listen on.
-%s   Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database.
-%s   Defualt: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen.
-%s   Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address.
-%s   Default: unset. The Jaeger URL to send spans to e.g http://localhost:14268/api/traces - if unset does not send OTLP traces.
-`, EnvServer, EnvDB, EnvBindAddr, EnvSecret, EnvPPROF, EnvPrometheus, EnvJaeger)
+%s     Required. The destination homeserver to talk to (CS API HTTPS URL) e.g 'https://matrix-client.matrix.org'
+%s         Required. The postgres connection string: https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+%s     Required. A secret to use to encrypt access tokens. Must remain the same for the lifetime of the database.
+%s   Default: 0.0.0.0:8008.  The interface and port to listen on.
+%s   Default: unset. Path to a certificate file to serve to HTTPS clients. Specifying this enables TLS on the bound address.
+%s    Default: unset. Path to a key file for the certificate. Must be provided along with the certificate file.
+%s      Default: unset. The bind addr for pprof debugging e.g ':6060'. If not set, does not listen.
+%s       Default: unset. The bind addr for Prometheus metrics, which will be accessible at /metrics at this address.
+%s Default: unset. The Jaeger URL to send spans to e.g http://localhost:14268/api/traces - if unset does not send OTLP traces.
+`, EnvServer, EnvDB, EnvSecret, EnvBindAddr, EnvTLSCert, EnvTLSKey, EnvPPROF, EnvPrometheus, EnvJaeger)

 func defaulting(in, dft string) string {
 	if in == "" {
@ -59,6 +63,8 @@ func main() {
 		EnvDB:         os.Getenv(EnvDB),
 		EnvSecret:     os.Getenv(EnvSecret),
 		EnvBindAddr:   defaulting(os.Getenv(EnvBindAddr), "0.0.0.0:8008"),
+		EnvTLSCert:    os.Getenv(EnvTLSCert),
+		EnvTLSKey:     os.Getenv(EnvTLSKey),
 		EnvPPROF:      os.Getenv(EnvPPROF),
 		EnvPrometheus: os.Getenv(EnvPrometheus),
 		EnvDebug:      os.Getenv(EnvDebug),
@ -73,6 +79,11 @@ func main() {
 			os.Exit(1)
 		}
 	}
+	if (args[EnvTLSCert] != "" || args[EnvTLSKey] != "") && (args[EnvTLSCert] == "" || args[EnvTLSKey] == "") {
+		fmt.Print(helpMsg)
+		fmt.Printf("\nboth %s and %s must be set together\n", EnvTLSCert, EnvTLSKey)
+		os.Exit(1)
+	}
 	// pprof
 	if args[EnvPPROF] != "" {
 		go func() {
@ -106,6 +117,6 @@ func main() {
 	if args[EnvJaeger] != "" {
 		h3 = otelhttp.NewHandler(h3, "Sync")
 	}
-	syncv3.RunSyncV3Server(h3, args[EnvBindAddr], args[EnvServer])
+	syncv3.RunSyncV3Server(h3, args[EnvBindAddr], args[EnvServer], args[EnvTLSCert], args[EnvTLSKey])
 	select {} // block forever
 }
--- a/v3.go
+++ b/v3.go
@ -108,7 +108,7 @@ func Setup(destHomeserver, postgresURI, secret string, opts Opts) (*handler2.Han
 }

 // RunSyncV3Server is the main entry point to the server
-func RunSyncV3Server(h http.Handler, bindAddr, destV2Server string) {
+func RunSyncV3Server(h http.Handler, bindAddr, destV2Server, tlsCert, tlsKey string) {
 	// HTTP path routing
 	r := mux.NewRouter()
 	r.Handle("/_matrix/client/v3/sync", allowCORS(h))
@ -159,8 +159,15 @@ func RunSyncV3Server(h http.Handler, bindAddr, destV2Server string) {
 	}

 	// Block forever
-	logger.Info().Msgf("listening on %s", bindAddr)
-	if err := http.ListenAndServe(bindAddr, srv); err != nil {
+	var err error
+	if tlsCert != "" && tlsKey != "" {
+		logger.Info().Msgf("listening TLS on %s", bindAddr)
+		err = http.ListenAndServeTLS(bindAddr, tlsCert, tlsKey, srv)
+	} else {
+		logger.Info().Msgf("listening on %s", bindAddr)
+		err = http.ListenAndServe(bindAddr, srv)
+	}
+	if err != nil {
 		logger.Fatal().Err(err).Msg("failed to listen and serve")
 	}
 }