From 8bdfdfa4ec8005976438e029bcee238947ca140b Mon Sep 17 00:00:00 2001
From: Luna
Date: Sat, 9 Oct 2021 12:59:48 -0300
Subject: [PATCH] enable raw tls on websocket

---
 config.example.py | 5 +++++
 run.py | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/config.example.py b/config.example.py
index f5c2b8a..3bd5a35 100644
--- a/config.example.py
+++ b/config.example.py
@@ -48,6 +48,11 @@ class Config:
 # e.g 'gateway.example.com' for reverse proxies.
 WEBSOCKET_URL = "localhost:5001"

+ # Set these to file paths if you want to enable raw TLS support on
+ # the websocket (without NGINX)
+ WEBSOCKET_TLS_CERT_PATH = None
+ WEBSOCKET_TLS_KEY_PATH = None
+
 #: Where to host the websocket?
 # (a local address the server will bind to)
 WS_HOST = "0.0.0.0"
diff --git a/run.py b/run.py
index ff232e5..eac5ce4 100644
--- a/run.py
+++ b/run.py
@@ -18,6 +18,7 @@ along with this program. If not, see .
 """

 import asyncio
+import ssl
 import sys

 import asyncpg
@@ -367,7 +368,15 @@ def start_websocket(host, port, ws_handler) -> asyncio.Future:
 # so we can pass quart's app object.
 await ws_handler(app, ws, url)

- return websockets.serve(_wrapper, host, port)
+ kwargs = {"ws_handler": _wrapper, "host": host, "port": port}
+ tls_cert_path = getattr(app.config, "WEBSOCKET_TLS_CERT_PATH", None)
+ tls_key_path = getattr(app.config, "WEBSOCKET_TLS_CERT_PATH", None)
+ if tls_cert_path:
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+ context.load_cert_chain(tls_cert_path, tls_key_path)
+ kwargs["ssl"] = context
+
+ return websockets.serve(**kwargs)


 @app.before_serving
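Review bot: The comment added above `WEBSOCKET_TLS_CERT_PATH` / `WEBSOCKET_TLS_KEY_PATH` in config.example.py does not say that the two settings belong together or what file format is expected. As run.py uses them, TLS is switched on by the certificate path alone, so setting only the key path leaves the websocket on plaintext without any error, and setting only the certificate path makes `load_cert_chain` look for the private key inside the certificate file. I would extend the comment to something like `# Set both together: PEM certificate chain and its PEM private key; keep the key file readable only by the service user.` The `Config` class begins and ends outside this hunk.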
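Review bot: In the run.py hunk for `start_websocket`, `tls_key_path` is read from `WEBSOCKET_TLS_CERT_PATH`, so the new `WEBSOCKET_TLS_KEY_PATH` setting is never used and `load_cert_chain` receives the certificate file as its key file. That only loads when the private key is stored in the same PEM as the certificate; with a separate key file the server fails when the context is built. The line should read `tls_key_path = getattr(app.config, "WEBSOCKET_TLS_KEY_PATH", None)`. Separately, the context keeps the interpreter's default protocol floor; unless legacy clients must be supported, adding `context.minimum_version = ssl.TLSVersion.TLSv1_2` right after it is created pins the floor explicitly. The beginning of `start_websocket` lies outside the hunk.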