enable raw tls on websocket

2021-10-09 12:59:48 -03:00 · 2021-10-09 12:59:48 -03:00 · 8bdfdfa4ec
parent 2ba7a09796
commit 8bdfdfa4ec
2 changed files with 15 additions and 1 deletions
--- a/config.example.py
+++ b/config.example.py
@ -48,6 +48,11 @@ class Config:
    # e.g 'gateway.example.com' for reverse proxies.
    WEBSOCKET_URL = "localhost:5001"

+    # Set these to file paths if you want to enable raw TLS support on
+    # the websocket (without NGINX)
+    WEBSOCKET_TLS_CERT_PATH = None
+    WEBSOCKET_TLS_KEY_PATH = None
+
    #: Where to host the websocket?
    #  (a local address the server will bind to)
    WS_HOST = "0.0.0.0"
--- a/run.py
+++ b/run.py
@ -18,6 +18,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """

 import asyncio
+import ssl
 import sys

 import asyncpg
@ -367,7 +368,15 @@ def start_websocket(host, port, ws_handler) -> asyncio.Future:
        # so we can pass quart's app object.
        await ws_handler(app, ws, url)

-    return websockets.serve(_wrapper, host, port)
+    kwargs = {"ws_handler": _wrapper, "host": host, "port": port}
+    tls_cert_path = getattr(app.config, "WEBSOCKET_TLS_CERT_PATH", None)
+    tls_key_path = getattr(app.config, "WEBSOCKET_TLS_CERT_PATH", None)
+    if tls_cert_path:
+        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+        context.load_cert_chain(tls_cert_path, tls_key_path)
+        kwargs["ssl"] = context
+
+    return websockets.serve(**kwargs)


@app.before_serving