Skip to content

Add configurable TLS certificate verification and fix port handling#238

Open
aram356 wants to merge 2 commits intomainfrom
feature/cert-verification-port-handling
Open

Add configurable TLS certificate verification and fix port handling#238
aram356 wants to merge 2 commits intomainfrom
feature/cert-verification-port-handling

Conversation

@aram356
Copy link
Collaborator

@aram356 aram356 commented Feb 5, 2026
edited
Loading

Summary

  • Adds Proxy.certificate_check setting to control TLS certificate verification (defaults to true for secure production use, set to false for local development with self-signed certs)
  • Adds compute_host_header() function to properly format Host header with non-standard ports, fixing an issue where backends behind reverse proxies would generate URLs without the port
  • Extends ensure_origin_backend() API with certificate_check parameter
  • Includes cert setting in backend name to avoid reusing backends with different TLS settings

Test plan

  • Verify cargo check passes
  • Verify cargo test -p trusted-server-common passes
  • Test proxy requests to origins with non-standard ports (e.g., :9443) preserve the port in signed URLs
  • Test HTML rewriting preserves non-standard ports in sub-resource URLs
  • Test with certificate_check = false in local dev with self-signed certs

Closes #246
Related to #179

@aram356
Add configurable TLS certificate verification and fix port handling
4631ffe 
- Add `Proxy.certificate_check` setting (defaults to true for secure production)
- Add `compute_host_header()` to properly format Host header with non-standard ports
- Extend `ensure_origin_backend()` with certificate_check parameter
- Include cert setting in backend name to avoid reusing backends with different settings
- Add comprehensive tests for port preservation in proxy signing and HTML rewriting
- Update all call sites to pass certificate_check=true (secure default)

This fixes an issue where backends behind reverse proxies would generate URLs
without the port when the Host header didn't include it.
@aram356 aram356 self-assigned this Feb 5, 2026
@aram356 aram356 mentioned this pull request Feb 5, 2026
Draft
4 tasks
@aram356 aram356 marked this pull request as draft February 5, 2026 18:04
This was referenced Feb 5, 2026
Draft
Open
@aram356 aram356 added enhancement New feature or request and removed enhancement New feature or request labels Feb 5, 2026
@aram356
Fixed port handling for certificate verification in the backend and p…
d9cffe4 
…roxy components. Updated related settings and documentation.
@aram356 aram356 marked this pull request as ready for review February 5, 2026 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ChristianPavilonis ChristianPavilonis Awaiting requested review from ChristianPavilonis

@prk-Jr prk-Jr Awaiting requested review from prk-Jr

At least 1 approving review is required to merge this pull request.

Assignees

@aram356 aram356

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add configurable TLS certificate verification and fix port handling

1 participant

@aram356