From f369fdf6f20ad35b63a5d188e129e3d4d8cae0e6 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Sun, 3 May 2020 11:37:50 +0200
Subject: [PATCH] httpclient: add a configuration parameter to skip TLS certificate validation

In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
---
 config/config.go | 1 +
 docs/full-configuration.md | 1 +
 httpclient/httpclient.go | 8 +++++++-
 sftpgo.json | 3 ++-
 vfs/vfs.go | 2 +-
 5 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/config/config.go b/config/config.go
index 72aa5295..f92b2eb8 100644
--- a/config/config.go
+++ b/config/config.go
@@ -103,6 +103,7 @@ func init() {
 HTTPConfig: httpclient.Config{
 Timeout: 20,
 CACertificates: nil,
+ SkipTLSVerify: false,
 },
 }
diff --git a/docs/full-configuration.md b/docs/full-configuration.md
index c3827210..cc71cd98 100644
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@@ -111,6 +111,7 @@ The configuration file contains the following sections:
 - **"http"**, the configuration for HTTP clients. HTTP clients are used for executing hooks such as the ones used for custom actions, external authentication and pre-login user modifications
 - `timeout`, integer. Timeout specifies a time limit, in seconds, for requests.
 - `ca_certificates`, list of strings. List of paths to extra CA certificates to trust. The paths can be absolute or relative to the config dir. Adding trusted CA certificates is a convenient way to use self-signed certificates without defeating the purpose of using TLS.
+ - `skip_tls_verify`, boolean. if enabled the HTTP client accepts any TLS certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to man-in-the-middle attacks. This should be used only for testing.
 A full example showing the default config (in JSON format) can be found [here](../sftpgo.json).
diff --git a/httpclient/httpclient.go b/httpclient/httpclient.go
index b7abcad6..2f84bf5d 100644
--- a/httpclient/httpclient.go
+++ b/httpclient/httpclient.go
@@ -22,7 +22,12 @@ type Config struct {
 // The paths can be absolute or relative to the config dir.
 // Adding trusted CA certificates is a convenient way to use self-signed
 // certificates without defeating the purpose of using TLS
- CACertificates []string `json:"ca_certificates" mapstructure:"ca_certificates"`
+ CACertificates []string `json:"ca_certificates" mapstructure:"ca_certificates"`
+ // if enabled the HTTP client accepts any TLS certificate presented by
+ // the server and any host name in that certificate.
+ // In this mode, TLS is susceptible to man-in-the-middle attacks.
+ // This should be used only for testing.
+ SkipTLSVerify bool `json:"skip_tls_verify" mapstructure:"skip_tls_verify"`
 customTransport *http.Transport
 }
@@ -42,6 +47,7 @@ func (c Config) Initialize(configDir string) {
 RootCAs: rootCAs,
 }
 }
+ customTransport.TLSClientConfig.InsecureSkipVerify = c.SkipTLSVerify
 httpConfig.customTransport = customTransport
 }
diff --git a/sftpgo.json b/sftpgo.json
index 45f9e272..fc31c36b 100644
--- a/sftpgo.json
+++ b/sftpgo.json
@@ -68,6 +68,7 @@
 },
 "http": {
 "timeout": 20,
- "ca_certificates": []
+ "ca_certificates": [],
+ "skip_tls_verify": false
 }
 }
diff --git a/vfs/vfs.go b/vfs/vfs.go
index 5e8b948b..8a81d3f6 100644
--- a/vfs/vfs.go
+++ b/vfs/vfs.go
@@ -52,7 +52,7 @@ type Fs interface {
 type VirtualFolder struct {
 VirtualPath string `json:"virtual_path"`
 MappedPath string `json:"mapped_path"`
- // This folder will be excluded from user quota
+ // Enable to exclude this folder from the user quota
 ExcludeFromQuota bool `json:"exclude_from_quota"`
 }
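Review bot: The added line `customTransport.TLSClientConfig.InsecureSkipVerify = c.SkipTLSVerify` in Initialize dereferences TLSClientConfig unconditionally, while the only assignment visible in the hunk (the struct literal ending in `RootCAs: rootCAs,`) sits inside a branch whose condition is outside the hunk; if no other branch guarantees a non-nil `*tls.Config`, this panics when no CA certificates are configured, so either confirm every path sets it or guard with `if customTransport.TLSClientConfig == nil { customTransport.TLSClientConfig = &tls.Config{} }` before the new line. Turning certificate validation off is otherwise silent at startup; logging a warning through the package's existing logger when `c.SkipTLSVerify` is true would make a setting left enabled in production visible to operators and in the logs. In the first hunk the new field comment begins `// if enabled the HTTP client accepts ...`; Go doc convention is to start with the field name, e.g. `// SkipTLSVerify, if enabled, makes the HTTP client accept any TLS certificate presented by the server and any host name in that certificate.`. The body of Initialize begins outside the hunk.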