enable notls on admin server

decred · Apr 23, 2024 · b8ba5f8 · b8ba5f8
1 parent c76870a
commit b8ba5f8
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 9 deletions.
diff --git a/server/admin/server.go b/server/admin/server.go
@@ -13,6 +13,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"sync"
 	"time"
@@ -89,6 +90,7 @@ type SrvConfig struct {
 	Core            SvrCore
 	Addr, Cert, Key string
 	AuthSHA         [32]byte
+	NoTLS           bool
 }
 
 // UseLogger sets the logger for the admin package.
@@ -103,15 +105,18 @@ func NewServer(cfg *SrvConfig) (*Server, error) {
 		return nil, fmt.Errorf("missing certificates")
 	}
 
-	keypair, err := tls.LoadX509KeyPair(cfg.Cert, cfg.Key)
-	if err != nil {
-		return nil, err
-	}
+	var tlsConfig *tls.Config
+	if !cfg.NoTLS {
+		keypair, err := tls.LoadX509KeyPair(cfg.Cert, cfg.Key)
+		if err != nil {
+			return nil, err
+		}
 
-	// Prepare the TLS configuration.
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{keypair},
-		MinVersion:   tls.VersionTLS12,
+		// Prepare the TLS configuration.
+		tlsConfig = &tls.Config{
+			Certificates: []tls.Certificate{keypair},
+			MinVersion:   tls.VersionTLS12,
+		}
 	}
 
 	// Create an HTTP router.
@@ -172,7 +177,13 @@ func NewServer(cfg *SrvConfig) (*Server, error) {
 // Run starts the server.
 func (s *Server) Run(ctx context.Context) {
 	// Create listener.
-	listener, err := tls.Listen("tcp", s.addr, s.tlsConfig)
+	var listener net.Listener
+	var err error
+	if s.tlsConfig != nil {
+		listener, err = tls.Listen("tcp", s.addr, s.tlsConfig)
+	} else {
+		listener, err = net.Listen("tcp", s.addr)
+	}
 	if err != nil {
 		log.Errorf("can't listen on %s. admin server quitting: %v", s.addr, err)
 		return

diff --git a/server/cmd/dcrdex/config.go b/server/cmd/dcrdex/config.go
@@ -95,6 +95,7 @@ type dexConf struct {
 	AdminSrvOn       bool
 	AdminSrvAddr     string
 	AdminSrvPW       []byte
+	AdminSrvNoTLS    bool
 	NoResumeSwaps    bool
 	DisableDataAPI   bool
 	NodeRelayAddr    string
@@ -144,6 +145,7 @@ type flagsData struct {
 	AdminSrvOn         bool   `long:"adminsrvon" description:"Turn on the admin server."`
 	AdminSrvAddr       string `long:"adminsrvaddr" description:"Administration HTTPS server address (default: 127.0.0.1:6542)."`
 	AdminSrvPassword   string `long:"adminsrvpass" description:"Admin server password. INSECURE. Do not set unless absolutely necessary."`
+	AdminSrvNoTLS      bool   `long:"adminsrvnotls" description:"Run admin server without TLS. Only use this option if you are using a securely configured reverse proxy."`
 
 	NoResumeSwaps bool `long:"noresumeswaps" description:"Do not attempt to resume swaps that are active in the DB."`
 
@@ -555,6 +557,7 @@ func loadConfig() (*dexConf, *procOpts, error) {
 		AdminSrvAddr:     adminSrvAddr,
 		AdminSrvOn:       cfg.AdminSrvOn,
 		AdminSrvPW:       []byte(cfg.AdminSrvPassword),
+		AdminSrvNoTLS:    cfg.AdminSrvNoTLS,
 		NoResumeSwaps:    cfg.NoResumeSwaps,
 		DisableDataAPI:   cfg.DisableDataAPI,
 		NodeRelayAddr:    cfg.NodeRelayAddr,

diff --git a/server/cmd/dcrdex/main.go b/server/cmd/dcrdex/main.go
@@ -161,6 +161,7 @@ func mainCore(ctx context.Context) error {
 			AuthSHA: adminSrvAuthSHA,
 			Cert:    cfg.RPCCert,
 			Key:     cfg.RPCKey,
+			NoTLS:   cfg.AdminSrvNoTLS,
 		}
 		adminServer, err := admin.NewServer(srvCFG)
 		if err != nil {