feat(node): add support for native HTTPS configuration (#376)

Author: CorentinTh

packages/app-server/src/index.node.ts

@@ -1,4 +1,5 @@
 import { readFile } from 'node:fs/promises';
+import { createServer as createHttpsServer } from 'node:https';
 import process, { env } from 'node:process';
 import { safelySync } from '@corentinth/chisels';
 import { serve } from '@hono/node-server';
@@ -69,10 +70,14 @@ const server = serve(
   {
     fetch: app.fetch,
     port: config.server.port,
+    ...(config.server.useHttps
+      ? {
+          createServer: createHttpsServer,
+          serverOptions: config.server.https,
+        }
+      : {}),
   },
-  ({ port }) => {
-    logger.info({ port }, 'Server started');
-  },
+  ({ port }) => logger.info({ port }, 'Server started'),
 );
 
 process.on('SIGINT', async () => {

packages/app-server/src/modules/app/config/config.ts

@@ -31,6 +31,49 @@ export const configDefinition = {
       default: [],
       env: 'SERVER_CORS_ORIGINS',
     },
+    useHttps: {
+      doc: 'Whether to enable HTTPS for the server (only in node env)',
+      schema: z
+        .string()
+        .trim()
+        .toLowerCase()
+        .transform(x => x === 'true')
+        .pipe(z.boolean()),
+      default: 'false',
+      env: 'SERVER_USE_HTTPS',
+    },
+    https: {
+      key: {
+        doc: 'The key for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_KEY',
+      },
+      cert: {
+        doc: 'The cert for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_CERT',
+      },
+      ca: {
+        doc: 'The CA for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_CA',
+      },
+      pfx: {
+        doc: 'The pfx for HTTPS (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_PFX',
+      },
+      passphrase: {
+        doc: 'The passphrase of the PFX cert (only in node env)',
+        schema: z.string().optional(),
+        default: undefined,
+        env: 'SERVER_HTTPS_PASSPHRASE',
+      },
+    },
   },
   notes: {
     maxEncryptedPayloadLength: {

packages/docs/src/self-hosting/configuration.md

@@ -12,6 +12,24 @@ Enclosed is configured primarily through environment variables. Below is a list
 
 <div v-html="data" />
 
+## Optional: Native HTTPS Configuration
+
+If you want to use HTTPS without a reverse proxy, you can set the `SERVER_USE_HTTPS` environment variable to `true` and provide the necessary certificate and key files.
+
+You can either use a single PFX file or separate key and certificate files. If you use separate files, you can provide the `SERVER_HTTPS_KEY`, `SERVER_HTTPS_CERT`, and `SERVER_HTTPS_CA` environment variables. If you use a PFX file, you can provide the `SERVER_HTTPS_PFX` and `SERVER_HTTPS_PASSPHRASE` environment variables.
+
+To generate the necessary key and certificate files, you can use the following command:
+
+```bash
+openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -keyout private-key.pem -out certificate.pem
+```
+
+And if you want to generate a PFX file, you can use the following command:
+
+```bash
+openssl pkcs12 -certpbe AES-256-CBC -export -out test_cert.pfx -inkey private-key.pem -in certificate.pem -passout pass:sample
+```
+
 ## Applying Configuration Changes
 
 To apply your configuration changes, ensure that you have exported the environment variables in your shell or included them in your environment configuration file. Then, restart your Enclosed instance to apply the changes.