Skip to content

Add SSL-disabled mode for Cloudflare Containers support#306

Draft
luizfonseca with Copilot wants to merge 6 commits into
mainfrom
copilot/fix-293
Draft

Add SSL-disabled mode for Cloudflare Containers support#306
luizfonseca with Copilot wants to merge 6 commits into
mainfrom
copilot/fix-293

Conversation

Copilot AI commented Jul 18, 2025

Copy link
Copy Markdown
Contributor

This PR adds the ability to run proksi without SSL/TLS termination, enabling support for environments like Cloudflare Containers where SSL is handled externally.

Changes

Configuration Options:

  • Added server.ssl_enabled: bool field (default: true)
  • Added command-line flags: --server.ssl_disabled and --server.ssl_enabled
  • Updated validation to only require Let's Encrypt configuration when SSL is enabled

Server Behavior:

  • When ssl_enabled: true (default): Creates HTTPS service with TLS termination as before
  • When ssl_enabled: false: Creates HTTP-only services on both ports without TLS configuration
  • Clear logging messages distinguish between SSL and non-SSL modes

Usage Examples:

Configuration file (YAML):

server:
  ssl_enabled: false
  https_address: "0.0.0.0:8080"  # Serves HTTP on this port
  http_address: "0.0.0.0:8081"

Configuration file (HCL):

server {
  ssl_enabled = false
  https_address = "0.0.0.0:8080"
  http_address = "0.0.0.0:8081"
}

Command-line:

proksi --server.ssl_disabled --server.https_address 127.0.0.1:8080

Testing:

  • Added comprehensive tests for SSL-enabled/disabled configurations in both YAML and HCL formats
  • Added tests for command-line flag behavior
  • All existing tests continue to pass (34/35, same DNS test failure as before)

This enables proksi to work in environments where SSL termination is handled by external infrastructure, such as Cloudflare Containers, load balancers, or reverse proxies.

Fixes #293.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /home/REDACTED/work/proksi/proksi/target/debug/deps/proksi-6bdbab2f1b68f736 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

@luizfonseca

Copy link
Copy Markdown
Owner

@copilot the current implementation always assumes that users want to have SSL enabled on the HTTPs port.

This should be changed to allow the proxy to route any requests without SSL. This might require some big refactoring here, since we should aim to be as abstract as possible.

The current implementation also assumes that we always have the ACME well_known endpoints on the HTTP server port.

Suggestion: let's try to allow a default configuration, but multiple proxies to be configured, with as many upstreams within them.

e.g.

// very vague example, pick a better approach to handle this

proxies = [
  {
     host = "0.0.0.0:7676"
     ssl = true
     
     
     routes = [
       // ... same routing configuration today

     }
  }
]

keep the code as flexible as possible and split files to avoid big functions in a single file

Copilot AI and others added 2 commits July 18, 2025 22:44
Co-authored-by: luizfonseca <249782+luizfonseca@users.noreply.github.com>
Co-authored-by: luizfonseca <249782+luizfonseca@users.noreply.github.com>
Copilot AI changed the title [WIP] [REQUEST] Allow the server to use non-SSL ports/server Add SSL-disabled mode for Cloudflare Containers support Jul 18, 2025
Copilot AI requested a review from luizfonseca July 18, 2025 23:07
@luizfonseca

Copy link
Copy Markdown
Owner

@copilot always use semantic commit messages.

Copilot AI commented Jul 18, 2025

Copy link
Copy Markdown
Contributor Author

@copilot the current implementation always assumes that users want to have SSL enabled on the HTTPs port.

This should be changed to allow the proxy to route any requests without SSL. This might req...

I understand you want to refactor from a single-server model to a multi-proxy architecture with flexible SSL configurations per proxy. This would be a significant architectural change requiring:

  1. Config restructure: Replace ServerCfg with proxies array containing individual proxy configs
  2. Service architecture: Move from single HTTP/HTTPS services to multiple configurable proxy services
  3. SSL abstraction: SSL settings per proxy instead of global
  4. File organization: Split large functions across multiple files

This is a major refactoring that would essentially redesign the core architecture. Would you like me to:

A) Proceed with implementing this full restructure, or
B) Create a detailed implementation plan first for review?

The scope includes rewriting configuration parsing, service management, SSL handling, and updating all related tests.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /home/REDACTED/work/proksi/proksi/target/debug/deps/proksi-6bdbab2f1b68f736 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 2 commits July 18, 2025 23:38
Co-authored-by: luizfonseca <249782+luizfonseca@users.noreply.github.com>
…ture

Co-authored-by: luizfonseca <249782+luizfonseca@users.noreply.github.com>

Copilot AI commented Jul 18, 2025

Copy link
Copy Markdown
Contributor Author

@copilot always use semantic commit messages.

Understood. I'll use conventional commit format (type(scope): description) for all future commits in this PR.

@luizfonseca

Copy link
Copy Markdown
Owner

@copilot resolve conflicts with main branch

- Integrate main branch changes for configuration file loading and minimal defaults
- Maintain SSL-disabled functionality and multi-proxy architecture
- Combine main's LetsEncrypt validation improvements with SSL-aware checks
- Update all load_from_path function calls to support SSL flag parameters
- Preserve both legacy SSL-disabled tests and new minimal default tests

Copilot AI commented Jul 19, 2025

Copy link
Copy Markdown
Contributor Author

@copilot resolve conflicts with main branch

Merge conflicts with main branch have been resolved. The merge successfully integrates the main branch's improvements to configuration file loading and Let's Encrypt defaults while preserving all SSL-disabled functionality and the new multi-proxy architecture. All configuration tests are passing. Commit: 831662a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[REQUEST] Allow the server to use non-SSL ports/server

2 participants