From a7ed302c35cd066e8982089caf5a63525ab98cc9 Mon Sep 17 00:00:00 2001
From: selfhoster1312
Date: Sun, 5 Nov 2023 22:45:51 +0100
Subject: [PATCH] Add openssl_ca_certs_file and openssl_ca_certs_dir config options
---
 config/config.example.yml | 22 +++++++++++++++++++++
 src/invidious/config.cr | 10 ++++++++++
 src/invidious/yt_backend/connection_pool.cr | 17 ++++++++++++++--
 3 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/config/config.example.yml b/config/config.example.yml
index b44fcc0e..1f5f10fb 100644
--- a/config/config.example.yml
+++ b/config/config.example.yml
@@ -140,6 +140,28 @@ https_only: false
 ##
 #pool_size: 100
+##
+## File containing the Certificate Authorities, in the PEM format
+## as expected by OpenSSL. For example, /etc/ssl1.1/certs.pem on Alpine.
+## By default, Invidious by using Crystal standard library will use
+## the default setting from the crystal binary it was compiled with.
+## This option is incompatible with openssl_ca_certs_dir.
+##
+## Default:
+##
+#openssl_ca_certs_file:
+
 ##
+## Folder containing the Certificate Authorities, in the PEM format
+## as expected by OpenSSL. For example, /etc/ssl/certs/ on Debian.
+## By default, Invidious by using Crystal standard library will use
+## the default setting from the crystal binary it was compiled with.
+## This option is incompatible with openssl_ca_certs_file.
+##
+## Default:
+##
+#openssl_ca_certs_dir:
+
 ##
 ## Additional cookies to be sent when requesting the youtube API.
diff --git a/src/invidious/config.cr b/src/invidious/config.cr
index 429d9246..6992313e 100644
--- a/src/invidious/config.cr
+++ b/src/invidious/config.cr
@@ -126,6 +126,10 @@ class Config
   property host_binding : String = "0.0.0.0"
   # Pool size for HTTP requests to youtube.com and ytimg.com (each domain has a separate pool of `pool_size`)
   property pool_size : Int32 = 100
+  # CA certificates file for OpenSSL
+  property openssl_ca_certs_file : String? = nil
+  # CA certificates folder for OpenSSL
+  property openssl_ca_certs_dir : String? = nil
   # Use Innertube's transcripts API instead of timedtext for closed captions
   property use_innertube_for_captions : Bool = false
@@ -232,6 +236,12 @@ class Config
       end
     end
+    # We can only have openssl_ca_certs_file or openssl_ca_certs_dir, not both
+    if !(config.openssl_ca_certs_file.nil? || config.openssl_ca_certs_dir.nil?)
+      puts "Config: You can't have both openssl_ca_certs_file and openssl_ca_certs_folder."
+      exit(1)
+    end
+
     return config
   end
 end
diff --git a/src/invidious/yt_backend/connection_pool.cr b/src/invidious/yt_backend/connection_pool.cr
index 03ff0ee4..3afa95f0 100644
--- a/src/invidious/yt_backend/connection_pool.cr
+++ b/src/invidious/yt_backend/connection_pool.cr
@@ -35,7 +35,14 @@ struct YoutubeConnectionPool
       response = yield conn
     rescue ex
       conn.close
-      conn = HTTP::Client.new(url)
+
+      tls_context = OpenSSL::SSL::Context::Client.new
+      if CONFIG.openssl_ca_certs_dir != nil
+        tls_context.ca_certificates_path = CONFIG.openssl_ca_certs_dir.not_nil!
+      elsif CONFIG.openssl_ca_certs_file != nil
+        tls_context.ca_certificates = CONFIG.openssl_ca_certs_file.not_nil!
+      end
+      conn = HTTP::Client.new(url, tls: tls_context)
       conn.family = CONFIG.force_resolve
       conn.family = Socket::Family::INET if conn.family == Socket::Family::UNSPEC
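Review bot: The error message in the added validation block names `openssl_ca_certs_folder`, but the option declared a few lines above and documented in config.example.yml is `openssl_ca_certs_dir`, so an operator searching for the reported key will not find it; change the line to `puts "Config: You can't have both openssl_ca_certs_file and openssl_ca_certs_dir."`. The double negation `!(a.nil? || b.nil?)` is correct but reads harder than the equivalent `if config.openssl_ca_certs_file && config.openssl_ca_certs_dir`. The check only rejects the combination: a path that does not exist or is unreadable is not validated here and will presumably only surface when the TLS context is built in connection_pool.cr, at the first outbound request rather than at startup, so a `File.exists?` / `Dir.exists?` check next to this one would fail fast with a clear message. The enclosing method starts before this hunk.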
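Review bot: The TLS-context construction added in the `rescue ex` branch is repeated verbatim in `build_pool` (the next hunk), so the CA-loading policy now lives in two places that can drift; extract it into one private helper and call `HTTP::Client.new(url, tls: build_tls_context)` from both sites. The helper can also replace the `!= nil` / `.not_nil!` pairs with Crystal's `if (dir = CONFIG.openssl_ca_certs_dir)` binding, which narrows the nilable type without the unchecked cast. Note that `ca_certificates=` / `ca_certificates_path=` presumably raise when the configured path cannot be loaded; inside the `rescue ex` branch such an exception escapes the reconnect attempt, and since the enclosing `client` method starts and ends outside this hunk I cannot see whether an `ensure` still returns the closed connection to the pool — worth checking.

```crystal
  # One place for the outbound TLS policy: honour openssl_ca_certs_dir /
  # openssl_ca_certs_file from the config, otherwise keep Crystal's defaults.
  private def build_tls_context : OpenSSL::SSL::Context::Client
    tls_context = OpenSSL::SSL::Context::Client.new
    if (dir = CONFIG.openssl_ca_certs_dir)
      tls_context.ca_certificates_path = dir
    elsif (file = CONFIG.openssl_ca_certs_file)
      tls_context.ca_certificates = file
    end
    tls_context
  end

  # … unchanged: client's begin/rescue up to conn.close …
      conn = HTTP::Client.new(url, tls: build_tls_context)
```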
@@ -51,7 +58,13 @@ struct YoutubeConnectionPool
   private def build_pool
     DB::Pool(HTTP::Client).new(initial_pool_size: 0, max_pool_size: capacity, max_idle_pool_size: capacity, checkout_timeout: timeout) do
-      conn = HTTP::Client.new(url)
+      tls_context = OpenSSL::SSL::Context::Client.new
+      if CONFIG.openssl_ca_certs_dir != nil
+        tls_context.ca_certificates_path = CONFIG.openssl_ca_certs_dir.not_nil!
+      elsif CONFIG.openssl_ca_certs_file != nil
+        tls_context.ca_certificates = CONFIG.openssl_ca_certs_file.not_nil!
+      end
+      conn = HTTP::Client.new(url, tls: tls_context)
       conn.family = CONFIG.force_resolve
       conn.family = Socket::Family::INET if conn.family == Socket::Family::UNSPEC
       conn.before_request { |r| add_yt_headers(r) } if url.host == "www.youtube.com"
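Review bot: Every client the pool factory block creates builds its own `OpenSSL::SSL::Context::Client` and re-reads the CA material from disk, so with `max_pool_size: capacity` the certificate store is parsed up to `capacity` times per pool (and again on each reconnect in `client`); building the context once, before `DB::Pool(HTTP::Client).new`, and passing the same object to each `HTTP::Client.new(url, tls: ...)` would avoid that, provided the shared context is not mutated after creation — worth confirming against Crystal's OpenSSL bindings. When `openssl_ca_certs_dir` is set, OpenSSL looks up issuers in that directory by subject-hash filename, so a folder of plain PEM files without the hashed names (what `openssl rehash` / `c_rehash` produce, and what /etc/ssl/certs/ on Debian already has) contributes nothing to the trust store; the option then either silently has no effect, if the system defaults are still loaded, or every handshake fails, with nothing pointing at the config. A comment on the `ca_certificates_path=` line such as `# directory must use OpenSSL's hashed-filename layout (see `openssl rehash`)` would spare operators that diagnosis.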