Support custom HTTP certificate (#2287)

Co-authored-by: Jonatan Kłosko <jonatanklosko@gmail.com>
2024-12-29 19:20:46 +08:00 · 2023-10-22 11:01:15 +02:00 · 2023-10-22 11:01:15 +02:00 · 94edf9f8b9
commit 94edf9f8b9
parent ca645ea974
4 changed files with 33 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -191,7 +191,7 @@ The following environment variables can be used to configure Livebook on boot:
    are deployed on Livebook startup with the persisted settings. Password-protected
    notebooks will receive a random password, unless LIVEBOOK_APPS_PATH_PASSWORD
    is set. When deploying using Livebook's Docker image, consider using
-    `LIVEBOOK_APPS_PATH_WARMUP`.
+    LIVEBOOK_APPS_PATH_WARMUP.

  * LIVEBOOK_APPS_PATH_HUB_ID - deploy only the notebooks in
    LIVEBOOK_APPS_PATH that belong to the given Hub ID
@ -208,6 +208,10 @@ The following environment variables can be used to configure Livebook on boot:
  * LIVEBOOK_BASE_URL_PATH - sets the base url path the web application is
    served on. Useful when deploying behind a reverse proxy.

+  * LIVEBOOK_CACERTFILE - path to a local file containing CA certificates.
+    Those certificates are used during for server authentication when Livebook
+    accesses files from external sources.
+
  * LIVEBOOK_COOKIE - sets the cookie for running Livebook in a cluster.
    Defaults to a random string that is generated on boot.

--- a/lib/livebook.ex
+++ b/lib/livebook.ex
@ -177,6 +177,10 @@ defmodule Livebook do
      config :livebook, :force_ssl_host, force_ssl_host
    end

+    if cacertfile = Livebook.Config.cacertfile!("LIVEBOOK_CACERTFILE") do
+      config :livebook, :cacertfile, cacertfile
+    end
+
    config :livebook,
           :cookie,
           Livebook.Config.cookie!("LIVEBOOK_COOKIE") ||
--- a/lib/livebook/config.ex
+++ b/lib/livebook/config.ex
@ -319,6 +319,14 @@ defmodule Livebook.Config do
    Application.fetch_env!(:livebook, :force_ssl_host)
  end

+  @doc """
+  Returns the application cacertfile if any.
+  """
+  @spec cacertfile() :: String.t() | nil
+  def cacertfile() do
+    Application.get_env(:livebook, :cacertfile)
+  end
+
  @feature_flags Application.compile_env(:livebook, :feature_flags)

  @doc """
@ -513,6 +521,13 @@ defmodule Livebook.Config do
    System.get_env(env)
  end

+  @doc """
+  Parses application cacertfile from env.
+  """
+  def cacertfile!(env) do
+    System.get_env(env)
+  end
+
  @doc """
  Parses application service name from env.
  """
--- a/lib/livebook/utils/http.ex
+++ b/lib/livebook/utils/http.ex
@ -213,9 +213,17 @@ defmodule Livebook.Utils.HTTP do

  defp http_ssl_opts() do
    # Use secure options, see https://gist.github.com/jonatanklosko/5e20ca84127f6b31bbe3906498e1a1d7
+
+    cacert_opt =
+      if cacertfile = Livebook.Config.cacertfile() do
+        {:cacertfile, to_charlist(cacertfile)}
+      else
+        {:cacerts, @cacerts}
+      end
+
    [
+      cacert_opt,
      verify: :verify_peer,
-      cacerts: @cacerts,
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]