Add option to disable TLS validation for NATS

2026-01-08 14:43:09 -06:00 · 2022-08-02 12:28:05 +02:00 · 2022-08-02 12:28:05 +02:00 · 374840fba3
parent 5aa1d7827c
commit 374840fba3
4 changed files with 21 additions and 1 deletions
--- a/dendrite-sample.monolith.yaml
+++ b/dendrite-sample.monolith.yaml
@ -113,6 +113,11 @@ global:
    addresses:
    # - localhost:4222

+    # Disable the validation of TLS certificates of NATS. This is
+    # not recommended in production since it may allow NATS traffic
+    # to be sent to an insecure endpoint.
+    disable_tls_validation: false
+
    # Persistent directory to store JetStream streams in. This directory should be
    # preserved across Dendrite restarts.
    storage_path: ./
--- a/dendrite-sample.polylith.yaml
+++ b/dendrite-sample.polylith.yaml
@ -103,6 +103,11 @@ global:
    addresses:
      - hostname:4222

+    # Disable the validation of TLS certificates of NATS. This is
+    # not recommended in production since it may allow NATS traffic
+    # to be sent to an insecure endpoint.
+    disable_tls_validation: false
+
    # The prefix to use for stream names for this homeserver - really only useful
    # if you are running more than one Dendrite server on the same NATS deployment.
    topic_prefix: Dendrite
--- a/setup/config/config_jetstream.go
+++ b/setup/config/config_jetstream.go
@ -19,6 +19,8 @@ type JetStream struct {
 	InMemory bool `yaml:"in_memory"`
 	// Disable logging. This is mostly useful for unit tests.
 	NoLog bool `yaml:"-"`
+	// Disables TLS validation. This should NOT be used in production
+	DisableTLSValidation bool `yaml:"disable_tls_validation"`
 }

 func (c *JetStream) Prefixed(name string) string {
@ -35,6 +37,7 @@ func (c *JetStream) Defaults(generate bool) {
 	if generate {
 		c.StoragePath = Path("./")
 		c.NoLog = true
+		c.DisableTLSValidation = true
 	}
 }

--- a/setup/jetstream/nats.go
+++ b/setup/jetstream/nats.go
@ -1,6 +1,7 @@
 package jetstream

 import (
+	"crypto/tls"
 	"fmt"
 	"reflect"
 	"strings"
@ -76,7 +77,13 @@ func (s *NATSInstance) Prepare(process *process.ProcessContext, cfg *config.JetS
 func setupNATS(process *process.ProcessContext, cfg *config.JetStream, nc *natsclient.Conn) (natsclient.JetStreamContext, *natsclient.Conn) {
 	if nc == nil {
 		var err error
-		nc, err = natsclient.Connect(strings.Join(cfg.Addresses, ","))
+		opts := []nats.Option{}
+		if cfg.DisableTLSValidation {
+			opts = append(opts, nats.Secure(&tls.Config{
+				InsecureSkipVerify: true,
+			}))
+		}
+		nc, err = natsclient.Connect(strings.Join(cfg.Addresses, ","), opts...)
 		if err != nil {
 			logrus.WithError(err).Panic("Unable to connect to NATS")
 			return nil, nil