Skip to content

[signal] Fix HTTP/WebSocket proxy not using custom certificates #4644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 24, 2025
Merged

[signal] Fix HTTP/WebSocket proxy not using custom certificates #4644

merged 4 commits into from
Oct 24, 2025
+24 −12

Conversation

@bcmmbaga
Copy link
Contributor

Describe your changes

When using custom certificates (--cert-file and --cert-key), the HTTP/WebSocket proxy server was running without TLS, only the gRPC server had TLS enabled.

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

@Copilot Copilot AI review requested due to automatic review settings October 15, 2025 09:21
Copilot
Copilot AI reviewed Oct 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This pull request fixes a bug where the HTTP/WebSocket proxy server was not using custom TLS certificates when provided via --cert-file and --cert-key flags. Previously, only the gRPC server had TLS enabled with custom certificates, while the HTTP/WebSocket proxy ran without TLS.

  • Modified getTLSConfigurations() to return the TLS config for use by HTTP/WebSocket proxy
  • Updated the HTTP server initialization logic to properly use custom certificates
  • Fixed condition checks to handle both Let's Encrypt and custom certificate scenarios

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

mlsmaycon
mlsmaycon previously requested changes Oct 20, 2025
View reviewed changes
Copy link
Collaborator

@mlsmaycon mlsmaycon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bcmmbaga we need to update management.json too with https

@sonarqubecloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@bcmmbaga
Copy link
Contributor Author

@bcmmbaga we need to update management.json too with https

Done

@bcmmbaga bcmmbaga requested a review from mlsmaycon October 20, 2025 13:42
@bcmmbaga bcmmbaga merged commit 709e24e into main Oct 24, 2025
40 checks passed
@bcmmbaga bcmmbaga deleted the ix/signal-custom-cert-tls branch October 24, 2025 12:40
hurricanehrndz added a commit to hurricanehrndz/netbird that referenced this pull request Oct 24, 2025
@hurricanehrndz
Merge remote-tracking branch 'upstream/main' into fix/darwin-dns
97040a4 
* upstream/main: (135 commits)
  [signal] Fix HTTP/WebSocket proxy not using custom certificates (netbirdio#4644)
  [client] Fix active profile name in debug bundle (netbirdio#4689)
  [management] Add peer disapproval reason (netbirdio#4468)
  [misc] Update tag name extraction in install.sh (netbirdio#4677)
  [client] Clean up match domain reg entries between config changes (netbirdio#4676)
  [client] Delete TURNConfig section from script (netbirdio#4639)
  [client] Security upgrade alpine from 3.22.0 to 3.22.2 netbirdio#4618
  [client] Fix status showing P2P without connection (netbirdio#4661)
  [client] Support BROWSER env for login (netbirdio#4654)
  [client] Remove rule squashing (netbirdio#4653)
  Handle the case when the service has already been down and the status recorder is not available (netbirdio#4652)
  [client] Set default wg port for new profiles (netbirdio#4651)
  [client] Add bind activity listener to bypass udp sockets (netbirdio#4646)
  [client] Fix missing flag values in profiles (netbirdio#4650)
  [management] feat: Basic PocketID IDP integration (netbirdio#4529)
  [client] Force TLS1.2 for RDP with Win11/Server2025 for CredSSP compatibility (netbirdio#4617)
  [misc] Add service definition for netbird-signal (netbirdio#4620)
  [management] pass temporary flag to validator (netbirdio#4599)
  [client] Explicitly disable DNSOverTLS for systemd-resolved (netbirdio#4579)
  [management] sync all other peers on peer add/remove (netbirdio#4614)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pascal-fischer pascal-fischer pascal-fischer approved these changes

@mlsmaycon mlsmaycon Awaiting requested review from mlsmaycon

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bcmmbaga @mlsmaycon @pascal-fischer