From ffb43da96e46d9990cdbf43300cedb60f07db5e6 Mon Sep 17 00:00:00 2001
From: Siyuan Miao <i@xswan.net>
Date: Tue, 8 Apr 2025 16:05:04 +0200
Subject: [PATCH] no longer need to reboot to start / stop tls service

---
 config.go                                     |  2 +
 jsonrpc.go                                    |  4 +-
 main.go                                       |  6 +-
 .../devices.$id.settings.access._index.tsx    | 56 +++++-------
 web_tls.go                                    | 85 ++++++++++++++++++-
 5 files changed, 112 insertions(+), 41 deletions(-)

diff --git a/config.go b/config.go
index 7c8437d..83cdb30 100644
--- a/config.go
+++ b/config.go
@@ -109,6 +109,8 @@ func SaveConfig() error {
 	configLock.Lock()
 	defer configLock.Unlock()
 
+	logger.Tracef("Saving config to %s", configPath)
+
 	file, err := os.Create(configPath)
 	if err != nil {
 		return fmt.Errorf("failed to create config file: %w", err)
diff --git a/jsonrpc.go b/jsonrpc.go
index b4dadd3..d8ffdac 100644
--- a/jsonrpc.go
+++ b/jsonrpc.go
@@ -405,8 +405,8 @@ func rpcGetTLSState() TLSState {
 	return getTLSState()
 }
 
-func rpcSetTLSState(tlsState TLSState) error {
-	err := setTLSState(tlsState)
+func rpcSetTLSState(state TLSState) error {
+	err := setTLSState(state)
 	if err != nil {
 		return fmt.Errorf("failed to set TLS state: %w", err)
 	}
diff --git a/main.go b/main.go
index d8934a8..feb1d3b 100644
--- a/main.go
+++ b/main.go
@@ -70,10 +70,12 @@ func Main() {
 	//go RunFuseServer()
 	go RunWebServer()
 
+	go RunWebSecureServer()
+	// Web secure server is started only if TLS mode is enabled
 	if config.TLSMode != "" {
-		initCertStore()
-		go RunWebSecureServer()
+		startWebSecureServer()
 	}
+
 	// As websocket client already checks if the cloud token is set, we can start it here.
 	go RunWebsocketClient()
 
diff --git a/ui/src/routes/devices.$id.settings.access._index.tsx b/ui/src/routes/devices.$id.settings.access._index.tsx
index 6d3a26d..389071e 100644
--- a/ui/src/routes/devices.$id.settings.access._index.tsx
+++ b/ui/src/routes/devices.$id.settings.access._index.tsx
@@ -161,7 +161,12 @@ export default function SettingsAccessIndexRoute() {
   };
 
   const handleTlsUpdate = useCallback(() => {
-    send("setTLSState", { state: { mode: tlsMode, certificate: tlsCert, privateKey: tlsKey } as TLSState }, resp => {
+    const state = { mode: tlsMode } as TLSState;
+    if (tlsMode !== "disabled") {
+      state.certificate = tlsCert;
+      state.privateKey = tlsKey;
+    }
+    send("setTLSState", { state }, resp => {
       if ("error" in resp) {
         notifications.error(`Failed to update TLS settings: ${resp.error.data || "Unknown error"}`);
         return;
@@ -171,17 +176,6 @@ export default function SettingsAccessIndexRoute() {
     });
   }, [send, tlsMode, tlsCert, tlsKey]);
 
-  const handleReboot = useCallback(() => {
-    send("reboot", { force: false }, resp => {
-      if ("error" in resp) {
-        notifications.error(`Failed to reboot: ${resp.error.data || "Unknown error"}`);
-        return;
-      }
-
-      notifications.success("Device will restart shortly, it might take a few seconds to boot up again.");
-    });
-  }, [send]);
-
   // Fetch device ID and cloud state on component mount
   useEffect(() => {
     getCloudState();
@@ -211,8 +205,8 @@ export default function SettingsAccessIndexRoute() {
               <SettingsItem
                 title="HTTPS/TLS Mode"
                 description={<>
-                  Select the TLS mode for your device (beta)<br />
-                  <small>changing this setting might restart the device</small>
+                  Select the TLS mode for your device <sup>experimental</sup><br />
+                  <small>The feature might not work as expected, please report any issues if you encounter any.</small>
                 </>}
               >
                 <SelectMenuBasic
@@ -227,27 +221,6 @@ export default function SettingsAccessIndexRoute() {
                 />
               </SettingsItem>
 
-              <div className="space-y-4">
-                <p className="text-xs text-slate-600 dark:text-slate-400">
-                  If TLS wasn't enabled before, you'll need to <strong>reboot</strong> the device to apply the changes.<br />
-                </p>
-
-                <div className="flex items-center gap-x-2">
-                  <Button
-                    size="SM"
-                    theme="primary"
-                    text="Update TLS Settings"
-                    onClick={handleTlsUpdate}
-                  />
-                  <Button
-                    size="SM"
-                    theme="danger"
-                    text="Reboot"
-                    onClick={handleReboot}
-                  />
-                </div>
-              </div>
-
               {tlsMode === "custom" && (
                 <div className="mt-4 space-y-4">
                   <div className="space-y-4">
@@ -282,6 +255,19 @@ export default function SettingsAccessIndexRoute() {
                   </div>
                 </div>
               )}
+
+
+              <div className="space-y-4">
+                <div className="flex items-center gap-x-2">
+                  <Button
+                    size="SM"
+                    theme="primary"
+                    text="Update TLS Settings"
+                    onClick={handleTlsUpdate}
+                  />
+                </div>
+              </div>
+
               <SettingsItem
                 title="Authentication Mode"
                 description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
diff --git a/web_tls.go b/web_tls.go
index 0d9bc09..40bc90b 100644
--- a/web_tls.go
+++ b/web_tls.go
@@ -1,10 +1,13 @@
 package kvm
 
 import (
+	"context"
 	"crypto/tls"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"net/http"
+	"sync"
 
 	"github.com/jetkvm/kvm/internal/websecure"
 )
@@ -31,6 +34,10 @@ type TLSState struct {
 }
 
 func initCertStore() {
+	if certStore != nil {
+		logger.Warnf("TLS store already initialized, it should not be initialized again")
+		return
+	}
 	certStore = websecure.NewCertStore(tlsStorePath)
 	certStore.LoadCertificates()
 
@@ -87,10 +94,18 @@ func getTLSState() TLSState {
 }
 
 func setTLSState(s TLSState) error {
+	var isChanged = false
+
 	switch s.Mode {
 	case "disabled":
+		if config.TLSMode != "" {
+			isChanged = true
+		}
 		config.TLSMode = ""
 	case "custom":
+		if config.TLSMode == "" {
+			isChanged = true
+		}
 		// parse pem to cert and key
 		err, _ := certStore.ValidateAndSaveCertificate(webSecureCustomCertificateName, s.Certificate, s.PrivateKey, true)
 		// warn doesn't matter as ... we don't know the hostname yet
@@ -99,15 +114,47 @@ func setTLSState(s TLSState) error {
 		}
 		config.TLSMode = "custom"
 	case "self-signed":
+		if config.TLSMode == "" {
+			isChanged = true
+		}
 		config.TLSMode = "self-signed"
 	default:
 		return fmt.Errorf("invalid TLS mode: %s", s.Mode)
 	}
+
+	if !isChanged {
+		logger.Tracef("TLS enabled state is not changed, not starting/stopping websecure server")
+		return nil
+	}
+
+	if config.TLSMode == "" {
+		logger.Tracef("Stopping websecure server, as TLS mode is disabled")
+		stopWebSecureServer()
+	} else {
+		logger.Tracef("Starting websecure server, as TLS mode is enabled")
+		startWebSecureServer()
+	}
+
 	return nil
 }
 
+var (
+	startTLS       = make(chan struct{})
+	stopTLS        = make(chan struct{})
+	tlsServiceLock = sync.Mutex{}
+	tlsStarted     = false
+)
+
 // RunWebSecureServer runs a web server with TLS.
-func RunWebSecureServer() {
+func runWebSecureServer() {
+	tlsServiceLock.Lock()
+	defer tlsServiceLock.Unlock()
+
+	tlsStarted = true
+	defer func() {
+		tlsStarted = false
+	}()
+
 	r := setupRouter()
 
 	server := &http.Server{
@@ -120,8 +167,42 @@ func RunWebSecureServer() {
 		},
 	}
 	logger.Infof("Starting websecure server on %s", webSecureListen)
+
+	go func() {
+		for _ = range stopTLS {
+			logger.Infof("Shutting down websecure server")
+			server.Shutdown(context.Background())
+		}
+	}()
+
 	err := server.ListenAndServeTLS("", "")
-	if err != nil {
+	if !errors.Is(err, http.ErrServerClosed) {
 		panic(err)
 	}
 }
+
+func stopWebSecureServer() {
+	if !tlsStarted {
+		logger.Warnf("Websecure server is not running, not stopping it")
+		return
+	}
+	stopTLS <- struct{}{}
+}
+
+func startWebSecureServer() {
+	if tlsStarted {
+		logger.Warnf("Websecure server is already running, not starting it again")
+		return
+	}
+	startTLS <- struct{}{}
+}
+
+func RunWebSecureServer() {
+	for _ = range startTLS {
+		logger.Tracef("Starting websecure server, as we have received a start signal")
+		if certStore == nil {
+			initCertStore()
+		}
+		go runWebSecureServer()
+	}
+}