no longer need to reboot to start / stop tls service

2025-04-08 16:05:04 +02:00 · 2025-04-08 16:05:04 +02:00 · ffb43da96e
parent 720c6f8951
commit ffb43da96e
5 changed files with 112 additions and 41 deletions
--- a/config.go
+++ b/config.go
@ -109,6 +109,8 @@ func SaveConfig() error {
 	configLock.Lock()
 	defer configLock.Unlock()
 	logger.Tracef("Saving config to %s", configPath)
 	file, err := os.Create(configPath)
 	if err != nil {
 		return fmt.Errorf("failed to create config file: %w", err)
--- a/jsonrpc.go
+++ b/jsonrpc.go
@ -405,8 +405,8 @@ func rpcGetTLSState() TLSState {
 	return getTLSState()
 }
-func rpcSetTLSState(tlsState TLSState) error {
+func rpcSetTLSState(state TLSState) error {
-	err := setTLSState(tlsState)
+	err := setTLSState(state)
 	if err != nil {
 		return fmt.Errorf("failed to set TLS state: %w", err)
 	}
--- a/main.go
+++ b/main.go
@ -70,10 +70,12 @@ func Main() {
 	//go RunFuseServer()
 	go RunWebServer()
 	go RunWebSecureServer()
 	// Web secure server is started only if TLS mode is enabled
 	if config.TLSMode != "" {
-		initCertStore()
+		startWebSecureServer()
 		go RunWebSecureServer()
 	}
 	// As websocket client already checks if the cloud token is set, we can start it here.
 	go RunWebsocketClient()
--- a/ui/src/routes/devices.$id.settings.access._index.tsx
+++ b/ui/src/routes/devices.$id.settings.access._index.tsx
@ -161,7 +161,12 @@ export default function SettingsAccessIndexRoute() {
  };
  const handleTlsUpdate = useCallback(() => {
-    send("setTLSState", { state: { mode: tlsMode, certificate: tlsCert, privateKey: tlsKey } as TLSState }, resp => {
+    const state = { mode: tlsMode } as TLSState;
    if (tlsMode !== "disabled") {
      state.certificate = tlsCert;
      state.privateKey = tlsKey;
    }
    send("setTLSState", { state }, resp => {
      if ("error" in resp) {
        notifications.error(`Failed to update TLS settings: ${resp.error.data || "Unknown error"}`);
        return;
@ -171,17 +176,6 @@ export default function SettingsAccessIndexRoute() {
    });
  }, [send, tlsMode, tlsCert, tlsKey]);
  const handleReboot = useCallback(() => {
    send("reboot", { force: false }, resp => {
      if ("error" in resp) {
        notifications.error(`Failed to reboot: ${resp.error.data || "Unknown error"}`);
        return;
      }
      notifications.success("Device will restart shortly, it might take a few seconds to boot up again.");
    });
  }, [send]);
  // Fetch device ID and cloud state on component mount
  useEffect(() => {
    getCloudState();
@ -211,8 +205,8 @@ export default function SettingsAccessIndexRoute() {
              <SettingsItem
                title="HTTPS/TLS Mode"
                description={<>
-                  Select the TLS mode for your device (beta)<br />
+                  Select the TLS mode for your device <sup>experimental</sup><br />
-                  <small>changing this setting might restart the device</small>
+                  <small>The feature might not work as expected, please report any issues if you encounter any.</small>
                </>}
              >
                <SelectMenuBasic
@ -227,27 +221,6 @@ export default function SettingsAccessIndexRoute() {
                />
              </SettingsItem>
              <div className="space-y-4">
                <p className="text-xs text-slate-600 dark:text-slate-400">
                  If TLS wasn't enabled before, you'll need to <strong>reboot</strong> the device to apply the changes.<br />
                </p>
                <div className="flex items-center gap-x-2">
                  <Button
                    size="SM"
                    theme="primary"
                    text="Update TLS Settings"
                    onClick={handleTlsUpdate}
                  />
                  <Button
                    size="SM"
                    theme="danger"
                    text="Reboot"
                    onClick={handleReboot}
                  />
                </div>
              </div>
              {tlsMode === "custom" && (
                <div className="mt-4 space-y-4">
                  <div className="space-y-4">
@ -282,6 +255,19 @@ export default function SettingsAccessIndexRoute() {
                  </div>
                </div>
              )}
              <div className="space-y-4">
                <div className="flex items-center gap-x-2">
                  <Button
                    size="SM"
                    theme="primary"
                    text="Update TLS Settings"
                    onClick={handleTlsUpdate}
                  />
                </div>
              </div>
              <SettingsItem
                title="Authentication Mode"
                description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
--- a/web_tls.go
+++ b/web_tls.go
@ -1,10 +1,13 @@
 package kvm
 import (
 	"context"
 	"crypto/tls"
 	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/http"
 	"sync"
 	"github.com/jetkvm/kvm/internal/websecure"
 )
@ -31,6 +34,10 @@ type TLSState struct {
 }
 func initCertStore() {
 	if certStore != nil {
 		logger.Warnf("TLS store already initialized, it should not be initialized again")
 		return
 	}
 	certStore = websecure.NewCertStore(tlsStorePath)
 	certStore.LoadCertificates()
@ -87,10 +94,18 @@ func getTLSState() TLSState {
 }
 func setTLSState(s TLSState) error {
 	var isChanged = false
 	switch s.Mode {
 	case "disabled":
 		if config.TLSMode != "" {
 			isChanged = true
 		}
 		config.TLSMode = ""
 	case "custom":
 		if config.TLSMode == "" {
 			isChanged = true
 		}
 		// parse pem to cert and key
 		err, _ := certStore.ValidateAndSaveCertificate(webSecureCustomCertificateName, s.Certificate, s.PrivateKey, true)
 		// warn doesn't matter as ... we don't know the hostname yet
@ -99,15 +114,47 @@ func setTLSState(s TLSState) error {
 		}
 		config.TLSMode = "custom"
 	case "self-signed":
 		if config.TLSMode == "" {
 			isChanged = true
 		}
 		config.TLSMode = "self-signed"
 	default:
 		return fmt.Errorf("invalid TLS mode: %s", s.Mode)
 	}
 	if !isChanged {
 		logger.Tracef("TLS enabled state is not changed, not starting/stopping websecure server")
 		return nil
 	}
 	if config.TLSMode == "" {
 		logger.Tracef("Stopping websecure server, as TLS mode is disabled")
 		stopWebSecureServer()
 	} else {
 		logger.Tracef("Starting websecure server, as TLS mode is enabled")
 		startWebSecureServer()
 	}
 	return nil
 }
 var (
 	startTLS       = make(chan struct{})
 	stopTLS        = make(chan struct{})
 	tlsServiceLock = sync.Mutex{}
 	tlsStarted     = false
 )
 // RunWebSecureServer runs a web server with TLS.
-func RunWebSecureServer() {
+func runWebSecureServer() {
 	tlsServiceLock.Lock()
 	defer tlsServiceLock.Unlock()
 	tlsStarted = true
 	defer func() {
 		tlsStarted = false
 	}()
 	r := setupRouter()
 	server := &http.Server{
@ -120,8 +167,42 @@ func RunWebSecureServer() {
 		},
 	}
 	logger.Infof("Starting websecure server on %s", webSecureListen)
 	go func() {
 		for _ = range stopTLS {
 			logger.Infof("Shutting down websecure server")
 			server.Shutdown(context.Background())
 		}
 	}()
 	err := server.ListenAndServeTLS("", "")
-	if err != nil {
+	if !errors.Is(err, http.ErrServerClosed) {
 		panic(err)
 	}
 }
 func stopWebSecureServer() {
 	if !tlsStarted {
 		logger.Warnf("Websecure server is not running, not stopping it")
 		return
 	}
 	stopTLS <- struct{}{}
 }
 func startWebSecureServer() {
 	if tlsStarted {
 		logger.Warnf("Websecure server is already running, not starting it again")
 		return
 	}
 	startTLS <- struct{}{}
 }
 func RunWebSecureServer() {
 	for _ = range startTLS {
 		logger.Tracef("Starting websecure server, as we have received a start signal")
 		if certStore == nil {
 			initCertStore()
 		}
 		go runWebSecureServer()
 	}
 }