no longer need to reboot to start / stop tls service

2025-04-08 16:05:04 +02:00 · 2025-04-08 16:05:04 +02:00 · ffb43da96e
parent 720c6f8951
commit ffb43da96e
5 changed files with 112 additions and 41 deletions
--- a/config.go
+++ b/config.go
@ -109,6 +109,8 @@ func SaveConfig() error {
 	configLock.Lock()
 	defer configLock.Unlock()

+	logger.Tracef("Saving config to %s", configPath)
+
 	file, err := os.Create(configPath)
 	if err != nil {
 		return fmt.Errorf("failed to create config file: %w", err)
--- a/jsonrpc.go
+++ b/jsonrpc.go
@ -405,8 +405,8 @@ func rpcGetTLSState() TLSState {
 	return getTLSState()
 }

-func rpcSetTLSState(tlsState TLSState) error {
-	err := setTLSState(tlsState)
+func rpcSetTLSState(state TLSState) error {
+	err := setTLSState(state)
 	if err != nil {
 		return fmt.Errorf("failed to set TLS state: %w", err)
 	}
--- a/main.go
+++ b/main.go
@ -70,10 +70,12 @@ func Main() {
 	//go RunFuseServer()
 	go RunWebServer()

-	if config.TLSMode != "" {
-		initCertStore()
 	go RunWebSecureServer()
+	// Web secure server is started only if TLS mode is enabled
+	if config.TLSMode != "" {
+		startWebSecureServer()
 	}
+
 	// As websocket client already checks if the cloud token is set, we can start it here.
 	go RunWebsocketClient()

--- a/ui/src/routes/devices.$id.settings.access._index.tsx
+++ b/ui/src/routes/devices.$id.settings.access._index.tsx
@ -161,7 +161,12 @@ export default function SettingsAccessIndexRoute() {
  };

  const handleTlsUpdate = useCallback(() => {
-    send("setTLSState", { state: { mode: tlsMode, certificate: tlsCert, privateKey: tlsKey } as TLSState }, resp => {
+    const state = { mode: tlsMode } as TLSState;
+    if (tlsMode !== "disabled") {
+      state.certificate = tlsCert;
+      state.privateKey = tlsKey;
+    }
+    send("setTLSState", { state }, resp => {
      if ("error" in resp) {
        notifications.error(`Failed to update TLS settings: ${resp.error.data || "Unknown error"}`);
        return;
@ -171,17 +176,6 @@ export default function SettingsAccessIndexRoute() {
    });
  }, [send, tlsMode, tlsCert, tlsKey]);

-  const handleReboot = useCallback(() => {
-    send("reboot", { force: false }, resp => {
-      if ("error" in resp) {
-        notifications.error(`Failed to reboot: ${resp.error.data || "Unknown error"}`);
-        return;
-      }
-
-      notifications.success("Device will restart shortly, it might take a few seconds to boot up again.");
-    });
-  }, [send]);
-
  // Fetch device ID and cloud state on component mount
  useEffect(() => {
    getCloudState();
@ -211,8 +205,8 @@ export default function SettingsAccessIndexRoute() {
              <SettingsItem
                title="HTTPS/TLS Mode"
                description={<>
-                  Select the TLS mode for your device (beta)<br />
-                  <small>changing this setting might restart the device</small>
+                  Select the TLS mode for your device <sup>experimental</sup><br />
+                  <small>The feature might not work as expected, please report any issues if you encounter any.</small>
                </>}
              >
                <SelectMenuBasic
@ -227,27 +221,6 @@ export default function SettingsAccessIndexRoute() {
                />
              </SettingsItem>

-              <div className="space-y-4">
-                <p className="text-xs text-slate-600 dark:text-slate-400">
-                  If TLS wasn't enabled before, you'll need to <strong>reboot</strong> the device to apply the changes.<br />
-                </p>
-
-                <div className="flex items-center gap-x-2">
-                  <Button
-                    size="SM"
-                    theme="primary"
-                    text="Update TLS Settings"
-                    onClick={handleTlsUpdate}
-                  />
-                  <Button
-                    size="SM"
-                    theme="danger"
-                    text="Reboot"
-                    onClick={handleReboot}
-                  />
-                </div>
-              </div>
-
              {tlsMode === "custom" && (
                <div className="mt-4 space-y-4">
                  <div className="space-y-4">
@ -282,6 +255,19 @@ export default function SettingsAccessIndexRoute() {
                  </div>
                </div>
              )}
+
+
+              <div className="space-y-4">
+                <div className="flex items-center gap-x-2">
+                  <Button
+                    size="SM"
+                    theme="primary"
+                    text="Update TLS Settings"
+                    onClick={handleTlsUpdate}
+                  />
+                </div>
+              </div>
+
              <SettingsItem
                title="Authentication Mode"
                description={`Current mode: ${loaderData.authMode === "password" ? "Password protected" : "No password"}`}
--- a/web_tls.go
+++ b/web_tls.go
@ -1,10 +1,13 @@
 package kvm

 import (
+	"context"
 	"crypto/tls"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"net/http"
+	"sync"

 	"github.com/jetkvm/kvm/internal/websecure"
 )
@ -31,6 +34,10 @@ type TLSState struct {
 }

 func initCertStore() {
+	if certStore != nil {
+		logger.Warnf("TLS store already initialized, it should not be initialized again")
+		return
+	}
 	certStore = websecure.NewCertStore(tlsStorePath)
 	certStore.LoadCertificates()

@ -87,10 +94,18 @@ func getTLSState() TLSState {
 }

 func setTLSState(s TLSState) error {
+	var isChanged = false
+
 	switch s.Mode {
 	case "disabled":
+		if config.TLSMode != "" {
+			isChanged = true
+		}
 		config.TLSMode = ""
 	case "custom":
+		if config.TLSMode == "" {
+			isChanged = true
+		}
 		// parse pem to cert and key
 		err, _ := certStore.ValidateAndSaveCertificate(webSecureCustomCertificateName, s.Certificate, s.PrivateKey, true)
 		// warn doesn't matter as ... we don't know the hostname yet
@ -99,15 +114,47 @@ func setTLSState(s TLSState) error {
 		}
 		config.TLSMode = "custom"
 	case "self-signed":
+		if config.TLSMode == "" {
+			isChanged = true
+		}
 		config.TLSMode = "self-signed"
 	default:
 		return fmt.Errorf("invalid TLS mode: %s", s.Mode)
 	}
+
+	if !isChanged {
+		logger.Tracef("TLS enabled state is not changed, not starting/stopping websecure server")
 		return nil
 	}

+	if config.TLSMode == "" {
+		logger.Tracef("Stopping websecure server, as TLS mode is disabled")
+		stopWebSecureServer()
+	} else {
+		logger.Tracef("Starting websecure server, as TLS mode is enabled")
+		startWebSecureServer()
+	}
+
+	return nil
+}
+
+var (
+	startTLS       = make(chan struct{})
+	stopTLS        = make(chan struct{})
+	tlsServiceLock = sync.Mutex{}
+	tlsStarted     = false
+)
+
 // RunWebSecureServer runs a web server with TLS.
-func RunWebSecureServer() {
+func runWebSecureServer() {
+	tlsServiceLock.Lock()
+	defer tlsServiceLock.Unlock()
+
+	tlsStarted = true
+	defer func() {
+		tlsStarted = false
+	}()
+
 	r := setupRouter()

 	server := &http.Server{
@ -120,8 +167,42 @@ func RunWebSecureServer() {
 		},
 	}
 	logger.Infof("Starting websecure server on %s", webSecureListen)
+
+	go func() {
+		for _ = range stopTLS {
+			logger.Infof("Shutting down websecure server")
+			server.Shutdown(context.Background())
+		}
+	}()
+
 	err := server.ListenAndServeTLS("", "")
-	if err != nil {
+	if !errors.Is(err, http.ErrServerClosed) {
 		panic(err)
 	}
 }
+
+func stopWebSecureServer() {
+	if !tlsStarted {
+		logger.Warnf("Websecure server is not running, not stopping it")
+		return
+	}
+	stopTLS <- struct{}{}
+}
+
+func startWebSecureServer() {
+	if tlsStarted {
+		logger.Warnf("Websecure server is already running, not starting it again")
+		return
+	}
+	startTLS <- struct{}{}
+}
+
+func RunWebSecureServer() {
+	for _ = range startTLS {
+		logger.Tracef("Starting websecure server, as we have received a start signal")
+		if certStore == nil {
+			initCertStore()
+		}
+		go runWebSecureServer()
+	}
+}