Support custom SSL certificates and completely disabling cert validat…

…ion (#1882) * Use Node TLS options in workerd outboundService * Changesets * Pass cert content to workerd * Providing certs is already supported by Miniflare * Cleanup
Shopify · Mar 28, 2024 · 788d86b · 788d86b
1 parent a5511cd
commit 788d86b
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 0 deletions.
diff --git a/.changeset/old-hounds-live.md b/.changeset/old-hounds-live.md
@@ -0,0 +1,15 @@
+---
+'@shopify/cli-hydrogen': patch
+---
+
+Support Node's `NODE_TLS_REJECT_UNAUTHORIZED` and `NODE_EXTRA_CA_CERTS` [environment variables](https://nodejs.org/api/cli.html#environment-variables) in the worker environment.
+
+Use this at your own risk to disable certificate validation or provide additional CA certificates when making HTTPS requests from the worker:
+
+```sh
+# Disable certificate validation
+NODE_TLS_REJECT_UNAUTHORIZED=0 npm run dev
+
+# Provide additional CA certificates
+NODE_EXTRA_CA_CERTS=/usr/.../ca-certificates/my-file.crt npm run dev
+```
diff --git a/packages/cli/src/lib/mini-oxygen/workerd.ts b/packages/cli/src/lib/mini-oxygen/workerd.ts
@@ -136,6 +136,7 @@ export async function startWorkerdServer({
               transformLocation: () => absoluteBundlePath,
             }),
           },
+          ...conditionalUnsafeOutboundService(),
         },
       ],
     } satisfies MiniflareOptions);
@@ -315,3 +316,20 @@ async function logRequest(request: Request): Promise<Response> {
 
   return new Response('ok');
 }
+
+export function conditionalUnsafeOutboundService() {
+  if (process.env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
+    // Opt-out of TLS validation in the worker environment,
+    // and run network requests in Node environment.
+    // https://nodejs.org/api/cli.html#node_tls_reject_unauthorizedvalue
+    return {
+      async outboundService(request: Request) {
+        const response = await fetch(request.url, request);
+        // Remove brotli encoding:
+        // https://github.com/cloudflare/workers-sdk/issues/5345
+        response.headers.delete('Content-Encoding');
+        return response;
+      },
+    };
+  }
+}
diff --git a/packages/cli/src/lib/vite/mini-oxygen.ts b/packages/cli/src/lib/vite/mini-oxygen.ts
@@ -6,6 +6,7 @@ import {OXYGEN_HEADERS_MAP, logRequestLine} from '../mini-oxygen/common.js';
 import {
   PRIVATE_WORKERD_INSPECTOR_PORT,
   OXYGEN_WORKERD_COMPAT_PARAMS,
+  conditionalUnsafeOutboundService,
 } from '../mini-oxygen/workerd.js';
 import {findPort} from '../find-port.js';
 import {createInspectorConnector} from '../mini-oxygen/workerd-inspector.js';
@@ -88,6 +89,7 @@ export async function startMiniOxygenRuntime({
         wrappedBindings: {
           __VITE_SETUP_ENV: 'setup-environment',
         },
+        ...conditionalUnsafeOutboundService(),
       },
       {
         name: 'setup-environment',