qwen-code/docs
pomelo bb7b4d8d57
feat(serve): support HTTPS/TLS via --tls-cert and --tls-key flags (#6032)
* feat(serve): support HTTPS/TLS via --tls-cert and --tls-key

Serve `qwen serve` over HTTPS when both `--tls-cert` and `--tls-key`
point at PEM files, instead of plain HTTP. The motivation is mobile /
cross-device access: a LAN IP (`192.168.x.x`) is not a browser secure
context over `http://`, so `getUserMedia` (voice input), WebRTC, and
other secure-context-only APIs are blocked on phones/tablets. Bringing
your own cert (e.g. via mkcert) unlocks them.

Implementation wraps the existing Express app in `https.createServer`
when TLS is configured; `https.Server extends http.Server`, so the
connection cap, address lookup, ACP attach, and graceful-close paths are
unchanged. The plain-HTTP path stays bit-for-bit identical when no certs
are given. The startup banner and loopback same-origin set now reflect
the active scheme.

Scope is TLS termination only — no auto-generation, no ACME. TLS is
orthogonal to the bearer-token gate: non-loopback binds still require a
token. Boot fails loudly if only one of the two flags is given, or if a
cert/key file can't be read, rather than silently downgrading to HTTP.

Closes #6001

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

* fix(serve): add HTTPS loopback origins to self-origin and ACP checks

* fix(serve): accept port-less Origin header on default ports 80/443

Per RFC 7230 §5.4, browsers omit the port in the Origin header when it
matches the scheme default (http→80, https→443). The origin checks in
self-origin.ts and acp-http/index.ts always included the port suffix,
so a browser on port 443 sending 'Origin: https://localhost' (no :443)
would fail the loopback origin match.

Add port-less origin entries when the server listens on port 80 or 443,
mirroring the pattern already used in auth.ts hostAllowlist.

* fix(serve): add port-less origins to installSameOriginOriginStrip for RFC 7230 compliance

* fix(serve): validate TLS cert expiry and parse errors at boot

https.createServer starts cleanly with an expired certificate, then every
client handshake is rejected (NET::ERR_CERT_DATE_INVALID) while /health stays
green — a silent outage that's hard to diagnose. Parse the cert with
X509Certificate at boot and fail loud with an actionable message when it's
expired or unparseable. Also wrap createServer so a cert/key mismatch surfaces
a framed error instead of a raw OpenSSL string.

Add tests for the expired-cert guard and the previously-uncovered --tls-key
read error path.

Co-Authored-By: Qwen-Coder <noreply@qwen.ai>

* fix(serve): close TLS validation gaps from review

- Reject not-yet-valid certs (notBefore > now) at boot, symmetric to the
  existing expiry guard — same silent NET::ERR_CERT_DATE_INVALID outage.
- Add port-less host entries (default 80/443) to the WS upgrade Host
  allowlist, mirroring the REST allowlist (auth.ts) and the Origin checks;
  without it every WS upgrade is 403'd when TLS runs on port 443.
- Cover the previously-untested X509 parse-error and cert/key-mismatch
  boot branches.
- Docs: include localhost/127.0.0.1 in the mkcert TLS example so the URL
  --open rewrites to (127.0.0.1) isn't rejected with CN mismatch.

Co-Authored-By: Qwen-Coder <noreply@qwen.ai>

---------

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
Co-authored-by: Qwen-Coder <noreply@qwen.ai>
Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com>
2026-07-01 19:33:50 +00:00
..
design feat(daemon,sdk): resumable /acp session stream (Last-Event-ID) + opt-in SDK transports export (#5852) 2026-06-30 02:07:48 +00:00
developers feat(cli): Harden daemon-managed channel worker (#6098) 2026-07-01 13:26:38 +00:00
e2e-tests feat(worktree): Phase D — startup --worktree flag + symlinkDirectories + PR refs (#4381) 2026-05-27 17:04:51 +08:00
plans feat(core)!: redesign auto-compaction thresholds with three-tier ladder (#4345) 2026-05-25 21:11:08 +08:00
superpowers feat(channel): add channel loop support (#6073) 2026-07-01 05:07:21 +00:00
users feat(serve): support HTTPS/TLS via --tls-cert and --tls-key flags (#6032) 2026-07-01 19:33:50 +00:00
verification/abort-controller-refactor fix(core): stop AbortSignal listener leak in long sessions (MaxListenersExceededWarning) (#4366) 2026-05-26 14:21:49 +08:00
_meta.ts feat: refactor docs 2025-12-05 10:51:57 +08:00
declarative-agents-port.md feat(core): port declarative-agent mcpServers + hooks (CC 2.1.168 parity follow-up) (#4996) 2026-06-12 14:15:51 +08:00
index.md fix: lint issues 2025-12-19 15:52:11 +08:00
yaml-parser-replacement.md feat(core): port declarative-agent mcpServers + hooks (CC 2.1.168 parity follow-up) (#4996) 2026-06-12 14:15:51 +08:00