mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-07-09 17:19:02 +00:00
* feat(serve): support HTTPS/TLS via --tls-cert and --tls-key Serve `qwen serve` over HTTPS when both `--tls-cert` and `--tls-key` point at PEM files, instead of plain HTTP. The motivation is mobile / cross-device access: a LAN IP (`192.168.x.x`) is not a browser secure context over `http://`, so `getUserMedia` (voice input), WebRTC, and other secure-context-only APIs are blocked on phones/tablets. Bringing your own cert (e.g. via mkcert) unlocks them. Implementation wraps the existing Express app in `https.createServer` when TLS is configured; `https.Server extends http.Server`, so the connection cap, address lookup, ACP attach, and graceful-close paths are unchanged. The plain-HTTP path stays bit-for-bit identical when no certs are given. The startup banner and loopback same-origin set now reflect the active scheme. Scope is TLS termination only — no auto-generation, no ACME. TLS is orthogonal to the bearer-token gate: non-loopback binds still require a token. Boot fails loudly if only one of the two flags is given, or if a cert/key file can't be read, rather than silently downgrading to HTTP. Closes #6001 Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> * fix(serve): add HTTPS loopback origins to self-origin and ACP checks * fix(serve): accept port-less Origin header on default ports 80/443 Per RFC 7230 §5.4, browsers omit the port in the Origin header when it matches the scheme default (http→80, https→443). The origin checks in self-origin.ts and acp-http/index.ts always included the port suffix, so a browser on port 443 sending 'Origin: https://localhost' (no :443) would fail the loopback origin match. Add port-less origin entries when the server listens on port 80 or 443, mirroring the pattern already used in auth.ts hostAllowlist. * fix(serve): add port-less origins to installSameOriginOriginStrip for RFC 7230 compliance * fix(serve): validate TLS cert expiry and parse errors at boot https.createServer starts cleanly with an expired certificate, then every client handshake is rejected (NET::ERR_CERT_DATE_INVALID) while /health stays green — a silent outage that's hard to diagnose. Parse the cert with X509Certificate at boot and fail loud with an actionable message when it's expired or unparseable. Also wrap createServer so a cert/key mismatch surfaces a framed error instead of a raw OpenSSL string. Add tests for the expired-cert guard and the previously-uncovered --tls-key read error path. Co-Authored-By: Qwen-Coder <noreply@qwen.ai> * fix(serve): close TLS validation gaps from review - Reject not-yet-valid certs (notBefore > now) at boot, symmetric to the existing expiry guard — same silent NET::ERR_CERT_DATE_INVALID outage. - Add port-less host entries (default 80/443) to the WS upgrade Host allowlist, mirroring the REST allowlist (auth.ts) and the Origin checks; without it every WS upgrade is 403'd when TLS runs on port 443. - Cover the previously-untested X509 parse-error and cert/key-mismatch boot branches. - Docs: include localhost/127.0.0.1 in the mkcert TLS example so the URL --open rewrites to (127.0.0.1) isn't rejected with CN mismatch. Co-Authored-By: Qwen-Coder <noreply@qwen.ai> --------- Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com> Co-authored-by: Qwen-Coder <noreply@qwen.ai> Co-authored-by: qwen-code-dev-bot <qwen-code-dev-bot@users.noreply.github.com> |
||
|---|---|---|
| .. | ||
| design | ||
| developers | ||
| e2e-tests | ||
| plans | ||
| superpowers | ||
| users | ||
| verification/abort-controller-refactor | ||
| _meta.ts | ||
| declarative-agents-port.md | ||
| index.md | ||
| yaml-parser-replacement.md | ||