feat(web): new env var VERIFY_TLS (default: 1)

Fixes Rongronggg9#498 Signed-off-by: Rongrong <i@rong.moe>
xlmm · Aug 5, 2024 · 8eaf7e3 · 8eaf7e3
1 parent 88fdb2c
commit 8eaf7e3
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 6 deletions.
diff --git a/.env.sample b/.env.sample
@@ -27,6 +27,7 @@ TELEGRAPH_TOKEN="
 #IMAGES_WESERV_NL=https://t0.nl/  # default: https://wsrv.nl/
 #USER_AGENT=Mozilla/5.0 (Android 12; Mobile; rv:68.0) Gecko/68.0 Firefox/96.0  # default: RSStT/2.x RSS Reader
 #IPV6_PRIOR=1  # default: 0
+#VERIFY_TLS=0  # default: 1
 #T_PROXY=socks5://172.17.0.1:1080  # Proxy used to connect to the Telegram API
 #R_PROXY=socks5://172.17.0.1:1080  # Proxy used to fetch feeds
 #PROXY_BYPASS_PRIVATE=1  # default: 0

diff --git a/docker-compose.yml.sample b/docker-compose.yml.sample
@@ -37,6 +37,7 @@ services:
       #- IMAGES_WESERV_NL=https://t0.nl/  # default: https://wsrv.nl/
       #- USER_AGENT=Mozilla/5.0 (Android 12; Mobile; rv:68.0) Gecko/68.0 Firefox/96.0  # default: RSStT/2.x RSS Reader
       #- IPV6_PRIOR=1  # default: 0
+      #- VERIFY_TLS=0  # default: 1
       #- T_PROXY=socks5://172.17.0.1:1080  # Proxy used to connect to the Telegram API
       #- R_PROXY=socks5://172.17.0.1:1080  # Proxy used to fetch feeds
       #- PROXY_BYPASS_PRIVATE=1  # default: 0

diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
@@ -2,6 +2,10 @@
 
 ## Unreleased
 
+### Addition
+
+- **Disable TLS certificate verification**: The environment variable `VERIFY_TLS` has been added to disable (when set to `0`) or enable (when set to `1`, default) TLS certificate verification. This is useful when subscribing to feeds with their TLS misconfigured. Note: Disabling TLS certificate verification is not recommended and should only be used as a last resort.
+
 ### Enhancements
 
 - **Sanitize post title and author**: The title and author of a post (RSS item or Atom entry) are now sanitized to prevent unexpected formatting issues. In particular, unexpected whitespaces and linebreaks are removed, and any HTML elements are stripped. This helps display them correctly in Telegram messages as well as Telegraph posts.

diff --git a/docs/CHANGELOG.zh.md b/docs/CHANGELOG.zh.md
@@ -2,6 +2,10 @@
 
 ## 未发布
 
+### 新增功能
+
+- **关闭 TLS 证书验证**: 环境变量 `VERIFY_TLS` 已被添加以禁用 (设置为 `0` 时) 或启用 (设置为 `1` 时，默认) TLS 证书验证。当订阅 TLS 被错误配置的 feed 时，这很有用。注意：不建议禁用 TLS 证书验证，只应用作最后手段。
+
 ### 增强
 
 - **净化文章标题和作者**: 文章 (RSS item 或 Atom entry) 的标题和作者现在被净化以防止意外的格式问题。特别是，预期外的空格和换行符被移除，任何 HTML 元素都被剥离。这有助于在 Telegram 消息以及 Telegraph 文章中正确显示它们。

diff --git a/docs/advanced-settings.md b/docs/advanced-settings.md
@@ -35,6 +35,7 @@
 | `PROXY_BYPASS_DOMAINS`      | Bypass proxy for listed domains                       | `example.com;example.net` [^1] |                             |
 | `USER_AGENT`                | User-Agent                                            | `Mozilla/5.0`                  | `RSStT/$VERSION RSS Reader` |
 | `IPV6_PRIOR`                | Enforce fetching feeds over IPv6 firstly or not? [^4] | `1`                            | `0`                         |
+| `VERIFY_TLS`                | Verify TLS certificate or not?                        | `0`                            | `1`                         |
 | `TRAFFIC_SAVING`            | Enable network traffic saving mode or not? [^5]       | `1`                            | `0`                         |
 | `LAZY_MEDIA_VALIDATION`     | Let Telegram DC to validate media or not? [^6]        | `1`                            | `0`                         |
 | `HTTP_TIMEOUT`              | HTTP request timeout in seconds                       | `60`                           | `12`                        |

diff --git a/src/compat.py b/src/compat.py
@@ -80,9 +80,6 @@ async def __aexit__(self, exc_type, exc_value, traceback):
             self.transport.abort()
 
 
-# Reuse SSLContext as aiohttp does:
-# https://github.com/aio-libs/aiohttp/blob/b51610b93b2ae15c4062e3a1680a536ba5f4c5c4/aiohttp/connector.py#L906
-@functools.lru_cache(None)
 def ssl_create_default_context():
     """
     Python 3.10+ disabled some legacy cipher, while some websites still use them.

diff --git a/src/env.py b/src/env.py
@@ -292,6 +292,7 @@ def __get_version():
 PROXY_BYPASS_DOMAINS: Final = __list_parser(os.environ.get('PROXY_BYPASS_DOMAINS'))
 USER_AGENT: Final = os.environ.get('USER_AGENT') or f'RSStT/{__version__} RSS Reader'
 IPV6_PRIOR: Final = __bool_parser(os.environ.get('IPV6_PRIOR'))
+VERIFY_TLS: Final = __bool_parser(os.environ.get('VERIFY_TLS'), default_value=True)
 
 HTTP_TIMEOUT: Final = int(os.environ.get('HTTP_TIMEOUT') or 12)
 HTTP_CONCURRENCY: Final = int(os.environ.get('HTTP_CONCURRENCY') or 1024)

diff --git a/src/web/req.py b/src/web/req.py
@@ -40,6 +40,10 @@
 from ..errors_collection import RetryInIpv4
 from .utils import YummyCookieJar, WebResponse, proxy_filter, logger, sentinel
 
+# Reuse SSLContext as aiohttp does:
+# https://github.com/aio-libs/aiohttp/blob/f1e4213fb06634584f8d7a1eb90f5397736a18cc/aiohttp/connector.py#L959
+__SSL_CONTEXT: Final = ssl_create_default_context() if env.VERIFY_TLS else False
+
 DEFAULT_READ_BUFFER_SIZE: Final = 2 ** 16
 
 PROXY: Final = env.R_PROXY.replace('socks5h', 'socks5').replace('sock4a', 'socks4') if env.R_PROXY else None
@@ -209,11 +213,10 @@ async def _fetch():
 
         if retry_in_v4_flag or tries > MAX_TRIES:
             socket_family = AF_INET
-        ssl_context = ssl_create_default_context()
         proxy_connector = (
-            ProxyConnector.from_url(PROXY, family=socket_family, ssl=ssl_context)
+            ProxyConnector.from_url(PROXY, family=socket_family, ssl=__SSL_CONTEXT)
             if (PROXY and proxy_filter(host, parse=False))
-            else aiohttp.TCPConnector(family=socket_family, ssl=ssl_context)
+            else aiohttp.TCPConnector(family=socket_family, ssl=__SSL_CONTEXT)
         )
 
         try: