feat: TLS support for Unix socket listeners

This change enables Miniflux to serve TLS over Unix domain sockets. If `CERT_FILE` and `KEY_FILE` are configured, Unix socket listeners specified via `LISTEN_ADDR` will now automatically start with TLS enabled, using the provided certificates. This uses the existing `http.Server.ServeTLS` method. If no certificates are provided, Unix socket listeners will continue to operate as plain, non-TLS sockets.
2025-06-27 16:36:00 +00:00 · 2025-06-24 16:15:36 +02:00 · 2025-06-24 16:15:36 +02:00 · f7a6b02b5f
commit f7a6b02b5f
parent 95eb6c1230
1 changed files with 22 additions and 3 deletions
--- a/internal/http/server/httpd.go
+++ b/internal/http/server/httpd.go
@ -139,14 +139,33 @@ func startUnixSocketServer(server *http.Server, socketFile string) {
 	}
 	go func() {
 		certFile := config.Opts.CertFile()
 		keyFile := config.Opts.CertKeyFile()
 		if certFile != "" && keyFile != "" {
 			slog.Info("Starting TLS server using a Unix socket",
 				slog.String("socket", socketFile),
 				slog.String("cert_file", certFile),
 				slog.String("key_file", keyFile),
 			)
 			// Ensure HTTPS is marked as true if any listener uses TLS
 			config.Opts.HTTPS = true
 			if err := server.ServeTLS(listener, certFile, keyFile); err != http.ErrServerClosed {
 				printErrorAndExit("TLS Unix socket server failed to start on %s: %v", socketFile, err)
 			}
 		} else {
 			slog.Info("Starting server using a Unix socket", slog.String("socket", socketFile))
 			if err := server.Serve(listener); err != http.ErrServerClosed {
 				printErrorAndExit("Unix socket server failed to start on %s: %v", socketFile, err)
 			}
 		}
 	}()
 }
 func startAutoCertTLSServer(server *http.Server, autoTLSConfig *tls.Config) {
 	if server.TLSConfig == nil {
 		server.TLSConfig = &tls.Config{}
 	}
 	server.TLSConfig.GetCertificate = autoTLSConfig.GetCertificate
 	server.TLSConfig.NextProtos = autoTLSConfig.NextProtos