🎨 Support HTTPS network serving (#16930)

* Add use TLS for network serving configuration option * kernel: Implement TLS certificate generation * kernel: server: Use https for fixed port proxy when needed * Allow exporting the CA Certificate file * Implement import and export of CA Certs * kernel: fixedport: Use the same port for HTTP and HTTPS
2026-02-08 08:14:21 +01:00 · 2026-01-29 02:41:39 +01:00 · 2026-01-29 02:41:39 +01:00 · cff12611c0
commit cff12611c0
parent d23d9d61ca
13 changed files with 805 additions and 11 deletions
--- a/kernel/server/proxy/fixedport.go
+++ b/kernel/server/proxy/fixedport.go
@ -17,25 +17,80 @@
 package proxy

 import (
+	"crypto/tls"
+	"net"
 	"net/http"
 	"net/http/httputil"

 	"github.com/siyuan-note/logging"
 	"github.com/siyuan-note/siyuan/kernel/util"
+	"github.com/soheilhy/cmux"
 )

-func InitFixedPortService(host string) {
+func InitFixedPortService(host string, useTLS bool, certPath, keyPath string) {
 	if util.FixedPort != util.ServerPort {
 		if util.IsPortOpen(util.FixedPort) {
 			return
 		}

+		addr := host + ":" + util.FixedPort
+
 		// 启动一个固定 6806 端口的反向代理服务器，这样浏览器扩展才能直接使用 127.0.0.1:6806，不用配置端口
 		proxy := httputil.NewSingleHostReverseProxy(util.ServerURL)
-		logging.LogInfof("fixed port service [%s:%s] is running", host, util.FixedPort)
-		if proxyErr := http.ListenAndServe(host+":"+util.FixedPort, proxy); nil != proxyErr {
-			logging.LogWarnf("boot fixed port service [%s] failed: %s", util.ServerURL, proxyErr)
+
+		if useTLS {
+			proxy.Transport = &http.Transport{
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			}
+
+			logging.LogInfof("fixed port service [%s] is running (HTTP/HTTPS dual mode)", addr)
+
+			ln, err := net.Listen("tcp", addr)
+			if err != nil {
+				logging.LogWarnf("boot fixed port service [%s] failed: %s", addr, err)
+				return
+			}
+
+			m := cmux.New(ln)
+
+			// Match TLS connections (first byte 0x16 indicates TLS handshake)
+			tlsL := m.Match(cmux.TLS())
+			// Match HTTP (anything else)
+			httpL := m.Match(cmux.Any())
+
+			cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+			if err != nil {
+				logging.LogWarnf("failed to load TLS cert for fixed port service: %s", err)
+				ln.Close()
+				return
+			}
+			tlsConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
+
+			tlsListener := tls.NewListener(tlsL, tlsConfig)
+
+			go func() {
+				httpServer := &http.Server{Handler: proxy}
+				if err := httpServer.Serve(httpL); err != nil && err != cmux.ErrListenerClosed {
+					logging.LogWarnf("fixed port HTTP server error: %s", err)
+				}
+			}()
+
+			go func() {
+				httpsServer := &http.Server{Handler: proxy}
+				if err := httpsServer.Serve(tlsListener); err != nil && err != cmux.ErrListenerClosed {
+					logging.LogWarnf("fixed port HTTPS server error: %s", err)
+				}
+			}()
+
+			if err := m.Serve(); err != nil && err != cmux.ErrListenerClosed {
+				logging.LogWarnf("fixed port cmux serve error: %s", err)
+			}
+		} else {
+			logging.LogInfof("fixed port service [%s] is running", addr)
+			if proxyErr := http.ListenAndServe(addr, proxy); nil != proxyErr {
+				logging.LogWarnf("boot fixed port service [%s] failed: %s", util.ServerURL, proxyErr)
+			}
 		}
-		logging.LogInfof("fixed port service [%s:%s] is stopped", host, util.FixedPort)
+		logging.LogInfof("fixed port service [%s] is stopped", addr)
 	}
 }