add verify_upstream_tls support

Author: bobzilladev

.github/workflows/ci.yml

@@ -280,6 +280,9 @@ jobs:
         run: ls -R .
         shell: bash
       - name: Test bindings
+        run: docker run -e NGROK_AUTHTOKEN=${{ secrets.NGROK_AUTHTOKEN }} --mount type=bind,src=/etc/ssl,dst=/etc/ssl --rm -v $(pwd):/build -w /build node:${{ matrix.node }}-slim yarn test -m smoke
+      - name: Full Test Suite
+        if: matrix.node == '18'
         # run full suite of online tests
         run: docker run -e NGROK_AUTHTOKEN=${{ secrets.NGROK_AUTHTOKEN }} --mount type=bind,src=/etc/ssl,dst=/etc/ssl --rm -v $(pwd):/build -w /build node:${{ matrix.node }}-slim yarn test
   test-linux-x64-musl-binding:

Cargo.toml

@@ -7,7 +7,6 @@ version = "1.1.1"
 crate-type = ["cdylib"]
 
 [dependencies]
-async-rustls = { version = "0.3.0" }
 async-trait = "0.1.59"
 bytes = "1.3.0"
 futures = "0.3.26"
@@ -18,10 +17,11 @@ mio = { version = "=0.8.6" }
 # Default enable napi4 feature, see https://nodejs.org/api/n-api.html#node-api-version-matrix
 napi = { version = "2.12.1", default-features = false, features = ["napi4", "tokio_rt"] }
 napi-derive = "2.12.1"
-ngrok = { version = "0.14.0-pre.11" }
+ngrok = { version = "0.14.0-pre.12" }
 parking_lot = "0.12.1"
 regex = "1.9.5"
-rustls-pemfile = "1.0.1"
+rustls = "0.22.2"
+rustls-pemfile = "2.0.0"
 tokio = { version = "1.23.0", features = ["sync"] }
 tracing = "0.1.37"
 tracing-subscriber = { version = "0.3.16", features = ["env-filter"] }

__test__/connect.spec.mjs

@@ -99,6 +99,27 @@ test("forward http2", async (t) => {
   t.assert(res.data.includes(expected));
 });
 
+test("forward http2 no cert validation", async (t) => {
+  const httpServer = await makeHttp({useHttp2: true});
+  const listener = await ngrok.forward({
+    // numeric port
+    addr: parseInt(httpServer.listenTo.split(":")[1], 10),
+    // authtoken from env
+    authtoken: process.env["NGROK_AUTHTOKEN"],
+    // The L7 app_protocol
+    app_protocol: "http2",
+    // No upstream cert validation
+    verify_upstream_tls: false,
+  });
+
+  const url = listener.url();
+  t.truthy(url.startsWith("https://"), url);
+  const res = await validateShutdown(t, httpServer, url);
+
+  t.assert(res.status === 200);
+  t.assert(res.data.includes(expected));
+});
+
 test("connect number", async (t) => {
   const httpServer = await makeHttp();
   ngrok.authtoken(process.env["NGROK_AUTHTOKEN"]);

__test__/online.spec.mjs

@@ -141,6 +141,22 @@ test("tls backend", async (t) => {
   await listener.close();
 });
 
+test("unverified tls backend", async (t) => {
+  const session = await makeSession();
+  const listener = await session.httpEndpoint().verifyUpstreamTls(false)
+    .listenAndForward("https://dashboard.ngrok.com");
+
+  const error = await t.throwsAsync(
+    async () => {
+      await axios.get(listener.url());
+    },
+    { instanceOf: AxiosError }
+  );
+  t.is(421, error.response.status);
+  t.truthy(error.response.headers["ngrok-trace-id"]);
+  await listener.close();
+});
+
 test("http headers", async (t) => {
   const httpServer = http.createServer(function (req, res) {
     const { headers } = req;

index.d.ts

@@ -269,6 +269,9 @@ pub struct Config {
     /// Unused, will warn and be ignored
     #[napi(js_name = "terminate_at")]
     pub terminate_at: Option<String>,
+    /// Whether to disable certificate verification for this listener
+    #[napi(js_name = "verify_upstream_tls")]
+    pub verify_upstream_tls: Option<bool>,
     /// WebhookVerification configuration, the provider to use.
     /// See [Webhook Verification] in the ngrok docs for additional details.
     ///

src/config.rs

@@ -92,6 +92,7 @@ macro_rules! config_common {
         plumb_vec!($builder, $config, deny_cidr);
         plumb!($builder, $config, proxy_proto);
         plumb!($builder, $config, forwards_to);
+        plumb!($builder, $config, verify_upstream_tls);
 
         // returns a Result, so we can't use the macro
         if let Some(ref v) = $config.policy {
@@ -283,6 +284,7 @@ async fn labeled_listener(session: &Session, cfg: &Config) -> Result<String> {
     let mut bld = session.labeled_listener();
     plumb!(bld, cfg, metadata);
     plumb!(bld, cfg, app_protocol);
+    plumb!(bld, cfg, verify_upstream_tls);
     plumb_vec!(bld, cfg, label, labels, ":");
     Ok(bld.listen(None).await?.id())
 }

src/connect.rs

@@ -60,6 +60,14 @@ macro_rules! make_listener_builder {
                 self
             }
 
+            /// Whether to disable certificate verification for this listener.
+            #[napi]
+            pub fn verify_upstream_tls(&mut self, verify_upstream_tls: bool) -> &Self {
+                let mut builder = self.listener_builder.lock();
+                builder.verify_upstream_tls(verify_upstream_tls);
+                self
+            }
+
             /// Begin listening for new connections on this listener.
             #[napi]
             pub async fn listen(&self, _bind: Option<bool>) -> Result<Listener> {

src/listener_builder.rs

@@ -4,7 +4,6 @@ use std::{
     time::Duration,
 };
 
-use async_rustls::rustls::ClientConfig;
 use bytes::Bytes;
 use lazy_static::lazy_static;
 use napi::{
@@ -28,6 +27,7 @@ use ngrok::{
     Session as NgrokSession,
 };
 use parking_lot::Mutex as SyncMutex;
+use rustls::ClientConfig;
 use tokio::sync::Mutex;
 use tracing::{
     debug,