From bc005ff69813786ac4d19f11fb5c23fcdf89adc3 Mon Sep 17 00:00:00 2001
From: virtualzone
Date: Tue, 18 Jun 2024 22:13:47 +0200
Subject: [PATCH 1/3] Added ability to disable mTLS

---
 cmd/main.go | 3 +++
 config/config.go | 10 +++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/main.go b/cmd/main.go
index e465daa..485db4c 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -71,5 +71,8 @@ func startServer(config *config.Config, airbrakeNotifier *gobrake.Notifier, logg
 if server.TLSConfig, err = config.ExtractServiceTLSConfig(logger); err != nil {
 return err
 }
+ if config.DisableTLS {
+ return server.ListenAndServe()
+ }
 return server.ListenAndServeTLS(config.TLS.ServerCert, config.TLS.ServerKey)
 }
diff --git a/config/config.go b/config/config.go
index 473c5b5..a804057 100644
--- a/config/config.go
+++ b/config/config.go
@@ -47,6 +47,10 @@ type Config struct {
 // TLS contains certificates & CA info for the webserver
 TLS *TLS `json:"tls,omitempty"`
+ // DisableTLS disables mTLS
+ // Only set to true if there's a reverse proxy in front taking care of mTLS handling
+ DisableTLS bool `json:"disable_tls,omitempty"`
+
 // UseDefaultEngCA overrides default CA to eng
 UseDefaultEngCA bool `json:"use_default_eng_ca"`
@@ -183,10 +187,14 @@ func (c *Config) AirbrakeTlsConfig() (*tls.Config, error) {
 // ExtractServiceTLSConfig return the TLS config needed for stating the mTLS Server
 func (c *Config) ExtractServiceTLSConfig(logger *logrus.Logger) (*tls.Config, error) {
- if c.TLS == nil {
+ if c.TLS == nil && !c.DisableTLS {
 return nil, errors.New("tls config is empty - telemetry server is mTLS only, make sure to provide certificates in the config")
 }
+ if c.DisableTLS {
+ return nil, nil
+ }
+
 var caFileBytes []byte
 var caEnv string
 if c.UseDefaultEngCA {
From be1430b84709673ce9d82bbaa79810d858c614c6 Mon Sep 17 00:00:00 2001
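Review bot: The plaintext branch added in front of `ListenAndServeTLS` gives no runtime signal that client-certificate authentication is off, so an instance started with `disable_tls` but without the proxy the config comment assumes comes up silently as an unauthenticated HTTP listener; emit a warning before the early return, e.g. `logger.Warn("disable_tls is set: serving plaintext HTTP, client authentication must be enforced by the proxy in front")`. On a plaintext connection `r.TLS` is nil in every handler, so if any handler elsewhere in the repository reads the peer certificate (nothing in this hunk shows whether one does), that path needs the same DisableTLS awareness or it will dereference nil. `startServer` begins before the hunk.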
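Review bot: The new field comment `// DisableTLS disables mTLS` understates the effect: with the flag set, `startServer` in cmd/main.go calls `ListenAndServe`, so the listener is plain HTTP with no TLS at all, not merely without the client-certificate check. Suggest `// DisableTLS makes the server listen on plain HTTP (no TLS, hence no mTLS client authentication).` followed by the existing proxy caveat, and add that the proxy must both authenticate clients and be the only route to this listener. The `Config` struct continues outside the hunk.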
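Review bot: When `DisableTLS` is true and `c.TLS` is also populated, the certificates are silently ignored and nothing tells the operator that two contradictory settings were loaded; check the flag first and surface the conflict, `if c.DisableTLS {` / `if c.TLS != nil { logger.Warn("disable_tls is set; tls config is ignored") }` / `return nil, nil }`, after which the original `if c.TLS == nil {` guard can stay unchanged. The doc comment still says the function returns the mTLS config; add a sentence that a nil `*tls.Config` with a nil error means TLS was disabled by configuration, since `startServer` assigns that nil straight into `server.TLSConfig`. The body of `ExtractServiceTLSConfig` continues past the hunk.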
From: virtualzone
Date: Tue, 18 Jun 2024 22:30:30 +0200
Subject: [PATCH 2/3] Doc improvements

---
 README.md | 1 +
 examples/server_config_disable_mtls.json | 30 ++++++++++++++++++++++++
 server/streaming/server.go | 10 +++++---
 3 files changed, 38 insertions(+), 3 deletions(-)
 create mode 100644 examples/server_config_disable_mtls.json

diff --git a/README.md b/README.md
index 6f0ea2c..d506a8d 100644
--- a/README.md
+++ b/README.md
@@ -272,3 +272,4 @@ Moreover, the following application-specific considerations apply: the frequency they need. * Providers agree to take full responsibility for privacy risks, as soon as data leave the devices (for more info read our privacy policies).
+* If (and only if!) your're running your Fleet Telemetry instance behind a reverse proxy which takes care of mTLS handling, set ```"disable_tls"``` to ```true``` in the config.
diff --git a/examples/server_config_disable_mtls.json b/examples/server_config_disable_mtls.json
new file mode 100644
index 0000000..a942d1e
--- /dev/null
+++ b/examples/server_config_disable_mtls.json
@@ -0,0 +1,30 @@
+{
+ "host": "0.0.0.0",
+ "port": 80,
+ "log_level": "info",
+ "json_log_enable": true,
+ "namespace": "tesla_telemetry",
+ "reliable_ack": false,
+ "monitoring": {
+ "prometheus_metrics_port": 9090,
+ "profiler_port": 4269,
+ "profiling_path": "/tmp/trace.out"
+ },
+ "rate_limit": {
+ "enabled": true,
+ "message_interval_time": 30,
+ "message_limit": 1000
+ },
+ "records": {
+ "alerts": [
+ "logger"
+ ],
+ "errors": [
+ "logger"
+ ],
+ "V": [
+ "logger"
+ ]
+ },
+ "disable_tls": true
+}
diff --git a/server/streaming/server.go b/server/streaming/server.go
index d4cad62..0a6a9db 100644
--- a/server/streaming/server.go
+++ b/server/streaming/server.go
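Review bot: The example pairs `"disable_tls": true` with `"host": "0.0.0.0"` and `"port": 80`, which is a plaintext listener on every interface; anyone who copies it without the proxy the README entry describes gets an endpoint with no client authentication at all. JSON cannot carry a comment, so the precondition has to live elsewhere: if the proxy is expected on the same host, `"host": "127.0.0.1"` keeps the plaintext listener off the network, and otherwise the README entry that points at this example should say the port must be reachable only from the proxy. I cannot tell from this hunk whether anything in the documentation references the examples directory.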
@@ -72,7 +72,7 @@ func InitServer(c *config.Config, airbrakeHandler *airbrake.AirbrakeHandler, pro
 mux := http.NewServeMux()
 mux.HandleFunc("/", socketServer.ServeBinaryWs(c))
- mux.Handle("/status", socketServer.airbrakeHandler.WithReporting(http.HandlerFunc(socketServer.Status())))
+ mux.Handle("/status", socketServer.airbrakeHandler.WithReporting(http.HandlerFunc(socketServer.Status(c))))
 server := &http.Server{Addr: fmt.Sprintf("%v:%v", c.Host, c.Port), Handler: serveHTTPWithLogs(mux, logger)}
 go socketServer.handleAcks()
@@ -111,9 +111,13 @@ func serveHTTPWithLogs(h http.Handler, logger *logrus.Logger) http.Handler {
 }
 // Status API shows server with mtls config is up
-func (s *Server) Status() func(w http.ResponseWriter, r *http.Request) {
+func (s *Server) Status(config *config.Config) func(w http.ResponseWriter, r *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
- fmt.Fprint(w, "mtls ok")
+ if config.DisableTLS {
+ fmt.Fprint(w, "mtls disabled")
+ } else {
+ fmt.Fprint(w, "mtls ok")
+ }
 }
 }
From dd86750c14d680ec8d614c3cf3489147e704fe14 Mon Sep 17 00:00:00 2001
From: virtualzone
Date: Wed, 19 Jun 2024 06:08:37 +0200
Subject: [PATCH 3/3] Test cases

---
 README.md | 2 +-
 config/config_test.go | 13 +++++++++++++
 server/streaming/server.go | 2 +-
 3 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index d506a8d..ba320b9 100644
--- a/README.md
+++ b/README.md
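Review bot: The comment `// Status API shows server with mtls config is up`, kept as context directly above the rewritten `Status`, no longer describes the handler now that it also answers in the no-TLS mode, and it is still stale after the patch 3 hunk in the same file that rewords the response to `"ok"`. Replace it with a sentence saying that the endpoint reports liveness and that the body states whether the server terminates mTLS itself or relies on the proxy configured via disable_tls. As a point of style, the parameter is named `config`, which shadows the imported `config` package inside the body, while `InitServer` in the same file already uses `c *config.Config`; using `c` here keeps the file consistent.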
@@ -272,4 +272,4 @@ Moreover, the following application-specific considerations apply: the frequency they need. * Providers agree to take full responsibility for privacy risks, as soon as data leave the devices (for more info read our privacy policies).
-* If (and only if!) your're running your Fleet Telemetry instance behind a reverse proxy which takes care of mTLS handling, set ```"disable_tls"``` to ```true``` in the config.
+* If (and only if!) your're running your Fleet Telemetry instance behind a trusted proxy which takes care of mTLS handling, set ```"disable_tls"``` to ```true``` in the config.
diff --git a/config/config_test.go b/config/config_test.go
index e2cc34b..fe6f677 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -68,6 +68,13 @@ var _ = Describe("Test full application config", func() {
 Expect(err).To(MatchError("tls config is empty - telemetry server is mTLS only, make sure to provide certificates in the config"))
 })
+ It("does not fail when TLS is nil but DisableTLS is true ", func() {
+ config = &Config{}
+ config.DisableTLS = true
+ _, err := config.ExtractServiceTLSConfig(log)
+ Expect(err).To(BeNil())
+ })
+
 It("fails when files are missing", func() {
 _, err := config.ExtractServiceTLSConfig(log)
 Expect(err).To(MatchError("open tesla.ca: no such file or directory"))
@@ -115,6 +122,12 @@ var _ = Describe("Test full application config", func() {
 Expect(config.StatusPort).To(BeEquivalentTo(8080))
 })
+ It("not disable TLS", func() {
+ config, err := loadTestApplicationConfig(TestSmallConfig)
+ Expect(err).NotTo(HaveOccurred())
+ Expect(config.DisableTLS).To(BeFalse())
+ })
+
 It("transmitrecords disabled by default", func() {
 config, err := loadTestApplicationConfig(TestSmallConfig)
 Expect(err).NotTo(HaveOccurred())
diff --git a/server/streaming/server.go b/server/streaming/server.go
index 0a6a9db..89ebea3 100644
--- a/server/streaming/server.go
+++ b/server/streaming/server.go
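Review bot: The `does not fail when TLS is nil but DisableTLS is true ` case only checks the error, while the contract of the new branch in `ExtractServiceTLSConfig` is a nil `*tls.Config`; capture and pin the first return as well, `cfg, err := config.ExtractServiceTLSConfig(log)` and `Expect(cfg).To(BeNil())`. The case description has a trailing space inside the quotes, and `not disable TLS` in the second hunk reads better as `does not disable TLS by default`. Neither hunk covers `DisableTLS` true together with a populated `TLS` section, which is the combination most likely to be an operator mistake; a case that loads such a config and asserts the observed outcome would document the intended precedence. Both `It` blocks sit inside the `Describe` closure that starts before the hunk.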
@@ -114,7 +114,7 @@ func serveHTTPWithLogs(h http.Handler, logger *logrus.Logger) http.Handler {
 func (s *Server) Status(config *config.Config) func(w http.ResponseWriter, r *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
 if config.DisableTLS {
- fmt.Fprint(w, "mtls disabled")
+ fmt.Fprint(w, "ok")
 } else {
 fmt.Fprint(w, "mtls ok")
 }
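Review bot: The `if`/`else` around two `fmt.Fprint` calls writes the same response in two places and will drift the next time the body text changes, as it already did between patch 2 and this one; a single write is clearer, `msg := "mtls ok"` / `if config.DisableTLS { msg = "ok" }` / `fmt.Fprint(w, msg)`. The closing braces of the inner handler and of `Status` lie past the hunk, and `Status` is only wired up through the `/status` route added in `InitServer` earlier in this series.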