Fix DNS resolution with host aliases + Fix TLS Verifiy on default transport (#92)

* Fix DNS resolution with host aliases * Disable TLS on the default transport if required

Author: gaelgatelement

Dockerfile

@@ -13,11 +13,15 @@ COPY *.go ./
 
 ARG TARGETOS TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o lk-jwt-service
+# set up nsswitch.conf for Go's "netgo" implementation
+# - https://github.com/golang/go/blob/go1.24.0/src/net/conf.go#L343
+RUN echo 'hosts: files dns' > /etc/nsswitch.conf
 
 FROM scratch
 
 COPY --from=builder /proj/lk-jwt-service /lk-jwt-service
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /etc/nsswitch.conf /etc/nsswitch.conf
 
 EXPOSE 8080
 

main.go

@@ -23,6 +23,7 @@ import (
 "log"
 "net/http"
 "os"
+"crypto/tls"
 
 "time"
 
@@ -64,6 +65,8 @@ func exchangeOIDCToken(
 
 if skipVerifyTLS {
 log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
+// Disable TLS verification on the default HTTP Transport for the well-known lookup
+http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ InsecureSkipVerify: true }
 }
 client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS))