whyvl
diff --git a/‎README.md‎
Lines changed: 4 additions & 0 deletions b/‎README.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎config.go‎
Lines changed: 8 additions & 0 deletions b/‎config.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎http.go‎
Lines changed: 16 additions & 1 deletion b/‎http.go‎
Lines changed: 16 additions & 1 deletion
diff --git a/‎routine.go‎
Lines changed: 4 additions & 0 deletions b/‎routine.go‎
Lines changed: 4 additions & 0 deletions
@@ -131,6 +131,10 @@ BindAddress = 127.0.0.1:25345
 #Username = ...
 # Avoid using spaces in the password field
 #Password = ...
+
+# Specifying certificate and key enables HTTPS
+#CertFile = ...
+#KeyFile = ...
 ```
 
 Alternatively, if you already have a wireguard config, you can import it in the
 
@@ -57,6 +57,8 @@ type HTTPConfig struct {
 BindAddress string
 Username string
 Password string
+CertFile string
+KeyFile string
 }
 
 type Configuration struct {
@@ -431,6 +433,12 @@ func parseHTTPConfig(section *ini.Section) (RoutineSpawner, error) {
 password, _ := parseString(section, "Password")
 config.Password = password
 
+certFile, _ := parseString(section, "CertFile")
+config.CertFile = certFile
+
+keyFile, _ := parseString(section, "KeyFile")
+config.KeyFile = keyFile
+
 return config, nil
 }
 
 
@@ -3,6 +3,7 @@ package wireproxy
 import (
 "bufio"
 "bytes"
+"crypto/tls"
 "encoding/base64"
 "fmt"
 "io"
@@ -23,6 +24,7 @@ type HTTPServer struct {
 dial func(network, address string) (net.Conn, error)
 
 authRequired bool
+tlsRequired bool
 }
 
 func (s *HTTPServer) authenticate(req *http.Request) (int, error) {
@@ -141,9 +143,22 @@ func (s *HTTPServer) serve(conn net.Conn) {
 }()
 }
 
+func (s *HTTPServer) listen(network, addr string) (net.Listener, error) {
+if s.tlsRequired {
+cert, err := tls.LoadX509KeyPair(s.config.CertFile, s.config.KeyFile)
+if err != nil {
+return nil, err
+}
+
+return tls.Listen(network, addr, &tls.Config{Certificates: []tls.Certificate{cert}})
+}
+
+return net.Listen(network, addr)
+}
+
 // ListenAndServe is used to create a listener and serve on it
 func (s *HTTPServer) ListenAndServe(network, addr string) error {
-server, err := net.Listen(network, addr)
+server, err := s.listen(network, addr)
 if err != nil {
 return fmt.Errorf("listen tcp failed: %w", err)
 }
 
@@ -173,6 +173,10 @@ func (config *HTTPConfig) SpawnRoutine(vt *VirtualTun) {
 server.authRequired = true
 }
 
+if config.CertFile != "" && config.KeyFile != "" {
+server.tlsRequired = true
+}
+
 if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {
 log.Fatal(err)
 }
Original file line number	Diff line number	Diff line change
`@@ -173,6 +173,10 @@ func (config HTTPConfig) SpawnRoutine(vt VirtualTun) {`
`173`	`173`	`server.authRequired = true`
`174`	`174`	`}`
`175`	`175`
	`176`	`+if config.CertFile != "" && config.KeyFile != "" {`
	`177`	`+server.tlsRequired = true`
	`178`	`+}`
	`179`	`+`
`176`	`180`	`if err := server.ListenAndServe("tcp", config.BindAddress); err != nil {`
`177`	`181`	`log.Fatal(err)`
`178`	`182`	`}`