🐛 Bug Report — allow_custom_ports is not working #2955

Closed
ceddybi opened this issue Oct 18, 2024 · 12 comments · Fixed by cloudflare/workers-sdk#7038 or cloudflare/workers-sdk#7261

Comments

@ceddybi

ceddybi commented Oct 18, 2024

According to allow-specifying-a-custom-port-when-making-a-subrequest-with-the-fetch-api

it says that setting the flag allow_custom_ports or a compatibility date greater than 2024-09-02 should allow fetch to work with custom ports for HTTPS; however, setting this has no effect, you still get the warning and the API errors out

known issue with fetch() requests to custom HTTPS ports in published Workers: the custom port will be ignored when the Worker is published using the "wrangler deploy" command.

@ceddybi
Author

ceddybi commented Oct 18, 2024

@danlapid

@danlapid
Collaborator

Is the problem you’re having just the error message or is the functionality not working as intended in a deployed worker?

@ceddybi
Author

ceddybi commented Oct 18, 2024

@danlapid I haven't deployed it yet, I'm trying in dev using --remote, and the fetch request doesn't work, it gets stuck and shows an error, looks like maybe the port is removed

@danlapid
Collaborator

Seems like we might’ve missed that then, it should work in local dev without the --remote flag and in a deployed worker

@ceddybi
Author

ceddybi commented Oct 18, 2024

@danlapid it's actually working, i logged the request

the real issue is i'm getting 526 (invalid certificate), my app wasn't checking for this status code, that's why it was stuck

but i had set process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' to allow invalid certifications, looks like it's not working, how do you disable the invalid certificates in cloudflare fetch?

@ceddybi
Author

ceddybi commented Oct 18, 2024

> Seems like we might’ve missed that then, it should work in local dev without the --remote flag and in a deployed worker

Looks like without --remote i don't even get the 526, it fails entirely, but when i add the flag i get status 526

petebacondarwin added a commit to cloudflare/workers-sdk that referenced this issue Oct 21, 2024
Now that we have the `allow_custom_ports` compatibility flag, we only need to show the fetch warnings when that flag is not enabled.

Fixes cloudflare/workerd#2955
@petebacondarwin
Contributor

> how do you disable the invalid certificates in cloudflare fetch?

In wrangler dev you can teach it about local certificates using the --https-key-path and --https-cert-path command line args. But I am testing this and it is still blowing up when I try to make outbound HTTPS fetches with a custom port. I need to ascertain if this is a Miniflare issue or a workerd issue.

@ceddybi
Author

ceddybi commented Oct 22, 2024

> In wrangler dev you can teach it about local certificates using the --https-key-path and --https-cert-path command line args.

What happens in prod, do we need to provide the certs too? or prod can ignore 526's

Woulda been nice if fetch was passed an agent parameter like in node-fetch/undici or just an option with rejectUnauthorized: false

@petebacondarwin
Contributor

petebacondarwin commented Oct 22, 2024

OK so I did some digging and I think I have an understanding of all this now.

In production:
Since 2024-09-02 (compat date), the default for Workers is that custom outbound HTTPS ports are allowed. So you should just be able to do things like fetch("https://some-domain:5000") and it will work.

In wrangler dev:
Outbound fetches to HTTPS ports, where the server is using proper CA signed certificates should just work (even though you currently get a warning telling you it will fail in production). cloudflare/workers-sdk#7038 should resolve that unwanted warning.

Outbound fetches to HTTPS ports that are hosted on local servers using self-signed certificates will fail because workerd will fail to make the TLS connection giving errors about the certificates not being trusted. The solution to this is to tell workerd about your local Certificate Authority certificates, which you use to sign the certificates that the local HTTPS server is using. You do this by setting NODE_EXTRA_CA_CERTS environment variable to point to the file holding the local CA certificates. Wrangler will pick up these certificates and pass them through Miniflare to configure workerd to know about this CA and therefore trust your local server's certificates.

See https://gist.github.com/petebacondarwin/804f390138570eb99e34c974c0c68585
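
Added example, not part of the thread and not Cloudflare's code: the two failure paths reported above (a 526 response with --remote, a thrown error in local workerd) handled explicitly so the caller neither hangs nor disables certificate validation. The names `fetchOrigin` and `classifyStatus`, the timeout value and the 525 entry are assumptions of this sketch.

```javascript
// Constructed example; fetchOrigin/classifyStatus are hypothetical names.
// Cloudflare edge status codes that mean the TLS leg to the origin failed.
const TLS_EDGE_STATUS = {
  525: "TLS handshake with origin failed",
  526: "origin certificate is not trusted (self-signed, expired or wrong name)",
};

// Map an HTTP status to an outcome the caller must handle explicitly.
function classifyStatus(status) {
  if (status in TLS_EDGE_STATUS) {
    return { ok: false, kind: "tls", status, detail: TLS_EDGE_STATUS[status] };
  }
  const ok = status >= 200 && status < 300;
  return { ok, kind: ok ? "success" : "http", status, detail: null };
}

// Fetch an HTTPS origin on any port with a deadline and no validation bypass.
async function fetchOrigin(url, { fetchImpl = fetch, timeoutMs = 5000 } = {}) {
  const target = new URL(url);
  if (target.protocol !== "https:") {
    return { ok: false, kind: "config", status: null, detail: "https required" };
  }
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(target.href, { signal: controller.signal });
    return classifyStatus(res.status);
  } catch (err) {
    // Per the thread, local workerd (no --remote) fails the TLS connection
    // outright instead of returning 526, so a thrown error is also a failure.
    const detail = String(err && err.message);
    return { ok: false, kind: "network", status: null, detail };
  } finally {
    clearTimeout(timer);
  }
}
```

A `kind` of "tls" or "network" against a local server points at the CA trust setup (NODE_EXTRA_CA_CERTS), not at the custom port.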

@ceddybi
Author

ceddybi commented Oct 22, 2024

@petebacondarwin what about in production when you make outbound fetches to custom HTTPS ports that are hosted on remote servers using self-signed certificates?

@petebacondarwin
Contributor

I don't believe we have any way to support self-signed certificates in production.

@petebacondarwin
Contributor

It is quite easy, and free, to set up domains with Cloudflare to have fully trusted certificates, so I would recommend doing that even for test servers if they are exposed on the public Internet.

petebacondarwin added a commit to cloudflare/workers-sdk that referenced this issue Nov 7, 2024
Now that we have the `allow_custom_ports` compatibility flag, we only need to show the fetch warnings when that flag is not enabled.

Fixes cloudflare/workerd#2955
CarmenPopoviciu pushed a commit to cloudflare/workers-sdk that referenced this issue Nov 8, 2024
Now that we have the `allow_custom_ports` compatibility flag, we only need to show the fetch warnings when that flag is not enabled.

Fixes cloudflare/workerd#2955
andyjessop pushed a commit to cloudflare/workers-sdk that referenced this issue Nov 12, 2024
Now that we have the `allow_custom_ports` compatibility flag, we only need to show the fetch warnings when that flag is not enabled.

Fixes cloudflare/workerd#2955
andyjessop pushed a commit to cloudflare/workers-sdk that referenced this issue Nov 18, 2024
* fix: only show fetch warning if on old compatibility_date

Now that we have the `allow_custom_ports` compatibility flag, we only need to show the fetch warnings when that flag is not enabled.

Fixes cloudflare/workerd#2955

* fix: typo