@DigitalDJ
Contributor

Closes #1092

Summary

  • An option to redirect all HTTP requests to HTTPS when HTTPS mode is enabled.
  • When enabled, the HTTP router always responds with a redirect to HTTPS.
  • An HSTS header is included to force future connections to TLS.
  • Exposes an "Enforce TLS" option in the Access options UI to enable
  • The default is disabled.

Checklist

  • [ X ] Ran make test_e2e locally and passed
  • [ X ] Linked to issue(s) above by issue number (e.g. Closes #<issue-number>)
  • [ X ] One problem per PR (no unrelated changes)
  • [ X ] Lints pass; CI green
  • [ X ] Tricky parts are commented in code
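
An added sketch of the behaviour the summary above describes (not code from this PR or the JetKVM code base): a plain-HTTP handler that redirects to the HTTPS equivalent, and a wrapper that sets HSTS on the TLS side, since browsers ignore that header on plain-HTTP responses (RFC 6797). The handler names, `httpsPort`, the `max-age` value and the `kvm.local` host are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical setting for this sketch (not from the PR): port of the TLS listener.
var httpsPort = "443"

// httpsURL maps a plain-HTTP request onto the equivalent https:// URL.
func httpsURL(r *http.Request) string {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop the HTTP port
		if strings.Contains(h, ":") {
			host = "[" + h + "]" // re-bracket IPv6 literals
		}
	}
	if httpsPort != "443" {
		host += ":" + httpsPort
	}
	return "https://" + host + r.URL.RequestURI()
}

// redirectToHTTPS answers every plain-HTTP request; 307 keeps the method and is not cached like 301/308.
var redirectToHTTPS = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, httpsURL(r), http.StatusTemporaryRedirect)
})

// withHSTS adds the HSTS header to responses served by the TLS listener.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=86400") // assumed value; short to limit lockout
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request to h and returns the recorded response.
func probe(h http.Handler, method, target string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, target, nil))
	return rec
}

func main() { fmt.Println(probe(redirectToHTTPS, "GET", "http://kvm.local:80/a?b=c").Header().Get("Location")) }
```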

Contributor

@IDisposable IDisposable left a comment

This looks really great! Thanks!

Just a couple concerns about defensively protecting against accidental lockout.

@DigitalDJ
Contributor Author

I've tried to address all the issues here. If there are any more please let me know. I've tried to focus on enforce TLS not being enabled unless everything is working okay... and making the user jump through some hoops to make it happen.

@DigitalDJ
Contributor Author

DigitalDJ commented Dec 24, 2025

I should note explicitly there are two other semi-related problems fixed here that need attention (maybe). I don't really know Go (or TS for that matter).

  1. [7fbd475] Fixes the TLS server not fully shutting down when going from disabled -> enabled -> disabled. The stopTLS channel seems to block server.ListenAndServeTLS from returning when server.Shutdown is called? Not sure about the inner workings of this, but closing stopTLS when we stop the server and remaking it for next start resolves the issue.
  2. getTLSState confuses the JSON RPC schema with the config schema. It compares config.TLSMode to "disabled" to check the state of TLS, but the config schema uses an empty string to indicate TLS disabled. I fixed this in [2cef0ea]

Contributor

@IDisposable IDisposable left a comment

Looks good to me :shipit:

Contributor

@adamshiervani adamshiervani left a comment

"Enforce HTTPS (TLS)" doesn't work for me. It gets checked in the UI, but after a refresh of the page, it's unchecked, and I can access it through HTTP.

Could you please also add an E2E test for this? AI can be very helpful writing the E2E tests.

@DigitalDJ
Contributor Author

DigitalDJ commented Jan 5, 2026

I just pushed a change that should fix what you're seeing in "self-signed" mode. The button should now appear, to apply TLS settings, when "self-signed" mode is used. The intent is for the user to agree to the popup AND click the apply button to enforce TLS.

As for E2E tests, I'll probably pass on that, sorry. If someone wants to take that up, they are more than welcome. If that means this sits here, that's fine. I'll maintain my own fork rebasing against release versions for those that want the feature, for as long as I own a JetKVM.

Unfortunately, the complete lack of response from JetKVM's support channels has made me re-think the investment here. Sorry about that.

Development

Successfully merging this pull request may close these issues.

Enforce TLS when HTTPS Mode is enabled

3 participants