diff --git a/src/http.c b/src/http.c index b9f620e6a..da65e9295 100644 --- a/src/http.c +++ b/src/http.c @@ -97,6 +97,13 @@ int callback_http(struct lws *wsi, enum lws_callback_reasons reason, void *user, bool done = false; switch (reason) { + case LWS_CALLBACK_HTTP_CONFIRM_UPGRADE: + if (server->ssl && !lws_is_ssl(wsi)) { + lwsl_warn("refuse HTTP upgrade over non-SSL connection while SSL is enabled.\n"); + return -1; + } + break; + case LWS_CALLBACK_HTTP: access_log(wsi, (const char *)in); snprintf(pss->path, sizeof(pss->path), "%s", (const char *)in); diff --git a/src/server.c b/src/server.c index 183fa3ac4..068ec1ddc 100644 --- a/src/server.c +++ b/src/server.c @@ -563,6 +563,7 @@ int main(int argc, char **argv) { #if defined(LWS_OPENSSL_SUPPORT) || defined(LWS_WITH_TLS) if (ssl) { + server->ssl = true; info.ssl_cert_filepath = cert_path; info.ssl_private_key_filepath = key_path; #ifndef LWS_WITH_MBEDTLS diff --git a/src/server.h b/src/server.h index e13d63271..196631012 100644 --- a/src/server.h +++ b/src/server.h @@ -76,6 +76,7 @@ struct server { bool url_arg; // allow client to send cli arguments in URL bool writable; // whether clients to write to the TTY bool check_origin; // whether allow websocket connection from different origin + bool ssl; // whether SSL is enabled int max_clients; // maximum clients to support bool once; // whether accept only one client and exit on disconnection bool exit_no_conn; // whether exit on all clients disconnection