feat(cliproxy): add --allow-self-signed flag for HTTPS connections (#227)

Previously, allowSelfSigned was hardcoded to true for all HTTPS protocol
connections, forcing use of the native https module which has issues with
Cloudflare-proxied connections causing timeouts.

This change:
- Adds --allow-self-signed CLI flag (default: false)
- Adds CCS_ALLOW_SELF_SIGNED environment variable
- Uses standard fetch API by default for HTTPS (works with valid certs)
- Only uses native https module when --allow-self-signed is specified

Usage:
- For production HTTPS proxies with valid certs: no flag needed
- For dev proxies with self-signed certs: use --allow-self-signed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Shun Kakinoki
2025-12-31 16:33:02 -08:00
committed by GitHub
co-authored by Claude Opus 4.5
parent f21fb0391e
commit 709976e897
4 changed files with 30 additions and 2 deletions
+1 -1
View File
@@ -200,7 +200,7 @@ export async function execClaudeWithCLIProxy(
protocol: proxyConfig.protocol,
authToken: proxyConfig.authToken,
timeout: proxyConfig.timeout ?? 2000,
allowSelfSigned: proxyConfig.protocol === 'https',
allowSelfSigned: proxyConfig.allowSelfSigned ?? false,
});
if (status.reachable) {
+25 -1
View File
@@ -19,6 +19,7 @@ export const PROXY_CLI_FLAGS = [
'--proxy-timeout',
'--local-proxy',
'--remote-only',
'--allow-self-signed',
] as const;
/** Environment variable names for proxy configuration */
@@ -29,6 +30,7 @@ export const PROXY_ENV_VARS = {
authToken: 'CCS_PROXY_AUTH_TOKEN',
timeout: 'CCS_PROXY_TIMEOUT',
fallbackEnabled: 'CCS_PROXY_FALLBACK_ENABLED',
allowSelfSigned: 'CCS_ALLOW_SELF_SIGNED',
} as const;
/** Parsed CLI proxy flags */
@@ -40,6 +42,7 @@ interface ParsedProxyFlags {
timeout?: number;
localProxy: boolean;
remoteOnly: boolean;
allowSelfSigned?: boolean;
}
/** Proxy config from environment variables */
@@ -50,6 +53,7 @@ interface EnvProxyConfig {
authToken?: string;
timeout?: number;
fallbackEnabled?: boolean;
allowSelfSigned?: boolean;
}
/**
@@ -121,6 +125,12 @@ export function parseProxyFlags(args: string[]): {
continue;
}
if (arg === '--allow-self-signed') {
flags.allowSelfSigned = true;
i += 1;
continue;
}
// Not a proxy flag - keep in remaining args
remainingArgs.push(arg);
i += 1;
@@ -180,6 +190,16 @@ export function getProxyEnvVars(): EnvProxyConfig {
}
}
const allowSelfSigned = process.env[PROXY_ENV_VARS.allowSelfSigned];
if (allowSelfSigned !== undefined) {
const lower = allowSelfSigned.toLowerCase();
if (lower === '1' || lower === 'true' || lower === 'yes') {
config.allowSelfSigned = true;
} else if (lower === '0' || lower === 'false' || lower === 'no') {
config.allowSelfSigned = false;
}
}
return config;
}
@@ -272,6 +292,9 @@ export function resolveProxyConfig(
// Merge timeout: CLI > ENV > config.yaml > default (2000ms in executor)
resolved.timeout = cliFlags.timeout ?? envConfig.timeout ?? yamlConfig.remote?.timeout;
// Merge allowSelfSigned: CLI > ENV > default (true for backwards compatibility)
resolved.allowSelfSigned = cliFlags.allowSelfSigned ?? envConfig.allowSelfSigned ?? true;
// Merge fallback enabled: ENV > config.yaml > default
resolved.fallbackEnabled =
envConfig.fallbackEnabled ?? yamlConfig.remote?.fallback_enabled ?? true;
@@ -303,6 +326,7 @@ export function hasProxyFlags(args: string[]): boolean {
arg === '--proxy-auth-token' ||
arg === '--proxy-timeout' ||
arg === '--local-proxy' ||
arg === '--remote-only'
arg === '--remote-only' ||
arg === '--allow-self-signed'
);
}
+2
View File
@@ -215,4 +215,6 @@ export interface ResolvedProxyConfig {
forceLocal: boolean;
/** Remote proxy connection timeout in ms (default: 2000) */
timeout?: number;
/** Allow self-signed certificates for HTTPS connections (default: true) */
allowSelfSigned?: boolean;
}
+2
View File
@@ -269,6 +269,7 @@ Run ${color('ccs config', 'command')} for web dashboard`.trim();
['--proxy-timeout <ms>', 'Connection timeout in ms (default: 2000)'],
['--local-proxy', 'Force local mode, ignore remote config'],
['--remote-only', 'Fail if remote unreachable (no fallback)'],
['--allow-self-signed', 'Allow self-signed certs (for dev proxies)'],
]);
// CLI Proxy env vars
@@ -279,6 +280,7 @@ Run ${color('ccs config', 'command')} for web dashboard`.trim();
['CCS_PROXY_AUTH_TOKEN', 'Auth token'],
['CCS_PROXY_TIMEOUT', 'Connection timeout in ms'],
['CCS_PROXY_FALLBACK_ENABLED', 'Enable local fallback (1/0)'],
['CCS_ALLOW_SELF_SIGNED', 'Allow self-signed certs (1/0)'],
]);
// CLI Proxy paths