Fixed port handling for certificate verification in the backend and proxy components. Updated related settings and documentation.

Author: aram356

.env.dev

@@ -4,3 +4,7 @@ TRUSTED_SERVER__PUBLISHER__ORIGIN_URL=http://localhost:9090
 # [synthetic]
 TRUSTED_SERVER__SYNTHETIC__COUNTER_STORE=counter_store
 TRUSTED_SERVER__SYNTHETIC__OPID_STORE=opid_store
+
+# [proxy]
+# Disable TLS certificate verification for local dev with self-signed certs
+# TRUSTED_SERVER__PROXY__CERTIFICATE_CHECK=false

crates/common/src/backend.rs

@@ -6,6 +6,16 @@ use url::Url;
 
 use crate::error::TrustedServerError;
 
+/// Returns the default port for the given scheme (443 for HTTPS, 80 for HTTP).
+#[inline]
+fn default_port_for_scheme(scheme: &str) -> u16 {
+    if scheme.eq_ignore_ascii_case("https") {
+        443
+    } else {
+        80
+    }
+}
+
 /// Compute the Host header value for a backend request.
 ///
 /// For standard ports (443 for HTTPS, 80 for HTTP), returns just the hostname.
@@ -16,9 +26,7 @@ use crate::error::TrustedServerError;
 /// would generate URLs without the port when the Host header didn't include it.
 #[inline]
 fn compute_host_header(scheme: &str, host: &str, port: u16) -> String {
-    let is_https = scheme.eq_ignore_ascii_case("https");
-    let default_port = if is_https { 443 } else { 80 };
-    if port != default_port {
+    if port != default_port_for_scheme(scheme) {
         format!("{}:{}", host, port)
     } else {
         host.to_string()
@@ -37,6 +45,11 @@ fn compute_host_header(scheme: &str, host: &str, port: u16) -> String {
 /// * `host` - The hostname
 /// * `port` - Optional port number
 /// * `certificate_check` - If true, enables TLS certificate verification (default for production)
+///
+/// # Errors
+///
+/// Returns an error if the host is empty or if backend creation fails
+/// (except for `NameInUse` which reuses the existing backend).
 pub fn ensure_origin_backend(
     scheme: &str,
     host: &str,
@@ -49,12 +62,7 @@ pub fn ensure_origin_backend(
         }));
     }
 
-    let is_https = scheme.eq_ignore_ascii_case("https");
-    let target_port = match (port, is_https) {
-        (Some(p), _) => p,
-        (None, true) => 443,
-        (None, false) => 80,
-    };
+    let target_port = port.unwrap_or_else(|| default_port_for_scheme(scheme));
 
     let host_with_port = format!("{}:{}", host, target_port);
 
@@ -115,6 +123,13 @@ pub fn ensure_origin_backend(
     }
 }
 
+/// Ensures a dynamic backend exists for the given origin URL.
+///
+/// Parses the URL and delegates to [`ensure_origin_backend`] to create or reuse a backend.
+///
+/// # Errors
+///
+/// Returns an error if the URL cannot be parsed or lacks a host, or if backend creation fails.
 pub fn ensure_backend_from_url(
     origin_url: &str,
     certificate_check: bool,
@@ -141,83 +156,97 @@ mod tests {
     // Tests for compute_host_header - the fix for port preservation in Host header
     #[test]
     fn host_header_includes_port_for_non_standard_https() {
-        // Non-standard port 9443 should be included in Host header
         assert_eq!(
             compute_host_header("https", "cdn.example.com", 9443),
-            "cdn.example.com:9443"
+            "cdn.example.com:9443",
+            "should include non-standard HTTPS port 9443 in Host header"
         );
         assert_eq!(
             compute_host_header("https", "cdn.example.com", 8443),
-            "cdn.example.com:8443"
+            "cdn.example.com:8443",
+            "should include non-standard HTTPS port 8443 in Host header"
         );
     }
 
     #[test]
     fn host_header_excludes_port_for_standard_https() {
-        // Standard port 443 should NOT be included
         assert_eq!(
             compute_host_header("https", "cdn.example.com", 443),
-            "cdn.example.com"
+            "cdn.example.com",
+            "should omit standard HTTPS port 443 from Host header"
         );
     }
 
     #[test]
     fn host_header_includes_port_for_non_standard_http() {
-        // Non-standard port 8080 should be included
         assert_eq!(
             compute_host_header("http", "cdn.example.com", 8080),
-            "cdn.example.com:8080"
+            "cdn.example.com:8080",
+            "should include non-standard HTTP port 8080 in Host header"
         );
     }
 
     #[test]
     fn host_header_excludes_port_for_standard_http() {
-        // Standard port 80 should NOT be included
         assert_eq!(
             compute_host_header("http", "cdn.example.com", 80),
-            "cdn.example.com"
+            "cdn.example.com",
+            "should omit standard HTTP port 80 from Host header"
         );
     }
 
     #[test]
     fn returns_name_for_https_with_cert_check() {
-        let name = ensure_origin_backend("https", "origin.example.com", None, true).unwrap();
+        let name = ensure_origin_backend("https", "origin.example.com", None, true)
+            .expect("should create backend for valid HTTPS origin");
         assert_eq!(name, "backend_https_origin_example_com_443");
     }
 
     #[test]
     fn returns_name_for_https_without_cert_check() {
-        let name = ensure_origin_backend("https", "origin.example.com", None, false).unwrap();
+        let name = ensure_origin_backend("https", "origin.example.com", None, false)
+            .expect("should create backend with cert check disabled");
         assert_eq!(name, "backend_https_origin_example_com_443_nocert");
     }
 
     #[test]
     fn returns_name_for_http_with_port_and_sanitizes() {
-        let name = ensure_origin_backend("http", "api.test-site.org", Some(8080), true).unwrap();
+        let name = ensure_origin_backend("http", "api.test-site.org", Some(8080), true)
+            .expect("should create backend for HTTP origin with explicit port");
         assert_eq!(name, "backend_http_api_test-site_org_8080");
-        // Explicitly check that ':' was replaced with '_'
-        assert!(name.ends_with("_8080"));
+        assert!(
+            name.ends_with("_8080"),
+            "should sanitize ':' to '_' in backend name"
+        );
     }
 
     #[test]
     fn returns_name_for_http_without_port_defaults_to_80() {
-        let name = ensure_origin_backend("http", "example.org", None, true).unwrap();
+        let name = ensure_origin_backend("http", "example.org", None, true)
+            .expect("should create backend defaulting to port 80 for HTTP");
         assert_eq!(name, "backend_http_example_org_80");
     }
 
     #[test]
     fn error_on_missing_host() {
-        let err = ensure_origin_backend("https", "", None, true)
-            .err()
-            .unwrap();
+        let err =
+            ensure_origin_backend("https", "", None, true).expect_err("should reject empty host");
         let msg = err.to_string();
-        assert!(msg.contains("missing host"));
+        assert!(
+            msg.contains("missing host"),
+            "should report missing host in error message"
+        );
     }
 
     #[test]
     fn second_call_reuses_existing_backend() {
-        let first = ensure_origin_backend("https", "reuse.example.com", None, true).unwrap();
-        let second = ensure_origin_backend("https", "reuse.example.com", None, true).unwrap();
-        assert_eq!(first, second);
+        let first = ensure_origin_backend("https", "reuse.example.com", None, true)
+            .expect("should create backend on first call");
+        let second = ensure_origin_backend("https", "reuse.example.com", None, true)
+            .expect("should reuse backend on second call");
+        assert_eq!(
+            first, second,
+            "should return same backend name on repeat call"
+        );
     }
 }

crates/common/src/creative.rs

@@ -332,9 +332,7 @@ pub fn rewrite_creative_html(settings: &Settings, markup: &str) -> String {
                 // Image src + data-src
                 element!("img", |el| {
                     if let Some(src) = el.get_attribute("src") {
-                        log::debug!("creative rewrite: img src input = {}", src);
                         if let Some(p) = proxy_if_abs(settings, &src) {
-                            log::debug!("creative rewrite: img src output = {}", p);
                             let _ = el.set_attribute("src", &p);
                         }
                     }
@@ -645,14 +643,15 @@ mod tests {
     #[test]
     fn to_abs_preserves_port_in_protocol_relative() {
         let settings = crate::test_support::tests::create_test_settings();
-        // Protocol-relative URL with explicit port should preserve the port
         assert_eq!(
             to_abs(&settings, "//cdn.example.com:8080/asset.js"),
-            Some("https://cdn.example.com:8080/asset.js".to_string())
+            Some("https://cdn.example.com:8080/asset.js".to_string()),
+            "should preserve port 8080 in protocol-relative URL"
         );
         assert_eq!(
             to_abs(&settings, "//cdn.example.com:9443/img.png"),
-            Some("https://cdn.example.com:9443/img.png".to_string())
+            Some("https://cdn.example.com:9443/img.png".to_string()),
+            "should preserve port 9443 in protocol-relative URL"
         );
     }
 

crates/common/src/proxy.rs

@@ -1183,16 +1183,19 @@ mod tests {
     #[tokio::test]
     async fn proxy_sign_preserves_non_standard_port() {
         let settings = create_test_settings();
-        // Test with non-standard port (e.g., 9443)
         let body = serde_json::json!({
             "url": "https://cdn.example.com:9443/img/300x250.svg",
         });
         let mut req = Request::new(Method::POST, "https://edge.example/first-party/sign");
         req.set_body(body.to_string());
         let mut resp = handle_first_party_proxy_sign(&settings, req)
             .await
-            .expect("sign ok");
-        assert_eq!(resp.get_status(), StatusCode::OK);
+            .expect("should sign URL with non-standard port");
+        assert_eq!(
+            resp.get_status(),
+            StatusCode::OK,
+            "should return 200 for valid sign request"
+        );
         let json = resp.take_body_str();
         // Port 9443 should be preserved (URL-encoded as %3A9443)
         assert!(
@@ -1607,7 +1610,7 @@ mod tests {
             "https://cdn.example.com:9443/creatives/300x250.html",
             beresp,
         )
-        .expect("finalize should succeed");
+        .expect("should finalize HTML response with non-standard port URL");
 
         let body = out.take_body_str();
 

crates/common/src/publisher.rs

@@ -216,7 +216,10 @@ pub fn handle_publisher_request(
         has_synthetic_cookie
     );
 
-    let backend_name = ensure_backend_from_url(&settings.publisher.origin_url, true)?;
+    let backend_name = ensure_backend_from_url(
+        &settings.publisher.origin_url,
+        settings.proxy.certificate_check,
+    )?;
     let origin_host = settings.publisher.origin_host();
 
     log::debug!(

crates/common/src/settings.rs

@@ -348,6 +348,10 @@ impl Settings {
             return Err(Report::new(TrustedServerError::InsecureSecretKey));
         }
 
+        if !settings.proxy.certificate_check {
+            log::warn!("INSECURE: proxy.certificate_check is disabled — TLS certificates will NOT be verified");
+        }
+
         Ok(settings)
     }
 

trusted-server.toml

@@ -84,6 +84,12 @@ rewrite_sdk = true
 # ]
 
 
+# Proxy configuration
+# [proxy]
+# Enable TLS certificate verification when proxying to HTTPS origins.
+# Defaults to true. Set to false only for local development with self-signed certificates.
+# certificate_check = true
+
 [auction]
 enabled = true
 providers = ["prebid"]