Add TLS_ACCEPT_TOS configuration option

hrntknr · hrntknr · commit 7ded4890b20e · 2025-08-17T15:26:47.000Z
- Add getEnvBoolWithDefault helper function to parse boolean environment variables
- Add tlsAcceptTOS flag and TLS_ACCEPT_TOS environment variable
- Update autocert.Manager to use configurable TOS acceptance instead of automatic acceptance
- Allows users to explicitly control whether to accept ACME terms of service
diff --git a/main.go b/main.go
@@ -15,11 +15,22 @@ func getEnvWithDefault(key, defaultValue string) string {
 	return defaultValue
 }
 
+func getEnvBoolWithDefault(key string, defaultValue bool) bool {
+	if value := os.Getenv(key); value != "" {
+		if strings.ToLower(value) == "true" || value == "1" {
+			return true
+		}
+		return false
+	}
+	return defaultValue
+}
+
 func main() {
 	var listen string
 	var listenTLS string
 	var tlsHost string
 	var tlsDirectoryURL string
+	var tlsAcceptTOS bool
 	var dataPath string
 	var externalURL string
 	var proxyURL string
@@ -57,6 +68,7 @@ func main() {
 				listenTLS,
 				tlsHost,
 				tlsDirectoryURL,
+				tlsAcceptTOS,
 				dataPath,
 				externalURL,
 				proxyURL,
@@ -75,10 +87,11 @@ func main() {
 		},
 	}
 
-	rootCmd.Flags().StringVarP(&listen, "listen", "l", getEnvWithDefault("LISTEN", ":80"), "Address to listen on")
-	rootCmd.Flags().StringVarP(&listenTLS, "listen-tls", "t", getEnvWithDefault("TLS_LISTEN", ":443"), "Address to listen on for TLS")
+	rootCmd.Flags().StringVar(&listen, "listen", getEnvWithDefault("LISTEN", ":80"), "Address to listen on")
+	rootCmd.Flags().StringVar(&listenTLS, "listen-tls", getEnvWithDefault("TLS_LISTEN", ":443"), "Address to listen on for TLS")
 	rootCmd.Flags().StringVarP(&tlsHost, "tls-host", "H", getEnvWithDefault("TLS_HOST", ""), "Host name for TLS")
-	rootCmd.Flags().StringVarP(&tlsDirectoryURL, "tls-directory-url", "D", getEnvWithDefault("TLS_DIRECTORY_URL", "https://acme-v02.api.letsencrypt.org/directory"), "ACME directory URL for TLS certificates")
+	rootCmd.Flags().StringVar(&tlsDirectoryURL, "tls-directory-url", getEnvWithDefault("TLS_DIRECTORY_URL", "https://acme-v02.api.letsencrypt.org/directory"), "ACME directory URL for TLS certificates")
+	rootCmd.Flags().BoolVar(&tlsAcceptTOS, "tls-accept-tos", getEnvBoolWithDefault("TLS_ACCEPT_TOS", false), "Accept TLS terms of service")
 	rootCmd.Flags().StringVarP(&dataPath, "data", "d", getEnvWithDefault("DATA_PATH", "./data"), "Path to the data directory")
 	rootCmd.Flags().StringVarP(&externalURL, "external-url", "e", getEnvWithDefault("EXTERNAL_URL", "http://localhost"), "External URL for the proxy")
 	rootCmd.Flags().StringVarP(&proxyURL, "proxy-url", "p", getEnvWithDefault("PROXY_URL", "http://localhost:8080"), "Proxy URL for the proxy")
diff --git a/pkg/mcp-proxy/main.go b/pkg/mcp-proxy/main.go
@@ -30,6 +30,7 @@ func Run(
 	listenTLS string,
 	tlsHost string,
 	tlsDirectoryURL string,
+	tlsAcceptTOS bool,
 	dataPath string,
 	externalURL string,
 	proxyURL string,
@@ -141,7 +142,9 @@ func Run(
 
 	if tlsHost != "" {
 		m := autocert.Manager{
-			Prompt:     autocert.AcceptTOS,
+			Prompt: func(tosURL string) bool {
+				return tlsAcceptTOS
+			},
 			HostPolicy: autocert.HostWhitelist(tlsHost),
 			Cache:      autocert.DirCache(path.Join(dataPath, "certs")),
 			Client: &acme.Client{
