
fix: respect ExternalSSLInsecure config in Langfuse client TLS #132

Merged
asdek merged 2 commits into vxcontrol:feature/project_improvements from mason5052:fix/langfuse-tls-respect-config
Feb 23, 2026

@mason5052
Contributor

Description of the Change

Problem

NewLangfuseClient receives *config.Config which provides two environment-variable-controlled fields for external TLS behavior:

  • ExternalSSLInsecure (EXTERNAL_SSL_INSECURE, default false) - disables TLS verification
  • ExternalSSLCAPath (EXTERNAL_SSL_CA_PATH, default empty) - path to a custom CA certificate bundle

The previous implementation hardcoded InsecureSkipVerify: true, ignoring both config fields entirely. As a result:

  1. TLS certificate verification was always disabled for Langfuse connections, even when EXTERNAL_SSL_INSECURE was not set (its secure default is false).
  2. Custom CA certificates configured via EXTERNAL_SSL_CA_PATH were never applied to Langfuse HTTP connections, making them ineffective for private Langfuse deployments with self-signed certificates.

The same pattern was already correctly implemented in backend/pkg/system/utils.go for LLM provider HTTP clients.

Solution

Mirror the existing pattern from backend/pkg/system/utils.go:

  1. Set InsecureSkipVerify from cfg.ExternalSSLInsecure (secure by default: false)
  2. When cfg.ExternalSSLCAPath is set, read the PEM file, parse it into an x509.CertPool, and set it as RootCAs on the TLS config

Users who have EXTERNAL_SSL_INSECURE=true in their environment retain the previous behavior.

Ref: #101

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Security update

Areas Affected

  • Analytics Platform (Langfuse)

Testing and Verification

Test Steps

  1. With EXTERNAL_SSL_INSECURE=false (default): Langfuse TLS certificate is now verified
  2. With EXTERNAL_SSL_INSECURE=true: existing behavior preserved (InsecureSkipVerify=true)
  3. With EXTERNAL_SSL_CA_PATH=/path/to/ca.pem: custom CA is loaded and applied to Langfuse connections

Security Considerations

  • Default secure: TLS verification is now ON by default, consistent with EXTERNAL_SSL_INSECURE default of false
  • No breaking change: Users who previously worked with hardcoded InsecureSkipVerify: true should set EXTERNAL_SSL_INSECURE=true if their Langfuse instance uses a self-signed certificate
  • Custom CA support: Private Langfuse deployments can now properly use EXTERNAL_SSL_CA_PATH for certificate validation without disabling TLS

Deployment Notes

If your self-hosted Langfuse instance uses a self-signed or private CA certificate:

  • Set EXTERNAL_SSL_CA_PATH=/path/to/ca.pem for proper certificate validation, OR
  • Set EXTERNAL_SSL_INSECURE=true to preserve the previous behavior

Checklist

Code Quality

  • My code follows the project's coding standards
  • All new and existing tests pass
  • I have run go fmt and go vet (for Go code)

Security

  • I have considered security implications
  • Changes maintain or improve the security model

Compatibility

  • Changes are backward compatible

NewLangfuseClient receives *config.Config which provides two fields
for controlling external TLS behavior:
  - ExternalSSLInsecure (EXTERNAL_SSL_INSECURE, default false)
  - ExternalSSLCAPath   (EXTERNAL_SSL_CA_PATH, default empty)

The previous implementation hardcoded InsecureSkipVerify: true,
ignoring both config fields. This means:
  - TLS certificate verification was always disabled, even when
    the user had not set EXTERNAL_SSL_INSECURE=true
  - Custom CA certificates (EXTERNAL_SSL_CA_PATH) were never loaded

The fix mirrors the pattern in backend/pkg/system/utils.go:
  - Set InsecureSkipVerify from cfg.ExternalSSLInsecure (default false)
  - Load and apply RootCAs from cfg.ExternalSSLCAPath when set

Users who set EXTERNAL_SSL_INSECURE=true retain the previous behavior.
The default is now secure (certificate verification enabled).

Ref: vxcontrol#101
Signed-off-by: mason5052 <ehehwnwjs5052@gmail.com>
Copilot AI review requested due to automatic review settings February 23, 2026 02:02

Copilot AI left a comment

Pull request overview

Updates the Langfuse HTTP client TLS configuration to honor external TLS settings from config.Config, aligning Langfuse connectivity with the project’s intended secure-by-default external TLS behavior.

Changes:

  • Use cfg.ExternalSSLInsecure to control tls.Config.InsecureSkipVerify (instead of hardcoding insecure TLS).
  • Load a custom CA bundle from cfg.ExternalSSLCAPath and apply it to the Langfuse client TLS configuration.

x509.NewCertPool() creates an empty pool, which discards all
OS-trusted CAs when a custom EXTERNAL_SSL_CA_PATH is set. This
prevents verification of any certificate not signed by the custom CA,
breaking connections to Langfuse instances using public CAs.

Use x509.SystemCertPool() as the starting pool (falling back to an
empty pool if the system pool is unavailable) and append the custom
CA to it, matching the pattern in backend/pkg/system/utils.go.

Fixes review comment on PR vxcontrol#132.

Signed-off-by: mason5052 <ehehwnwjs5052@gmail.com>
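
The TLS handling described in the PR description and in the follow-up commit above, as an added example that is not the project's code: `externalTLS` and `buildTLSConfig` are hypothetical names standing in for the `config.Config` fields and the client constructor, and treating `EXTERNAL_SSL_INSECURE` as the literal string `true` is an assumption.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"os"
)

// externalTLS is a hypothetical stand-in for the two config.Config fields named in the PR.
type externalTLS struct {
	Insecure bool   // EXTERNAL_SSL_INSECURE, default false
	CAPath   string // EXTERNAL_SSL_CA_PATH, default empty
}

// buildTLSConfig (hypothetical name) derives the client tls.Config from those settings.
func buildTLSConfig(c externalTLS) (*tls.Config, error) {
	// Verification stays on unless the operator explicitly opts out.
	tc := &tls.Config{InsecureSkipVerify: c.Insecure}
	if c.CAPath == "" {
		return tc, nil // nil RootCAs: Go verifies against the host's root set
	}
	bundle, err := os.ReadFile(c.CAPath)
	if err != nil {
		// Fail closed: an unreadable bundle is an error, not a reason to skip verification.
		return nil, fmt.Errorf("read CA bundle %q: %w", c.CAPath, err)
	}
	// Start from the system roots; an empty pool would trust only the custom CA.
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, fmt.Errorf("no PEM certificate found in %q", c.CAPath)
	}
	tc.RootCAs = pool
	return tc, nil
}

func main() {
	// Assumption: the variable is the literal string "true" when set, as in the PR's examples.
	c := externalTLS{Insecure: os.Getenv("EXTERNAL_SSL_INSECURE") == "true", CAPath: os.Getenv("EXTERNAL_SSL_CA_PATH")}
	tc, err := buildTLSConfig(c)
	if err != nil {
		fmt.Fprintln(os.Stderr, "TLS config rejected:", err)
		os.Exit(1)
	}
	fmt.Printf("verify=%v customCA=%v\n", !tc.InsecureSkipVerify, tc.RootCAs != nil)
}
```

A CA path that cannot be read, or that contains no PEM certificate, returns an error instead of a config, so a typo in `EXTERNAL_SSL_CA_PATH` cannot silently leave the client on the system roots alone.
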
@asdek asdek changed the base branch from master to feature/project_improvements February 23, 2026 19:45
@asdek asdek merged commit 0bd3b50 into vxcontrol:feature/project_improvements Feb 23, 2026
@asdek
Contributor

asdek commented Feb 23, 2026

hey @mason5052

thank you for the contribution!
