Builds on s3rj1k's --insecure flag (#35) but limits insecure TLS to the resolved inference client for an explicit --base-url, instead of mutating http.DefaultTransport process-wide. Built-in providers, auth, and model discovery keep normal certificate verification. Documents the flag in the CLI reference. Co-authored-by: s3rj1k <evasive.gyron@gmail.com>
package provider
import (
"crypto/tls"
"net/http"
)
// NewHTTPClient returns a provider HTTP client. When insecureTLS is true,
// only this client skips TLS certificate verification. The process-wide
// default transport is left untouched so auth, discovery, and other providers
// keep normal certificate validation.
func NewHTTPClient(insecureTLS bool) *http.Client {
	// Timeout 0 means the client imposes no overall request deadline.
	// NOTE(review): presumably callers bound requests some other way
	// (e.g. a context) — confirm.
	client := &http.Client{Timeout: 0}
	if !insecureTLS {
		// A nil Transport makes the client use http.DefaultTransport, so
		// certificate verification stays as the process configured it.
		return client
	}

	// Work on a private copy so the relaxed TLS setting never reaches
	// http.DefaultTransport. If the default has been replaced by some other
	// RoundTripper, start from an empty Transport instead; that fallback
	// carries none of the default's proxy or dial settings.
	var transport *http.Transport
	if base, isStd := http.DefaultTransport.(*http.Transport); isStd {
		transport = base.Clone()
	} else {
		transport = &http.Transport{}
	}

	// Copy any existing TLS config rather than editing it in place, so a
	// config shared with another transport is not modified.
	tlsCfg := &tls.Config{}
	if transport.TLSClientConfig != nil {
		tlsCfg = transport.TLSClientConfig.Clone()
	}

	// InsecureSkipVerify turns off both certificate-chain and host-name
	// verification for every connection made through this client, including
	// any redirect targets it follows. Keep the returned client scoped to
	// the single endpoint the operator explicitly opted in for.
	tlsCfg.InsecureSkipVerify = true //nolint:gosec
	transport.TLSClientConfig = tlsCfg

	client.Transport = transport
	return client
}
// WithHTTPClient scopes an HTTP client to a concrete provider client.
// Unsupported clients are returned unchanged.
func WithHTTPClient(c Client, httpClient *http.Client) Client {
	// A nil httpClient leaves c exactly as it was passed in.
	if httpClient != nil {
		// The matched client is modified in place through its pointer; the
		// value returned below is the same c the caller supplied.
		switch target := c.(type) {
		case *renamedClient:
			// A renaming wrapper holds no HTTP client of its own, so the
			// request is forwarded to the client it wraps.
			target.inner = WithHTTPClient(target.inner, httpClient)
		case *openaiClient:
			target.http = httpClient
		case *anthropicClient:
			target.http = httpClient
		case *geminiClient:
			target.http = httpClient
		case *bedrockClient:
			target.http = httpClient
		}
		// Any other implementation falls through untouched and no error is
		// reported. When httpClient has certificate verification disabled,
		// such a client keeps whatever HTTP client it already had.
		// NOTE(review): the caller cannot tell from the return value whether
		// httpClient was applied — confirm that is acceptable.
	}
	return c
}