From e10a9fd25692bf7fdb0338dd7946cba624bbd86a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ga=C3=ABl=20Goinvic?= <97093369+gaelgatelement@users.noreply.github.com>
Date: Fri, 4 Apr 2025 16:09:19 +0200
Subject: [PATCH] Fix DNS resolution with host aliases + Fix TLS Verifiy on default transport (#92)

* Fix DNS resolution with host aliases

* Disable TLS on the default transport if required
---
 Dockerfile | 4 ++++
 main.go | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index a222787..c6c84d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,11 +13,15 @@ COPY *.go ./
 ARG TARGETOS TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o lk-jwt-service
+# set up nsswitch.conf for Go's "netgo" implementation
+# - https://github.com/golang/go/blob/go1.24.0/src/net/conf.go#L343
+RUN echo 'hosts: files dns' > /etc/nsswitch.conf
 FROM scratch
 COPY --from=builder /proj/lk-jwt-service /lk-jwt-service
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /etc/nsswitch.conf /etc/nsswitch.conf
 EXPOSE 8080
diff --git a/main.go b/main.go
index 701ffb5..b2c8814 100644
--- a/main.go
+++ b/main.go
@@ -23,6 +23,7 @@ import (
 "log"
 "net/http"
 "os"
+ "crypto/tls"
 "time"
@@ -64,6 +65,8 @@ func exchangeOIDCToken(
 if skipVerifyTLS {
 log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
+ // Disable TLS verification on the default HTTP Transport for the well-known lookup
+ http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ InsecureSkipVerify: true }
 }
 client := fclient.NewClient(fclient.WithWellKnownSRVLookups(true), fclient.WithSkipVerify(skipVerifyTLS))
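Review bot: The nsswitch.conf copied into the scratch image only takes effect if the binary actually uses Go's pure-Go resolver, and the `go build` line in this hunk does not pin that (no `CGO_ENABLED=0`), so whether `netgo` is in use depends on the builder image and toolchain outside the hunk. Making it explicit, `RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o lk-jwt-service`, ties the resolver behaviour the comment describes to the build itself. A one-line comment next to the new `COPY`, such as `# /etc/hosts is not copied; the runtime environment is expected to provide it`, would also tell the next reader where the host aliases are expected to come from, since the scratch image itself carries none.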
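Review bot: `"crypto/tls"` is inserted between `"os"` and `"time"`, which breaks the sorted order of the import group; goimports would place it at the top of the group, before `"log"`. Worth fixing now so the next gofmt/goimports run does not produce an unrelated diff here.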
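Review bot: The added assignment to `http.DefaultTransport.(*http.Transport).TLSClientConfig` disables certificate verification for every user of the default transport in the process, not only the well-known lookup, and it runs inside `exchangeOIDCToken` on every request, so it rewrites a field that concurrent requests through the same transport may be reading and that already-pooled connections will not pick up. The unchecked type assertion also panics if `http.DefaultTransport` has been replaced by a wrapping `RoundTripper`. Since `skipVerifyTLS` is a process-wide setting, this belongs where that setting is read at startup (outside the hunk), done once and guarded: `if t, ok := http.DefaultTransport.(*http.Transport); ok {` / `t.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}` / `}`. The comment should state the real scope, e.g. `// Disables TLS verification for every request made through http.DefaultTransport, not just the well-known lookup`. exchangeOIDCToken's body continues outside the hunk.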