wasmerio · mihailik · Feb 25, 2025
diff --git a/lib/c-api/src/wasm_c_api/wasi/mod.rs b/lib/c-api/src/wasm_c_api/wasi/mod.rs
@@ -274,7 +274,14 @@ fn prepare_webc_env(
 
     let handle = runtime.handle().clone();
     let _guard = handle.enter();
-    let mut rt = PluggableRuntime::new(Arc::new(TokioTaskManager::new(runtime)));
+
+    let http_config = config
+        .builder
+        .build()
+        .ok()
+        .and_then(|wasi_env| wasi_env.runtime.http_config().cloned())
+        .unwrap_or_else(|| wasmer_wasix::http::client_builder::ClientBuilderConfig::default());
+    let mut rt = PluggableRuntime::new(Arc::new(TokioTaskManager::new(runtime)), &http_config);
     rt.set_engine(Some(store_mut.engine().clone()));
 
     let slice = unsafe { std::slice::from_raw_parts(bytes, len) };
@@ -345,9 +352,16 @@ pub unsafe extern "C" fn wasi_env_new(
             .unwrap()
     });
 
+    let http_config = config
+        .builder
+        .build()
+        .ok()
+        .and_then(|wasi_env| wasi_env.runtime.http_config().cloned())
+        .unwrap_or_else(|| ClientBuilderConfig::default());
+
     let handle = runtime.handle().clone();
     let _guard = handle.enter();
-    let mut rt = PluggableRuntime::new(Arc::new(TokioTaskManager::new(runtime)));
+    let mut rt = PluggableRuntime::new(Arc::new(TokioTaskManager::new(runtime)), &http_config);
     rt.set_engine(Some(store_mut.engine().clone()));
 
     if !config.inherit_stdout {

@@ -247,6 +247,7 @@ pub(super) async fn login_user(
                     cache_dir: env.cache_dir().to_path_buf(),
                     token: None,
                     registry: env.registry.clone(),
+                    http_config: env.http_config.clone(),
                 }
                 .run_async()
                 .await?;

@@ -6,7 +6,7 @@ use hyper_util::server::graceful::GracefulShutdown;
 
 use crate::{
     commands::AsyncCliCommand,
-    config::{UpdateRegistry, UserRegistry, WasmerConfig, WasmerEnv},
+    config::{CliClientBuilderConfig, UpdateRegistry, UserRegistry, WasmerConfig, WasmerEnv},
 };
 use futures_util::{stream::FuturesUnordered, StreamExt};
 use std::{path::PathBuf, time::Duration};
@@ -44,6 +44,9 @@ pub struct Login {
     /// Change the current registry
     #[clap(long, env = "WASMER_REGISTRY")]
     pub registry: Option<UserRegistry>,
+
+    #[clap(flatten)]
+    pub(crate) http_config: CliClientBuilderConfig,
 }
 
 impl Login {
@@ -231,6 +234,7 @@ impl Login {
             self.cache_dir.clone(),
             self.token.clone(),
             self.registry.clone(),
+            self.http_config.clone(),
         )
     }
 }
@@ -293,6 +297,7 @@ mod tests {
             wasmer_dir: temp.path().to_path_buf(),
             token: None,
             cache_dir: temp.path().join("cache").to_path_buf(),
+            http_config: CliClientBuilderConfig::default(),
         };
         let env = login.get_wasmer_env();
 
@@ -321,6 +326,7 @@ mod tests {
             wasmer_dir: temp.path().to_path_buf(),
             token: Some("abc".to_string()),
             cache_dir: temp.path().join("cache").to_path_buf(),
+            http_config: CliClientBuilderConfig::default(),
         };
         let env = login.get_wasmer_env();
 
@@ -381,6 +387,7 @@ mod tests {
             registry: Some("http://localhost:11".to_string().into()),
             token: Some("invalid".to_string()),
             cache_dir: crate::config::DEFAULT_WASMER_CACHE_DIR.clone(),
+            http_config: CliClientBuilderConfig::default(),
         };
 
         let res = cmd.run();

@@ -211,6 +211,7 @@ pub(super) async fn login_user(
                     cache_dir: env.cache_dir().to_path_buf(),
                     token: None,
                     registry: env.registry.clone(),
+                    http_config: env.http_config.clone(),
                 }
                 .run_async()
                 .await?;

@@ -264,6 +264,8 @@ impl PackageDownload {
 
 #[cfg(test)]
 mod tests {
+    use crate::config::CliClientBuilderConfig;
+
     use super::*;
 
     /// Download a package from the dev registry.
@@ -279,6 +281,7 @@ mod tests {
                 crate::config::DEFAULT_WASMER_CACHE_DIR.clone(),
                 None,
                 Some("https://registry.wasmer.io/graphql".to_owned().into()),
+                CliClientBuilderConfig::default(),
             ),
             validate: true,
             out_path: Some(out_path.clone()),

@@ -929,6 +929,10 @@ impl<R: wasmer_wasix::Runtime + Send + Sync> wasmer_wasix::Runtime for Monitorin
         self.runtime.http_client()
     }
 
+    fn http_config(&self) -> Option<&wasmer_wasix::http::client_builder::ClientBuilderConfig> {
+        self.runtime.http_config()
+    }
+
     fn tty(&self) -> Option<&(dyn wasmer_wasix::os::TtyBridge + Send + Sync)> {
         self.runtime.tty()
     }

@@ -573,7 +573,10 @@ impl Wasi {
         I: Into<RuntimeOrHandle>,
     {
         let tokio_task_manager = Arc::new(TokioTaskManager::new(rt_or_handle.into()));
-        let mut rt = PluggableRuntime::new(tokio_task_manager.clone());
+        let mut rt = PluggableRuntime::new(
+            tokio_task_manager.clone(),
+            &env.http_config.to_client_builder_config(),
+        );
 
         let has_networking = self.networking.is_some()
             || capabilities::get_cached_capability(pkg_cache_path)
@@ -615,8 +618,8 @@ impl Wasi {
             rt.set_tty(tty);
         }
 
-        let client =
-            wasmer_wasix::http::default_http_client().context("No HTTP client available")?;
+        let client = wasmer_wasix::http::http_client(&env.http_config.to_client_builder_config())
+            .context("No HTTP client available")?;
         let client = Arc::new(client);
 
         let package_loader = self
@@ -673,7 +676,7 @@ impl Wasi {
         let checkout_dir = env.cache_dir().join("checkouts");
         let tokens = tokens_by_authority(env)?;
 
-        let loader = BuiltinPackageLoader::new()
+        let loader = BuiltinPackageLoader::new(&env.http_config.to_client_builder_config())
             .with_cache_dir(checkout_dir)
             .with_shared_http_client(client)
             .with_tokens(tokens);

@@ -4,6 +4,7 @@ use std::path::{Path, PathBuf};
 use std::sync::LazyLock;
 use url::Url;
 use wasmer_backend_api::WasmerClient;
+use wasmer_wasix::http::client_builder::ClientBuilderConfig;
 
 pub static DEFAULT_WASMER_CLI_USER_AGENT: LazyLock<String> =
     LazyLock::new(|| format!("WasmerCLI-v{}", env!("CARGO_PKG_VERSION")));
@@ -31,6 +32,54 @@ pub struct WasmerEnv {
     /// the environment by default)
     #[clap(long, env = "WASMER_TOKEN")]
     token: Option<String>,
+
+    #[clap(flatten)]
+    pub http_config: CliClientBuilderConfig,
+}
+
+#[derive(Debug, Clone, PartialEq, clap::Parser)]
+pub struct CliClientBuilderConfig {
+    #[clap(long, env = "HTTP_PROXY", help = "HTTP proxy URL")]
+    pub proxy: Option<String>,
+
+    #[clap(long, env = "CA_FILE", help = "Path to CA certificate file")]
+    pub ca_file: Option<PathBuf>,
+
+    #[clap(
+        long,
+        env = "WASMER_UNSAFE_DISABLE_SSL_VERIFY",
+        help = "Disable SSL verification (use with caution)"
+    )]
+    pub unsafe_disable_ssl_verify: bool,
+}
+
+impl Default for CliClientBuilderConfig {
+    fn default() -> Self {
+        CliClientBuilderConfig {
+            proxy: None,
+            ca_file: None,
+            unsafe_disable_ssl_verify: false,
+        }
+    }
+}
+
+impl CliClientBuilderConfig {
+    pub fn to_client_builder_config(&self) -> ClientBuilderConfig {
+        let proxy = self
+            .proxy
+            .as_ref()
+            .map(reqwest::Proxy::all)
+            .transpose()
+            // .map_err(Into::into)
+            .ok()
+            .flatten();
+
+        ClientBuilderConfig {
+            proxy,
+            ca_file: self.ca_file.clone(),
+            unsafe_disable_ssl_verify: self.unsafe_disable_ssl_verify,
+        }
+    }
 }
 
 impl WasmerEnv {
@@ -39,12 +88,14 @@ impl WasmerEnv {
         cache_dir: PathBuf,
         token: Option<String>,
         registry: Option<UserRegistry>,
+        http_config: CliClientBuilderConfig,
     ) -> Self {
         WasmerEnv {
             wasmer_dir,
             registry,
             token,
             cache_dir,
+            http_config,
         }
     }
 
@@ -171,6 +222,7 @@ impl Default for WasmerEnv {
             cache_dir: super::DEFAULT_WASMER_CACHE_DIR.clone(),
             registry: None,
             token: None,
+            http_config: CliClientBuilderConfig::default(),
         }
     }
 }
@@ -240,6 +292,7 @@ mod tests {
             registry: None,
             cache_dir: temp.path().join("cache").to_path_buf(),
             token: None,
+            http_config: CliClientBuilderConfig::default(),
         };
 
         assert_eq!(
@@ -260,6 +313,7 @@ mod tests {
             registry: None,
             cache_dir: temp.path().join("cache").to_path_buf(),
             token: Some("asdf".to_string()),
+            http_config: CliClientBuilderConfig::default(),
         };
 
         assert_eq!(
@@ -279,6 +333,7 @@ mod tests {
             registry: Some(UserRegistry::from("wasmer.wtf")),
             cache_dir: temp.path().join("cache").to_path_buf(),
             token: None,
+            http_config: CliClientBuilderConfig::default(),
         };
 
         assert_eq!(
@@ -299,6 +354,7 @@ mod tests {
             registry: Some(UserRegistry::from("wasmer.wtf")),
             cache_dir: temp.path().join("cache").to_path_buf(),
             token: Some("asdf".to_string()),
+            http_config: CliClientBuilderConfig::default(),
         };
 
         assert_eq!(
@@ -320,6 +376,7 @@ mod tests {
             registry: None,
             cache_dir: expected_cache_dir.clone(),
             token: None,
+            http_config: CliClientBuilderConfig::default(),
         };
 
         assert_eq!(
@@ -355,6 +412,7 @@ mod tests {
                 registry: Some(UserRegistry::from(input)),
                 cache_dir: temp.path().join("cache").to_path_buf(),
                 token: None,
+                http_config: CliClientBuilderConfig::default(),
             };
 
             assert_eq!(want, &env.registry_public_url().unwrap().to_string())

diff --git a/lib/wasix/src/bin_factory/binary_package.rs b/lib/wasix/src/bin_factory/binary_package.rs
@@ -250,6 +250,7 @@ mod tests {
     use wasmer_package::utils::from_disk;
 
     use crate::{
+        http::client_builder::ClientBuilderConfig,
         runtime::{package_loader::BuiltinPackageLoader, task_manager::VirtualTaskManager},
         PluggableRuntime,
     };
@@ -291,7 +292,7 @@ mod tests {
         let tasks = task_manager();
         let mut runtime = PluggableRuntime::new(tasks);
         runtime.set_package_loader(
-            BuiltinPackageLoader::new()
+            BuiltinPackageLoader::new(ClientBuilderConfig::default())
                 .with_shared_http_client(runtime.http_client().unwrap().clone()),
         );
 
@@ -350,7 +351,7 @@ mod tests {
         let tasks = task_manager();
         let mut runtime = PluggableRuntime::new(tasks);
         runtime.set_package_loader(
-            BuiltinPackageLoader::new()
+            BuiltinPackageLoader::new(ClientBuilderConfig::default())
                 .with_shared_http_client(runtime.http_client().unwrap().clone()),
         );
 

diff --git a/lib/wasix/src/http/client_builder.rs b/lib/wasix/src/http/client_builder.rs
@@ -0,0 +1,47 @@
+use anyhow::{Context, Result};
+use reqwest::{Certificate, ClientBuilder, Proxy};
+use std::fs;
+use std::path::PathBuf;
+use std::time::Duration;
+
+#[derive(Debug, Clone)]
+pub struct ClientBuilderConfig {
+    pub proxy: Option<Proxy>,
+    pub ca_file: Option<PathBuf>,
+    pub unsafe_disable_ssl_verify: bool,
+}
+
+impl Default for ClientBuilderConfig {
+    fn default() -> Self {
+        ClientBuilderConfig {
+            proxy: None,
+            ca_file: None,
+            unsafe_disable_ssl_verify: false,
+        }
+    }
+}
+
+pub fn create_client_builder(config: ClientBuilderConfig) -> Result<ClientBuilder> {
+    let mut builder = ClientBuilder::new()
+        .connect_timeout(Duration::from_secs(10))
+        .timeout(Duration::from_secs(90));
+
+    if let Some(proxy) = config.proxy {
+        builder = builder.proxy(proxy);
+    }
+
+    if let Some(ca_file) = config.ca_file {
+        let ca_file_borrow = ca_file.clone();
+        let ca_cert = fs::read_to_string(ca_file)
+            .with_context(|| format!("Failed to read CA certificate from {ca_file_borrow:?}"))?;
+        let ca_cert =
+            Certificate::from_pem(ca_cert.as_bytes()).context("Failed to parse CA certificate")?;
+        builder = builder.add_root_certificate(ca_cert);
+    }
+
+    if config.unsafe_disable_ssl_verify {
+        builder = builder.danger_accept_invalid_certs(true);
+    }
+
+    Ok(builder)
+}
diff --git a/lib/wasix/src/http/mod.rs b/lib/wasix/src/http/mod.rs
@@ -3,6 +3,9 @@ mod client;
 #[cfg(feature = "host-reqwest")]
 pub mod reqwest;
 
+#[cfg(feature = "host-reqwest")]
+pub mod client_builder;
+
 #[cfg(feature = "js")]
 mod web_http_client;
 
@@ -14,10 +17,12 @@ pub use self::client::*;
 pub(crate) const USER_AGENT: &str = concat!(env!("CARGO_PKG_NAME"), "-", env!("CARGO_PKG_VERSION"));
 
 /// Try to instantiate a HTTP client that is suitable for the current platform.
-pub fn default_http_client() -> Option<impl HttpClient + Send + Sync + 'static> {
+pub fn http_client(
+    http_config: &client_builder::ClientBuilderConfig,
+) -> Option<impl HttpClient + Send + Sync + 'static> {
     cfg_if::cfg_if! {
         if #[cfg(feature = "host-reqwest")] {
-            Some(self::reqwest::ReqwestHttpClient::default())
+            Some(self::reqwest::ReqwestHttpClient::new(http_config))
         } else if #[cfg(feature = "js")] {
             Some(web_http_client::WebHttpClient::default())
         } else {