allow admin to add PDS that are ssl or not

[brianolson]

BGS and Slurper allow mixed SSL or not upstreams
-crawl-ssl-policy|RELAY_CRAWL_NONSSL = any|require|none|prod
/admin/pds/crawl can add either; public requestCrawl normally SSL only
BGS AllowPDSProxies for nested relay setups
-allow-pds-proxy|RELAY_ALLOW_PDS_PROXY = true

[ericvolp12]

Would be neat if we preconfigured the allowed hosts here via env var or something to avoid having the relay connected to itself or weird cases like that.

[bnewbold]

Ok with this for now to get things unblocked, but would love to un-jank all this more in the future, including all the wss:// vs https:// wrangling throuhgout the codebase.

Maybe storing hostnames separately?

Also a bit worried if it becomes possible to consume from the same host both with SSL and without.

[brianolson]

major tweak: 'allow relay' is now a per-source admin action. No more global flag.

snuck this bit of data in next to the rate-limit admin stuff
'rate limit' admin stuff could grow to 'configure PDS/source', or could keep it broken up into API endpoint per function (block, crawl, ratelimit, allow-relay, etc)

also the dashboard now uses the admin version of requestCrawl instead of the public xrpc version

[ericvolp12]

What are the implications here of skipping the createExternalUser bit? Do we end up not creating a row for users that are being echoed by a Relay?

[brianolson]

yeah

[brianolson]

this is a little weird, as it turns out that narelay does keep a little bit of per-user state so that it can emit a warning if there's a discontinuity in a user's feed ( See #915 )

[ericvolp12]

I think we'd still probably want to keep track of the users being proxied by a Relay so we can ban them and/or change their upstream status and/or count them right?

[brianolson]

mehhhh, ok, this needs some more consideration, there's some useful stuff inside .createExternalUser() and I can't just throw out the path of code that was under "user from weird place, wat"