wallarm/api-firewall

Bypass Upstream Certificate Checking

swarmee opened this issue · 4 comments

Is there a configuration parameter to bypass the certificate validity checking for upstream / proxied APIs?

This is the error I am getting:

	{"level":"error","msg":"#0000000100000001 : error while proxying request: x509: certificate is valid for abc.xyz.net not abc","time":"2021-11-17T10:44:07Z"}

This would be helpful for self-signed certificates and networks that are not directly internet accessible.

Hello swarmee,

Unfortunately, there is no such option right now. We will add this functionality to the next release - v0.6.6.

Thanks.

Wow thanks for your quick response. I'll look forward to the next releases.
Thanks again.

Sorry if it's documented somewhere and I missed it - can you let me know the parameter to pass to skip upstream TLS certificate validation (for when I am using self-signed certificates internally)?

I just saw this in the code -->

	InsecureConnection bool          `conf:"default:false"`

So I guess that means the parameter is

APIFW_INSECURE_CONNECTION: "True"

There are several options here:

  • Set the APIFW_SERVER_INSECURE_CONNECTION parameter value to "true".
  • Set the path to your root CA via the APIFW_SERVER_ROOT_CA parameter.

Full documentation is available here.
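
Added example (not part of the thread and not API-Firewall's own code): Go's crypto/x509 reports an untrusted issuer and a name mismatch as separate failures, and the error quoted in the issue is the name kind. The sketch below verifies a constructed self-signed certificate for abc.xyz.net and shows that trusting it as a root clears only the issuer failure; `selfSigned` and `classify` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a constructed self-signed certificate valid for one DNS name.
func selfSigned(dnsName string) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed seed: throwaway demo key only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify verifies cert for host against an explicit root pool and names the failure class.
func classify(cert *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &x509.HostnameError{}):
		return "hostname mismatch"
	case errors.As(err, &x509.UnknownAuthorityError{}):
		return "unknown authority"
	}
	return "other: " + err.Error()
}

func main() {
	cert, err := selfSigned("abc.xyz.net")
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(cert)
	fmt.Println("issuer untrusted, name matches:", classify(cert, x509.NewCertPool(), "abc.xyz.net"))
	fmt.Println("issuer trusted, name is abc:", classify(cert, trusted, "abc"))
}
```

A name mismatch is resolved by addressing the upstream with a name the certificate lists or by reissuing the certificate with the name in use; disabling verification removes both the issuer and the name check.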