feat: rule.upstream support insecure_skip_verify

ory · Nov 13, 2024 · 403b394 · 403b394
1 parent 98f8a00
commit 403b394
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/proxy/proxy.go b/proxy/proxy.go
@@ -5,6 +5,7 @@ package proxy
 
 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"net/http"
 	"net/http/httputil"
@@ -74,7 +75,9 @@ func (d *Proxy) RoundTrip(r *http.Request) (*http.Response, error) {
 			Header:     rw.header,
 		}, nil
 	} else if err == nil {
-		res, err := http.DefaultTransport.RoundTrip(r)
+		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: rl.Upstream.InsecureSkipVerify}
+		res, err := tr.RoundTrip(r)
 		if err != nil {
 			d.r.Logger().
 				WithError(errors.WithStack(err)).

diff --git a/rule/rule.go b/rule/rule.go
@@ -130,6 +130,9 @@ type Rule struct {
 }
 
 type Upstream struct {
+	// InsecureSkipVerify, if true, skips TLS verification when forwarding the request to the upstream URL.
+	InsecureSkipVerify bool `json:"insecure_skip_verify"`
+
 	// PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
 	// hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
 	PreserveHost bool `json:"preserve_host"`