From 403b3948ec6fd042d97762c9d335cd3db505f2fd Mon Sep 17 00:00:00 2001
From: wei840222 <wei840222@gmail.com>
Date: Thu, 14 Nov 2024 00:35:28 +0800
Subject: [PATCH] feat: rule.upstream support insecure_skip_verify

---
 proxy/proxy.go | 5 ++++-
 rule/rule.go   | 3 +++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/proxy/proxy.go b/proxy/proxy.go
index e21f253adb..49ee925c25 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -5,6 +5,7 @@ package proxy
 
 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"net/http"
 	"net/http/httputil"
@@ -74,7 +75,9 @@ func (d *Proxy) RoundTrip(r *http.Request) (*http.Response, error) {
 			Header:     rw.header,
 		}, nil
 	} else if err == nil {
-		res, err := http.DefaultTransport.RoundTrip(r)
+		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: rl.Upstream.InsecureSkipVerify}
+		res, err := tr.RoundTrip(r)
 		if err != nil {
 			d.r.Logger().
 				WithError(errors.WithStack(err)).
diff --git a/rule/rule.go b/rule/rule.go
index 6a4b851e66..d909df2118 100644
--- a/rule/rule.go
+++ b/rule/rule.go
@@ -130,6 +130,9 @@ type Rule struct {
 }
 
 type Upstream struct {
+	// InsecureSkipVerify, if true, skips TLS verification when forwarding the request to the upstream URL.
+	InsecureSkipVerify bool `json:"insecure_skip_verify"`
+
 	// PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
 	// hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
 	PreserveHost bool `json:"preserve_host"`