diff --git a/proxy/proxy.go b/proxy/proxy.go
index e21f253adb..49ee925c25 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -5,6 +5,7 @@ package proxy

 import (
 "context"
+ "crypto/tls"
 "io"
 "net/http"
 "net/http/httputil"
@@ -74,7 +75,9 @@ func (d *Proxy) RoundTrip(r *http.Request) (*http.Response, error) {
 Header: rw.header,
 }, nil
 } else if err == nil {
- res, err := http.DefaultTransport.RoundTrip(r)
+ tr := http.DefaultTransport.(*http.Transport).Clone()
+ tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: rl.Upstream.InsecureSkipVerify}
+ res, err := tr.RoundTrip(r)
 if err != nil {
 d.r.Logger().
 WithError(errors.WithStack(err)).
diff --git a/rule/rule.go b/rule/rule.go
index 6a4b851e66..d909df2118 100644
--- a/rule/rule.go
+++ b/rule/rule.go
@@ -130,6 +130,9 @@ type Rule struct {
 }

 type Upstream struct {
+ // InsecureSkipVerify, if true, skips TLS verification when forwarding the request to the upstream URL.
+ InsecureSkipVerify bool `json:"insecure_skip_verify"`
+
 // PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
 // hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
 PreserveHost bool `json:"preserve_host"`
diff --git a/rule/rule_migrator_test.go b/rule/rule_migrator_test.go
index 50c82e1c5e..01176eea4c 100644
--- a/rule/rule_migrator_test.go
+++ b/rule/rule_migrator_test.go
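Review bot: The added lines in `RoundTrip` clone `http.DefaultTransport` on every call, so each proxied request gets its own connection pool: no keep-alive reuse toward the upstream, a fresh TLS handshake per request, and idle connections left on transports that nothing closes. The unchecked assertion `http.DefaultTransport.(*http.Transport)` also panics if anything in the process has replaced the default transport with a wrapper, and it now runs even for rules that leave verification on. Building the non-verifying transport once and choosing per rule, as sketched below (it needs `sync` in the import block), keeps the verified path on the shared default transport. Because `InsecureSkipVerify` turns off both chain and host-name checks, whatever the proxy forwards upstream is readable and modifiable by anyone on that network path, so a warning log when a rule sets it would help operators. RoundTrip's body starts and ends outside the hunk.

```go
// Built once so upstream connections are pooled and reused across requests.
var (
	insecureOnce      sync.Once
	insecureTransport http.RoundTripper
)

// upstreamTransport picks the transport for a rule's upstream; certificate and
// host-name verification are skipped only when the rule asks for it.
func upstreamTransport(skipVerify bool) http.RoundTripper {
	if !skipVerify {
		return http.DefaultTransport
	}
	insecureOnce.Do(func() {
		tr := &http.Transport{Proxy: http.ProxyFromEnvironment}
		// Checked assertion: DefaultTransport may have been replaced by a wrapper.
		if base, ok := http.DefaultTransport.(*http.Transport); ok {
			tr = base.Clone()
		}
		if tr.TLSClientConfig == nil {
			tr.TLSClientConfig = &tls.Config{}
		}
		tr.TLSClientConfig.InsecureSkipVerify = true
		insecureTransport = tr
	})
	return insecureTransport
}

// … unchanged: RoundTrip up to the err == nil branch …
		} else if err == nil {
			res, err := upstreamTransport(rl.Upstream.InsecureSkipVerify).RoundTrip(r)
// … unchanged: error logging and the rest of RoundTrip …
```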
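Review bot: The comment on the new `InsecureSkipVerify` field of `Upstream` does not say that the flag disables both certificate-chain and host-name checks, nor that verification is the default. The option is set per rule, so presumably anyone who can write rules can downgrade the upstream connection; the field doc should spell out the consequence. I would replace it with `// InsecureSkipVerify, if true, disables certificate chain and host name verification for the upstream TLS connection (default false).` followed by `// Traffic to the upstream can then be intercepted or altered; use only for testing or for self-signed certificates on a trusted network.` The `Upstream` struct continues past the end of the hunk.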
@@ -26,25 +26,25 @@ func TestRuleMigration(t *testing.T) {
 {
 d: "should work with v0.19.0-beta.1",
 in: `{}`,
- out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"preserve_host":false,"strip_path":"","url":""}}`,
+ out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"insecure_skip_verify":false,"preserve_host":false,"strip_path":"","url":""}}`,
 version: "v0.19.0-beta.1",
 },
 {
 d: "should work with v0.19.0-beta.1+oryOS.12",
 in: `{}`,
- out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"preserve_host":false,"strip_path":"","url":""}}`,
+ out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"insecure_skip_verify":false,"preserve_host":false,"strip_path":"","url":""}}`,
 version: "v0.19.0-beta.1+oryOS.12",
 },
 {
 d: "should work with v0.19.0-beta.1",
 in: `{"version":"v0.19.0-beta.1"}`,
- out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"preserve_host":false,"strip_path":"","url":""}}`,
+ out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"insecure_skip_verify":false,"preserve_host":false,"strip_path":"","url":""}}`,
 version: "v0.19.0-beta.1",
 },
 {
 d: "should work with 0.19.0-beta.1",
 in: `{"version":"0.19.0-beta.1"}`,
- out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"preserve_host":false,"strip_path":"","url":""}}`,
+ out: `{"id":"","version":"v0.19.0-beta.1","description":"","match":null,"errors":null,"authenticators":null,"authorizer":{"handler":"","config":null},"mutators":null,"upstream":{"insecure_skip_verify":false,"preserve_host":false,"strip_path":"","url":""}}`,
 version: "v0.19.0-beta.1+oryOS.12",
 },
 {
@@ -80,7 +80,7 @@ func TestRuleMigration(t *testing.T) {
 }
 }
 ],
- "upstream":{"preserve_host":false,"strip_path":"","url":""}
+ "upstream":{"insecure_skip_verify":false,"preserve_host":false,"strip_path":"","url":""}
 }`,
 version: "v0.33.0-beta.1+oryOS.12",
 },
@@ -112,7 +112,7 @@ func TestRuleMigration(t *testing.T) {
 }
 },
 "mutators": null,
- "upstream":{"preserve_host":false,"strip_path":"","url":""}
+ "upstream":{"insecure_skip_verify":false,"preserve_host":false,"strip_path":"","url":""}
 }`,
 version: "v0.37.0+oryOS.18",
 },