Merge pull request #1007 from owncloud/proxy_allow_insecure_upstreams

make insecure upstream servers configurable
2025-12-31 01:10:20 -06:00 · 2020-12-04 08:23:16 +01:00
parent 5be1970322 fe2efc3c46
commit f8da4db59f
4 changed files with 37 additions and 0 deletions
--- a/changelog/unreleased/proxy-allow-insecure-upstreams.md
+++ b/changelog/unreleased/proxy-allow-insecure-upstreams.md
@@ -0,0 +1,8 @@
+Change: Proxy allow insecure upstreams
+
+Tags: proxy
+
+We can now configure the proxy if insecure upstream servers are allowed.
+This was added since you need to disable certificate checks fore some situations like testing.
+
+https://github.com/owncloud/ocis/pull/1007
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -106,6 +106,7 @@ type Config struct {
 	PreSignedURL          PreSignedURL
 	AutoprovisionAccounts bool
 	EnableBasicAuth       bool
+	InsecureBackends      bool
 }

 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -185,6 +185,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"PROXY_REVA_GATEWAY_ADDR"},
 			Destination: &cfg.Reva.Address,
 		},
+		&cli.BoolFlag{
+			Name:        "insecure",
+			Value:       false,
+			Usage:       "allow insecure communication to upstream servers",
+			EnvVars:     []string{"PROXY_INSECURE_BACKENDS"},
+			Destination: &cfg.InsecureBackends,
+		},

 		// OIDC

--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -2,11 +2,14 @@ package proxy

 import (
 	"context"
+	"crypto/tls"
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"regexp"
 	"strings"
+	"time"

 	"github.com/owncloud/ocis/proxy/pkg/proxy/policy"
 	"go.opencensus.io/plugin/ochttp/propagation/tracecontext"
@@ -37,6 +40,24 @@ func NewMultiHostReverseProxy(opts ...Option) *MultiHostReverseProxy {
 	}
 	rp.Director = rp.directorSelectionDirector

+	// equals http.DefaultTransport except TLSClientConfig
+	rp.Transport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: options.Config.InsecureBackends,
+		},
+	}
+
 	if options.Config.Policies == nil {
 		rp.logger.Info().Str("source", "runtime").Msg("Policies")
 		options.Config.Policies = defaultPolicies()