diff --git a/changelog/unreleased/proxy-allow-insecure-upstreams.md b/changelog/unreleased/proxy-allow-insecure-upstreams.md
new file mode 100644
index 000000000..ed098e39d
--- /dev/null
+++ b/changelog/unreleased/proxy-allow-insecure-upstreams.md
@@ -0,0 +1,8 @@
+Change: Proxy allow insecure upstreams
+
+Tags: proxy
+
+We can now configure the proxy if insecure upstream servers are allowed.
+This was added since you need to disable certificate checks fore some situations like testing.
+
+https://github.com/owncloud/ocis/pull/1007
diff --git a/proxy/pkg/config/config.go b/proxy/pkg/config/config.go
index 388d81914..4da46e006 100644
--- a/proxy/pkg/config/config.go
+++ b/proxy/pkg/config/config.go
@@ -106,6 +106,7 @@ type Config struct {
 	PreSignedURL          PreSignedURL
 	AutoprovisionAccounts bool
 	EnableBasicAuth       bool
+	InsecureBackends      bool
 }
 
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
diff --git a/proxy/pkg/flagset/flagset.go b/proxy/pkg/flagset/flagset.go
index 3a1371a40..b8e3fb870 100644
--- a/proxy/pkg/flagset/flagset.go
+++ b/proxy/pkg/flagset/flagset.go
@@ -185,6 +185,13 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"PROXY_REVA_GATEWAY_ADDR"},
 			Destination: &cfg.Reva.Address,
 		},
+		&cli.BoolFlag{
+			Name:        "insecure",
+			Value:       false,
+			Usage:       "allow insecure communication to upstream servers",
+			EnvVars:     []string{"PROXY_INSECURE_BACKENDS"},
+			Destination: &cfg.InsecureBackends,
+		},
 
 		// OIDC
 
diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go
index 54fb95a3b..b4c2e7193 100644
--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -2,11 +2,14 @@ package proxy
 
 import (
 	"context"
+	"crypto/tls"
+	"net"
 	"net/http"
 	"net/http/httputil"
 	"net/url"
 	"regexp"
 	"strings"
+	"time"
 
 	"github.com/owncloud/ocis/proxy/pkg/proxy/policy"
 	"go.opencensus.io/plugin/ochttp/propagation/tracecontext"
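Review bot: The Usage string `allow insecure communication to upstream servers` on the new BoolFlag in flagset.go does not say what the flag actually does — it sets `InsecureSkipVerify` on the proxy's upstream TLS config, i.e. certificate verification is switched off for every backend connection — so an operator reading `--help` cannot judge what they are disabling. Suggest `Usage: "disable TLS certificate verification for upstream servers (intended for testing)"`, plus a matching doc comment on the new field in config.go, `// InsecureBackends disables TLS certificate verification for connections to upstream servers.` The flag name `insecure` is also broader than its env var PROXY_INSECURE_BACKENDS implies; `insecure-backends` would keep the two aligned, though that is a naming choice. ServerWithConfig starts and ends outside the hunk.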
@@ -37,6 +40,24 @@ func NewMultiHostReverseProxy(opts ...Option) *MultiHostReverseProxy {
 	}
 	rp.Director = rp.directorSelectionDirector
 
+	// equals http.DefaultTransport except TLSClientConfig
+	rp.Transport = &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		ForceAttemptHTTP2:     true,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: options.Config.InsecureBackends,
+		},
+	}
+
 	if options.Config.Policies == nil {
 		rp.logger.Info().Str("source", "runtime").Msg("Policies")
 		options.Config.Policies = defaultPolicies()
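Review bot: Setting `InsecureSkipVerify: options.Config.InsecureBackends` disables upstream certificate verification without leaving any trace in the logs, so a deployment started with the flag set is indistinguishable at runtime from one that verifies its backends. Since the function already logs through rp.logger a few lines below, emit a warning next to the transport setup, e.g. `if options.Config.InsecureBackends { rp.logger.Warn().Msg("TLS certificate verification for upstream servers is disabled (PROXY_INSECURE_BACKENDS)") }` — assuming the logger exposes a Warn level alongside the Info call used for policies. The `// equals http.DefaultTransport except TLSClientConfig` comment would be more useful if it also named the flag that drives the setting. `DualStack: true` on net.Dialer is deprecated and already the default behaviour, so it can be dropped. NewMultiHostReverseProxy starts and ends outside the hunk.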