Hi,
I am using proxy plugin and vodafone.com is giving 502 Bad Gateway error. If I run the following command from my Caddy proxy machine:
curl -ILX GET https://www.vodafone.com
as suggested in this post, I got the following response: curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none More details here: http://curl.haxx.se/docs/sslcerts.html ...
If I add insecure_skip_verify to the proxy, it can serve vodafone.com. Will this approach sacrifice security for other HTTPS sites that will be served by my proxy? Is there any other way to fix the issue?
You can use insecure_skip_verify, and it won’t affect other proxies than the one you specify it on… But checking that site myself allows me to connect over HTTPS as they’re presenting a valid certificate.
Are you being MITM’d? Or maybe your CA certs aren’t in order?
Ahh, looking further at it… my Debian server with curl 7.52.1 (x86_64-pc-linux-gnu) doesn’t like it (curl: (60) SSL certificate problem: unable to get local issuer certificate) but my Macbook with curl 7.54.0 (x86_64-apple-darwin18.0) doesn’t mind the error.
It appears to be a certificate chain problem. Their server isn’t sending the intermediate DigiCert SHA2 Secure Server CA cert. It’s a misconfiguration on their end (along with a whole host of other serious issues SSL Server Test: www.vodafone.com (Powered by Qualys SSL Labs))
Previous advice stands; you can use insecure_skip_verify - it’ll naturally reduce security, but it won’t compromise other proxies.
My same proxy serves other HTTPS sites as well. Does the insecure_skip_verify parameter work per request basis? Other HTTPS sites over time can have certificate issues as well and vodafone might solve their certificate issue. Is there any generic solution I can use e.g. check if there are certificate issues, if it has certificate issue then serve with insecure_skip_verify as true, otherwise serve the usual way?
I am just wondering how browser can serve vodafone.com with this certificate issues?
I doubt this is the behaviour you want. To have a proxy serving multiple different sites upstream… well, it’d be a crapshoot when you browsed to your own URL which site you’d get in response!
Maybe you mean that your server has multiple reverse proxies?
This parameter, when specified in a proxy directive, will result in Caddy not verifying the HTTPS certificate supplied by any upstream server for that proxy directive.
If you have multiple proxy directives, in multiple sites, adding this to one proxy will not affect other instances of proxy.
What you’re asking for here is: “verify it if it can be verified, otherwise don’t verify it”.
This kind of check is absolutely pointless - just don’t bother verifying it if you’re going to ignore all verification problems.
