The equivalent tls_insecure_skip_verify in `reverse_proxy`

I use Caddy 2,

This is just a simple question,

What is the equivalent of tls_insecure_skip_verify in v2?

I’m using the reverse_proxy directive, but the backend is by design using a self-signed certificate.
How do I make sure Caddy trusts the self-signed certificate?
I haven’t dug deeper into changing the CA files inside the Caddy container because I think this should be simple to configure.

The reason I used a self-signed cert is because it is to be used with Cloudflare.
Thanks.

HTTPS-only endpoint/backend with self-signed cert:

```
unms.example.com {
    reverse_proxy 172.16.0.3:18443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}
```
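
The original question (how to make Caddy trust the backend's self-signed certificate instead of skipping verification) can also be handled by pinning that certificate in the transport. This is an added example, not part of the original thread: the path `/etc/caddy/backend.pem` and the name `unms.internal` are assumptions, and newer Caddy releases deprecate `tls_trusted_ca_certs` in favor of `tls_trust_pool`.

```caddyfile
unms.example.com {
    reverse_proxy 172.16.0.3:18443 {
        transport http {
            tls
            # Trust only this PEM file when verifying the backend.
            # Assumed path: copy the backend's self-signed cert (or its CA)
            # here, e.g. through a read-only volume mount into the container.
            tls_trusted_ca_certs /etc/caddy/backend.pem
            # The upstream is dialed by IP, so state the name to verify
            # against. Assumed name: it must match a SAN in the backend cert.
            tls_server_name unms.internal
            # tls_insecure_skip_verify is left out on purpose: a backend
            # certificate that does not chain to backend.pem, or does not
            # match the name above, now fails the TLS handshake.
        }
    }
}
```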

Alright, I can get it to work right now. Thanks.

But a couple more questions:

  1. So the way it works with SSL and reverse proxy is that I also need to put the certificate on the Caddy server, right? (Caddyfile below)
  2. And it seems like when using a Docker container in the reverse_proxy directive, the container_name must have the https:// protocol; if not, Caddy sends me a 500 error.
  3. What is read_buffer, and why do I need that value?

```
mydomain.dev {
	tls /cert/mydomain.dev.pem /cert/mydomain.dev.key # <-- question #1

	reverse_proxy {
		to https://backend_container # <-- question #2
		transport http {
			tls
			tls_insecure_skip_verify
			read_buffer 8192 # <-- question #3
		}
	}
}
```

You only need to do that if you’ve got your own certificate you want to use; otherwise, Caddy will manage the cert for you.

Hm, that doesn’t sound right, if you’ve explicitly enabled tls in the transport.

You don’t need it. It has nothing to do with TLS; it just customizes how memory is allocated and managed while proxying. Caddy uses a good default for most things.

Actually, what I want to ask is: why not just forward the response from the backend, because it is already set with the “correct” self-signed certificate?
Maybe this is how a reverse proxy works, I just don’t know, or maybe this is not something that is realistic in the implementation?

Yes, I can confirm that.
Do you need any debug logs?

Ok, this is weird,

After changing to the actual HTML content that I will use,
now it only sends part of the file, or at least that’s what the size of the file is telling me.

If I send a direct request to the backend, it is normal.
What just happened?
LOL :sob:

Ok,
Just to update on this issue,
This morning, I tried to update the Caddy Docker image,
And it works,
Wow. :coffin:
