Make TLS verification of upstream servers configurable

internal/proxy/oauthproxy.go

@@ -1,6 +1,7 @@
 package proxy
 
 import (
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -122,11 +123,26 @@ func (u *UpstreamProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 // upstreamTransport is used to ensure that upstreams cannot override the
 // security headers applied by sso_proxy
-type upstreamTransport struct{}
+type upstreamTransport struct {
+	InsecureSkipVerify bool
+}
 
 // RoundTrip round trips the request and deletes security headers before returning the response.
 func (t *upstreamTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	resp, err := http.DefaultTransport.RoundTrip(req)
+	transport := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:          100,
+		IdleConnTimeout:       90 * time.Second,
+		TLSHandshakeTimeout:   10 * time.Second,
+		TLSClientConfig:       &tls.Config{InsecureSkipVerify: t.InsecureSkipVerify},
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	resp, err := transport.RoundTrip(req)
 	if err != nil {
 		logger := log.NewLogEntry()
 		logger.Error(err, "error in upstreamTransport RoundTrip")
@@ -140,9 +156,9 @@ func (t *upstreamTransport) RoundTrip(req *http.Request) (*http.Response, error)
 
 // NewReverseProxy creates a reverse proxy to a specified url.
 // It adds an X-Forwarded-Host header that is the request's host.
-func NewReverseProxy(to *url.URL) *httputil.ReverseProxy {
+func NewReverseProxy(to *url.URL, config *UpstreamConfig) *httputil.ReverseProxy {
 	proxy := httputil.NewSingleHostReverseProxy(to)
-	proxy.Transport = &upstreamTransport{}
+	proxy.Transport = &upstreamTransport{InsecureSkipVerify: !config.TLSVerify}
 	director := proxy.Director
 	proxy.Director = func(req *http.Request) {
 		req.Header.Add("X-Forwarded-Host", req.Host)
@@ -155,9 +171,9 @@ func NewReverseProxy(to *url.URL) *httputil.ReverseProxy {
 // NewRewriteReverseProxy creates a reverse proxy that is capable of creating upstream
 // urls on the fly based on a from regex and a templated to field.
 // It adds an X-Forwarded-Host header to the the upstream's request.
-func NewRewriteReverseProxy(route *RewriteRoute) *httputil.ReverseProxy {
+func NewRewriteReverseProxy(route *RewriteRoute, config *UpstreamConfig) *httputil.ReverseProxy {
 	proxy := &httputil.ReverseProxy{}
-	proxy.Transport = &upstreamTransport{}
+	proxy.Transport = &upstreamTransport{InsecureSkipVerify: !config.TLSVerify}
 	proxy.Director = func(req *http.Request) {
 		// we do this to rewrite requests
 		rewritten := route.FromRegex.ReplaceAllString(req.Host, route.ToTemplate.Opaque)
@@ -296,15 +312,15 @@ func NewOAuthProxy(opts *Options, optFuncs ...func(*OAuthProxy) error) (*OAuthPr
 	for _, upstreamConfig := range opts.upstreamConfigs {
 		switch route := upstreamConfig.Route.(type) {
 		case *SimpleRoute:
-			reverseProxy := NewReverseProxy(route.ToURL)
+			reverseProxy := NewReverseProxy(route.ToURL, upstreamConfig)
 			handler, tags := NewReverseProxyHandler(reverseProxy, opts, upstreamConfig)
 			p.Handle(route.FromURL.Host, handler, tags, upstreamConfig)
 		case *RewriteRoute:
-			reverseProxy := NewRewriteReverseProxy(route)
+			reverseProxy := NewRewriteReverseProxy(route, upstreamConfig)
 			handler, tags := NewReverseProxyHandler(reverseProxy, opts, upstreamConfig)
 			p.HandleRegex(route.FromRegex, handler, tags, upstreamConfig)
 		default:
-			return nil, fmt.Errorf("unkown route type")
+			return nil, fmt.Errorf("unknown route type")
 		}
 	}
 

internal/proxy/oauthproxy_test.go

@@ -67,7 +67,7 @@ func TestNewReverseProxy(t *testing.T) {
 	backendHost := net.JoinHostPort(backendHostname, backendPort)
 	proxyURL, _ := url.Parse(backendURL.Scheme + "://" + backendHost + "/")
 
-	proxyHandler := NewReverseProxy(proxyURL)
+	proxyHandler := NewReverseProxy(proxyURL, &UpstreamConfig{TLSVerify: true})
 	frontend := httptest.NewServer(proxyHandler)
 	defer frontend.Close()
 
@@ -99,7 +99,7 @@ func TestNewRewriteReverseProxy(t *testing.T) {
 		},
 	}
 
-	rewriteProxy := NewRewriteReverseProxy(route)
+	rewriteProxy := NewRewriteReverseProxy(route, &UpstreamConfig{TLSVerify: true})
 
 	frontend := httptest.NewServer(rewriteProxy)
 	defer frontend.Close()
@@ -146,7 +146,7 @@ func TestNewReverseProxyHostname(t *testing.T) {
 		t.Fatalf("expected to parse to url: %s", err)
 	}
 
-	reverseProxy := NewReverseProxy(toURL)
+	reverseProxy := NewReverseProxy(toURL, &UpstreamConfig{TLSVerify: true})
 	from := httptest.NewServer(reverseProxy)
 	defer from.Close()
 
@@ -290,7 +290,7 @@ func TestEncodedSlashes(t *testing.T) {
 	defer backend.Close()
 
 	b, _ := url.Parse(backend.URL)
-	proxyHandler := NewReverseProxy(b)
+	proxyHandler := NewReverseProxy(b, &UpstreamConfig{TLSVerify: true})
 	frontend := httptest.NewServer(proxyHandler)
 	defer frontend.Close()
 

internal/proxy/proxy_config.go

@@ -48,6 +48,7 @@ type UpstreamConfig struct {
 
 	SkipAuthCompiledRegex []*regexp.Regexp
 	AllowedGroups         []string
+	TLSVerify             bool
 	HMACAuth              hmacauth.HmacAuth
 	Timeout               time.Duration
 	FlushInterval         time.Duration
@@ -75,6 +76,7 @@ type OptionsConfig struct {
 	HeaderOverrides map[string]string `yaml:"header_overrides"`
 	SkipAuthRegex   []string          `yaml:"skip_auth_regex"`
 	AllowedGroups   []string          `yaml:"allowed_groups"`
+	TLSVerify       bool              `yaml:"tls_verify"`
 	Timeout         time.Duration     `yaml:"timeout"`
 	FlushInterval   time.Duration     `yaml:"flush_interval"`
 }
@@ -358,6 +360,7 @@ func parseOptionsConfig(proxy *UpstreamConfig) error {
 	proxy.Timeout = proxy.RouteConfig.Options.Timeout
 	proxy.FlushInterval = proxy.RouteConfig.Options.FlushInterval
 	proxy.HeaderOverrides = proxy.RouteConfig.Options.HeaderOverrides
+	proxy.TLSVerify = proxy.RouteConfig.Options.TLSVerify
 
 	proxy.RouteConfig.Options = nil