Monviech / os-caddy-plugin

Caddy Plugin with GUI for OPNsense

Feature request: Add an option for `tls_insecure_skip_verify` in handler when tls is selected. #116

Closed vlebourl closed 5 months ago

vlebourl commented 5 months ago

Hey,

Great plugin, I love it. I'm in the process of migrating my old Caddy server to OPNsense, and I have a number of services that only expose HTTPS, but for which I didn't bother getting a proper certificate as it's only accessed through the LAN or Caddy. On my current installation, I access it with something like this:

sub.domain.com {
        reverse_proxy {
                to https://192.168.1.XXX
                transport http {
                        tls
                        tls_insecure_skip_verify
                        read_buffer 8192
                }
        }
}

I could not find an option to set this in your GUI, and omitting it leads to

"http.log.error","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 192.168.1.XXX because it doesn't contain any IP SANs"

Am I missing something? I added it by hand after applying all my changes, which works, but will be overwritten on the next apply. I'm aware of the caddy.d/ folder and the possibility to have it in there, but I would rather have it shown in the ui along the other services. Would it be possible to add a tick box option to select this? Cheers,

Monviech commented 5 months ago

Hello, happy you like the plugin.

Regarding your request, please read this in the documentation:

Create a proper handler for tls backends: https://github.com/Monviech/os-caddy-plugin?tab=readme-ov-file#how-to-create-a-handle-with-tls-and-a-trusted-self-signed-certificate

At the end here it's described why this option doesn't exist: https://github.com/Monviech/os-caddy-plugin?tab=readme-ov-file#reverse-proxy---handler

I won't add this option to the GUI, as per the Caddy documentation it should not be used. The only time it's needed is when a certificate only has a CN without a SAN, but that has been deprecated for more than 10 years.

vlebourl commented 5 months ago

my bad :) thanks for the detailed answer!

Monviech commented 5 months ago

Is it working for you with the described way? If not, it's easy to add this option in a little fork. I can point you to the files you have to change if you need it for yourself.

vlebourl commented 5 months ago

Yes, it's working, and obviously a better solution. I need to find a way to automate the process of creating the self-signed certificate with a SAN for each service and importing it into OPNsense now; I have too many services and I'm too lazy to do it by hand one by one. 😅

Monviech commented 5 months ago

Great.

You probably still have to wait with this automation for a bit. The certificate store in OPNsense doesn't have a REST API yet. Though it's being rewritten right now, check in OPNsense Core. It probably comes soon in a future version.

My plugin here uses the modern OPNsense MVC framework. Every action is REST API enabled. Check the end of the README.

vlebourl commented 5 months ago

Nice! Thanks for the tip. Last question: do you know if there is a way of using a single authority with a "one for all" certificate? I have several services at different IPs and others at the same IP but different ports. To my understanding, I have to export each self-signed certificate for each of the services. It would be very convenient to have only one master certificate that can be used as the authority for each of my services. Thanks so much for your help. Cheers

Monviech commented 5 months ago

That's what wildcard certificates are for, but I don't know if they are supported the way you want to connect to backend servers. As far as I know there's no easy way to handle these self-signed certificates; it's always going to be work.

I create an authority in OPNsense, sign server certificates with it, and then roll those out to the backend servers. In the Caddyfile itself I just always specify that one authority, which makes it easier there.
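The workflow the maintainer describes above (one private authority, per-backend server certificates signed by it, and the Caddy handler trusting only that authority) and the "doesn't contain any IP SANs" error from the opening post, as an added example that is not code from this issue or from the os-caddy-plugin project. It assumes a POSIX sh with the openssl CLI; every CA name, service name, IP address and file path below is constructed for the example, and the CA path in the printed Caddy snippet is a placeholder for wherever the imported CA ends up on the firewall. `tls_trusted_ca_certs` is Caddy's own `transport http` option for pinning a CA; the shell functions are mine.

```shell
#!/bin/sh
# Added example, not code from the issue or from os-caddy-plugin.
# Builds a private CA, signs per-backend server certificates whose SAN carries
# the backend's IP and/or DNS name, and prints the Caddy transport block that
# trusts that CA instead of disabling verification.
# Assumes a POSIX sh and the openssl CLI; all names, IPs and paths are constructed.
set -eu

# write_cnf DIR : minimal openssl config so nothing depends on the system openssl.cnf.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR NAME : self-signed CA key and certificate (DIR/NAME.key, DIR/NAME.crt).
make_ca() {
    dir=$1; name=$2
    mkdir -p "$dir"
    write_cnf "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# sign_backend DIR CA SERVICE SANS : server certificate for SERVICE signed by CA.
# SANS is an openssl subjectAltName list, e.g. "IP:192.168.1.50,DNS:app1.internal".
sign_backend() {
    dir=$1; ca=$2; svc=$3; sans=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/openssl.cnf" \
        -subj "/CN=$svc" -keyout "$dir/$svc.key" -out "$dir/$svc.csr" 2>/dev/null
    # Leaf extensions: the SAN entry is what fixes "doesn't contain any IP SANs".
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
        "$sans" > "$dir/$svc.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/$svc.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$svc.ext" -out "$dir/$svc.crt" 2>/dev/null
}

# verify_chain DIR CA SERVICE : exit 0 if SERVICE's certificate chains to CA.
verify_chain() {
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# cert_valid_for_ip DIR CA SERVICE IP : the check a TLS client makes when dialing
# an IP backend: the chain must validate AND the SAN must contain that IP.
cert_valid_for_ip() {
    openssl verify -CAfile "$1/$2.crt" -verify_ip "$4" "$1/$3.crt" >/dev/null 2>&1
}

# caddy_transport_snippet CA_PATH : the handler transport block for the Caddyfile.
caddy_transport_snippet() {
    cat <<EOF
transport http {
    tls
    # trust only the private CA; this replaces tls_insecure_skip_verify
    tls_trusted_ca_certs $1
}
EOF
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" lan-ca
    sign_backend "$d" lan-ca app1 "IP:192.168.1.50,DNS:app1.internal"
    verify_chain "$d" lan-ca app1 && echo "app1: chains to lan-ca"
    cert_valid_for_ip "$d" lan-ca app1 192.168.1.50 && echo "app1: valid for 192.168.1.50"
    caddy_transport_snippet "/path/to/lan-ca.crt"   # placeholder path for the imported CA
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh make-backend-certs.sh run`; call `sign_backend` once per service (same CA, different SAN list), roll each `SERVICE.key`/`SERVICE.crt` out to its backend, and import only `lan-ca.crt` into OPNsense so the handler's `tls_trusted_ca_certs` points at a single file. A certificate signed with a DNS-only SAN still chains to the CA but fails `cert_valid_for_ip`, which is exactly the mismatch behind the error in the opening post.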