Monviech / os-caddy-plugin

Caddy Plugin with GUI for OPNsense

Add support to skip self generated certs in the Handlers #68

Closed mirchiseth closed 8 months ago

mirchiseth commented 8 months ago

Some apps use a self-signed certificate by default. This naturally means the scheme is https. In such a case, when using a reverse proxy which validates certificates, we need to disable this check for those apps. This is done by specifying tls_insecure_skip_verify in the handle section. I was able to get it working by manually modifying the Caddyfile. But that is a kludge when using the plugin.

```caddyfile
handle {
    reverse_proxy 10.10.10.2:8443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}
```

Monviech commented 8 months ago

Hey there :)

For that, there is the trusted CA cert option. Just save the self-signed certificate (for example with your browser), and then import it to System - Trust - Authorities. Then you can select it in the handle.

That way you will have an actually secure TLS connection to your backend. The tls_insecure_skip_verify isn't offered by choice because the Caddy documentation states not to use it.

EDIT: If that gives you any trouble, please share the caddy log why the connection failed.

EDIT2: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#examples

> Instead you may establish trust with the upstream by explicitly trusting the upstream's certificate, and (optionally) setting TLS-SNI to match the hostname in the upstream's certificate:

```caddyfile
reverse_proxy 10.0.0.1:443 {
    transport http {
        tls_trusted_ca_certs /path/to/cert.pem
        tls_server_name app.example.com
    }
}
```

I think I'm missing the tls_server_name option. Right now the certificate would only match the name if the Backend Domain would be specified as the same name. So for example if there is a service called "internal.example.com", the DNS Server would have to resolve that to the internal IP of the Backend Server (10.10.10.2). And the self signed certificate would need to have the name "internal.example.com".

So to make it easier I would add tls_server_name additionally to be in line with the Caddy expectations of a secure connection.

Monviech commented 8 months ago

I have found out the edge case where you need tls_insecure_skip_verify.

A self signed certificate that doesn't have a CN (Common Name) or a SAN (Subject Alternative Name).

Reverse proxying to such a target with TLS, tls_trusted_ca_certs and tls_server_name is impossible. Caddy will issue an error log entry `tls: failed to verify certificate: x509: certificate signed by unknown authority`, logger: `"http.log.error"`.

One could argue that all applications should get a proper self-signed certificate with a SAN extension that specifies their DNS name. Using a certificate without a name makes the TLS connection intrinsically unsafe and vulnerable to MITM attacks.
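The trust model described in the two comments above (pin the backend's self-signed certificate as the only trust anchor, set tls_server_name to a name in its SAN, and the SAN-less edge case that cannot verify) exercised directly against Go's crypto/x509, the library underneath Caddy's TLS client. This is an added example, not code from the plugin or from Caddy; the certificates are generated in-process, and the names `internal.example.com` and `10.10.10.2` are taken from the thread. It also goes one step beyond the text: a certificate whose SAN is the backend's IP address verifies when the name checked is that IP, which is what Go's HTTP transport uses as server name when an upstream is dialed by IP and no server name is configured.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server certificate the way a backend app
// might on first start. dnsNames and ips become the SAN extension; passing
// both empty yields a certificate with no SAN at all (the edge case above).
func selfSigned(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyUpstream mirrors what the proxy's TLS client does with
// tls_trusted_ca_certs (the roots pool) and tls_server_name (DNSName):
// the pinned certificate is the only trust anchor, and serverName must
// appear in the SAN of the certificate the upstream actually presents.
func verifyUpstream(pinned, presented *x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(pinned)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:   roots,
		DNSName: serverName,
	})
	return err
}

// isHostnameError reports whether verification failed on the name check
// rather than on the chain, which is what a SAN-less certificate produces.
func isHostnameError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	good, _ := selfSigned("internal.example.com", []string{"internal.example.com"}, nil)
	byIP, _ := selfSigned("", nil, []net.IP{net.ParseIP("10.10.10.2")})
	nameless, _ := selfSigned("backend", nil, nil)
	// Impostor: same name, different key, not pinned (a MITM presenting its own cert).
	impostor, _ := selfSigned("internal.example.com", []string{"internal.example.com"}, nil)

	fmt.Println("DNS SAN, pinned, name matches:   ", verifyUpstream(good, good, "internal.example.com"))
	fmt.Println("DNS SAN, pinned, wrong name:     ", verifyUpstream(good, good, "other.example.com"))
	fmt.Println("IP SAN, pinned, dialed by IP:    ", verifyUpstream(byIP, byIP, "10.10.10.2"))
	fmt.Println("no SAN, pinned, CN only:         ", verifyUpstream(nameless, nameless, "backend"))
	fmt.Println("impostor cert against pinned one:", verifyUpstream(good, impostor, "internal.example.com"))
}
```

The SAN-less case fails at the hostname check even though the certificate itself is the trust anchor, so no combination of tls_trusted_ca_certs and tls_server_name can make it verify; the impostor case is the attack that pinning defends against and that tls_insecure_skip_verify would wave through.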

Monviech commented 8 months ago

I have added a How To for reverse proxying the OPNsense GUI with the Caddy Plugin, using the self-signed Certificate of the OPNsense. Everybody who uses Caddy on the OPNsense should be able to reproduce this with the new Patch-1.3.4.

https://github.com/Monviech/os-caddy-plugin/tree/main#how-to-create-a-handle-with-tls-and-a-trusted-self-signed-certificate

mirchiseth commented 8 months ago

Thanks for the detailed replies and the howto. I will try them. Keep up the good work.