andydunstall / piko

An open-source alternative to Ngrok, designed to serve production traffic and be simple to host (particularly on Kubernetes)
MIT License
1.9k stars 55 forks

feat: introduce InsecureSkipVerify to listener config #178

Closed tschwery closed 10 hours ago

tschwery commented 2 days ago

We want to tunnel services, some of which are secured with HTTPS but self-signed certificates, and over which we have limited control. This PR adds an insecure_skip_verify configuration in the listener that would allow the agent to proxy such services.

listeners:
    - endpoint_id: self-signed-api
      addr: https://some-server:8443
      protocol: http
      insecure_skip_verify: true
      timeout: 15s

This configuration name is based on the InsecureSkipVerify configuration of the TLS Transport configuration and reflects the fact that this is insecure and should be a last resort.

I'm open to any comment or other suggestions if I missed another way of dealing with that.

andydunstall commented 10 hours ago

Hi @tschwery, thanks for having a go at this.

I want all TLS configuration to be consistent across Piko, therefore this will be a fairly large change (and require documentation updates etc), so if you don't mind I've opened an issue (https://github.com/andydunstall/piko/issues/185) and I'll aim to complete this by Monday.

I'm keen to avoid 'quick patches' that add InsecureSkipVerify for your use case, but then are hard to maintain and extend long term, so want to make sure all TLS client configuration supports InsecureSkipVerify, and support a tls protocol on the agent.
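An added example, not code from this PR or from Piko: it contrasts a Go TLS client config that sets InsecureSkipVerify with one that trusts only the upstream's self-signed certificate through RootCAs. The helper names (`reachable`, `otherCert`, `demo`) are hypothetical, and two local `httptest` servers stand in for the self-signed upstream and for a different server presenting its own constructed certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// reachable reports whether a GET using cfg gets past TLS verification.
func reachable(cfg *tls.Config, url string) bool {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	if resp, err := c.Get(url); err == nil {
		return resp.Body.Close() == nil
	}
	return false
}

// otherCert builds a constructed self-signed certificate for 127.0.0.1.
func otherCert() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// demo (added example, not Piko code) returns
// {pinned->upstream, pinned->other, skip->upstream, skip->other}.
func demo() [4]bool {
	upstream := httptest.NewTLSServer(http.NotFoundHandler()) // self-signed upstream
	defer upstream.Close()
	other := httptest.NewUnstartedServer(http.NotFoundHandler()) // different certificate
	other.TLS = &tls.Config{Certificates: []tls.Certificate{otherCert()}}
	other.StartTLS()
	defer other.Close()
	pool := x509.NewCertPool()
	pool.AddCert(upstream.Certificate()) // trust exactly the upstream's certificate
	pinned, skip := &tls.Config{RootCAs: pool}, &tls.Config{InsecureSkipVerify: true}
	return [4]bool{reachable(pinned, upstream.URL), reachable(pinned, other.URL),
		reachable(skip, upstream.URL), reachable(skip, other.URL)}
}

func main() { fmt.Println(demo()) }
```

The pinned config reaches the upstream and refuses the other server, while the InsecureSkipVerify config accepts both, which is why it cannot tell the intended upstream from anything else answering on that address.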