caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

reverseproxy: feature request: certificate pinning for use with tls_insecure_skip_verify #6330

Open akovalenko opened 4 months ago

akovalenko commented 4 months ago

Unfortunately, there are times when you need tls_insecure_skip_verify in production, like reverse proxying to old, outdated devices with awfully wrong self-signed certificates that might be expired and never updated.

I propose an option for pinning fixed certificates to such endpoints, like PR #6329, which I use in my own setup.

First, we get the SHA256 fingerprint of the certificate: `openssl x509 -in .lnd/tls.cert -noout -fingerprint -sha256`

Then we add a directive alongside tls_insecure_skip_verify: `tls_server_cert_sha256 "07:E9:E5:E8:50:54:26:CE:7D:37:A4:4F:71:15:0B:3A:53:B3:65:A6:9E:B8:D9:20:93:54:94:16:2D:48:23:01"`

Now our security exception doesn't allow an easy MITM attack.
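The pin described in the comment above, shown as an added example in Go's crypto/tls (the library Caddy's reverse proxy builds its upstream connections on). This is illustrative code, not Caddy's own code and not the contents of PR #6329; the names `parseFingerprint`, `opensslFingerprint`, `pinnedTLSConfig`, `selfSignedCert` and `handshake` are this example's own, and the expired self-signed device certificate it pins is generated in-process. It keeps `InsecureSkipVerify` (so chain, hostname and expiry are not checked, exactly as `tls_insecure_skip_verify` does) and adds a `VerifyPeerCertificate` callback that hashes the leaf's DER, which is the same bytes `openssl x509 -fingerprint -sha256` hashes, and rejects anything but the pinned value. A second certificate with the same name but a different key is refused, which is what closes the MITM hole.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// parseFingerprint accepts the colon-separated upper-case string printed by
// "openssl x509 -noout -fingerprint -sha256" (with or without the
// "sha256 Fingerprint=" prefix) or bare hex, and rejects anything that is not
// exactly 32 bytes so a truncated pin cannot be silently accepted.
func parseFingerprint(s string) ([sha256.Size]byte, error) {
	var pin [sha256.Size]byte
	if i := strings.LastIndex(s, "="); i >= 0 {
		s = s[i+1:]
	}
	raw, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(s), ":", ""))
	if err != nil {
		return pin, fmt.Errorf("pin: not hex: %w", err)
	}
	if len(raw) != sha256.Size {
		return pin, fmt.Errorf("pin: got %d bytes, want %d", len(raw), sha256.Size)
	}
	copy(pin[:], raw)
	return pin, nil
}

// opensslFingerprint renders a DER certificate the way openssl prints it, so
// the same string can be pasted into a directive like tls_server_cert_sha256.
func opensslFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// pinnedTLSConfig skips chain, hostname and expiry validation but refuses any
// leaf certificate whose SHA-256 is not the pinned value. Go still invokes
// VerifyPeerCertificate when InsecureSkipVerify is set (verifiedChains is nil).
func pinnedTLSConfig(pin [sha256.Size]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("pin: server presented no certificate")
			}
			got := sha256.Sum256(rawCerts[0]) // rawCerts[0] is the leaf in DER
			if got != pin {
				return fmt.Errorf("pin: leaf SHA-256 %x does not match pinned %x", got, pin)
			}
			return nil
		},
	}
}

// selfSignedCert builds a throwaway device-style certificate: self-signed and
// already expired when notAfter is in the past. Constructed for this example.
func selfSignedCert(cn string, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// handshake runs a real TLS handshake in memory over net.Pipe and returns the
// client's verdict. Session tickets are disabled on the server so its whole
// flight is consumed during the client handshake (net.Pipe is unbuffered).
func handshake(serverCert tls.Certificate, client *tls.Config) error {
	srvConn, cliConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	srvConn.SetDeadline(deadline)
	cliConn.SetDeadline(deadline)
	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		SessionTicketsDisabled: true,
	})
	done := make(chan struct{})
	go func() {
		srv.Handshake() // errors when the client rejects the pin; that is expected
		srvConn.Close()
		close(done)
	}()
	err := tls.Client(cliConn, client).Handshake()
	<-done
	cliConn.Close()
	return err
}

func main() {
	device, _ := selfSignedCert("router.local", time.Now().Add(-48*time.Hour)) // expired
	fp := opensslFingerprint(device.Certificate[0])
	fmt.Println("tls_server_cert_sha256", fp)
	pin, _ := parseFingerprint(fp)
	fmt.Println("pinned device:", handshake(device, pinnedTLSConfig(pin)))
	impostor, _ := selfSignedCert("router.local", time.Now().Add(24*time.Hour))
	fmt.Println("impostor, same name:", handshake(impostor, pinnedTLSConfig(pin)))
}
```

Two caveats for anyone adopting this pattern: the pin is on the leaf certificate bytes, so replacing the device's certificate (even with the same key) means updating the directive, which is acceptable precisely because such devices never rotate; and the pin does not restore hostname checking, it only guarantees that whatever answers at that upstream holds the key of the certificate you fingerprinted.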

mholt commented 4 months ago

Thanks for the issue (and the PR) -- I'll look into this after the 2.8 release!