vercel / turborepo

Build system optimized for JavaScript and TypeScript, written in Rust
https://turbo.build/repo/docs
MIT License

Allow insecure certs for remote caching #674

Closed jaredpalmer closed 2 years ago

jaredpalmer commented 2 years ago

Describe the feature you'd like to request

Allow unverified requests for the remote cache

The Node.js equivalent is something like:

const https = require('https');
const options = {
    agent: new https.Agent({
        rejectUnauthorized: false, // disables TLS certificate verification
    }),
};

Describe the solution you'd like

Add a flag, config option, or env var that modifies the TLS config of the API client.

So something like:

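// sketch
import (
    "crypto/tls"
    "net/http"
)

type APIClient struct {
    client *http.Client
}

func NewAPIClient(insecure bool) *APIClient {
    c := &APIClient{}

    tr := &http.Transport{
        // When insecure is true, the server's certificate chain and hostname are not verified.
        TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure}, // <--- Problem
    }
    c.client = &http.Client{Transport: tr}
    return c
}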

But in here:

https://github.com/vercel/turborepo/blob/main/cli/internal/client/client.go#L36

Note: InsecureSkipVerify controls whether a client verifies the server’s certificate chain and hostname. If InsecureSkipVerify is true, crypto/tls accepts any certificate presented by the server and any hostname in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used.

See: https://github.com/hashicorp/go-retryablehttp/blob/master/client.go which uses https://github.com/hashicorp/go-cleanhttp

Describe alternatives you've considered

N/A

weyert commented 2 years ago

May I ask why? As these days it’s pretty easy to get a valid certificate, like with Let’s Encrypt.

sharvilak11 commented 1 year ago

@jaredpalmer @weyert Has this been added to the latest versions? We aren't supposed to use Let's Encrypt at our org, so we always use it with self-signed certs, and this is a roadblock for us while integrating on a self-hosted remote cache.
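
For the self-signed case raised in this thread, an added example (not turborepo's code and not written by any commenter) of the "custom verification" alternative to `InsecureSkipVerify`: the client trusts only a supplied CA or self-signed certificate, so chain and hostname checks stay on. `NewPinnedClient`, `canFetch` and `Demo` are hypothetical names, and the `httptest` server is a constructed stand-in for a self-hosted remote cache.

```go
// Added example; NewPinnedClient, canFetch and Demo are hypothetical names.
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewPinnedClient verifies servers against only the CA certificates in caPEM
// (for example the self-signed certificate of a private cache server).
func NewPinnedClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificates found in CA bundle")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// canFetch reports whether the TLS handshake and request succeed.
func canFetch(c *http.Client, url string) bool {
	resp, err := c.Get(url)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return true
}

// Demo runs a local TLS server with a self-signed certificate (constructed
// fixture) and tries it with default roots and with the pinned certificate.
func Demo() (defaultOK, pinnedOK bool, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pinned, err := NewPinnedClient(caPEM)
	if err != nil {
		return false, false, err
	}
	plain := &http.Client{Transport: &http.Transport{}}
	return canFetch(plain, srv.URL), canFetch(pinned, srv.URL), nil
}

func main() { fmt.Println(Demo()) }
```

The default-roots client is rejected with an unknown-authority error, while the pinned client connects with verification still enforced.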