
reverseproxy: feature request: certificate pinning for use with tls_insecure_skip_verify

Open akovalenko opened this issue 1 year ago • 1 comments

Unfortunately there are times where you need tls_insecure_skip_verify in production, like reverse proxying to old, outdated devices, with awfully wrong self-signed certificates that might be expired and never updated.

I propose an option for pinning fixed certificates to such endpoints, like PR #6329, which I use in my own setup.

First, we get SHA256 fingerprint of the certificate: openssl x509 -in .lnd/tls.cert -noout -fingerprint -sha256

Then we add a directive alongside tls_insecure_skip_verify: tls_server_cert_sha256 "07:E9:E5:E8:50:54:26:CE:7D:37:A4:4F:71:15:0B:3A:53:B3:65:A6:9E:B8:D9:20:93:54:94:16:2D:48:23:01"

Now our security exception doesn't allow an easy MITM attack.

akovalenko, May 20 '24 17:05
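The two steps above (fingerprint the device's certificate, then accept only that certificate while otherwise skipping verification) can be expressed directly with Go's crypto/tls, which is what Caddy's reverse proxy is built on. The following is an added example written for this page; it is not Caddy's code and not the code from PR #6329, and it does not implement the proposed `tls_server_cert_sha256` directive. It generates a constructed, already-expired self-signed certificate standing in for the "old device" case, prints its fingerprint in the same colon-separated form `openssl x509 -fingerprint -sha256` uses, and builds a `tls.Config` in which `InsecureSkipVerify` is set but `VerifyPeerCertificate` still rejects any leaf whose SHA-256 differs from the pin. Function names (`Fingerprint`, `ParseFingerprint`, `PinnedVerifier`, `PinnedTLSConfig`, `NewDeviceCert`) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 of the certificate's DER encoding in the
// colon-separated uppercase form that `openssl x509 -noout -fingerprint -sha256`
// prints, so a pin copied from openssl output can be compared as-is.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// ParseFingerprint accepts the openssl colon form or bare hex, in either case,
// and rejects anything that is not exactly 32 bytes.
func ParseFingerprint(s string) ([32]byte, error) {
	var pin [32]byte
	raw, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(s), ":", ""))
	if err != nil {
		return pin, fmt.Errorf("bad fingerprint: %w", err)
	}
	if len(raw) != len(pin) {
		return pin, fmt.Errorf("bad fingerprint: want %d bytes, got %d", len(pin), len(raw))
	}
	copy(pin[:], raw)
	return pin, nil
}

// PinnedVerifier returns a VerifyPeerCertificate callback that accepts the
// handshake only when the leaf certificate's SHA-256 equals the pin.
// Chain building, expiry and hostname checks are intentionally absent: the use
// case is a broken self-signed cert, so only the certificate's identity is checked.
func PinnedVerifier(pin [32]byte) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin: server presented no certificate")
		}
		got := sha256.Sum256(rawCerts[0]) // rawCerts[0] is the leaf
		if subtle.ConstantTimeCompare(got[:], pin[:]) != 1 {
			return fmt.Errorf("pin mismatch: server presented %s", Fingerprint(rawCerts[0]))
		}
		return nil
	}
}

// PinnedTLSConfig is the client config a reverse proxy transport would use.
// With InsecureSkipVerify set, Go skips its own verification but still calls
// VerifyPeerCertificate (with verifiedChains == nil), which is where the pin lives.
func PinnedTLSConfig(pin [32]byte) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: PinnedVerifier(pin),
	}
}

// NewDeviceCert builds a throwaway self-signed certificate (constructed test
// data, not a real device's cert); expired=true yields one whose NotAfter is
// a year in the past, like the never-updated device cert described above.
func NewDeviceCert(cn string, expired bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notAfter := time.Now().Add(365 * 24 * time.Hour)
	if expired {
		notAfter = time.Now().Add(-365 * 24 * time.Hour)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	device, err := NewDeviceCert("lnd", true)
	if err != nil {
		panic(err)
	}
	fp := Fingerprint(device)
	fmt.Println("pin:", fp)
	pin, _ := ParseFingerprint(fp)
	cfg := PinnedTLSConfig(pin)
	fmt.Println("expired device cert:", cfg.VerifyPeerCertificate([][]byte{device}, nil))
	impostor, _ := NewDeviceCert("lnd", false)
	fmt.Println("impostor cert:", cfg.VerifyPeerCertificate([][]byte{impostor}, nil))
}
```

The pin is over the whole DER certificate, matching what openssl's `-fingerprint` hashes, so the pin must be refreshed if the device ever re-issues its certificate, even with the same key; pinning the SubjectPublicKeyInfo instead would survive re-issuance but no longer corresponds to the openssl one-liner in the issue.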

Thanks for the issue (and the PR) -- I'll look into this after the 2.8 release!

mholt, May 29 '24 18:05