
reverseproxy: add tls_server_cert_sha256

Open akovalenko opened this issue 1 year ago • 1 comment

Unfortunately there are some production setups requiring tls_insecure_skip_verify in reverse_proxy, like old devices with outdated firmware. In many such cases, the devices aren't supposed to regenerate or update their certificates.

This patch adds tls_server_cert_sha256 directive for reverse_proxy, making MITM impossible even with tls_insecure_skip_verify.

akovalenko avatar May 20 '24 16:05 akovalenko


I have a similar use case where I reverse-proxy to a Podman container with a self-signed certificate that has a very long lifetime.
To avoid using tls_insecure_skip_verify, I use the tls_trust_pool file /path/to/localhost_127_0_0_1.pem directive instead, which also prevents MITM by leveraging existing functionality.
You can find more details here: https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#tls_trust_pool

steffenbusch avatar Nov 05 '24 08:11 steffenbusch
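The two approaches discussed above, the SHA-256 certificate pin proposed in the issue and the `tls_trust_pool file` alternative, side by side as an added Go example. This is not part of the issue, the patch or Caddy's source; it uses only the standard-library `crypto/tls` fields that the Caddyfile options correspond to (`InsecureSkipVerify` for `tls_insecure_skip_verify`, `RootCAs` for a trust pool, and `VerifyPeerCertificate` for a pin check). The function names, the generated 20-year "device" certificate and the impostor server are constructed for the demonstration and are not Caddy identifiers. Each client configuration is tried against the real device and against an impostor presenting a different self-signed certificate for the same address:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T { // panics on error; used only for the constructed fixtures below
	if err != nil {
		panic(err)
	}
	return v
}

// newDeviceCert builds a 20-year self-signed certificate for 127.0.0.1: a constructed stand-in for the thread's "old device".
func newDeviceCert() (tls.Certificate, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(20 * 365 * 24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der))
}

// pinnedConfig is the client-side mechanism the proposed tls_server_cert_sha256 directive describes: chain and hostname
// checks are off (InsecureSkipVerify, as for tls_insecure_skip_verify) and the only check left is a constant-time pin compare.
func pinnedConfig(pin []byte) (*tls.Config, error) {
	if len(pin) != sha256.Size {
		return nil, fmt.Errorf("pin must be %d bytes, got %d", sha256.Size, len(pin))
	}
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			sum := sha256.Sum256(rawCerts[0]) // leaf certificate in DER; Go rejects an empty list before calling this
			if subtle.ConstantTimeCompare(sum[:], pin) != 1 {
				return fmt.Errorf("server certificate sha256 %x does not match pin %x", sum, pin)
			}
			return nil
		},
	}, nil
}

// trustPoolConfig is the mechanism behind `tls_trust_pool file <pem>`: the device cert is the sole root, normal verification stays on.
func trustPoolConfig(trusted *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool}
}

// serve starts an HTTPS listener on a random loopback port presenting cert and returns its host:port.
func serve(cert tls.Certificate) string {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	return srv.Listener.Addr().String()
}

// handshakeOK reports whether a client using cfg completes a TLS handshake with addr.
func handshakeOK(addr string, cfg *tls.Config) bool {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err == nil
}

// runScenario starts the "device" and an impostor with a different self-signed cert for the same IP; every entry should be true.
func runScenario() map[string]bool {
	devCert, devLeaf := newDeviceCert()
	mitmCert, _ := newDeviceCert()
	dev, mitm := serve(devCert), serve(mitmCert)
	sum := sha256.Sum256(devLeaf.Raw) // the value an operator would record as the pin
	pinned := must(pinnedConfig(sum[:]))
	pool := trustPoolConfig(devLeaf)
	skip := &tls.Config{InsecureSkipVerify: true} // tls_insecure_skip_verify on its own: no check at all
	return map[string]bool{
		"pin accepts device":           handshakeOK(dev, pinned),
		"pin rejects impostor":         !handshakeOK(mitm, pinned),
		"trust pool accepts device":    handshakeOK(dev, pool),
		"trust pool rejects impostor":  !handshakeOK(mitm, pool),
		"skip_verify accepts impostor": handshakeOK(mitm, skip),
	}
}

func main() { fmt.Println(runScenario()) }
```

`go run .` prints the five results, all `true`. The operational difference between the two client configurations is the one behind the maintainer's reservation about pinning: the pin binds the proxy to one exact certificate, so any re-issue of the device certificate, even from the same key, fails the handshake until the pin is updated by hand, while a trust pool can hold a device CA rather than the leaf, so a rotated leaf signed by that CA keeps verifying with no proxy change. Note also that with `InsecureSkipVerify` set the hostname is no longer checked; the pin is the only thing identifying the server, which is why a wrong-length pin is rejected at configuration time rather than silently failing every connection.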

@steffenbusch That's probably the preferred thing to do. @akovalenko does that work for you?

mholt avatar Nov 14 '24 22:11 mholt

I've been thinking on this and sitting on this and I don't love that it pins specific keys (which is discouraged), and it sounds like there are other mechanisms that work for people... @akovalenko I might close this, respectfully; but feel free to continue discussion and we can reopen this if necessary.

mholt avatar Mar 21 '25 17:03 mholt