diff --git a/proxy/proxy.go b/proxy/proxy.go
index e21f253adb..49ee925c25 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -5,6 +5,7 @@ package proxy
 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"net/http"
 	"net/http/httputil"
@@ -74,7 +75,9 @@ func (d *Proxy) RoundTrip(r *http.Request) (*http.Response, error) {
 			Header: rw.header,
 		}, nil
 	} else if err == nil {
-		res, err := http.DefaultTransport.RoundTrip(r)
+		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: rl.Upstream.InsecureSkipVerify}
+		res, err := tr.RoundTrip(r)
 		if err != nil {
 			d.r.Logger().
 				WithError(errors.WithStack(err)).
diff --git a/rule/rule.go b/rule/rule.go
index 6a4b851e66..d909df2118 100644
--- a/rule/rule.go
+++ b/rule/rule.go
@@ -130,6 +130,9 @@ type Rule struct {
 }
 type Upstream struct {
+	// InsecureSkipVerify, if true, skips TLS verification when forwarding the request to the upstream URL.
+	InsecureSkipVerify bool `json:"insecure_skip_verify"`
+
 	// PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
 	// hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
 	PreserveHost bool `json:"preserve_host"`
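Review bot: The transport created on the `tr := http.DefaultTransport.(*http.Transport).Clone()` line is built per request and never closed, so every call owns a separate idle-connection pool: keep-alive sockets to the upstream accumulate instead of being reused, and the unchecked type assertion panics if DefaultTransport has been replaced by something other than an *http.Transport elsewhere in the process. Build the two transports once (at Proxy construction, the second with `InsecureSkipVerify: true`) and only select here: `tr := http.DefaultTransport` / `if rl.Upstream.InsecureSkipVerify { tr = d.insecureTransport /* placeholder name, built once */ }` / `res, err := tr.RoundTrip(r)`. Since disabling verification removes the only identity check on the upstream, logging at warning level with the upstream when the insecure path is taken gives operators a signal for rules that were left in test configuration. RoundTrip, the `rl` binding and the `err == nil` condition all start outside the hunk.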
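Review bot: The new doc comment on `InsecureSkipVerify` says only that TLS verification is skipped; it should name the consequence so a rule author does not treat it as a harmless tuning knob. Suggested wording: `// InsecureSkipVerify, if true, disables verification of the upstream's TLS certificate chain and host name. The forwarded request is then exposed to man-in-the-middle attacks; keep this false in production and enable it only for testing against self-signed upstreams.` If the project maintains a JSON schema or reference documentation for the rule format, the new `insecure_skip_verify` key presumably needs the same description there, which this commit does not show.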