This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Can I use a HTTPS upstream with a self-signed cert? #516

Open
funkypenguin opened this issue Dec 20, 2017 · 3 comments

@funkypenguin

Hey folks,

I'm trying to use oauth2_proxy to protect the admin interface of a UniFi Controller UI. The UniFi controller uses its own, self-signed cert to provide HTTPS access. Changing the cert is very hard, since you'd have to change the contents of the java bundle used to provide the controller.

Oauth2_proxy is refusing to proxy to the upstream controller, with a message like this:

[email protected]    | 2017/12/20 08:20:53 reverseproxy.go:316: http: proxy error: x509: certificate signed by unknown authority

Any ideas re how I can make this work?

Thanks!
D

@jehiah
Member

jehiah commented Dec 20, 2017

@funkypenguin Have you tried -ssl-insecure-skip-verify ?

@ploxiln
Contributor

ploxiln commented Dec 20, 2017

I think -ssl-insecure-skip-verify, by changing the default http client, applies to the requests to the provider, but not to the proxy transport to the upstream/backend ... that's my guess due to #403 where @funkypenguin has already commented as well.

@funkypenguin
Author

Correct, I've just re-tested, same issue applies as #403 (I'd forgotten I commented there)

My container:

/ # ps -ef | grep skip
    1 root       0:00 oauth2_proxy -upstream=https://unifi:8443 -ssl-insecure-skip-verify=true -redirect-url=https://unifi.funkypenguin.co.nz -http-address=http://0.0.0.0:4180 -email-domain=funkypenguin.co.nz -provider=github -authenticated-emails-file=/authenticated-emails.txt -ssl-insecure-skip-verify

My logs

[email protected]    | 2017/12/21 08:04:40 reverseproxy.go:316: http: proxy error: x509: certificate signed by unknown authority
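Added example, not part of the thread and not oauth2_proxy's own code: in Go, an `httputil.ReverseProxy` verifies the upstream certificate using its own `Transport` (`http.DefaultTransport` when unset), so the x509 error above persists until that transport is configured. The sketch trusts the upstream's self-signed certificate through `RootCAs` instead of disabling verification. The names `newUpstreamProxy` and `proxyStatus` are hypothetical, and the upstream is a constructed `httptest` server with Go's built-in test certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newUpstreamProxy (hypothetical helper) builds a reverse proxy to target.
// With roots set, the proxy's own transport trusts only those certificates.
func newUpstreamProxy(target *url.URL, roots *x509.CertPool) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(target)
	p.ErrorLog = log.New(io.Discard, "", 0) // silence the proxy error log in this demo
	if roots != nil {
		p.Transport = &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	}
	return p
}

// proxyStatus starts a constructed HTTPS upstream with a self-signed test
// certificate, proxies one request to it and returns the client-visible status.
func proxyStatus(pinUpstreamCert bool) int {
	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "controller UI")
	}))
	defer upstream.Close()
	var roots *x509.CertPool
	if pinUpstreamCert {
		roots = x509.NewCertPool()
		roots.AddCert(upstream.Certificate()) // trust exactly this certificate
	}
	target, _ := url.Parse(upstream.URL)
	rec := httptest.NewRecorder()
	newUpstreamProxy(target, roots).ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
	return rec.Code
}

func main() {
	fmt.Println("default transport:", proxyStatus(false))
	fmt.Println("upstream cert in RootCAs:", proxyStatus(true))
}
```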
