reverseproxy: add tls_server_cert_sha256 #6329
Unfortunately there *are* some production setups requiring tls_insecure_skip_verify in reverse_proxy, like old devices with outdated firmware. In many such cases, the devices aren't supposed to regenerate or update their certificates. This patch adds a tls_server_cert_sha256 directive for reverse_proxy, making MITM impossible even with tls_insecure_skip_verify.
408709b to 5fde819
Thanks; is this a use case you've encountered? Could you elaborate?
I ask because while I appreciate that it tries to make something insecure secure, it also effectively pins keys, which is... not secure. 🙃
// If non-empty, TLS compares the SHA-256 fingerprint of the | ||
// server certificate to a fixed value, specified as | ||
// hexadecimal string. | ||
ServerCertSha256 string `json:"server_cert_sha256,omitempty"` |
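Review bot: the doc comment on the new field does not say what is hashed or which hexadecimal forms are accepted. State whether the fingerprint is taken over the whole DER-encoded server certificate or only over its public key, and whether uppercase or colon-separated input is normalized or rejected. The field is also a single string, so a device whose certificate is replaced cannot have its old and new fingerprints accepted side by side during the changeover; consider whether a list is needed.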
ServerCertSha256 string `json:"server_cert_sha256,omitempty"` | |
ServerCertSHA256 string `json:"server_cert_sha256,omitempty"` |
I have a similar use case where I reverse-proxy to a Podman container with a self-signed certificate that has a very long lifetime.
@steffenbusch That's probably the preferred thing to do. @akovalenko does that work for you?
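One way to enforce the fingerprint check this pull request describes with Go's crypto/tls, as an added example; it is not the PR's code or Caddy's. The names pinnedTLSConfig and checkPin are hypothetical, the pin is assumed to cover the whole DER-encoded certificate, and the byte strings standing in for certificates are constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// pinnedTLSConfig (hypothetical name) skips CA and hostname validation but
// fails the handshake unless SHA-256 over the leaf's DER bytes equals the pin.
func pinnedTLSConfig(hexPin string) (*tls.Config, error) {
	want, err := hex.DecodeString(hexPin)
	if err != nil || len(want) != sha256.Size {
		return nil, errors.New("pin must be 64 hexadecimal characters")
	}
	return &tls.Config{
		InsecureSkipVerify: true, // the pin check below is the only authentication left
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no server certificate presented")
			}
			got := sha256.Sum256(cs.PeerCertificates[0].Raw)
			if subtle.ConstantTimeCompare(got[:], want) != 1 {
				return fmt.Errorf("server certificate %x does not match pin", got)
			}
			return nil
		},
	}, nil
}

// checkPin feeds one certificate to the verifier, as the handshake would.
func checkPin(cfg *tls.Config, c *x509.Certificate) error {
	return cfg.VerifyConnection(tls.ConnectionState{PeerCertificates: []*x509.Certificate{c}})
}

func main() {
	// Constructed stand-ins: only the DER bytes in Raw matter to the pin check.
	device := &x509.Certificate{Raw: []byte("constructed DER of the device certificate")}
	other := &x509.Certificate{Raw: []byte("constructed DER of some other certificate")}
	pin := sha256.Sum256(device.Raw)
	cfg, err := pinnedTLSConfig(hex.EncodeToString(pin[:]))
	if err != nil {
		panic(err)
	}
	fmt.Println("device:", checkPin(cfg, device), "other:", checkPin(cfg, other))
}
```

Go still calls VerifyConnection when InsecureSkipVerify is set, so a certificate that does not match the pin aborts the handshake before any request data is sent.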