
Fix #44: Add insecureTLSSkipVerify parameter to proxy config #45

Merged: mishankov merged 3 commits into main from issue-44-add-insecure-skip-verify on Mar 12, 2026

@mishankov mishankov commented Mar 12, 2026

Summary

Closes #44

This PR adds support for skipping TLS certificate verification on a per-proxy basis through the new insecureTLSSkipVerify configuration parameter.

Changes

  • Added insecureTLSSkipVerify field to Proxy struct in config
  • Modified proxy handler to create custom HTTP client with TLS skip verify when enabled
  • Added comprehensive test for insecureTLSSkipVerify functionality
  • Updated README with documentation for the new parameter

Use Case

When proxying to HTTPS targets with self-signed or invalid certificates (common in development/testing environments), users can now enable insecureTLSSkipVerify for specific proxy routes instead of globally disabling TLS verification.

Configuration Example

[[proxy]]
prefix = "/api"
target = "https://api-server:8443"
insecureTLSSkipVerify = true

Testing

  • ✅ All existing proxy tests pass
  • ✅ New test verifies insecure mode works with TLS server
  • ✅ Code compiles successfully
  • ✅ Manual testing with self-signed certificates

Code Review Summary

No P0 or P1 blockers found.

Findings

[P2] HTTP Client Creation on Every Request

  • Creating a new http.Client instance on every request when insecureTLSSkipVerify is true could impact performance under high load
  • Recommendation: Consider caching the insecure client in future optimization if needed
  • Not a blocker - acceptable for initial implementation

[P3] Missing Test for Default TLS Behavior

  • No explicit test verifying normal TLS verification when insecureTLSSkipVerify is false
  • Other tests implicitly verify normal behavior
  • Not a blocker - acceptable coverage

Security Considerations

The feature is intentionally insecure (as the name suggests) but acceptable because:

  • Opt-in per proxy route
  • Clearly documented with security implications
  • Common legitimate use case for development/testing
  • User has full control

Known Limitations

  • Performance: HTTP client created per request when insecure mode enabled (minor, can optimize later)
  • Security: Users should avoid enabling in production environments

Checklist

  • Code follows project conventions
  • Tests added/updated
  • Documentation updated
  • All tests pass
  • Code review completed

- Add insecureSkipVerify field to Proxy struct in config
- Create custom HTTP client with TLS skip verify when enabled
- Add test for insecureSkipVerify functionality
- Update README with documentation for new parameter
@mishankov mishankov changed the title Fix #44: Add insecureSkipVerify parameter to proxy config Fix #44: Add insecureTLSSkipVerify parameter to proxy config Mar 12, 2026
- Add insecureClient field to ProxyHandler struct
- Initialize insecure client in NewProxyHandler
- Reuse client across requests instead of creating on each request
- Resolves P2 performance issue from code review
@mishankov mishankov merged commit 0e0090c into main Mar 12, 2026
4 checks passed
@mishankov mishankov deleted the issue-44-add-insecure-skip-verify branch March 12, 2026 14:40
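
An added example, not code from this PR or the project: a Go sketch of the per-route client selection that the description and the follow-up commit describe, which also exercises the default verification path that finding P3 notes has no explicit test. The `route` struct, `newUpstreamClient`, `probe` and `checkRoutes` are hypothetical names, and the upstream is a constructed `httptest` TLS server whose certificate the default client does not trust.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// route is a hypothetical stand-in for one [[proxy]] entry.
type route struct {
	Prefix                string
	InsecureTLSSkipVerify bool
}

// newUpstreamClient runs once per route; verification is off only when the route opts in.
func newUpstreamClient(r route) *http.Client {
	if !r.InsecureTLSSkipVerify {
		return &http.Client{Transport: &http.Transport{}} // default: verify the chain
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// probe returns nil only if the TLS handshake and the GET both succeed.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// checkRoutes probes a constructed, untrusted-cert upstream through both kinds of route.
func checkRoutes() (strictErr, insecureErr error) {
	upstream := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer upstream.Close()
	strict := newUpstreamClient(route{Prefix: "/strict"})
	insecure := newUpstreamClient(route{Prefix: "/api", InsecureTLSSkipVerify: true})
	return probe(strict, upstream.URL), probe(insecure, upstream.URL)
}

func main() {
	strictErr, insecureErr := checkRoutes()
	fmt.Println("strict:", strictErr, "| insecure:", insecureErr)
}
```

The strict route is expected to fail with a certificate verification error while the opted-in route succeeds, which confirms the flag does not leak to routes that leave it unset.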
Development

Successfully merging this pull request may close these issues.

Add provy parametr to ignore SSL errors