Skip to content

Commit b9def71

Browse files
Implement disable_insecure_upstreams_check (#149)
1 parent 8f8155f commit b9def71

3 files changed

Lines changed: 16 additions & 1 deletion

File tree

README.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,7 @@ forward_proxy {
8888
ports 80 443
8989
hide_ip
9090
hide_via
91+
disable_insecure_upstreams_check
9192
probe_resistance secret-link-kWWL9Q.com # alternatively you can use a real domain, such as caddyserver.com
9293
serve_pac /secret-proxy.pac
9394
@@ -133,6 +134,10 @@ forward_proxy {
133134
Only this address will trigger a 407 response, prompting browsers to request credentials from user and cache them for the rest of the session.
134135

135136
Default: no probing resistance.
137+
- `disable_insecure_upstreams_check`
138+
Disables the check for insecure (HTTP) upstreams. By default, forwardproxy will refuse to connect to upstreams that are not using TLS. This option disables that check.
139+
140+
Default: check for insecure upstreams.
136141

137142
### Privacy
138143

caddyfile.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,13 @@ func (h *Handler) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
9999
}
100100
h.HideVia = true
101101

102+
case "disable_insecure_upstreams_check":
103+
args := d.RemainingArgs()
104+
if len(args) != 0 {
105+
return d.ArgErr()
106+
}
107+
h.DisableInsecureUpstreamsCheck = true
108+
102109
case "probe_resistance":
103110
args := d.RemainingArgs()
104111
if len(args) > 1 {

forwardproxy.go

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,6 +64,9 @@ type Handler struct {
6464
// If true, the Via header will not be added.
6565
HideVia bool `json:"hide_via,omitempty"`
6666

67+
// If true, the strict check preventing HTTP upstreams will be disabled.
68+
DisableInsecureUpstreamsCheck bool `json:"disable_insecure_upstreams_check,omitempty"`
69+
6770
// Host(s) (and ports) of the proxy. When you configure a client,
6871
// you will give it the host (and port) of the proxy to use.
6972
Hosts caddyhttp.MatchHost `json:"hosts,omitempty"`
@@ -191,7 +194,7 @@ func (h *Handler) Provision(ctx caddy.Context) error {
191194
}
192195
h.upstream = upstreamURL
193196

194-
if !isLocalhost(h.upstream.Hostname()) && h.upstream.Scheme != "https" {
197+
if !h.DisableInsecureUpstreamsCheck && !isLocalhost(h.upstream.Hostname()) && h.upstream.Scheme != "https" {
195198
return errors.New("insecure schemes are only allowed to localhost upstreams")
196199
}
197200

0 commit comments

Comments
 (0)