diff --git a/deploy/mc-proxy-rift.toml b/deploy/mc-proxy-rift.toml
index 1ffa2f4..0a3084d 100644
--- a/deploy/mc-proxy-rift.toml
+++ b/deploy/mc-proxy-rift.toml
@@ -52,7 +52,7 @@ rate_window       = "1m"
 
 # Prometheus metrics — loopback only, for node-local MCP scraping.
 [metrics]
-addr = "127.0.0.1:9090"
+addr = "127.0.0.1:9091"
 path = "/metrics"
 
 [proxy]
diff --git a/internal/l7/serve.go b/internal/l7/serve.go
index 8121c7b..e99d0e6 100644
--- a/internal/l7/serve.go
+++ b/internal/l7/serve.go
@@ -175,10 +175,13 @@ func newTransport(route RouteConfig) (http.RoundTripper, error) {
 	}
 
 	if route.BackendTLS {
-		// TLS to backend (h2 over TLS).
+		// TLS to backend (h2 over TLS). Backend cert verification is
+		// skipped — the proxy connects to trusted internal backends
+		// that may use IP addresses or self-signed certificates.
 		return &http2.Transport{
 			TLSClientConfig: &tls.Config{
-				MinVersion: tls.VersionTLS12,
+				MinVersion:         tls.VersionTLS12,
+				InsecureSkipVerify: true, //nolint:gosec // trusted backend
 			},
 		}, nil
 	}