From 357ad60e42c1b551b41b53d7bd6bbbc28f38cec4 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 19:41:58 -0700
Subject: [PATCH] Skip backend cert verification for L7 re-encrypt routes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When backend_tls=true, the h2 transport was verifying the backend's TLS certificate. This fails when the backend address is an IP (no IP SANs) or uses a self-signed cert. Backend connections are to trusted internal services — skip verification.

Also change rift metrics port to 9091 to avoid conflict with exod on 9090.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 deploy/mc-proxy-rift.toml | 2 +-
 internal/l7/serve.go | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/deploy/mc-proxy-rift.toml b/deploy/mc-proxy-rift.toml
index 1ffa2f4..0a3084d 100644
--- a/deploy/mc-proxy-rift.toml
+++ b/deploy/mc-proxy-rift.toml
@@ -52,7 +52,7 @@ rate_window = "1m"
 
 # Prometheus metrics — loopback only, for node-local MCP scraping.
 [metrics]
-addr = "127.0.0.1:9090"
+addr = "127.0.0.1:9091"
 path = "/metrics"
 
 [proxy]
diff --git a/internal/l7/serve.go b/internal/l7/serve.go
index 8121c7b..e99d0e6 100644
--- a/internal/l7/serve.go
+++ b/internal/l7/serve.go
@@ -175,10 +175,13 @@ func newTransport(route RouteConfig) (http.RoundTripper, error) {
 }
 
 if route.BackendTLS {
- // TLS to backend (h2 over TLS).
+ // TLS to backend (h2 over TLS). Backend cert verification is
+ // skipped — the proxy connects to trusted internal backends
+ // that may use IP addresses or self-signed certificates.
 return &http2.Transport{
 TLSClientConfig: &tls.Config{
- MinVersion: tls.VersionTLS12,
+ MinVersion: tls.VersionTLS12,
+ InsecureSkipVerify: true, //nolint:gosec // trusted backend
 },
 }, nil
 }
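Review bot: `InsecureSkipVerify: true` in the new `tls.Config` switches off backend authentication for every `BackendTLS` route, so the re-encrypt leg now only protects against passive observation — whoever can answer on the path to the backend address can terminate the TLS and read or alter the proxied requests — and the `//nolint:gosec // trusted backend` justification speaks to the backend's trustworthiness, not to the network between proxy and backend, which is the property verification exists to defend. Neither motivating case needs verification disabled: a self-signed backend can be verified by putting its certificate in `RootCAs`, and a backend whose certificate lacks IP SANs can be pinned with `VerifyConnection`, which Go's documentation gives as the intended companion to `InsecureSkipVerify`; a sketch of the pinning form is below, with a route field whose name is a placeholder since the page does not show `RouteConfig`. If skipping verification must remain available, it should at least be a per-route opt-in rather than the default for all TLS backends, and the in-code comment should state the consequence rather than only the motivation, e.g. `// WARNING: no backend authentication — any host reachable at the backend address is accepted.` The body of `newTransport` begins and ends outside the hunk, and the `errors` import needed by the sketch may or may not already be present in serve.go.
```go
	if route.BackendTLS {
		// TLS to backend (h2 over TLS). Backend identity is still checked:
		// self-signed or IP-only certificates are handled by pinning the
		// route-configured certificate instead of disabling verification.
		cfg := &tls.Config{MinVersion: tls.VersionTLS12}
		if pinned := route.BackendCert; pinned != nil { // PLACEHOLDER field: expected backend leaf as *x509.Certificate
			cfg.InsecureSkipVerify = true // default chain/SAN checks are replaced by VerifyConnection below
			cfg.VerifyConnection = func(cs tls.ConnectionState) error {
				if len(cs.PeerCertificates) == 0 || !cs.PeerCertificates[0].Equal(pinned) {
					return errors.New("backend certificate does not match the pinned route certificate")
				}
				return nil
			}
		}
		return &http2.Transport{TLSClientConfig: cfg}, nil
	}
```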