mc/mc-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Skip backend cert verification for L7 re-encrypt routes

Browse Source 
When backend_tls=true, the h2 transport was verifying the backend's
TLS certificate. This fails when the backend address is an IP (no
IP SANs) or uses a self-signed cert. Backend connections are to
trusted internal services — skip verification. Also change rift
metrics port to 9091 to avoid conflict with exod on 9090.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-25 19:41:58 -07:00
parent 279f110050
commit 357ad60e42
2 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
deploy/mc-proxy-rift.toml
View File

@@ -52,7 +52,7 @@ rate_window = "1m"
# Prometheus metrics — loopback only, for node-local MCP scraping. # Prometheus metrics — loopback only, for node-local MCP scraping.
[metrics] [metrics]
addr = "127.0.0.1:9090" addr = "127.0.0.1:9091"
path = "/metrics" path = "/metrics"
[proxy] [proxy]

7
internal/l7/serve.go
View File

@@ -175,10 +175,13 @@ func newTransport(route RouteConfig) (http.RoundTripper, error) {
} }
if route.BackendTLS { if route.BackendTLS {
// TLS to backend (h2 over TLS). // TLS to backend (h2 over TLS). Backend cert verification is
// skipped — the proxy connects to trusted internal backends
// that may use IP addresses or self-signed certificates.
return &http2.Transport{ return &http2.Transport{
TLSClientConfig: &tls.Config{ TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
InsecureSkipVerify: true, //nolint:gosec // trusted backend
}, },
}, nil }, nil
} }