Skip backend cert verification for L7 re-encrypt routes

When backend_tls=true, the h2 transport was verifying the backend's TLS certificate. This fails when the backend address is an IP (no IP SANs) or uses a self-signed cert. Backend connections are to trusted internal services — skip verification. Also change rift metrics port to 9091 to avoid conflict with exod on 9090. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:41:58 -07:00
parent 279f110050
commit 357ad60e42
2 changed files with 6 additions and 3 deletions
--- a/deploy/mc-proxy-rift.toml
+++ b/deploy/mc-proxy-rift.toml
@@ -52,7 +52,7 @@ rate_window       = "1m"

 # Prometheus metrics — loopback only, for node-local MCP scraping.
 [metrics]
-addr = "127.0.0.1:9090"
+addr = "127.0.0.1:9091"
 path = "/metrics"

 [proxy]
--- a/internal/l7/serve.go
+++ b/internal/l7/serve.go
@@ -175,10 +175,13 @@ func newTransport(route RouteConfig) (http.RoundTripper, error) {
 	}

 	if route.BackendTLS {
-		// TLS to backend (h2 over TLS).
+		// TLS to backend (h2 over TLS). Backend cert verification is
+		// skipped — the proxy connects to trusted internal backends
+		// that may use IP addresses or self-signed certificates.
 		return &http2.Transport{
 			TLSClientConfig: &tls.Config{
 				MinVersion:         tls.VersionTLS12,
+				InsecureSkipVerify: true, //nolint:gosec // trusted backend
 			},
 		}, nil
 	}