When defining local server backends, you should be able to specify whether you want to verify the TLS certificate for upstream requests. Currently Viceroy always verifies hostnames, which is the right default, but there is no way to disable this.
For a development tool this option is important, as a common use case is to run a server locally that is using self-signed certificates that won't verify using the system's root cert pool. In these cases we are not concerned about the hostname being verified.
In our specific case, the software we're running requires serving HTTPS, even if it's with a self-signed certificate. We have worked around Viceroy's verification requirement by running a separate nginx proxy that serves non-HTTPS and proxies to the HTTPS server with TLS certificate verification turned off, and pointing our backend to that, but this is a gross hack for functionality that should be provided by Viceroy instead.
I propose that we add a new field to the `local_server.backends` portion of `fastly.toml` to disable verification. If we want to match the VCL definition we could call this `ssl_check_cert`, though my preference would be to avoid "ssl" terminology generally and it's not used elsewhere in `fastly.toml`.