Add https upstream support

[tmessi]

This seems to work for me. I generally have a internal root CA that is trusted via standard system certs. The skipverify option could be used to deal with self-signed certs, but would obviously skip verification.

I was also thinking of maybe having another certificate store for CAs that could then be selected via a tag option. If that seems like a good idea I can make another PR or amend this one.

Ref: #181

[CLAassistant]

All committers have signed the CLA.

[magiconair]

@shadowfax-chc Thanks for working on this but this isn't correct.

There are two TCP connections in play here: one inbound and one outbound/upstream. The listener is the inbound TCP connection and the proxy is the outbound TCP connection. To allow outbound https connections you only need to set the protocol in the target URL which your first patch accomplishes. The Go std library should do the rest.

This requires however that the certificates can be validated through the default root CAs as configured on the system. If you want to allow certificate verification with a custom certificate source then this must be configured in the route command/urlprefix- tag.

Lets start with supporting skipVerify on the outbound connection since this is rather simple and should solve most of the problems. Supporting custom root CAs would require to either override the http.Client that is used by the reverse proxy (which isn't possible ATM) or use a custom transport per request (which defeats connection caching). This most likely requires a somewhat larger refactor.

To support skipVerify you need to do several things:

1. Add a TLSSkipVerify bool flag to the route.Target and set it in the route.addTarget method in route/route.go
2. Create another http.Transport which has the InsecureSkipVerify flag set to true and store it in the HTTPProxy.
3. Pick which transport to use in the HTTPProxy.ServeHTTP method based on the flag in the selected target.

Once we find a way to have a custom client/transport per request this solution can easily be refactored.

You don't have to (and shouldn't) configure the Listener since this is for the inbound connection. skipVerify may be useful here as well but that's a different thing.

Also, please provide an integration test for both cases in proxy/http_integration_test.go.

[tmessi]

Ah, that makes sense. Let me make sure I am setting this option in the correct place now, and I will get some tests.

[magiconair]

This is enough since this is also in line with the option parser in config

t.TLSSkipVerify := r.Opts["skipverify"] == "true"

[magiconair]

Pls add a comment.

[magiconair]

"TLSSkipVerify disables certificate validation for upstream TLS connections."

Could you also move the variable below the StripPath variable, please?

[magiconair]

Maybe move this into a local newTransport := func(tlscfg *tls.Config) http.Transport func to avoid the duplication.

[magiconair]

Oh, I can actually change the files myself now. Interesting. Didn't know that.

[magiconair]

I'll try that on the next PR, though.

[tmessi]

@magiconair made the requested changes and added tests

[magiconair]

LGTM. Merged it. Thank you!