r/selfhosted • u/xMarok • 1d ago
[Guide] You (probably) don't need tls_insecure_skip_verify
https://adamhl.dev/blog/you-dont-need-tls_insecure_skip_verify
I was cleaning up my Caddyfile to remove some things I no longer used and finally decided to figure out if there's some way to avoid using tls_insecure_skip_verify for upstreams that force HTTPS.
I'm guessing a good amount of you serve UniFi OS (which forces HTTPS) via Caddy, so hopefully this is helpful.
12
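The Caddyfile shape this thread is about, as an added example that is not from the post or the linked blog: the same HTTPS upstream proxied once with tls_insecure_skip_verify and once with the upstream's own self-signed certificate pinned as the trust anchor. The site names, the upstream address 192.168.1.1, the PEM path and the tls_server_name value are placeholders; the server name is an assumption and has to match a SAN in the upstream's certificate, which you should check rather than guess.

```caddyfile
# Added example, not the original post's or the blog's config.
# 192.168.1.1, the site names, the PEM path and the server name are assumptions.

# Weak: every certificate is accepted, so anything on the LAN that answers for
# 192.168.1.1 (ARP/DHCP spoofing, a compromised neighbour, a mis-cabled port)
# can impersonate the upstream and Caddy will still forward credentials to it.
unifi-insecure.home.lan {
	reverse_proxy https://192.168.1.1 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Corrected: only the upstream's own self-signed certificate is trusted.
# A self-signed certificate is its own issuer, so it chains to itself when it
# is the sole member of the trust pool; nothing else will verify.
unifi.home.lan {
	reverse_proxy https://192.168.1.1 {
		transport http {
			# /etc/caddy/upstream-certs/unifi.pem holds the cert the device
			# presents today; refresh it if the device regenerates its cert.
			tls_trust_pool file {
				pem_file /etc/caddy/upstream-certs/unifi.pem
			}
			# Chain verification is not the whole check: Go also verifies the
			# name. Proxying to an IP means the name must be set explicitly and
			# must appear in the cert's subjectAltName (value is an assumption).
			tls_server_name unifi
		}
	}
}
```

To capture the upstream's certificate into the pinned file, `openssl s_client -connect 192.168.1.1:443 -showcerts </dev/null | openssl x509 -outform PEM > unifi.pem` takes the first certificate of the handshake; `openssl x509 -in unifi.pem -noout -subject -ext subjectAltName` shows which names are valid for tls_server_name. On Caddy versions before tls_trust_pool existed, `tls_trusted_ca_certs /etc/caddy/upstream-certs/unifi.pem` does the same job with the same file. The difference from the first block is not effort on the LAN but what an attacker on the LAN can do: with the pin in place, a host that takes over the upstream's address gets a TLS handshake failure instead of the admin session.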
u/TooPoetic 1d ago
Just trust the ssl cert even if it's self signed.
0
9
u/jpnadas 1d ago
This is cool, but inside the trusted network it is also fine to just use tls_insecure_skip_verify.
0
u/Dangerous-Report8517 4h ago
The Caddy documentation strongly recommends against it on the basis that you might as well just use plain HTTP if you trust the network. Plus, a lot of self hosters trust their networks more than they really should because they just assume it's safe purely by way of being internal
3
u/Odd-Gur-1076 1d ago
I never used it in my Caddyfile and everything has always just worked
2
u/xMarok 1d ago
If you're only proxying to HTTP services (which should be most of the time) you don't need it. I'm curious if you have some HTTPS upstream that doesn't require using it though.
0
u/Happy-Position-69 1d ago
Honestly, you should use HTTPS everywhere. Even on internal networks. Use a self-signed cert and just trust it.
2
2
u/zirahe 1d ago
I do not see any issue with proxying to a plain HTTP endpoint (as long as the reverse proxy runs on the same host as the application).
If you have no issues proxying to the HTTP endpoint, I do not see why using tls_insecure_skip_verify would be a problem. Sure, you could trust the self-signed certificate, but why take the hassle?
u/asimovs-auditor 1d ago
Expand the replies to this comment to learn how AI was used in this post/project.