Support for upstream ssl proxy hosts

src/backend/internal/proxy-host.js

@@ -48,6 +48,11 @@ const internalProxyHost = {
                 // At this point the domains should have been checked
                 data.owner_user_id = access.token.getUserId(1);
 
+                // Ignoring upstream ssl errors only applies when upstream scheme is https
+                if (data.forward_scheme === 'http') {
+                    data.ignore_invalid_upstream_ssl = false;
+                }
+
                 return proxyHostModel
                     .query()
                     .omit(omissions())
@@ -163,7 +168,12 @@ const internalProxyHost = {
                 // Add domain_names to the data in case it isn't there, so that the audit log renders correctly. The order is important here.
                 data = _.assign({}, {
                     domain_names: row.domain_names
-                },data);
+                }, data);
+
+                // Ignoring upstream ssl errors only applies when upstream scheme is https
+                if (typeof data.forward_scheme !== 'undefined' && data.forward_scheme === 'http') {
+                    data.ignore_invalid_upstream_ssl = false;
+                }
 
                 return proxyHostModel
                     .query()

src/backend/migrations/20181213013211_forward_scheme.js

@@ -0,0 +1,37 @@
+'use strict';
+
+const migrate_name = 'forward_scheme';
+const logger       = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+    logger.info('[' + migrate_name + '] Migrating Up...');
+
+    return knex.schema.table('proxy_host', function (proxy_host) {
+        proxy_host.string('forward_scheme').notNull().defaultTo('http');
+        proxy_host.integer('ignore_invalid_upstream_ssl').notNull().unsigned().defaultTo(0);
+    })
+        .then(() => {
+            logger.info('[' + migrate_name + '] proxy_host Table altered');
+        });
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @param   {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+    logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+    return Promise.resolve(true);
+};

src/backend/schema/endpoints/proxy-hosts.json

@@ -18,6 +18,10 @@
     "domain_names": {
       "$ref": "../definitions.json#/definitions/domain_names"
     },
+    "forward_scheme": {
+      "type": "string",
+      "enum": ["http", "https"]
+    },
     "forward_host": {
       "type": "string",
       "minLength": 1,
@@ -48,6 +52,11 @@
       "example": true,
       "type": "boolean"
     },
+    "ignore_invalid_upstream_ssl": {
+      "description": "Ignore invalid upstream SSL certificates",
+      "example": true,
+      "type": "boolean"
+    },
     "access_list_id": {
       "$ref": "../definitions.json#/definitions/access_list_id"
     },
@@ -71,6 +80,9 @@
     "domain_names": {
       "$ref": "#/definitions/domain_names"
     },
+    "forward_scheme": {
+      "$ref": "#/definitions/forward_scheme"
+    },
     "forward_host": {
       "$ref": "#/definitions/forward_host"
     },
@@ -95,6 +107,9 @@
     "allow_websocket_upgrade": {
       "$ref": "#/definitions/allow_websocket_upgrade"
     },
+    "ignore_invalid_upstream_ssl": {
+      "$ref": "#/definitions/ignore_invalid_upstream_ssl"
+    },
     "access_list_id": {
       "$ref": "#/definitions/access_list_id"
     },
@@ -138,6 +153,7 @@
         "additionalProperties": false,
         "required": [
           "domain_names",
+          "forward_scheme",
           "forward_host",
           "forward_port"
         ],
@@ -145,6 +161,9 @@
           "domain_names": {
             "$ref": "#/definitions/domain_names"
           },
+          "forward_scheme": {
+            "$ref": "#/definitions/forward_scheme"
+          },
           "forward_host": {
             "$ref": "#/definitions/forward_host"
           },
@@ -169,6 +188,9 @@
           "allow_websocket_upgrade": {
             "$ref": "#/definitions/allow_websocket_upgrade"
           },
+          "ignore_invalid_upstream_ssl": {
+            "$ref": "#/definitions/ignore_invalid_upstream_ssl"
+          },
           "access_list_id": {
             "$ref": "#/definitions/access_list_id"
           },
@@ -203,6 +225,9 @@
           "domain_names": {
             "$ref": "#/definitions/domain_names"
           },
+          "forward_scheme": {
+            "$ref": "#/definitions/forward_scheme"
+          },
           "forward_host": {
             "$ref": "#/definitions/forward_host"
           },
@@ -227,6 +252,9 @@
           "allow_websocket_upgrade": {
             "$ref": "#/definitions/allow_websocket_upgrade"
           },
+          "ignore_invalid_upstream_ssl": {
+            "$ref": "#/definitions/ignore_invalid_upstream_ssl"
+          },
           "access_list_id": {
             "$ref": "#/definitions/access_list_id"
           },

src/backend/templates/proxy_host.conf

@@ -1,8 +1,9 @@
 {% include "_header_comment.conf" %}
 
 server {
-  set $server "{{ forward_host }}";
-  set $port   {{ forward_port }};
+  set $forward_scheme {{ forward_scheme }};
+  set $server         "{{ forward_host }}";
+  set $port           {{ forward_port }};
 
 {% include "_listen.conf" %}
 {% include "_certificates.conf" %}