From 4d21b8a04f083d3101f4cb987f7cccbd402c29f1 Mon Sep 17 00:00:00 2001
From: yaroslavros <yaroslavros@gmail.com>
Date: Sun, 19 Apr 2020 17:41:29 +0100
Subject: [PATCH] Make sure websockets respect
 ssl-upstream-insecure-skip-verify setting. (#494)

* Make sure websockets respect ssl-upstream-insecure-skip-verify setting.

Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>

* Updated changelog for websockets taking into account ssl-upstream-insecure-skip-verify

Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
---
 CHANGELOG.md  | 1 +
 oauthproxy.go | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5b84bfc..41e5a70 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -39,6 +39,7 @@
 - [#413](https://github.com/oauth2-proxy/oauth2-proxy/pull/413) Add -set-basic-auth param to set the Basic Authorization header for upstreams (@morarucostel).
 - [#483](https://github.com/oauth2-proxy/oauth2-proxy/pull/483) Warn users when session cookies are split (@JoelSpeed)
 - [#488](https://github.com/oauth2-proxy/oauth2-proxy/pull/488) Set-Basic-Auth should default to false (@JoelSpeed)
+- [#494](https://github.com/oauth2-proxy/oauth2-proxy/pull/494) Upstream websockets TLS certificate validation now depends on ssl-upstream-insecure-skip-verify
 
 # v5.1.0
 
diff --git a/oauthproxy.go b/oauthproxy.go
index bdf1f6a..d788065 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -191,6 +191,9 @@ func NewWebSocketOrRestReverseProxy(u *url.URL, opts *Options, auth hmacauth.Hma
 		wsScheme := "ws" + strings.TrimPrefix(u.Scheme, "http")
 		wsURL := &url.URL{Scheme: wsScheme, Host: u.Host}
 		wsProxy = wsutil.NewSingleHostReverseProxy(wsURL)
+		if opts.SSLUpstreamInsecureSkipVerify {
+			wsProxy.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		}
 	}
 	return &UpstreamProxy{
 		upstream:  u.Host,
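Review bot: The new branch at `if opts.SSLUpstreamInsecureSkipVerify` turns off both certificate-chain and hostname verification for `wss` upstream connections, but nothing at the assignment tells a maintainer what is being given up. I would add a comment above it, such as `// Skips certificate and hostname verification for wss upstreams: the proxy cannot detect an impersonated upstream, so use only on a trusted network path.` Because the `tls.Config` is built from scratch here, a floor can be set in the same literal so the skip-verify case does not also fall back to the Go default minimum version, for example `&tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}`. The flag is read from `opts` rather than from the upstream URL, so it presumably applies to every websocket upstream at once, which is worth stating in the option's documentation. `NewWebSocketOrRestReverseProxy` starts and ends outside this hunk, so whether a startup warning is already logged for this setting cannot be seen from here.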
-- 
GitLab