caddy-frontend: Verify proxy on request

software/caddy-frontend/buildout.hash.cfg

@@ -55,7 +55,7 @@ md5sum = 4dbb8560e4de1af2a0706b020e713fe7
 
 [template-default-slave-virtualhost]
 filename = templates/default-virtualhost.conf.in
-md5sum = 1f70a3005915e84091bfd6cb7c77b05c
+md5sum = 11f1784afb63a1b79221677148bc8db6
 
 [template-cached-slave-virtualhost]
 filename = templates/cached-virtualhost.conf.in

software/caddy-frontend/templates/default-virtualhost.conf.in

@@ -29,14 +29,6 @@
   log / {{ slave_parameter.get('access_log') }} {combined}
   errors {{ slave_parameter.get('error_log') }}
 
-{% if ssl_proxy_verify -%}
-{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-{%   endif %}
-# TODO-Caddy   SSLProxyVerify require
-# TODO-Caddy   #SSLProxyCheckPeerCN on
-# TODO-Caddy   SSLProxyCheckPeerExpire on
-{% endif %}
 # TODO-Caddy   SSLProtocol all -SSLv2 -SSLv3
 # TODO-Caddy   SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
 # TODO-Caddy   SSLHonorCipherOrder on
@@ -66,6 +58,14 @@
   proxy / {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }} {
     transparent
     timeout 600s
+{%- if ssl_proxy_verify %}
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
+{%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
   }
   {% if 'default-path' in slave_parameter %}
   redir 301 {
@@ -91,9 +91,14 @@
   proxy / {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }} {
     transparent
     timeout 600s
-{%- if not ssl_proxy_verify %}
-    insecure_skip_verify
+{%- if ssl_proxy_verify %}
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
   }
 {% endif -%}
 }
@@ -105,15 +110,6 @@
   log / {{ slave_parameter.get('access_log') }} {combined}
   errors {{ slave_parameter.get('error_log') }}
 
-{% if ssl_proxy_verify -%}
-{%   if 'ssl_proxy_ca_crt' in slave_parameter -%}
-# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
-{%   endif %}
-# TODO-Caddy   SSLProxyVerify require
-# TODO-Caddy   #SSLProxyCheckPeerCN on
-# TODO-Caddy   SSLProxyCheckPeerExpire on
-{% endif %}
-
 {% if disable_via_header %}
 # TODO-Caddy   Header unset Via
 {% endif -%}
@@ -151,6 +147,14 @@
   proxy / {{ slave_parameter.get('https-url', slave_parameter.get('url', '')) }} {
     transparent
     timeout 600s
+{%- if ssl_proxy_verify %}
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
+{%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
   }
   {% if 'default-path' in slave_parameter %}
   redir 301 {
@@ -172,9 +176,14 @@
   proxy / {{ slave_parameter.get('url', '') }} {
     transparent
     timeout 600s
-{%- if not ssl_proxy_verify %}
-    insecure_skip_verify
+{%- if ssl_proxy_verify %}
+{%-   if 'ssl_proxy_ca_crt' in slave_parameter %}
+# TODO-Caddy   SSLProxyCACertificateFile {{ slave_parameter.get('path_to_ssl_proxy_ca_crt', '') }}
+#              Requires https://github.com/mholt/caddy/issues/1550 or "just adding your CA to the system's trust store"
 {%-   endif %}
+{%- else %}
+    insecure_skip_verify
+{%- endif %}
   }
 {% endif -%}
   # If nothing exist : put a nice error