Merge pull request #2803 from tuunit/bugfix/self-signed-certificate-handling

fix: self signed certificate handling in v7.7.0
2025-08-08 22:46:33 +02:00 · 2024-10-07 11:54:22 +01:00
parent cda641473f 4bd920b208
commit d68336dcf4
3 changed files with 9 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,8 @@

 ## Changes since v7.7.0

+- [#2803](https://github.com/oauth2-proxy/oauth2-proxy/pull/2803) fix: self signed certificate handling in v7.7.0 (@tuunit)
+
 # V7.7.0

 ## Release Highlights
--- a/pkg/requests/http.go
+++ b/pkg/requests/http.go
@ -18,10 +18,12 @@ func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error
 }

 var DefaultHTTPClient = &http.Client{Transport: &userAgentTransport{
-	next:      http.DefaultTransport,
+	next:      DefaultTransport,
 	userAgent: "oauth2-proxy/" + version.VERSION,
 }}

+var DefaultTransport = http.DefaultTransport
+
 func setDefaultUserAgent(header http.Header, userAgent string) {
 	if header != nil && len(header.Values("User-Agent")) == 0 {
 		header.Set("User-Agent", userAgent)
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@ -13,6 +13,7 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
 )

@ -30,20 +31,16 @@ func Validate(o *options.Options) error {
 	msgs = parseSignatureKey(o, msgs)

 	if o.SSLInsecureSkipVerify {
-		insecureTransport := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
-		}
-		http.DefaultClient = &http.Client{Transport: insecureTransport}
+		transport := requests.DefaultTransport.(*http.Transport)
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
 	} else if len(o.Providers[0].CAFiles) > 0 {
 		pool, err := util.GetCertPool(o.Providers[0].CAFiles, o.Providers[0].UseSystemTrustStore)
 		if err == nil {
-			transport := http.DefaultTransport.(*http.Transport).Clone()
+			transport := requests.DefaultTransport.(*http.Transport)
 			transport.TLSClientConfig = &tls.Config{
 				RootCAs:    pool,
 				MinVersion: tls.VersionTLS12,
 			}
-
-			http.DefaultClient = &http.Client{Transport: transport}
 		} else {
 			msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
 		}