Make "skipverify" configurable for remote proxy requests.

proxy.conf.in

@@ -31,6 +31,11 @@ tokentype = static
 # streams.
 #token_key = privkey.pem
 
+# If set to "true", certificate validation of remote stream requests will be
+# skipped. This should only be enabled during development, e.g. to work with
+# self-signed certificates.
+#skipverify = false
+
 [tokens]
 # For token type "static": Mapping of <tokenid> = <publickey> of signaling
 # servers allowed to connect.

proxy/proxy_remote.go

@@ -51,8 +51,9 @@ type RemoteConnection struct {
 	url  *url.URL
 	conn *websocket.Conn
 
-	tokenId  string
-	tokenKey *rsa.PrivateKey
+	tokenId   string
+	tokenKey  *rsa.PrivateKey
+	tlsConfig *tls.Config
 
 	msgId      atomic.Int64
 	helloMsgId string
@@ -61,7 +62,7 @@ type RemoteConnection struct {
 	messageCallbacks map[string]chan *signaling.ProxyServerMessage
 }
 
-func NewRemoteConnection(proxyUrl string, tokenId string, tokenKey *rsa.PrivateKey) (*RemoteConnection, error) {
+func NewRemoteConnection(proxyUrl string, tokenId string, tokenKey *rsa.PrivateKey, tlsConfig *tls.Config) (*RemoteConnection, error) {
 	u, err := url.Parse(proxyUrl)
 	if err != nil {
 		return nil, err
@@ -70,8 +71,9 @@ func NewRemoteConnection(proxyUrl string, tokenId string, tokenKey *rsa.PrivateK
 	result := &RemoteConnection{
 		url: u,
 
-		tokenId:  tokenId,
-		tokenKey: tokenKey,
+		tokenId:   tokenId,
+		tokenKey:  tokenKey,
+		tlsConfig: tlsConfig,
 
 		messageCallbacks: make(map[string]chan *signaling.ProxyServerMessage),
 	}
@@ -101,11 +103,8 @@ func (c *RemoteConnection) Connect(ctx context.Context) error {
 	}
 
 	dialer := websocket.Dialer{
-		Proxy: http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{
-			// TODO: Make this configurable.
-			InsecureSkipVerify: true,
-		},
+		Proxy:           http.ProxyFromEnvironment,
+		TLSClientConfig: c.tlsConfig,
 	}
 
 	conn, _, err := dialer.DialContext(ctx, u.String(), nil)

proxy/proxy_server.go

@@ -25,6 +25,7 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -117,6 +118,7 @@ type ProxyServer struct {
 
 	tokenId               string
 	tokenKey              *rsa.PrivateKey
+	remoteTlsConfig       *tls.Config
 	remoteHostname        string
 	remoteConnections     map[string]*RemoteConnection
 	remoteConnectionsLock sync.Mutex
@@ -223,6 +225,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
 	tokenId, _ := config.GetString("app", "token_id")
 	var tokenKey *rsa.PrivateKey
 	var remoteHostname string
+	var remoteTlsConfig *tls.Config
 	if tokenId != "" {
 		tokenKeyFilename, _ := config.GetString("app", "token_key")
 		if tokenKeyFilename == "" {
@@ -250,6 +253,14 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
 		} else {
 			log.Printf("Using \"%s\" as hostname for remote streams", remoteHostname)
 		}
+
+		skipverify, _ := config.GetBool("backend", "skipverify")
+		if skipverify {
+			log.Println("WARNING: Remote stream requests verification is disabled!")
+			remoteTlsConfig = &tls.Config{
+				InsecureSkipVerify: skipverify,
+			}
+		}
 	} else {
 		log.Printf("No token id configured, remote streams will be disabled")
 	}
@@ -278,6 +289,7 @@ func NewProxyServer(r *mux.Router, version string, config *goconf.ConfigFile) (*
 
 		tokenId:           tokenId,
 		tokenKey:          tokenKey,
+		remoteTlsConfig:   remoteTlsConfig,
 		remoteHostname:    remoteHostname,
 		remoteConnections: make(map[string]*RemoteConnection),
 	}
@@ -1285,7 +1297,7 @@ func (s *ProxyServer) getRemoteConnection(ctx context.Context, url string) (*Rem
 		return conn, nil
 	}
 
-	conn, err := NewRemoteConnection(url, s.tokenId, s.tokenKey)
+	conn, err := NewRemoteConnection(url, s.tokenId, s.tokenKey, s.remoteTlsConfig)
 	if err != nil {
 		return nil, err
 	}