- adding the x-forwarded-for header rather than setting it

- adding the option to control the upstream tls verification
- added a few extra unit test, really for coverage rathar than anything else :-)

config.go

@@ -41,6 +41,7 @@ func newDefaultConfig() *Config {
 		ClaimsMatch:    make(map[string]string, 0),
 		Header:         make(map[string]string, 0),
 		CORS:           &CORS{},
+		SkipUpstreamTLSVerify: true,
 	}
 }
 
@@ -155,6 +156,9 @@ func readOptions(cx *cli.Context, config *Config) (err error) {
 	if cx.IsSet("skip-token-verification") {
 		config.SkipTokenVerification = cx.Bool("skip-token-verification")
 	}
+	if cx.IsSet("skip-upstream-tls-verify") {
+		config.SkipUpstreamTLSVerify = cx.Bool("skip-upstream-tls-verify")
+	}
 	if cx.IsSet("encryption-key") {
 		config.EncryptionKey = cx.String("encryption-key")
 	}
@@ -336,6 +340,10 @@ func getOptions() []cli.Flag {
 			Name:  "tls-ca-certificate",
 			Usage: "the path to the ca certificate used for mutual TLS",
 		},
+		cli.BoolTFlag{
+			Name:  "skip-upstream-tls-verify",
+			Usage: "whether to skip the verification of any upstream TLS (defaults to true)",
+		},
 		cli.StringSliceFlag{
 			Name:  "scope",
 			Usage: "a variable list of scopes requested when authenticating the user",

config_test.go

@@ -19,6 +19,8 @@ import (
 	"io/ioutil"
 	"os"
 	"testing"
+
+	"github.com/codegangsta/cli"
 )
 
 func TestNewDefaultConfig(t *testing.T) {
@@ -164,6 +166,15 @@ func TestIsConfig(t *testing.T) {
 	}
 }
 
+func TestReadOptions(t *testing.T) {
+	c := cli.NewApp()
+	c.Flags = getOptions()
+	c.Action = func(cx *cli.Context) {
+		readOptions(cx, &Config{})
+	}
+	c.Run([]string{""})
+}
+
 func TestGetOptions(t *testing.T) {
 	if flags := getOptions(); flags == nil {
 		t.Errorf("we should have received some flags options")

doc.go

@@ -121,6 +121,8 @@ type Config struct {
 	TLSPrivateKey string `json:"tls_private_key" yaml:"tls_private_key"`
 	// TLSCaCertificate is the CA certificate which the client cert must be signed
 	TLSCaCertificate string `json:"tls_ca_certificate" yaml:"tls_ca_certificate"`
+	// SkipUpstreamTLSVerify skips the verification of any upstream tls
+	SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify"`
 	// Upstream is the upstream endpoint i.e whom were proxying to
 	Upstream string `json:"upstream" yaml:"upstream"`
 	// TagData is passed to the templates

handlers.go

@@ -263,7 +263,7 @@ func (r *KeycloakProxy) authenticationHandler() gin.HandlerFunc {
 //  - if everything is ok, we permit the request to pass through
 //
 func (r *KeycloakProxy) admissionHandler() gin.HandlerFunc {
-	// step: compile the regexs for the claims
+	// step: compile the regex's for the claims
 	claimMatches := make(map[string]*regexp.Regexp, 0)
 	for k, v := range r.config.ClaimsMatch {
 		claimMatches[k] = regexp.MustCompile(v)
@@ -372,7 +372,7 @@ func (r *KeycloakProxy) proxyHandler(cx *gin.Context) {
 		}
 	}
 
-	// step: retrieve the user context
+	// step: retrieve the user context if any
 	if identity, found := cx.Get(userContextName); found {
 		id := identity.(*userContext)
 		cx.Request.Header.Add("X-Auth-UserId", id.id)
@@ -385,8 +385,9 @@ func (r *KeycloakProxy) proxyHandler(cx *gin.Context) {
 	}
 
 	// step: add the default headers
-	cx.Request.Header.Set("X-Forwarded-For", cx.Request.RemoteAddr)
-	cx.Request.Header.Set("X-Forwarded-Agent", "keycloak-proxy")
+	cx.Request.Header.Add("X-Forwarded-For", cx.Request.RemoteAddr)
+	cx.Request.Header.Set("X-Forwarded-Agent", prog)
+	cx.Request.Header.Set("X-Forwarded-Agent-Version", version)
 
 	// step: is this connection upgrading?
 	if isUpgradedConnection(cx.Request) {

server.go

@@ -317,7 +317,7 @@ func (r *KeycloakProxy) initializeReverseProxy(upstream *url.URL) (reverseProxy,
 			Timeout:   10 * time.Second,
 		}).Dial,
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: r.config.SkipUpstreamTLSVerify,
 		},
 		DisableKeepAlives:   !r.config.Keepalives,
 		TLSHandshakeTimeout: 10 * time.Second,