From 5cadfba3b7de74d04d171b610cf99136ae095eb0 Mon Sep 17 00:00:00 2001 From: Eduardo Silva Date: Mon, 16 Mar 2026 14:27:03 -0300 Subject: [PATCH] add allow_invalid_cert field to application model and update related forms and config processing --- app_gateway/caddy_config_export.py | 1 + app_gateway/forms.py | 4 ++- .../0007_application_allow_invalid_cert.py | 16 ++++++++++++ app_gateway/models.py | 1 + containers/caddy/process_config.py | 26 ++++++++++++------- 5 files changed, 38 insertions(+), 10 deletions(-) create mode 100644 app_gateway/migrations/0007_application_allow_invalid_cert.py diff --git a/app_gateway/caddy_config_export.py b/app_gateway/caddy_config_export.py index ff1dd17..543ac64 100644 --- a/app_gateway/caddy_config_export.py +++ b/app_gateway/caddy_config_export.py @@ -26,6 +26,7 @@ def build_applications_data(): 'name': app.display_name or app.name, 'hosts': list(app.hosts.values_list('hostname', flat=True)), 'upstream': app.upstream, + 'allow_invalid_cert': app.allow_invalid_cert, } entries.append(entry) return {'entries': entries} diff --git a/app_gateway/forms.py b/app_gateway/forms.py index 92923b8..428015d 100644 --- a/app_gateway/forms.py +++ b/app_gateway/forms.py @@ -13,11 +13,12 @@ from app_gateway.models import ( class ApplicationForm(forms.ModelForm): class Meta: model = Application - fields = ['name', 'display_name', 'upstream'] + fields = ['name', 'display_name', 'upstream', 'allow_invalid_cert'] labels = { 'name': _('Name'), 'display_name': _('Display Name'), 'upstream': _('Upstream'), + 'allow_invalid_cert': _('Allow invalid/self-signed certificate'), } def __init__(self, *args, **kwargs): @@ -33,6 +34,7 @@ class ApplicationForm(forms.ModelForm): ), Div( Div('upstream', css_class='col-md-12'), + Div('allow_invalid_cert', css_class='col-md-12'), css_class='row' ), Div( 
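Review bot: The new `allow_invalid_cert` checkbox is accepted independently of `upstream`, so the form lets an admin enable it for a plain `http://` upstream (the model's own help_text example), where skipping certificate verification is meaningless and, since the Caddy option implies TLS to the backend, may as far as I can tell make the generated Caddyfile fail to load for every app. The label `_('Allow invalid/self-signed certificate')` also understates what the flag does — it turns off certificate verification for that upstream entirely, which is a man-in-the-middle exposure for identity headers forwarded to it; something like `_('Skip upstream TLS certificate verification (insecure)')` tells the operator what they are enabling. I would add a `clean()` to `ApplicationForm` that rejects the flag unless the upstream is `https://`, as below; the `__init__`/layout part of the form continues past this hunk.
```python
class ApplicationForm(forms.ModelForm):
    # … unchanged: Meta, __init__ / layout …

    def clean(self):
        cleaned = super().clean()
        upstream = (cleaned.get('upstream') or '').strip().lower()
        if cleaned.get('allow_invalid_cert') and not upstream.startswith('https://'):
            # Skipping verification only applies to an HTTPS upstream; on http:// it is
            # meaningless and would produce a TLS transport for a plaintext backend.
            self.add_error('allow_invalid_cert',
                           _('Only applicable to an https:// upstream.'))
        return cleaned
```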
diff --git a/app_gateway/migrations/0007_application_allow_invalid_cert.py b/app_gateway/migrations/0007_application_allow_invalid_cert.py new file mode 100644 index 0000000..8f5a8c0 --- /dev/null +++ b/app_gateway/migrations/0007_application_allow_invalid_cert.py @@ -0,0 +1,16 @@ +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('app_gateway', '0006_alter_accesspolicy_policy_type'), + ] + + operations = [ + migrations.AddField( + model_name='application', + name='allow_invalid_cert', + field=models.BooleanField(default=False, help_text='Allow invalid or self-signed TLS certificates from the upstream'), + ), + ] diff --git a/app_gateway/models.py b/app_gateway/models.py index ceae309..024a6b1 100644 --- a/app_gateway/models.py +++ b/app_gateway/models.py @@ -10,6 +10,7 @@ class Application(models.Model): name = models.SlugField(max_length=64, unique=True) display_name = models.CharField(max_length=128, blank=True) upstream = models.CharField(max_length=255, help_text=_("Upstream address, e.g.: http://10.188.18.27:3000")) + allow_invalid_cert = models.BooleanField(default=False, help_text=_("Allow invalid or self-signed TLS certificates from the upstream")) created = models.DateTimeField(auto_now_add=True) updated = models.DateTimeField(auto_now=True) diff --git a/containers/caddy/process_config.py b/containers/caddy/process_config.py index 01b08a2..7b88f46 100644 --- a/containers/caddy/process_config.py +++ b/containers/caddy/process_config.py 
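Review bot: The help_text on the new `allow_invalid_cert` field, `_("Allow invalid or self-signed TLS certificates from the upstream")`, reads like a compatibility convenience and does not say that the option disables certificate verification for that upstream altogether, which is the fact an operator needs before ticking it. I would reword it to something like `_("Disable TLS certificate verification for this upstream (insecure: allows man-in-the-middle). Only for https:// upstreams; prefer trusting the upstream's CA where possible.")` and mirror the same text in migration 0007, which currently carries the old wording. The rest of the `Application` model (the `created`/`updated` fields and anything after) sits outside the hunk.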
@@ -74,24 +74,32 @@ def build_caddyfile(apps, auth_policies, routes): return " handle {" return f" handle {matcher} {{" - def emit_reverse_proxy(base, upstream_path, indent=" "): + def emit_reverse_proxy(base, upstream_path, indent=" ", allow_invalid_cert=False): if upstream_path: lines.append(f"{indent}rewrite * {upstream_path}{{uri}}") - lines.append(f"{indent}reverse_proxy {base}") + if allow_invalid_cert: + lines.append(f"{indent}reverse_proxy {base} {{") + lines.append(f"{indent} transport http {{") + lines.append(f"{indent} tls_insecure_skip_verify") + lines.append(f"{indent} }}") + lines.append(f"{indent}}}") + else: + lines.append(f"{indent}reverse_proxy {base}") - def emit_protected_handle(path_matcher, base, upstream_path): + def emit_protected_handle(path_matcher, base, upstream_path, allow_invalid_cert=False): lines.append(handle_open(path_matcher)) lines.append(f" forward_auth {AUTH_GATEWAY_INTERNAL_URL} {{") lines.append(f" uri {AUTH_GATEWAY_CHECK_URI}") lines.append(" copy_headers X-Auth-User X-Auth-Email X-Auth-Groups X-Auth-Factors X-Auth-Policy") lines.append(" }") - emit_reverse_proxy(base, upstream_path) + emit_reverse_proxy(base, upstream_path, allow_invalid_cert=allow_invalid_cert) lines.append(" }") lines.append("") for app in apps: hosts = app.get("hosts", []) upstream = app.get("upstream", "") + allow_invalid_cert = app.get("allow_invalid_cert", False) static_routes = app.get("static_routes", []) app_id = app.get("id", "") @@ -117,7 +125,7 @@ def build_caddyfile(apps, auth_policies, routes): app_route_data = route_entries.get(app_id) if app_route_data is None: - emit_reverse_proxy(base, upstream_path, indent=" ") + emit_reverse_proxy(base, upstream_path, indent=" ", allow_invalid_cert=allow_invalid_cert) lines.append("}") lines.append("") continue 
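Review bot: The added `tls_insecure_skip_verify` inside `transport http` disables all verification of the upstream certificate (chain, hostname, expiry), so any party able to answer for the upstream address receives the proxied traffic, including the `X-Auth-User`/`X-Auth-Email`/`X-Auth-Groups` headers that `emit_protected_handle` copies in via `forward_auth` — the self-signed case is handled more safely by trusting the specific certificate with Caddy's `tls_trust_pool` (older `tls_trusted_ca_certs`) rather than skipping verification. If the flag is kept, the generated Caddyfile should at least mark the block as deliberate, e.g. `lines.append(f"{indent}# WARNING: upstream certificate verification disabled (allow_invalid_cert)")` before the `reverse_proxy` line in `emit_reverse_proxy`. Note also that, as far as I can tell, this option makes Caddy use TLS to the backend, so an `http://` upstream with the flag set would be rejected at config load and take the whole gateway config down with it; a scheme check at this point (or upstream of it in the exporter) would fail one app instead of all. `build_caddyfile` begins and ends outside this hunk.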
@@ -129,7 +137,7 @@ def build_caddyfile(apps, auth_policies, routes): matcher = f"{path_prefix}*" if policy_type == "bypass": lines.append(handle_open(matcher)) - emit_reverse_proxy(base, upstream_path) + emit_reverse_proxy(base, upstream_path, allow_invalid_cert=allow_invalid_cert) lines.append(" }") lines.append("") elif policy_type == "deny": @@ -138,15 +146,15 @@ def build_caddyfile(apps, auth_policies, routes): lines.append(" }") lines.append("") else: - emit_protected_handle(matcher, base, upstream_path) + emit_protected_handle(matcher, base, upstream_path, allow_invalid_cert=allow_invalid_cert) default_policy_type = get_policy_type(app_route_data.get("default_policy")) if default_policy_type == "bypass": - emit_reverse_proxy(base, upstream_path, indent=" ") + emit_reverse_proxy(base, upstream_path, indent=" ", allow_invalid_cert=allow_invalid_cert) elif default_policy_type == "deny": lines.append(" respond 403") else: - emit_protected_handle("*", base, upstream_path) + emit_protected_handle("*", base, upstream_path, allow_invalid_cert=allow_invalid_cert) lines.append("}") lines.append("")