[GH-ISSUE #4456] [Feature Request] Custom RootCA Support for *2https plugins #3520

New issue

Closed

opened 2026-05-05 14:15:49 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented 2026-05-05 14:15:49 -06:00

Owner

Copy link

Originally created by @adamwallred on GitHub (Sep 25, 2024).
Original GitHub issue: https://github.com/fatedier/frp/issues/4456

Describe the feature request

The http2https and https2https plugins currently prepare the httputil.ReverseProxy TLS config with a hard-coded InsecureSkipVerify: true . In cases where we have a custom CA signing the certificate for the proxied service, it would be nice to provide the CA cert and verify the connections.

Describe alternatives you've considered

No response

Affected area

• Docs
• Installation
• Performance and Scalability
• Security
• User Experience
• Test and Release
• Developer Infrastructure
• Client Plugin
• Server Plugin
• Extensions
• Others

Originally created by @adamwallred on GitHub (Sep 25, 2024). Original GitHub issue: https://github.com/fatedier/frp/issues/4456 ### Describe the feature request The http2https and https2https plugins currently prepare the `httputil.ReverseProxy` TLS config with a hard-coded `InsecureSkipVerify: true` . In cases where we have a custom CA signing the certificate for the proxied service, it would be nice to provide the CA cert and verify the connections. ### Describe alternatives you've considered _No response_ ### Affected area - [ ] Docs - [ ] Installation - [ ] Performance and Scalability - [X] Security - [ ] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [X] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others

gitea-mirror 2026-05-05 14:15:49 -06:00

• closed this issue
• added the
  lifecycle/stale
  label

gitea-mirror commented 2026-05-05 14:15:53 -06:00

Author

Owner

Copy link

@fatedier commented on GitHub (Sep 26, 2024):

frp is commonly used for reverse proxying to your internal HTTP/HTTPS services. I believe the scenario you mentioned is not a common use case.

These plugins provide some basic functionalities, but not all of them, so we are not inclined to make changes at this point. In future major version plans, there will be a restructuring to support more complex Layer 7 proxy capabilities, and we will consider adding support at that time.

<!-- gh-comment-id:2375785161 --> @fatedier commented on GitHub (Sep 26, 2024): frp is commonly used for reverse proxying to your internal HTTP/HTTPS services. I believe the scenario you mentioned is not a common use case. These plugins provide some basic functionalities, but not all of them, so we are not inclined to make changes at this point. In future major version plans, there will be a restructuring to support more complex Layer 7 proxy capabilities, and we will consider adding support at that time.

gitea-mirror commented 2026-05-05 14:15:53 -06:00

Author

Owner

Copy link

@adamwallred commented on GitHub (Sep 26, 2024):

frp is commonly used for reverse proxying to your internal HTTP/HTTPS services. I believe the scenario you mentioned is not a common use case.

I would guess that internal HTTPS services have a good chance of using a custom or self-signed CA. If it's an internal service that someone has taken the time to add TLS to, then I think it's not too unexpected that the certificate is self-signed or using a custom CA. If it's an internal-only service, why would it need a commercial certificate?

For example, consider container orchestration systems like k8s that use tools like cert-manager that maintain a private CA to sign certificates for auto-generated internal service domains. Since k8s service domains are not guaranteed to be globally unique, you cannot prove ownership of them, and commercial CAs won't sign certs for them. It's common to have internal services signed by a custom CA.

<!-- gh-comment-id:2376826404 --> @adamwallred commented on GitHub (Sep 26, 2024): > frp is commonly used for reverse proxying to your internal HTTP/HTTPS services. I believe the scenario you mentioned is not a common use case. I would guess that internal HTTPS services have a good chance of using a custom or self-signed CA. If it's an internal service that someone has taken the time to add TLS to, then I think it's not too unexpected that the certificate is self-signed or using a custom CA. If it's an internal-only service, why would it need a commercial certificate? For example, consider container orchestration systems like k8s that use tools like [cert-manager](https://cert-manager.io/) that maintain a private CA to sign certificates for auto-generated internal service domains. Since k8s service domains are not guaranteed to be globally unique, you cannot prove ownership of them, and commercial CAs won't sign certs for them. It's common to have internal services signed by a custom CA.

gitea-mirror commented 2026-05-05 14:15:54 -06:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Oct 18, 2024):

Issues go stale after 21d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

<!-- gh-comment-id:2420952362 --> @github-actions[bot] commented on GitHub (Oct 18, 2024): Issues go stale after 21d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.

gitea-mirror referenced this issue 2026-05-05 14:48:26 -06:00

[PR #3520] [MERGED] update FUNDING.yml #4770

gitea-mirror referenced this issue 2026-05-05 14:48:31 -06:00

[PR #3537] [MERGED] release v0.51.1 #4774

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

new

master

copilot/review-pull-request-5198

v0.68.1

v0.68.0

v0.67.0

v0.66.0

v0.65.0

v0.64.0

v0.63.0

v0.62.1

v0.62.0

v0.61.2

v0.61.1

v0.61.0

v0.60.0

v0.59.0

v0.58.1

v0.58.0

v0.57.0

v0.56.0

v0.55.1

v0.55.0

v0.54.0

v0.53.2

v0.53.1

v0.53.0

v0.52.3

v0.52.2

v0.52.1

v0.52.0

v0.51.3

v0.51.2

v0.51.1

v0.51.0

v0.50.0

v0.49.0

v0.48.0

v0.47.0

v0.46.1

v0.46.0

v0.45.0

v0.44.0

v0.43.0

v0.42.0

v0.41.0

v0.40.0

v0.39.1

v0.39.0

v0.38.0

v0.37.1

v0.37.0

v0.36.2

v0.36.1

v0.36.0

v0.35.1

v0.35.0

v0.34.3

v0.34.2

v0.34.1

v0.34.0

v0.33.0

v0.32.1

v0.32.0

v0.31.2

v0.31.1

v0.31.0

v0.30.0

v0.29.1

v0.29.0

v0.28.2

v0.28.1

v0.28.0

v0.27.1

v0.27.0

v0.26.0

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.1

v0.24.0

v0.23.3

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.0

v0.19.1

v0.19.0

v0.18.0

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.0

v0.12.0

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.0

v0.6.0

v0.5.0

v0.3.0

v0.2.0

v0.1.0

Labels

Clear labels   

In Progress

  

WIP

  

WaitingForInfo

  

bug

  

doc

  

duplicate

  

easy

  

enhancement

  

future

  

help wanted

  

invalid

  

lifecycle/stale

  

need-issue-template

  

need-usage-help

  

no plan

  

proposal

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

todo

No labels

In Progress

WIP

WaitingForInfo

bug

doc

duplicate

easy

enhancement

future

help wanted

invalid

lifecycle/stale

need-issue-template

need-usage-help

no plan

proposal

pull-request

question

todo

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#3520

No description provided.