diff --git a/site/content/en/latest/tasks/security/backend-skip-tls-verification.md b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md new file mode 100644 index 0000000000..4d862b0b18 --- /dev/null +++ b/site/content/en/latest/tasks/security/backend-skip-tls-verification.md @@ -0,0 +1,341 @@ +--- +title: "Backend TLS: Skip TLS Verification" +--- + +This task demonstrates how to skip TLS verification for a backend service in Envoy Gateway. + +By default, you must configure a [BackendTLSPolicy][] to validate the TLS certificate of a backend service when it uses TLS. + +However, in certain scenarios—such as development or testing—you might want to skip TLS verification for a backend service. +To do this, you can use the [Backend][] API and set the `tls.insecureSkipVerify` field to true in the [Backend][] resource. + +Warning: Skipping TLS verification disables certificate validation, which can expose your connection to man-in-the-middle +attacks. This setting is typically used only for development or testing and is not recommended in production environments. + +## Prerequisites + +- OpenSSL to generate TLS assets. + +## Installation + +{{< boilerplate prerequisites >}} + +## Enable Backend + +The [Backend][] API is disabled by default in Envoy Gateway. To enable it, follow the steps outlined in [Backend Routing][] to configure the [EnvoyGateway][] startup settings accordingly. + +## TLS Certificates + +Generate the certificates and keys used by the backend to terminate TLS connections from the Gateways. + +Create a root certificate and private key to sign certificates: + +```shell +openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout ca.key -out ca.crt +``` + +Create a certificate and a private key for `www.example.com`. + +First, create an openssl configuration file: + +```shell +cat > openssl.conf <}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +## Skip TLS Verification + +In the following example, we will create a [Backend][] resource that routes to the `tls-backend` service, and an [HTTPRoute][] +that references the [Backend][] resource. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Send a request to the backend service: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +Because the backend service is using TLS, and no [BackendTLSPolicy][] is configured to validate the TLS certificate, +the request will fail with a `400 Bad Request` error: + +```bash +* Connected to www.example.com (172.18.0.200) port 80 +* using HTTP/1.x +> GET /get HTTP/1.1 +> Host:www.example.com +> User-Agent: curl/8.14.1 +> Accept: */* +> +* Request completely sent off +< HTTP/1.1 400 Bad Request +< date: Thu, 31 Jul 2025 06:09:51 GMT +< transfer-encoding: chunked +``` + +Disabling TLS verification by setting the `InsecureSkipVerify` field to `true` allows the request to succeed: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Send the request again: + +```shell +curl -v -HHost:www.example.com --resolve "www.example.com:80:${GATEWAY_HOST}" \ +http://www.example.com:80/get +``` + +You should now see a successful response from the backend service. Since TLS verification has been skipped, the request +proceeds without validating the backend’s TLS certificate. The response will include TLS details such as the protocol +version and cipher suite used for the connection. + + +```shell +< HTTP/1.1 200 OK +[...] + "tls": { + "version": "TLSv1.2", + "serverName": "", + "negotiatedProtocol": "http/1.1", + "cipherSuite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" + } +``` + +[Backend Routing]: ../traffic/backend/#enable-backend +[Backend]: ../../../api/extension_types#backend +[EnvoyGateway]: ../../../api/extension_types#envoygateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[BackendTLSPolicy]: https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/