Allow insecure https requests #7596
Comments
Thanks for the idea @BitTheByte. Do you have a specific use case for this?
@bunchesofdonald using prefect behind a proxy with a self-signed SSL certificate
I would also like this option. Obviously in production I would have properly configured SSL certs but currently in DEV I've got self-signed certs and so without this option I can't test prefect :/
I "fixed" the problem by patching prefect/src/prefect/client/orion.py Lines 83 to 96 in 9542ae3
It would be good to have a config setting to enable this without having to resort to patching the source.
Documentation for that option: https://www.python-httpx.org/advanced/#changing-the-verification-defaults I am open to adding a cc @jawnsy
I'd propose a name like I think it's safer to add certificates to the CA store or tunnel TLS traffic through an unencrypted proxy (e.g. connect to a proxy over HTTP, use HTTP CONNECT to open an encrypted end-to-end tunnel to Prefect Cloud) rather than turning off verification. httpx describes this as the tunnelling method of proxying, instead of forwarding. I think that environment variables for this configuration should look something like: I'm not sure how to configure the trust store with httpx, as it seems to rely on one distributed by certifi, rather than the one included with the ca-certificates package, so turning off verification might be the easiest approach without changes to our agent. We could add a Turning off TLS certificate verification entirely may be suitable in certain threat models, such as environments where you trust the network and can prevent DNS cache poisoning attacks, or for test purposes. cc @loljawn
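The two options weighed in the comment above (trusting a specific CA versus turning verification off) can be compared in a sketch like the following. This is an added example, not code from Prefect or from any commenter. `PREFECT_CLIENT_ALLOW_INSECURE` is the name proposed in this issue and not necessarily the setting that shipped; `EXAMPLE_DEV_CA_BUNDLE`, `build_tls_context` and `describe` are hypothetical names, and the precedence rule is this example's own choice.

```python
import os
import ssl
import warnings

# Name proposed in this issue; not necessarily the setting Prefect shipped.
INSECURE_FLAG = "PREFECT_CLIENT_ALLOW_INSECURE"
# Hypothetical variable for this example: path to a PEM file holding the DEV CA.
CA_BUNDLE_VAR = "EXAMPLE_DEV_CA_BUNDLE"


def build_tls_context(env=None):
    """Pick an ssl.SSLContext for API requests from environment settings.

    Assumed precedence: an explicit CA bundle wins over the insecure flag,
    so setting both never silently downgrades to no verification.
    """
    env = os.environ if env is None else env
    ca_bundle = env.get(CA_BUNDLE_VAR, "").strip()
    # Strict opt-in: only "1" or "true" count, anything else keeps verification on.
    insecure = env.get(INSECURE_FLAG, "").strip().lower() in {"1", "true"}

    if ca_bundle:
        # Trusts only the CAs in this file (system roots are not loaded) and
        # keeps chain and hostname checks. A wrong path raises FileNotFoundError
        # instead of falling back to an unverified connection.
        return ssl.create_default_context(cafile=ca_bundle)

    ctx = ssl.create_default_context()
    if insecure:
        warnings.warn(
            f"{INSECURE_FLAG} is set: TLS certificate and hostname "
            "verification are disabled for API requests",
            stacklevel=2,
        )
        # check_hostname must be switched off before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise what a context still enforces, for logging or review."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    # httpx accepts an SSLContext as its verify argument: httpx.Client(verify=ctx)
    print(describe(build_tls_context()))
```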
@jawnsy I was proposing a more generic name because the
If we want to be more explicit than the httpx options, we could do separate settings such as
The self-signed certificates I have are just junk/throwaway certificates, automatically created for our ingress controller when we spin up our DEV cluster. As they're not long lived I'd rather not add them to my system trust store so I'd really just like an option to disable SSL verification altogether (as I've done by patching the source). I'm aware of the risks and on a secure network and just using it for testing. I'm fine with a big scary name, and would even be ok with an annoying warning. If the issue were just about getting
Ah great, that works for me as further justification for a dedicated (Note: We may need confirmation from our security team as well)
Closed by #7850
First check
Prefect Version
2.x
Describe the current behavior
Not Implemented
Describe the proposed behavior
opt-in flag to allow sending insecure https requests e.g.
PREFECT_CLIENT_ALLOW_INSECURE
Example Use
No response
Additional context
No response