app/vmctl: disallow insecure https connections to vm-native-dst-addr and vm-native-src-addr by default

It is better from security PoV to disallow insecure https connections to vm-native-dst-addr and vm-native-src-addr . This also maintains backwards compatibility with vmctl before the commit 828aca82e9 Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5595 Updates https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5606
2024-11-21 14:44:00 +00:00 · 2024-01-16 20:18:01 +02:00 · 2024-01-16 20:18:01 +02:00 · 4e4d7f4cbe
commit 4e4d7f4cbe
parent 19c04549a5
2 changed files with 8 additions and 4 deletions
--- a/app/vmctl/flags.go
+++ b/app/vmctl/flags.go
@ -471,12 +471,12 @@ var (
 		&cli.BoolFlag{
 			Name:  vmNativeSrcInsecureSkipVerify,
 			Usage: "Whether to skip TLS certificate verification when connecting to the source address",
-			Value: true,
+			Value: false,
 		},
 		&cli.BoolFlag{
 			Name:  vmNativeDstInsecureSkipVerify,
 			Usage: "Whether to skip TLS certificate verification when connecting to the destination address",
-			Value: true,
+			Value: false,
 		},
 	}
 )
--- a/app/vmctl/main.go
+++ b/app/vmctl/main.go
@ -223,7 +223,9 @@ func main() {
 					}
 					srcHTTPClient := &http.Client{Transport: &http.Transport{
 						DisableKeepAlives: disableKeepAlive,
-						TLSClientConfig:   &tls.Config{InsecureSkipVerify: srcInsecureSkipVerify},
+						TLSClientConfig: &tls.Config{
+							InsecureSkipVerify: srcInsecureSkipVerify,
+						},
 					}}

 					dstAddr := strings.Trim(c.String(vmNativeDstAddr), "/")
@ -238,7 +240,9 @@ func main() {
 					}
 					dstHTTPClient := &http.Client{Transport: &http.Transport{
 						DisableKeepAlives: disableKeepAlive,
-						TLSClientConfig:   &tls.Config{InsecureSkipVerify: dstInsecureSkipVerify},
+						TLSClientConfig: &tls.Config{
+							InsecureSkipVerify: dstInsecureSkipVerify,
+						},
 					}}

 					p := vmNativeProcessor{