feat: configurable rejectUnauthorized

[jan-molak]

This change makes it possible to configure global-agent to ignore certificate errors when the request-specific configuration is not provided.

Problem

Axios does not allow its users to ignore SSL certificate errors, see axios/axios#535, axios/axios#1976 and other issues.

The recommended way around it is to configure Axios with an https.Agent with the appropriate setting:

const instance = axios.create({
  httpsAgent: new https.Agent({  
    rejectUnauthorized: false
  })
});

However, because of the way Axios determines whether to use a http.Agent or a https.Agent based on the protocol of the destination url, this only works if both the proxy and the target URL follow the same, HTTPS protocol.

To address the problem of Axios not supporting such protocol mismatch Global Agent could be used, but this then doesn't support ignoring certificate errors by means other than setting NODE_TLS_REJECT_UNAUTHORIZED to 0, which is a discouraged practice.

Proposed solution

Adding a new configuration option rejectUnauthorized to bootstrap routine would allow developers to provide a default setting for all the requests that go through global-agent, while allowing the more customisable HTTP clients like Sindre's got to still override it on a per-request basis:

bootstrap({ rejectUnauthorized: false });

const instance = axios.create();

Alternatives considered

While it is possible to force Global Agent to rejectUnauthorized by specifying NODE_TLS_REJECT_UNAUTHORIZED equal 0, I'd rather avoid that as this results in a warning emitted by Node.js:

(node:18596) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.

[jan-molak]

Looks like the PR fails because of an intermittent timeout on one of the build runners?

[roccomuso]

thanks for the PR, hope it gets reviewed and merged soon