diff --git a/cmd/zrok/sharePrivate.go b/cmd/zrok/sharePrivate.go
index c1a2f7a4..fca0b17a 100644
--- a/cmd/zrok/sharePrivate.go
+++ b/cmd/zrok/sharePrivate.go
@@ -32,6 +32,7 @@ type sharePrivateCommand struct {
 basicAuth []string
 backendMode string
 headless bool
+ insecure bool
 cmd *cobra.Command
 }
@@ -45,6 +46,7 @@ func newSharePrivateCommand() *sharePrivateCommand {
 cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (,...")
 cmd.Flags().StringVar(&command.backendMode, "backend-mode", "proxy", "The backend mode {proxy, web}")
 cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
+ cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for ")
 cmd.Run = command.run
 return command
 }
@@ -145,6 +147,7 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 IdentityPath: zif,
 EndpointAddress: target,
 ShrToken: resp.Payload.ShrToken,
+ Insecure: cmd.insecure,
 RequestsChan: requestsChan,
 }
 _, err = cmd.proxyBackendMode(cfg)
diff --git a/cmd/zrok/sharePublic.go b/cmd/zrok/sharePublic.go
index 5330461a..2ca340c5 100644
--- a/cmd/zrok/sharePublic.go
+++ b/cmd/zrok/sharePublic.go
@@ -33,6 +33,7 @@ type sharePublicCommand struct {
 frontendSelection []string
 backendMode string
 headless bool
+ insecure bool
 cmd *cobra.Command
 }
@@ -47,6 +48,7 @@ func newSharePublicCommand() *sharePublicCommand {
 cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share")
 cmd.Flags().StringVar(&command.backendMode, "backend-mode", "proxy", "The backend mode {proxy, web}")
 cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
+ cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation for ")
 cmd.Run = command.run
 return command
 }
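Review bot: The help text on the new `--insecure` flag in newSharePrivateCommand says "Enable insecure TLS certificate validation", which reads as the opposite of what the flag does: per newReverseProxy in endpoints/proxyBackend/http.go in this same diff it sets `InsecureSkipVerify: true`, i.e. it disables verification of the backend target's certificate. The same wording is used in newSharePublicCommand and newShareReservedCommand, and the first two strings end in a dangling "for ", which looks truncated. I'd register it as `cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Skip TLS certificate verification when connecting to the backend target endpoint")` in all three commands so an operator reading `--help` understands they are turning a protection off. The flag is also registered regardless of `--backend-mode`; if the web mode does not go through proxyBackend, the help text should say the flag only affects proxy mode. newSharePrivateCommand begins before this hunk.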
@@ -148,6 +150,7 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 IdentityPath: zif,
 EndpointAddress: target,
 ShrToken: resp.Payload.ShrToken,
+ Insecure: cmd.insecure,
 RequestsChan: requestsChan,
 }
 _, err = cmd.proxyBackendMode(cfg)
diff --git a/cmd/zrok/shareReserved.go b/cmd/zrok/shareReserved.go
index ff2de5d5..a87cf023 100644
--- a/cmd/zrok/shareReserved.go
+++ b/cmd/zrok/shareReserved.go
@@ -24,6 +24,7 @@ func init() {
 type shareReservedCommand struct {
 overrideEndpoint string
 headless bool
+ insecure bool
 cmd *cobra.Command
 }
@@ -35,6 +36,7 @@ func newShareReservedCommand() *shareReservedCommand {
 command := &shareReservedCommand{cmd: cmd}
 cmd.Flags().StringVar(&command.overrideEndpoint, "override-endpoint", "", "Override the stored target endpoint with a replacement")
 cmd.Flags().BoolVar(&command.headless, "headless", false, "Disable TUI and run headless")
+ cmd.Flags().BoolVar(&command.insecure, "insecure", false, "Enable insecure TLS certificate validation")
 cmd.Run = command.run
 return command
 }
@@ -110,6 +112,7 @@ func (cmd *shareReservedCommand) run(_ *cobra.Command, args []string) {
 IdentityPath: zif,
 EndpointAddress: target,
 ShrToken: shrToken,
+ Insecure: cmd.insecure,
 RequestsChan: requestsChan,
 }
 _, err := cmd.proxyBackendMode(cfg)
diff --git a/endpoints/proxyBackend/http.go b/endpoints/proxyBackend/http.go
index 3188bcc2..5992809b 100644
--- a/endpoints/proxyBackend/http.go
+++ b/endpoints/proxyBackend/http.go
@@ -2,6 +2,7 @@ package proxyBackend
 import (
 "context"
+ "crypto/tls"
 "fmt"
 "github.com/openziti/sdk-golang/ziti"
 "github.com/openziti/sdk-golang/ziti/config"
@@ -21,6 +22,7 @@ type Config struct {
 IdentityPath string
 EndpointAddress string
 ShrToken string
+ Insecure bool
 RequestsChan chan *endpoints.Request
 }
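Review bot: The new exported field `Insecure` on proxyBackend.Config has no doc comment, so a caller of the package cannot tell from the type that it turns off certificate verification for the outbound connection to EndpointAddress, which is what newReverseProxy does with it later in this diff. I'd add `// Insecure disables TLS certificate verification for the proxied connection to EndpointAddress.` directly above the field so the consequence is visible where the option is set. The opening line of the Config type is outside the hunk.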
@@ -45,7 +47,7 @@ func NewBackend(cfg *Config) (*backend, error) {
 return nil, errors.Wrap(err, "error listening")
 }
- proxy, err := newReverseProxy(cfg.EndpointAddress, cfg.RequestsChan)
+ proxy, err := newReverseProxy(cfg)
 if err != nil {
 return nil, err
 }
@@ -70,21 +72,24 @@ func (self *backend) Requests() func() int32 {
 return self.requests
 }
-func newReverseProxy(target string, requests chan *endpoints.Request) (*httputil.ReverseProxy, error) {
- targetURL, err := url.Parse(target)
+func newReverseProxy(cfg *Config) (*httputil.ReverseProxy, error) {
+ targetURL, err := url.Parse(cfg.EndpointAddress)
 if err != nil {
 return nil, err
 }
 tpt := http.DefaultTransport.(*http.Transport).Clone()
 tpt.DialContext = metricsDial
+ if cfg.Insecure {
+ tpt.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+ }
 proxy := httputil.NewSingleHostReverseProxy(targetURL)
 proxy.Transport = tpt
 director := proxy.Director
 proxy.Director = func(req *http.Request) {
- if requests != nil {
- requests <- &endpoints.Request{
+ if cfg.RequestsChan != nil {
+ cfg.RequestsChan <- &endpoints.Request{
 Stamp: time.Now(),
 RemoteAddr: fmt.Sprintf("%v", req.Header["X-Real-Ip"]),
 Method: req.Method,
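Review bot: `newReverseProxy(cfg)` in NewBackend now consumes `cfg.Insecure`, but nothing in the backend records that certificate verification of the target was turned off, so a share running with the trust check disabled is indistinguishable in logs from a normal one. I'd emit a warning before the call when `cfg.Insecure` is true, using whatever logger this package already uses and including `cfg.EndpointAddress`, so the setting is visible to operators and in later incident review. NewBackend begins before this hunk, and the newReverseProxy hunk that follows runs past the end of this excerpt.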