Reputation: 63
Force nginx to verify upstream certs
I am trying to institute TLS at every layer of a proxying path. What I'm seeing is Nginx allowing an upstream to have a self-signed certificate. Is there any way to lock the authorities that are accepted when passing traffic to an upstream?
end-user --1--> nginx01 --2--> nginx02 --N--> nginxN
nginx01 has a trusted cert and the end-user connects without issue. nginx02 has a self-signed cert, and when I proxy_pass to https://nginx02 I don't see any complaints in end-user browser or in nginx01 logs. I would expect a rejection. If I curl nginx02 from nginx01 as expected I get the ssl rejection.
Is there any way to force nginx01 to validate nginx02 certs?
CentOS 7 running nginx 1.6.3-8.
/etc/hosts
10.21.10.99 upstream.example.com
curl https://upstream.example.com
# ssl rejection
curl https://upstream.example.com --cacert ./upstream.example.com.crt
# works fine (200)
# nginx configuration
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/security/full_chain.crt;
ssl_certificate_key /etc/nginx/security/ingress.example.com.key;
server_name ingress.example.com;
location / {
proxy_pass https://upstream.example.com;
}
}
Upvotes: 6
Views: 11118
Answers (2)
Reputation: 18504
Use
proxy_ssl_verify on;
proxy_ssl_trusted_certificate /path/to/your_selfsigned_ca_cert.pem
For additional details you can refer to nginx proxy docs here
Upvotes: 6
Reputation: 63
I just needed to upgrade to get some proxy_ssl directives. http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify
Upvotes: 0
Related Questions
- (13: Permission denied) while connecting to upstream:[nginx]
- Nginx cause too many redirects
- Node.js + Nginx - What now?
- Nginx -- static file serving confusion with root & alias
- Configure NGINX + CloudFlare + SSL
- Docker registry login fails with "Certificate signed by unknown authority"
- AWS EB - Redirect all traffic to https
- How to load balance wso2 1.9.0 with NGINX 1.6.2