Feature suggestion: Additional check for SSL misconfiguration in stream proxy.
amdeich at gmail.com
Thu Apr 30 04:59:41 UTC 2020
Consider the following configuration:
} # end stream
It is perfectly OK for nginx, though it doesn't do what one would
expect it to: data is sent to the upstream server in plain text.
This is due to the fact that proxy_ssl is off by default.
So all proxy_ssl_* directives are ignored.
This looks kind of error-prone, as, unlike in the HTTP-proxy module, we
can't specify a schema for upstream connections.
Thus, one could expect nginx to complain about misconfiguration (using
proxy_ssl_* without specifying proxy_ssl on; first), rather than
silently sending data in cleartext.
If a patch implementing additional checks for the stream-proxy module
is submitted, is there any chance it could be considered for
merging into upstream?
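
The check described in the message above can also be run outside nginx as a configuration lint. This is an added example, not code from the post or from nginx; the sample configuration, addresses and file name are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (the configuration in the post did not survive archiving).
SAMPLE = """
stream {
    proxy_ssl_verify on;                      # inherited by both servers
    proxy_ssl_trusted_certificate ca.pem;     # hypothetical file name
    server { listen 12345; proxy_pass 192.0.2.10:443; }   # proxy_ssl defaults to off
    server { listen 12346; proxy_ssl on; proxy_pass 192.0.2.10:443; }
}
"""

def parse(text):
    """Parse nginx syntax into (name, args, children); children is None for simple directives."""
    text = re.sub(r'#[^\n]*', '', text)  # simplification: '#' inside quotes is not handled
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    def block(i):
        items, words = [], []
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if tok == '}':
                break
            if tok in (';', '{'):
                children = None
                if tok == '{':
                    children, i = block(i)
                if words:
                    items.append((words[0], words[1:], children))
                words = []
            else:
                words.append(tok)
        return items, i
    return block(0)[0]

def find_ignored_proxy_ssl(text):
    """Return (listen, ignored proxy_ssl_* directives) for stream servers that proxy in cleartext."""
    findings = []
    for name, _, stream in parse(text):
        if name != 'stream' or stream is None:
            continue
        # proxy_ssl and proxy_ssl_* set at stream level are inherited by each server
        inherited = {n: a for n, a, c in stream if c is None and n.startswith('proxy_ssl')}
        for n, _, server in stream:
            if n != 'server' or server is None:
                continue
            eff = {**inherited, **{d: a for d, a, c in server if c is None}}
            extras = sorted(d for d in eff if d.startswith('proxy_ssl_'))
            if 'proxy_pass' in eff and extras and eff.get('proxy_ssl') != ['on']:
                findings.append((' '.join(eff.get('listen', ['?'])), extras))
    return findings
```

The parser does not follow `include` directives, so included files need to be checked separately.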