Feature suggestion: Additional check for SSL misconfiguration in stream proxy.

Andrey Kulikov amdeich at gmail.com
Thu Apr 30 04:59:41 UTC 2020


Consider following configuration:

stream {
    server {
        listen 5443;
        proxy_pass my-tls-upstream:443;
        proxy_ssl_verify on;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate trusted_root_CAs.cer;
}  # end stream

It is perfectly Ok for nginx, though it doesn't do what one would
expect it to - data being send to upstream server in plain text.
This is due to the fact that proxy_ssl if off by default.
So all proxy_ssl_* directives being ignored.

This looks kind of error-prone, as unlike in HTTP-proxy module, we
can't specify schema for upstream connections.

Thus, one could expect nginx to complain about misconfiguration (using
proxy_ssl_* without specifying proxy_ssl on; first), rather than
silently send data in cleartext.

If patch with additional checks implementation for stream-proxy module
will be submitted, are there any chances it could be considered for
merging into upstream?

Best wishes,

More information about the nginx-devel mailing list