Nginx upstream server certificate verification

shivramg94 nginx-forum at forum.nginx.org
Thu Mar 30 06:59:50 UTC 2017


I am trying to implement HTTPS protocol communication at every layer of a
proxying path. My proxying path is from client to load balancer (nginx) and
then from nginx to the upstream server. 

I am facing a problem when the request is proxied from nginx to the upstream
server. 

I am getting the following error in the nginx logs 

2017/03/26 19:08:39 [error] 76753#0: *140 upstream SSL certificate does not
match "8ba0c0da44ee43ea894987ab01cf4fbc" while SSL handshaking to upstream,
client: 10.191.200.230, server:
abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com, request: "GET /a/a.html
HTTP/1.1", upstream: "https://10.240.81.28:8001/a/a.html", host:
"abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com:10003" 

This is my configuration for the upstream server block 

upstream 8ba0c0da44ee43ea894987ab01cf4fbc { 
server slc01etc.us.oracle.com:8001 weight=1; 
keepalive 100; 
} 

proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc; 
proxy_set_header Host $host:10003; 
proxy_set_header WL-Proxy-SSL true; 
proxy_set_header IS_SSL ssl; 
proxy_ssl_trusted_certificate
/u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem; 
proxy_ssl_verify on;proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for; 

When the request goes from Nginx to the upstream server, nginx matches the
upstream ssl certificate against the pattern present in the proxy_pass
directive. But my upstream ssl certificate pattern is the upstream server
hostname (slc01etc.us.oracle.com) . 

Is there any way, where I can force Nginx to verify the upstream ssl
certificate against the server hostnames provided in the upstream server
block, instead of the pattern present in the proxy_pass directive?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273295#msg-273295



More information about the nginx mailing list