proxy_ssl_verify error: 'upstream SSL certificate does not match "" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev at
Tue Jun 2 19:10:45 UTC 2020

On 6/2/20 8:27 AM, Francis Daly wrote:
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
> The nginx code probably should not try to check for (and reject) that
> combination of directives-and-values; but might it be worth adding a
> note to to say that that other
> directive is probably a bad idea, especially if you get a http 421 response
> from your upstream?

Trying to simplify/repeat, I've

vhost config,

	upstream test-upstream {

	}

	server {
		listen ssl http2;

		location /app1 {

			proxy_ssl_verify       on;
			proxy_ssl_verify_depth 2;
			proxy_ssl_certificate         "/etc/ssl/nginx/test.client.crt";
			proxy_ssl_certificate_key     "/etc/ssl/nginx/test.client.key";
			proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

			proxy_pass https://test-upstream/;
			proxy_ssl_server_name on;
		}
	}


and, upstream config

		server {
			listen ssl http2;

			root /srv/www/test;
			index index.php;
			expires -1;

			ssl_certificate         "/etc/ssl/nginx/test.server.crt";
			ssl_certificate_key     "/etc/ssl/nginx/test.server.key";
			ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

			ssl_verify_client off;
			ssl_verify_depth 2;
			ssl_client_certificate  "/etc/ssl/nginx/ca_int.crt";

			location ~ \.php {
				try_files $uri =404;
				fastcgi_pass   phpfpm;
				fastcgi_index  index.php;
				fastcgi_param  PATH_INFO $fastcgi_script_name;
				include        includes/fastcgi/fastcgi_params;
			}

			error_log   /var/log/nginx/test.error.log  info;
		}

on access to

still get

	421 Misdirected Request

in log

	==> /var/log/nginx/test.error.log <==
	2020/06/02 11:52:13 [info] 8713#8713: *18 client attempted to request the server name different from the one that was negotiated while reading client request headers, client:, server:, request: "GET / HTTP/1.0", host: "test-upstream"

Is that

	host: "test-upstream"

to be expected? It's an upstream name, not an actual host.

Still unable to wrap my head around where this mis-match is coming from ... I have a nagging suspicion I'm missing something *really* obvious :-/
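A small probe, added here as an example and not part of the thread, that does what nginx does on the proxied side: open TLS to the backend with a chosen SNI (verifying the server certificate against that name, as proxy_ssl_verify does) and then send a request with a chosen Host header, so the two names can be varied independently and the "does not match" handshake error or the 421 can be reproduced from the command line. Address, port, CA file and the probe/parse function names are assumptions; none come from the post.

```python
"""Probe an HTTPS backend with an explicit SNI and an explicit Host header.
A certificate that does not carry the SNI name fails the handshake; a Host
header that disagrees with the negotiated SNI is what a 421 is about."""
import socket
import ssl
from typing import Optional


def build_request(host: str, path: str = "/") -> bytes:
    # Same shape as the request in the error log: HTTP/1.0 with a Host header.
    return (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode()


def parse_status(response: bytes) -> int:
    """Return the HTTP status code of a raw response, or 0 if it is malformed."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return 0
    return int(parts[1])


def probe(addr: str, port: int, sni: str, host: str, ca_file: str,
          client_cert: Optional[str] = None, client_key: Optional[str] = None) -> int:
    """Connect to addr:port, negotiate TLS with server name `sni` (the server
    certificate must chain to `ca_file` and match `sni`), optionally present a
    client certificate, then request Host `host` and return the status code."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    with socket.create_connection((addr, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_request(host))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    import sys
    # Usage: probe.py ADDR PORT SNI HOST CA_FILE   (all values are yours to supply)
    addr, port, sni, host, ca = sys.argv[1:6]
    print(probe(addr, int(port), sni, host, ca))
```

Running it once with the SNI set to the name nginx derives from proxy_pass (the host part, "test-upstream" here) and once with the real hostname shows which of the two checks is failing.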
