proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?
PGNet Dev
pgnet.dev at gmail.com
Tue Jun 2 19:10:45 UTC 2020
On 6/2/20 8:27 AM, Francis Daly wrote:
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
>
> The nginx code probably should not try to check for (and reject) that
> combination of directives-and-values; but might it be worth adding a
> note to http://nginx.org/r/proxy_ssl_server_name to say that that other
> directive is probably a bad idea, especially if you get a http 421 response
> from your upstream?
Trying to simplify/repeat, I've the vhost config,
    upstream test-upstream {
        server test.example.com:11111;
    }

    server {
        listen 10.10.10.1:443 ssl http2;
        server_name example.com;
        ...
        location /app1 {
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_certificate "/etc/ssl/nginx/test.client.crt";
            proxy_ssl_certificate_key "/etc/ssl/nginx/test.client.key";
            proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";
            proxy_pass https://test-upstream/;
            proxy_ssl_server_name on;
            proxy_ssl_name test.example.com;
        }
    }
and the upstream config,
    server {
        listen 127.0.0.1:11111 ssl http2;
        server_name test.example.com;
        root /srv/www/test;
        index index.php;
        expires -1;
        ssl_certificate "/etc/ssl/nginx/test.server.crt";
        ssl_certificate_key "/etc/ssl/nginx/test.server.key";
        ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";
        ssl_verify_client off;
        ssl_verify_depth 2;
        ssl_client_certificate "/etc/ssl/nginx/ca_int.crt";
        location ~ \.php {
            try_files $uri =404;
            fastcgi_pass phpfpm;
            fastcgi_index index.php;
            fastcgi_param PATH_INFO $fastcgi_script_name;
            include includes/fastcgi/fastcgi_params;
        }
        error_log /var/log/nginx/test.error.log info;
    }
On access to
    https://example.com/app1
I still get
    421 Misdirected Request
and in the log:
    ==> /var/log/nginx/test.error.log <==
    2020/06/02 11:52:13 [info] 8713#8713: *18 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.com, request: "GET / HTTP/1.0", host: "test-upstream"
Is that
    host: "test-upstream"
to be expected? It's an upstream name, not an actual host.

Still unable to wrap my head around where this mismatch is coming from ... I have a nagging suspicion I'm missing something *really* obvious :-/
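As an added illustration (not part of the thread, and not the poster's or nginx's own configuration), here is one way to write the proxying side so that the TLS SNI name, the name the upstream certificate is verified against, and the HTTP Host header all refer to the same name. It reuses the file paths and names from the post above and trims the server block; nothing else is assumed. The point it shows: when proxy_pass points at an upstream group, $proxy_host (the default value of both proxy_ssl_name and the Host header) is the group name, so overriding only proxy_ssl_name leaves the Host header behind.

```nginx
# Added example, not from the thread: SNI, certificate verification name
# and Host header all set to the same name on the proxying side.
# Paths and names are those used in the post.

upstream test-upstream {
    server test.example.com:11111;
}

server {
    listen 10.10.10.1:443 ssl http2;
    server_name example.com;

    location /app1 {
        proxy_pass https://test-upstream/;

        # Verify the upstream certificate chain against the private CA and
        # require that it is valid for exactly this name. A certificate from
        # the same CA issued for any other name is rejected.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/ssl/nginx/ca_int.crt;

        # Send that same name in SNI so the upstream selects the matching
        # server block before the HTTP request arrives.
        proxy_ssl_server_name          on;
        proxy_ssl_name                 test.example.com;

        # Client certificate presented to the upstream (mutual TLS).
        proxy_ssl_certificate      /etc/ssl/nginx/test.client.crt;
        proxy_ssl_certificate_key  /etc/ssl/nginx/test.client.key;

        # Because proxy_pass names an upstream group, $proxy_host evaluates
        # to "test-upstream" (as seen in the log line above), and that is
        # what the Host header would carry by default. Send the SNI name
        # instead, so the upstream's "server name different from the one
        # that was negotiated" check compares equal values.
        proxy_set_header Host test.example.com;
    }
}
```

The upstream side does not need to change for this: its server_name is already test.example.com, and the request it now receives carries that name both in SNI and in Host. Keeping proxy_ssl_verify on together with an explicit proxy_ssl_name is the part that matters for security; the Host header alignment only addresses the HTTP-level consistency check that produces the 421.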