Upstream certificate validation - Servers in a server group
Maxim Dounin
mdounin at mdounin.ru
Tue Mar 1 14:05:17 UTC 2022
Hello!
On Tue, Mar 01, 2022 at 09:26:23AM +0000, Nitsan Matsliah via nginx wrote:
> Assuming I have 2 servers in an upstream server group:
>
> 1. Test1.server.local
> 2. Test2.server.local
> Each one of these servers holds their own FQDN in their
> respective certificates.
> Test1.server.local will have test1.server.local as its subject
> and subject alternative name in the certificate it serves.
> Test2.server.local will have test2.server.local as its subject
> and subject alternative name in the certificate it serves.
>
> Now, let’s assume that the name of the upstream group or
> proxy_ssl_name is Test.server.local, nginx will compare the
> subject name from each certificate (either test1.server.local or
> test2.server.local) to the upstream group name -
> test.server.local and would complain about a mismatch.
> Unless test.server.local is added to each upstream server
> certificate this issue will persist.
>
> Is there any way around this using maybe nginx plus or any other
> alternative?
That's expected behaviour: an upstream group is essentially a more
sophisticated replacement for a domain name which resolves to
multiple IP addresses. All servers in the upstream group are
expected to be equal: to be able to answer the same requests,
respond to the same SNI name (assuming proxy_ssl_server_name is
used), and to return SSL certificates matching the same name.
You can use the proxy_ssl_name to change the expected name, for
example, if the name of the upstream group does not match the name
in the certificates used. That is, if you are using "upstream
test {...}" in the configuration, but servers use
"test.example.com" in the certificates. But this directive cannot
be used to provide different names for different servers in the
upstream group. Much like you cannot use proxy_set_header to add
different headers to requests sent to different servers.
The proper solution for your configuration would be to provide
appropriate (and the same) name in certificates used by all
servers in the upstream group. If for some reason you have to
connect to servers which are using different names in the
certificates, consider using separate upstream blocks for such
servers.
--
Maxim Dounin
http://mdounin.ru/
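A configuration in the shape described in the reply above, as an added example that is not part of the thread: one upstream block per certificate name, each with its own proxy_ssl_name and certificate verification switched on. The hostnames, ports, location paths and the CA bundle path are assumed values.

```nginx
# Added example, not part of the thread. Hostnames, ports and the CA
# bundle path are assumed values.

# Before: one group, one expected name. Each backend presents a
# certificate for its own FQDN, so verification against
# test.server.local (or against the group name "test") fails for both.
upstream test {
    server test1.server.local:443;
    server test2.server.local:443;
}

# After: one upstream block per certificate name, so each block can
# carry its own proxy_ssl_name. Without proxy_ssl_name nginx would
# expect the host from proxy_pass (here "test1"), which is also not
# what the certificate says.
upstream test1 {
    server test1.server.local:443;
}

upstream test2 {
    server test2.server.local:443;
}

server {
    listen 8080;

    location /one/ {
        proxy_pass                    https://test1/;
        proxy_ssl_server_name         on;                  # send SNI to the backend
        proxy_ssl_name                test1.server.local;  # SNI and expected cert name
        proxy_ssl_verify              on;                  # reject untrusted/mismatched certs
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;  # assumed path
    }

    location /two/ {
        proxy_pass                    https://test2/;
        proxy_ssl_server_name         on;
        proxy_ssl_name                test2.server.local;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
    }
}
```

The split gives up load balancing across the two backends, which is the trade-off the reply points at: balancing within one group requires all members to present a certificate for the same name.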