Nginx upstream server certificate verification

Nginx upstream server certificate verification

Joergi
I am trying to implement HTTPS protocol communication at every layer of a
proxying path. My proxying path is from client to load balancer (nginx) and
then from nginx to the upstream server.

I am facing a problem when the request is proxied from nginx to the upstream
server.

I am getting the following error in the nginx logs

2017/03/26 19:08:39 [error] 76753#0: *140 upstream SSL certificate does not
match "8ba0c0da44ee43ea894987ab01cf4fbc" while SSL handshaking to upstream,
client: 10.191.200.230, server:
abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com, request: "GET /a/a.html
HTTP/1.1", upstream: "https://10.240.81.28:8001/a/a.html", host:
"abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com:10003"

This is my configuration for the upstream server block

upstream 8ba0c0da44ee43ea894987ab01cf4fbc {
    server slc01etc.us.oracle.com:8001 weight=1;
    keepalive 100;
}

proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc;
proxy_set_header Host $host:10003;
proxy_set_header WL-Proxy-SSL true;
proxy_set_header IS_SSL ssl;
proxy_ssl_trusted_certificate /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem;
proxy_ssl_verify on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

When the request goes from nginx to the upstream server, nginx matches the
upstream SSL certificate against the pattern present in the proxy_pass
directive. But my upstream SSL certificate pattern is the upstream server
hostname (slc01etc.us.oracle.com).

Is there any way, where I can force Nginx to verify the upstream ssl
certificate against the server hostnames provided in the upstream server
block, instead of the pattern present in the proxy_pass directive?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273295#msg-273295

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Nginx upstream server certificate verification

Sergey Kandaurov

> On 30 Mar 2017, at 09:59, shivramg94 <[hidden email]> wrote:
>
> I am trying to implement HTTPS protocol communication at every layer of a
> proxying path. My proxying path is from client to load balancer (nginx) and
> then from nginx to the upstream server.
>
> I am facing a problem when the request is proxied from nginx to the upstream
> server.
>
> I am getting the following error in the nginx logs
>
> 2017/03/26 19:08:39 [error] 76753#0: *140 upstream SSL certificate does not
> match "8ba0c0da44ee43ea894987ab01cf4fbc" while SSL handshaking to upstream,
> client: 10.191.200.230, server:
> abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com, request: "GET /a/a.html
> HTTP/1.1", upstream: "https://10.240.81.28:8001/a/a.html", host:
> "abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com:10003"
>
> This is my configuration for the upstream server block
>
> upstream 8ba0c0da44ee43ea894987ab01cf4fbc {
> server slc01etc.us.oracle.com:8001 weight=1;
> keepalive 100;
> }
>
> proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc; 
> proxy_set_header Host $host:10003;
> proxy_set_header WL-Proxy-SSL true;
> proxy_set_header IS_SSL ssl;
> proxy_ssl_trusted_certificate
> /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem;
> proxy_ssl_verify on;proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
>
> When the request goes from Nginx to the upstream server, nginx matches the
> upstream ssl certificate against the pattern present in the proxy_pass
> directive. But my upstream ssl certificate pattern is the upstream server
> hostname (slc01etc.us.oracle.com) .
>
> Is there any way, where I can force Nginx to verify the upstream ssl
> certificate against the server hostnames provided in the upstream server
> block, instead of the pattern present in the proxy_pass directive?

Use the proxy_ssl_name directive to override.
See for more details: http://nginx.org/r/proxy_ssl_name

--
Sergey Kandaurov

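The override Sergey points to, written out as an added example (this is not code from the thread or from the nginx documentation). The upstream name, backend host, front-end server name and trusted-cert path are taken from the original post and its log line; the listen port 10003 is inferred from the Host header in that log line, the proxy_ssl_verify_depth, proxy_ssl_protocols and keepalive-related directives are additions, and trusted-cert.pem is assumed to contain the CA that issued the backend certificate (or the backend certificate itself, if it is self-signed):

```nginx
# Added example (not from the thread). One backend, so the name to verify
# against is static. trusted-cert.pem is assumed to hold the issuing CA.
upstream 8ba0c0da44ee43ea894987ab01cf4fbc {
    server slc01etc.us.oracle.com:8001 weight=1;
    keepalive 100;
}

server {
    listen 10003 ssl;   # port inferred from the Host header in the log line
    server_name abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com;
    # ssl_certificate / ssl_certificate_key for the front end go here.

    location / {
        proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc;

        # keepalive in the upstream block only takes effect with HTTP/1.1
        # and an empty Connection header towards the backend.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host:10003;
        proxy_set_header WL-Proxy-SSL true;
        proxy_set_header IS_SSL ssl;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # proxy_ssl_name defaults to $proxy_host, i.e. the upstream group
        # name from proxy_pass, which is exactly the string the error line
        # shows the certificate being compared against. Override it with
        # the name the backend certificate actually carries in its SAN.
        proxy_ssl_name slc01etc.us.oracle.com;
        # Off by default; with it on, the same name is also sent as SNI,
        # so a backend hosting several certificates presents the right one.
        proxy_ssl_server_name on;

        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem;
        # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

Before reloading, the same check nginx performs can be reproduced from the proxy host with openssl s_client -connect 10.240.81.28:8001 -servername slc01etc.us.oracle.com -verify_hostname slc01etc.us.oracle.com -CAfile /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem (the -verify_hostname option exists from OpenSSL 1.1.0); it should end with "Verify return code: 0 (ok)". If the name is only in the certificate's CN and not in a subjectAltName, OpenSSL still accepts it as a fallback, but a certificate with a proper dNSName entry is what to ask for.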

Re: Nginx upstream server certificate verification

Joergi
Thanks Sergey, for your response.

I have one more question. If I have multiple upstream server host names in
the upstream server block, then how can I specify the specific upstream
server host name to which the request is being proxied, in the
proxy_ssl_name directive?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273462#msg-273462


Re: Nginx upstream server certificate verification

Sergey Kandaurov

> On 6 Apr 2017, at 21:46, shivramg94 <[hidden email]> wrote:
>
> Thanks Sergey, for your response.
>
> I have one more question. If I have multiple upstream server host names in
> the upstream server block, then how can I specify the specific upstream
> server host name to which the request is being proxied, in the
> proxy_ssl_name directive?
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,273295,273462#msg-273462

You could try to construct proxy_ssl_name based on upstream address, e.g.:

    map $upstream_addr $name {
        ~\Q192.0.2.1:8000\E$ first;
        ~\Q192.0.2.2:8000\E$ second;
    }

    proxy_ssl_name $name;

Note well that $upstream_addr may contain multiple addresses; use it
with special care.  See for details: http://nginx.org/r/$upstream_addr

--
Sergey Kandaurov

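Sergey's map, expanded into a complete configuration as an added example (not code from the thread or from nginx). slc01etc.us.oracle.com, the trusted-cert path and the address 10.240.81.28:8001 come from the original post and its log line; the second backend slc02etc.us.oracle.com, its address 10.240.81.29 and the variable name $upstream_ssl_name are assumptions. It also spells out the two pieces of "special care" the note above asks for: anchoring each key to the last address in $upstream_addr, and marking the map volatile so a retry to another peer is not verified against a stale name:

```nginx
# Added example (not from the thread): per-backend proxy_ssl_name via map.
# Second backend, 10.240.81.29 and $upstream_ssl_name are assumptions.
upstream 8ba0c0da44ee43ea894987ab01cf4fbc {
    server slc01etc.us.oracle.com:8001 weight=1;
    server slc02etc.us.oracle.com:8001 weight=1;
    keepalive 100;
}

# $upstream_addr carries the resolved IP:port of every peer tried for the
# request, comma-separated after a retry ("10.240.81.28:8001, 10.240.81.29:8001"),
# so each key is anchored with $ to match only the peer selected last, which
# is the one the TLS handshake is being set up for. \Q...\E keeps the dots
# literal.
map $upstream_addr $upstream_ssl_name {
    # Map results are cached per request by default; volatile (1.11.7+)
    # re-evaluates the map when proxy_next_upstream moves to another peer.
    volatile;

    ~\Q10.240.81.28:8001\E$  slc01etc.us.oracle.com;
    ~\Q10.240.81.29:8001\E$  slc02etc.us.oracle.com;

    # Anything else falls back to the group name from proxy_pass, which no
    # backend certificate matches: an unmapped peer fails verification
    # instead of being accepted under a guessed name.
    default                  $proxy_host;
}

server {
    listen 10003 ssl;   # port inferred from the Host header in the log line
    server_name abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com;

    location / {
        proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host:10003;

        proxy_ssl_name $upstream_ssl_name;
        proxy_ssl_server_name on;       # also sends the mapped name as SNI
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem;
    }
}
```

The keys have to be addresses rather than the hostnames written in the upstream block, because nginx resolves those hostnames once at startup and $upstream_addr only exposes the resolved peer. If a backend's DNS record changes, the map silently stops matching and, with the default above, that backend fails closed at the handshake, which is the safe direction but still an outage to watch for. Where the backend certificates are under your control, the simpler arrangement is to issue them with a subjectAltName shared by all backends and set a single static proxy_ssl_name to that name, with no map at all.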