Missing default secure configuration: proxy_ssl_verify
Is there a reason proxy_ssl_verify is not on by default?
Syntax: proxy_ssl_verify on | off;
Context: http, server, location
This directive appeared in version 1.7.0.
When this bug was reported and discussed in 2013 (https://trac.nginx.org/nginx/ticket/13), the suggestion was to make it secure by default, and I quote: "The default for https connections should be to require verification. The current setup encourages administrators to believe that their proxy connections are resistant to MITM attack when they actually are not."
Many admins and security-minded folks may not be aware that nginx is not secure by default in this respect. Please do the needful to make it secure by default.
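As an added example (not part of the ticket and not nginx's own code), the following check flags blocks that `proxy_pass` to an `https://` upstream without an effective `proxy_ssl_verify on`, following inheritance across the http, server and location contexts. The sample config, its hostnames and paths, and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample config (not from the ticket); hostnames and paths are placeholders.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        location /legacy/ {
            proxy_pass https://backend.example.internal;  # verification left at default
        }
        location /api/ {
            proxy_pass https://backend.example.internal;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
        }
        location /plain/ {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
"""

# Directives whose value a nested block inherits when it does not set its own.
INHERITED = ("proxy_ssl_verify", "proxy_ssl_trusted_certificate")

# Simplified parser (assumption): no include files, no '#', '{' or ';' inside quotes.
def audit(conf):
    """Return (block, problem) pairs for https proxy_pass without upstream verification."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings, stack = [], [("main", {})]
    for stmt, sep in re.findall(r"([^{};]*)([{};])", conf):
        words = stmt.split()
        if sep == "{":  # open a block, seeded with the parent's effective values
            parent = stack[-1][1]
            stack.append((" ".join(words), {k: parent[k] for k in INHERITED if k in parent}))
        elif sep == ";" and words:  # simple directive: name followed by its arguments
            stack[-1][1][words[0]] = " ".join(words[1:])
        elif sep == "}" and len(stack) > 1:  # block closed: evaluate it
            name, d = stack.pop()
            if d.get("proxy_pass", "").startswith("https://"):
                if d.get("proxy_ssl_verify", "off") != "on":
                    findings.append((name, "proxy_ssl_verify is not on"))
                elif "proxy_ssl_trusted_certificate" not in d:
                    findings.append((name, "no proxy_ssl_trusted_certificate set"))
    return findings

if __name__ == "__main__":
    for block, problem in audit(SAMPLE_CONF):
        print(f"{block}: {problem}")
```

On the sample, only `location /legacy/` is reported; `/api/` shows the explicit opt-in with a CA bundle to verify against.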