Opened 4 years ago

Closed 4 years ago

#1273 closed defect (wontfix)

Missing default secure configuration: proxy_ssl_verify

Reported by: bishtspp@… Owned by:
Priority: major Milestone:
Component: other Version: 1.9.x
Keywords: Cc:
uname -a:
nginx -V: 1.9.1

Description

Hi,

Is there a reason proxy_ssl_verify is not on by default?

Syntax: proxy_ssl_verify on | off;
Default:
proxy_ssl_verify off;
Context: http, server, location
This directive appeared in version 1.7.0.

When this bug was reported and discussed in 2013 (https://trac.nginx.org/nginx/ticket/13), the suggestion was to make it secure by default, and I quote: "The default for https connections should be to require verification. The current setup encourages administrators to believe that their proxy connections are resistant to MITM attack when they actually are not."

Many admins and security minded folks may not be aware that nginx is not secure by default in this respect. Please do the needful to make it secure by default.

Regards
Prithvi
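As an added illustration (not part of the ticket and not nginx project documentation), the configuration below proxies the same HTTPS upstream twice: once relying on the `proxy_ssl_verify off` default the ticket complains about, and once with verification turned on explicitly. Hostnames, ports and the CA bundle path are placeholders; all directives used exist in nginx 1.7.0 and later.

```nginx
# Added example, not from the ticket. Hostnames and paths are placeholders.

http {
    # Weak: no proxy_ssl_verify directive, so the default (off) applies.
    # The TLS handshake to the upstream succeeds against any certificate,
    # including one presented by a man-in-the-middle.
    server {
        listen 8080;
        location /insecure/ {
            proxy_pass https://backend.example.internal/;
        }
    }

    # Hardened: verify the upstream's certificate chain and its hostname.
    server {
        listen 8081;
        location /verified/ {
            proxy_pass https://backend.example.internal/;

            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            # PEM bundle of the CA(s) that issued the upstream certificate
            # (placeholder path).
            proxy_ssl_trusted_certificate /etc/nginx/certs/upstream-ca.pem;
            # Send SNI and check the certificate against this name.
            # proxy_ssl_name defaults to the host taken from proxy_pass;
            # it is spelled out here for clarity.
            proxy_ssl_server_name         on;
            proxy_ssl_name                backend.example.internal;
        }
    }
}
```

With the second block, an upstream presenting a certificate that does not chain to the trusted bundle, or whose name does not match `proxy_ssl_name`, causes the proxied request to fail with a 502 and an `upstream SSL certificate verify error` entry in the error log, which is the observable difference that the default configuration hides.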

Change History (1)

comment:1 by Maxim Dounin, 4 years ago

Resolution: wontfix
Status: new → closed

The behaviour is in line with the behaviour of previous nginx versions, so as to avoid breaking existing configurations. It is also in line with corresponding Apache behaviour.
