id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2148	proxy_ssl_verify does not support iPAddress subjectAlternativeName	gavriluk@…		"Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress

location config:
proxy_pass https://10.10.10.10:8443;
proxy_ssl_certificate  /nginx/certs/chain.pem;
proxy_ssl_certificate_key /nginx/certs/client.key;
proxy_ssl_trusted_certificate /nginx/certs/proxied_server.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;


When specifying
proxy_pass https://10.10.10.10:8443;
there is an error in error.log and a 502 Bad Gateway in curl

2021/03/09 23:22:34 [error] 18566#0: *1 upstream SSL certificate does not match ""10.10.10.10"" while SSL handshaking to upstream, client: 127.0.0.1, server: localhost, request: ""GET / HTTP/1.1"", upstream: ""https://10.10.10.10:8443/"", host: ""localhost""


but when specifying
proxy_pass https://somehost:8443;
then it works

certificate:
$> openssl x509 -text -in /nginx/certs/proxied_server.pem
...
X509v3 Subject Alternative Name:
  DNS:somehost, IP Address:10.10.10.10
..."	enhancement	accepted	minor		nginx-module	1.16.x			gavriluk@…	Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.16.1

built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)

built with OpenSSL 1.0.2k-fips  26 Jan 2017

TLS SNI support enabled

configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl"
