Opened 4 years ago
Last modified 4 years ago
#2148 accepted enhancement
Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress — at Version 1
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-module | Version: | 1.16.x |
Keywords: | | Cc: | gavriluk@… |
uname -a: | Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl
Description (last modified by )
Module ngx_http_proxy_module proxy_ssl_trusted_certificate ignores x509 extension ipAddress
location config:
proxy_pass https://10.10.10.10:8443;
proxy_ssl_certificate /nginx/certs/chain.pem;
proxy_ssl_certificate_key /nginx/certs/client.key;
proxy_ssl_trusted_certificate /nginx/certs/proxied_server.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
When specifying
proxy_pass https://10.10.10.10:8443;
there is an error in error.log and a 502 Bad Gateway in curl:
2021/03/09 23:22:34 [error] 18566#0: *1 upstream SSL certificate does not match "10.10.10.10" while SSL handshaking to upstream, client: 127.0.0.1, server: localhost, request: "GET / HTTP/1.1", upstream: "https://10.10.10.10:8443/", host: "localhost"
but when specifying
proxy_pass https://somehost:8443;
then it works
certificate:
$> openssl x509 -text -in /nginx/certs/proxied_server.pem
...
X509v3 Subject Alternative Name:
DNS:somehost, IP Address:10.10.10.10
...
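The mismatch reported above, as an added example that is not part of the ticket and is not nginx's code: a small model of subjectAltName matching run over the SAN line from the certificate dump. The function names are hypothetical, and `match_dns_only` is an assumed model of the reported behaviour (only DNS entries consulted), while `match_ip_aware` compares an IP literal against the IP Address entries.

```python
import ipaddress

# Constructed input: the SAN line from the ticket's `openssl x509 -text` output.
SAN_LINE = "DNS:somehost, IP Address:10.10.10.10"


def parse_san(line):
    """Split an openssl-style SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            # ipaddress normalises textual forms (e.g. expanded IPv6).
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may replace the leftmost label only."""
    p, h = pattern.split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    wildcard = p[0] == "*" and len(p) > 1
    return (wildcard or p[0] == h[0]) and p[1:] == h[1:]


def match_dns_only(name, san_line):
    """Assumed model of the reported behaviour: only DNS entries are checked."""
    dns, _ = parse_san(san_line)
    return any(dns_match(p, name) for p in dns)


def match_ip_aware(name, san_line):
    """IP literals match IP Address entries; other names match DNS entries."""
    dns, ips = parse_san(san_line)
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return any(dns_match(p, name) for p in dns)
    # An IP literal is never satisfied by a DNS entry that merely looks like an IP.
    return addr in ips


if __name__ == "__main__":
    for upstream in ("somehost", "10.10.10.10"):
        print(upstream, match_dns_only(upstream, SAN_LINE),
              match_ip_aware(upstream, SAN_LINE))
```

On the real certificate, `openssl x509 -noout -checkip 10.10.10.10 -in /nginx/certs/proxied_server.pem` performs the IP comparison and `-checkhost somehost` the DNS one.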