Opened 5 years ago
Closed 5 years ago
#2157 closed enhancement (invalid)
It would be great if module ngx_http_upstream_module could use the domain name without translating it to its IP
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | nginx-module | Version: | 1.16.x |
| Keywords: | ngx_http_upstream_module ngx_http_proxy_module proxy_ssl_verify error | Cc: | |
| uname -a: | Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | see below | | |

nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl
Description
Module ngx_http_proxy_module - proxy_ssl_verify doesn't support ngx_http_upstream_module
When the location is specified like this:
proxy_pass https://someserver.org;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate somecert.pem;
SSL verification is OK.
When the location is specified with an upstream:
upstream someupstream {
server someserver1.org:8080;
server someserver2.org:8080;
}
...
location / {
proxy_pass https://someupstream;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate somecert.pem;
}
SSL verification is not OK, because ngx_http_upstream_module translates the domain names someserver1.org and someserver2.org into IP addresses,
and proxy_ssl_verify does not support the iPAddress subjectAlternativeName extension yet (https://trac.nginx.org/nginx/ticket/2148#ticket).
But it would be great if module ngx_http_upstream_module could use the domain name without translating it to its IP.

The SSL certificate verification as enabled by proxy_ssl_verify uses the domain name as specified in the proxy_pass directive. No "translation to IP addresses" happens here. Rather, in your second example verification fails because the name used in proxy_pass is someupstream instead of someserver.org, so the certificate presented by the server does not match the name.

If the domain name used doesn't fit for some reason, e.g., you use an unrelated name for the upstream{} block as in your second example, you can configure nginx to use a different name for SSL verification by using the proxy_ssl_name directive. That is, using

proxy_ssl_name someserver.org;

should help. Alternatively, you can rewrite configuration to use the correct name as the upstream{} block name as well, for example:

upstream someserver.org {
    server server1.someserver.org:8443;
    server server2.someserver.org:8443;
}

...

location / {
    proxy_pass https://someserver.org;
    proxy_ssl_verify on;
    ...
}

(Just a side note: using port 8080 for SSL probably isn't the best idea.)
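The following configuration is an added example, not part of the ticket or of nginx's own documentation. It places the failing configuration from the report next to the two fixes described in the reply, so the effect of proxy_ssl_name on the name used for certificate verification can be seen in one place. The hostnames, ports, the /broken/, /fixed-a/ and /fixed-b/ locations and the certificate path /etc/nginx/certs/backend-ca.pem are placeholders; the fragments belong inside the http{} context, and `nginx -t` checks the syntax before a reload.

```nginx
# Added example (not from the ticket). Hostnames, ports and certificate
# paths are placeholders. Check with `nginx -t` before reloading.
#
# proxy_ssl_verify checks the backend certificate against proxy_ssl_name,
# which defaults to $proxy_host, i.e. the host part of proxy_pass. With an
# upstream{} block that host is the block's name, not the resolved address
# and not the individual server names listed inside the block.

upstream someupstream {
    server server1.someserver.org:8443;
    server server2.someserver.org:8443;
}

# Same backends, under a block whose name is the one the certificates carry.
upstream someserver.org {
    server server1.someserver.org:8443;
    server server2.someserver.org:8443;
}

server {
    listen 80;

    # 1. Broken: the verification name is "someupstream". No certificate is
    #    issued for that name, so the handshake is rejected and nginx logs an
    #    "upstream SSL certificate does not match" error.
    location /broken/ {
        proxy_pass https://someupstream;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/backend-ca.pem;
    }

    # 2. Fix A: keep the upstream name, override the verification name.
    #    proxy_ssl_name is also the name proxy_ssl_server_name sends as SNI,
    #    so a backend hosting several names can select the matching
    #    certificate.
    location /fixed-a/ {
        proxy_pass https://someupstream;
        proxy_ssl_name someserver.org;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/backend-ca.pem;
    }

    # 3. Fix B: name the upstream{} block after the certificate name, so the
    #    default $proxy_host is already the right one.
    location /fixed-b/ {
        proxy_pass https://someserver.org;
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/backend-ca.pem;
    }
}
```

One name is used for every server in the upstream{} block, so each backend must present a certificate that is valid for that single name (for example a subjectAltName of someserver.org on both server1 and server2) and that chains to backend-ca.pem within proxy_ssl_verify_depth. A certificate issued only for server1.someserver.org or server2.someserver.org will still fail verification under either fix.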