Opened 11 days ago

Closed 10 days ago

#2157 closed enhancement (invalid)

it would be great if module ngx_http_upstream_module could use domain name without translating to its IP

Reported by: gavriluk@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.16.x
Keywords: ngx_http_upstream_module ngx_http_proxy_module proxy_ssl_verify error Cc:
uname -a: Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.16.1

built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)

built with OpenSSL 1.0.2k-fips 26 Jan 2017

TLS SNI support enabled

configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl

Description

Module ngx_http_proxy_module - proxy_ssl_verify doesn't support ngx_http_upstream_module

when location is specified like this:

proxy_pass https://someserver.org;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate somecert.pem;

SSL verification is OK

when location is specified with upstream:

upstream someupstream {
    server someserver1.org:8080;
    server someserver2.org:8080;
}
...
location / {
  proxy_pass https://someupstream;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
  proxy_ssl_trusted_certificate somecert.pem;
}

SSL verification is not OK because ngx_http_upstream_module translates the domain names someserver1.org and someserver2.org into IP addresses

and proxy_ssl_verify does not support the iPAddress subjectAlternativeName extension yet (https://trac.nginx.org/nginx/ticket/2148#ticket)

But it would be great if module ngx_http_upstream_module could use domain name without translating to its IP

Change History (1)

comment:1 by Maxim Dounin, 10 days ago

Resolution: invalid
Status: new → closed

The SSL certificate verification as enabled by proxy_ssl_verify uses the domain name as specified in the proxy_pass directive. No "translation to IP addresses" happens here. Rather, in your second example verification fails because the name used in proxy_pass is someupstream instead of someserver.org, so the certificate presented by the server does not match the name.

If the domain name used doesn't fit for some reason, e.g., you use an unrelated name for the upstream{} block as in your second example, you can configure nginx to use a different name for SSL verification by using the proxy_ssl_name directive. That is, using proxy_ssl_name someserver.org; should help.

Alternatively, you can rewrite configuration to use the correct name as the upstream{} block name as well, for example:

upstream someserver.org {
    server server1.someserver.org:8443;
    server server2.someserver.org:8443;
}

...

location / {
    proxy_pass https://someserver.org;
    proxy_ssl_verify on;
    ...
}

(Just a side note: using port 8080 for SSL probably isn't the best idea.)
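As an added illustration (example code, not nginx's own or anything from this ticket), the Python below models the name selection described in the comment above: nginx verifies the host from proxy_pass (which for `https://someupstream` is the upstream{} block name) unless proxy_ssl_name overrides it, and matches that name against the certificate's dNSName entries only, ignoring iPAddress entries as nginx 1.16 does. The certificate data is constructed, and the matcher is a simplified model (no commonName fallback).

```python
from ipaddress import ip_address

# Constructed sample: the subjectAltName list a server for someserver.org
# might present, in the shape Python's ssl getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "someserver.org"),),),
    "subjectAltName": (
        ("DNS", "someserver.org"),
        ("DNS", "*.someserver.org"),
        ("IP Address", "192.0.2.10"),  # not consulted by nginx 1.16
    ),
}


def verify_name(proxy_pass_host, proxy_ssl_name=None):
    """Name nginx checks the upstream certificate against: proxy_ssl_name if
    set, otherwise the host part of proxy_pass (the upstream{} block name
    when proxy_pass points at an upstream group)."""
    return proxy_ssl_name or proxy_pass_host


def _dns_match(pattern, name):
    """Case-insensitive dNSName comparison with a single leftmost wildcard
    label ('*.example.org' matches one label only, not 'example.org')."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return pattern == name


def name_matches(cert, name):
    """True if name matches a DNS subjectAltName entry. A literal IP never
    matches because iPAddress entries are ignored (simplified model of the
    nginx 1.16 behaviour referenced in ticket #2148)."""
    try:
        ip_address(name)
        return False
    except ValueError:
        pass
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_dns_match(p, name) for p in dns_names)


if __name__ == "__main__":
    # Reporter's second config: upstream block named 'someupstream' fails.
    print(name_matches(SAMPLE_CERT, verify_name("someupstream")))
    # With proxy_ssl_name someserver.org; the same certificate verifies.
    print(name_matches(SAMPLE_CERT, verify_name("someupstream", "someserver.org")))
```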
