id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2157	it would be great if module ngx_http_upstream_module could use domain name without translating to it's ip	gavriluk@…		"Module ngx_http_proxy_module - proxy_ssl_verify doesn't support ngx_http_upstream_module

when location is specified like this:
{{{
proxy_pass ​https://someserver.org;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate somecert.pem;
}}}
SSL verification is OK

when location is specified with upstream:
{{{
upstream someupstream {
    server someserver1.org:8080;
    server someserver2.org:8080;
}
...
location / {
  proxy_pass ​https://someupstream;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
  proxy_ssl_trusted_certificate somecert.pem;
}
}}}

SSL verification is **not ok** because of ngx_http_upstream_module translates domain names someserver1.org and someserver2.org into ip addresses

and proxy_ssl_verify does not support iPAddress subjectAlternativeName extension yet [https://trac.nginx.org/nginx/ticket/2148#ticket]

But it would be great if module ngx_http_upstream_module could use domain name without translating to it's ip"	enhancement	closed	major		nginx-module	1.16.x	invalid	ngx_http_upstream_module ngx_http_proxy_module proxy_ssl_verify error		Linux 3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30 13:05:31 EST 2020 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.16.1

built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)

built with OpenSSL 1.0.2k-fips 26 Jan 2017

TLS SNI support enabled

configure arguments: --prefix=/opt/nginx --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_stub_status_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-http_memcached_module --with-http_perl_module=dynamic --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre=../pcre-8.44 --with-compat --with-perl_modules_path=/usr/lib64/perl5 --with-perl=/usr/bin/perl"