Opened 8 years ago
Closed 8 years ago
#1273 closed defect (wontfix)
Missing default secure configuration: proxy_ssl_verify
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | other | Version: | 1.9.x |
| Keywords: | | Cc: | |
| uname -a: | | | |
| nginx -V: | 1.9.1 | | |
Description
Hi,
Is there a reason proxy_ssl_verify is not on by default?
Syntax: proxy_ssl_verify on | off;
Default: proxy_ssl_verify off;
Context: http, server, location
This directive appeared in version 1.7.0.
When this bug was reported and discussed in 2013 (https://trac.nginx.org/nginx/ticket/13), the suggestion was to make it secure by default, and I quote: "The default for https connections should be to require verification. The current setup encourages administrators to believe that their proxy connections are resistant to MITM attack when they actually are not."
Many admins and security-minded folks may not be aware that nginx is not secure by default in this respect. Please do the needful to make it secure by default.
Regards
Prithvi
The behaviour is in line with the behaviour of previous nginx versions, and thus avoids breaking existing configurations. It is also in line with the corresponding Apache behaviour.
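Since the ticket was closed without changing the default, the practical takeaway is that every `proxy_pass https://...` has to opt in to verification explicitly. The following configuration fragment is an added example written for this page, not part of the ticket or of nginx's own documentation; the upstream host `backend.internal` and the CA bundle path `/etc/nginx/ca/internal-ca.pem` are assumed placeholders. It places the implicit 1.9.x default next to the hardened form so the difference is visible in one place.

```nginx
# Added example (not from the ticket). Assumed names:
#   backend.internal              - internal TLS upstream
#   /etc/nginx/ca/internal-ca.pem - CA bundle that issued the upstream's certificate

# Weak: this is what a bare proxy_pass to an https upstream gives you in 1.9.x.
# proxy_ssl_verify defaults to off, so the upstream certificate is never checked
# and any certificate presented on the path is accepted.
location /unverified/ {
    proxy_pass https://backend.internal;
    # proxy_ssl_verify off;   # implicit default, shown for contrast
}

# Hardened: verify the upstream chain against a pinned CA bundle, check the
# certificate name, and send SNI so the upstream presents the intended certificate.
# nginx has no built-in CA store for upstream connections, so
# proxy_ssl_trusted_certificate is required once verification is on.
location /verified/ {
    proxy_pass https://backend.internal;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/nginx/ca/internal-ca.pem;
    proxy_ssl_server_name         on;                 # send SNI (default off)
    proxy_ssl_name                backend.internal;   # name checked against the cert
    proxy_ssl_protocols           TLSv1.2;
}
```

A quick way to audit an existing deployment for the weak form is to list every `proxy_pass https://` in the effective configuration (`nginx -T` on releases that support it) and confirm each enclosing context sets `proxy_ssl_verify on` together with a `proxy_ssl_trusted_certificate`; a `proxy_ssl_verify on` with no trusted certificate file will simply fail the handshake rather than silently fall back.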