I am trying to implement HTTPS protocol communication at every layer of a proxying path. My proxying path is from client to load balancer (nginx) and then from nginx to the upstream server.
I am facing a problem when the request is proxied from nginx to the upstream server.
I am getting the following error in the nginx logs
2017/03/26 19:08:39 [error] 76753#0: *140 upstream SSL certificate does not match "8ba0c0da44ee43ea894987ab01cf4fbc" while SSL handshaking to upstream, client: 10.191.200.230, server: abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com, request: "GET /a/a.html HTTP/1.1", upstream: "https://10.240.81.28:8001/a/a.html", host: "abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com:10003"
This is my configuration for the upstream server block
upstream 8ba0c0da44ee43ea894987ab01cf4fbc {
server slc01etc.us.oracle.com:8001 weight=1;
keepalive 100;
}
proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc;
proxy_set_header Host $host:10003;
proxy_set_header WL-Proxy-SSL true;
proxy_set_header IS_SSL ssl;
proxy_ssl_trusted_certificate /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem;
proxy_ssl_verify on;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
When the request goes from Nginx to the upstream server, nginx matches the upstream ssl certificate against the pattern present in the proxy_pass directive. But my upstream ssl certificate pattern is the upstream server hostname (slc01etc.us.oracle.com) .
Is there any way, where I can force Nginx to verify the upstream ssl certificate against the server hostnames provided in the upstream server block, instead of the pattern present in the proxy_pass directibve?
We can make use of the "proxy_ssl_name" directive in nginx. It allows overriding the hostname against which nginx should verify the certificate of the backend server.
proxy_ssl_name mybackend-server.hostname.com;
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With