NGINX ssl upstream verify fail

ssl nginx proxypass
meso_2600 picture meso_2600 · Jun 29, 2017 · Viewed 7.1k times · Source

[UPDATE]

This has been raised a a bug with NGINX support.

I have used default config file from the NGINX website (but without two way auth) in order to load balance between four upstream app servers over SSL with the the proxy_ssl_verify set to on. Yes, All upstream servers have valid certificates with CN matching their hostnames, and CA has been placed on the NGINX server with proper permissions and set in the nginx.conf file. Here are my findings (removed the rest of the config as it is not relevant):

  1. OK - Works with proxy_ssl_verify off:

    stream {
      upstream upstream_appsrv{
          server serverA.domain.com:443;
      }
      server {
          listen     8443;
          proxy_pass https://upstream_appsrv;
            (...)
          proxy_ssl  off;
          proxy_ssl_verify off;
      }
}

  2. NOT OK - As soon as I set proxy_ssl_verify on + proxy_ssl on:

    stream {
    upstream upstream_appsrv{
        server serverA.domain.com:443;
    }
    server {
        listen     8443;
        proxy_pass https://upstream_appsrv;
        (...)
        proxy_ssl  on;
        proxy_ssl_verify on;
    }
}

NGINX started throwing errors about upstream SSL certificate not matching the backend:2 upstream SSL certificate does not match "serverB.domain.com" while SSL handshaking to upstream...Lets change some things and go to the third step.

  1. OK! - Now everything works fine:

    stream {
        upstream serverA.domain.com{
            server serverA.domain.com:443;
        }
        server {
            listen     8443;
            proxy_pass https://serverA.domain.com;
            (...)
            proxy_ssl  on;
            proxy_ssl_verify on;
        }
}

Turns out, that not only the server definition has to match the CN used in the certificate on the upstream server (obviously) but also the upstream upstream_appsrv needs to match the CN! Ok so next step, lets add another upstream server:

  1. NOT OK...

    stream {
        upstream serverA.domain.com{
            server serverB.domain.com:443;
        }
        server {
            listen     8443;
            proxy_pass https://serverA.domain.com;
            (...)
            proxy_ssl  on;
            proxy_ssl_verify on;
        }
}

As soon as NGINX connects to the serverB we start seeing same errors again... Even though serverB has got proper CN set matching it's hostname (and is using same CA as serverA) it turns out that NGINX tries to match the CN against the upstream definition. And that's the issue I am trying to resolve.

Answer

Related questions

malformed HTTP response with docker private registry (v2) behind an nginx proxy

I have setup a Docker private registry (v2) on a CentOS 7 box following their offical documentation: https://docs.docker.com/registry/deploying/ I am running docker 1.6.0 on a Fedora 21 box. The registry is running on port 5000, and is using an …

Read More
NGINX to reverse proxy websockets AND enable SSL (wss://)?

I'm so lost and new to building NGINX on my own but I want to be able to enable secure websockets without having an additional layer. I don't want to enable SSL on the websocket server itself but instead I …

Read More
SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

I'm not able to setup SSL. I've Googled and I found a few solutions but none of them worked for me. I need some help please... Here's the error I get when I attempt to restart nginx: root@s17925268:~# service …

Read More