

proxy_ssl_verify on for raw IP

Posted by yusk 
July 17, 2019 11:31AM
Hello friends,

The Unbound DNS server is quite slow at forwarding DNS over TLS to public DNS.
I think it lacks a TLS connection reuse function.

I am trying to use nginx as DoT accelerator.
client -> (udp/tcp 53) -> unbound -> (tcp 10053) -> nginx -> (tls 853) -> Cloudflare/Google public DNS
The configuration below runs well with 'proxy_ssl_verify off':

stream {
    upstream public_dns_over_tls {
        server [2606:4700:4700::1111]:853; # CloudFlare primary
        server [2606:4700:4700::1001]:853; # CloudFlare secondary
        server [2001:4860:4860::8888]:853; # Google primary
        server [2001:4860:4860::8844]:853; # Google secondary
        # The backup entries lost their addresses in the forum copy; kept
        # commented out so the block parses. Fill in the backup addresses.
        # server <backup address not in post> backup; # CloudFlare primary
        # server <backup address not in post> backup; # CloudFlare secondary
        # server <backup address not in post> backup; # Google primary
        # server <backup address not in post> backup; # Google secondary
    }

    server {
        listen 10053;
        proxy_pass public_dns_over_tls;
        proxy_ssl on;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify off;
        # proxy_ssl_verify on;
        # proxy_ssl_verify_depth 2;
        # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # error_log /var/log/nginx/dns-error.log debug;
    }
}

But the above configuration does not work with 'proxy_ssl_verify on'.
It seems that nginx checks the proxied server's certificate with X509_check_host() only.
I think nginx should use X509_check_ip()
when 'proxy_ssl_verify on' is set and the proxied server address is designated by an IP address.

Thank you.
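An added example in Go, not code from the post or from nginx: it builds two constructed self-signed certificates, one carrying only an iPAddress SAN and one carrying only a dNSName SAN, and applies the matching rule the post describes (numeric peer against iPAddress entries, as X509_check_ip() does; host name against dNSName entries, as X509_check_host() does), so it is visible why a host-name-only check can never accept an upstream given as a raw IP. The function names `selfSigned` and `matchesPeer` and the name `resolver.example` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed self-signed certificate carrying the given
// dNSName and iPAddress SAN entries (test data, not a real resolver's cert).
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dot-upstream-test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesPeer applies the rule the post asks nginx to follow: a numeric peer
// address must match an iPAddress SAN (what X509_check_ip() checks); a host
// name is matched against dNSName SANs (what X509_check_host() checks).
func matchesPeer(cert *x509.Certificate, peer string) bool {
	if ip := net.ParseIP(peer); ip != nil {
		for _, san := range cert.IPAddresses {
			if san.Equal(ip) {
				return true
			}
		}
		return false // a dNSName entry never satisfies an IP peer
	}
	return cert.VerifyHostname(peer) == nil
}
```

With the Cloudflare address from the upstream block as the peer, the certificate that carries only a dNSName entry is rejected and the one with an iPAddress entry is accepted; a public DoT resolver's real certificate must carry its IP in the SAN for 'proxy_ssl_verify on' to work against a raw IP.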