proxy_ssl_verify on for raw IP

Posted by yusk 
July 17, 2019 11:31AM
Hello friends,

The Unbound DNS server is quite slow at forwarding DNS over TLS to public DNS.
I think it lacks a TLS connection reuse function.

I am trying to use nginx as a DoT accelerator.
client -> (udp/tcp 53) -> unbound -> (tcp 10053) -> nginx -> (tls 853) -> Cloudflare/Google public DNS
The configuration below runs well with 'proxy_ssl_verify off':
---
stream {
    upstream public_dns_over_tls {
        # IPv6 resolvers are preferred; the IPv4 ones are used only as backup
        server [2606:4700:4700::1111]:853;  # CloudFlare primary
        server [2606:4700:4700::1001]:853;  # CloudFlare secondary
        server [2001:4860:4860::8888]:853;  # Google primary
        server [2001:4860:4860::8844]:853;  # Google secondary
        server 1.1.1.1:853 backup;          # CloudFlare primary
        server 1.0.0.1:853 backup;          # CloudFlare secondary
        server 8.8.8.8:853 backup;          # Google primary
        server 8.8.4.4:853 backup;          # Google secondary
    }
    server {
        # plain TCP from unbound on port 10053, TLS towards the resolvers on 853
        listen 10053;
        proxy_pass public_dns_over_tls;
        proxy_ssl on;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify off;
        # proxy_ssl_verify on;
        # proxy_ssl_verify_depth 2;
        # proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # error_log /var/log/nginx/dns-error.log debug;
    }
}
---

But the above configuration does not work with 'proxy_ssl_verify on'.
It seems that nginx checks the proxied server's certificate with X509_check_host() only.
I think nginx should use X509_check_ip()
when 'proxy_ssl_verify on' is set and the proxied server address is designated by IP address.

Thank you.
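The distinction the post is about, written out as an added Go example (not code from the post or from nginx): OpenSSL's X509_check_host() compares the expected name only against DNS subjectAltNames, while X509_check_ip() compares an address only against IP subjectAltNames, so a certificate that carries 1.1.1.1 as an IP SAN will never satisfy a host check for the string "1.1.1.1". The certificate below is self-signed test data constructed in the example, shaped like a public resolver's certificate (one DNS SAN plus IP SANs); it is not the real Cloudflare or Google certificate. The helper names checkHost, checkIP and checkPeer are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// newDoTCert builds a self-signed certificate with one DNS SAN and a list of
// IP SANs. Constructed test data for this example only.
func newDoTCert(dnsName string, ips ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{dnsName},
	}
	for _, s := range ips {
		ip := net.ParseIP(s)
		if ip == nil {
			return nil, fmt.Errorf("bad IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost mirrors what X509_check_host() does: the expected name is
// matched against DNS SANs only (exact, case-insensitive match here;
// wildcard handling is deliberately left out to keep the example short).
func checkHost(cert *x509.Certificate, name string) bool {
	for _, d := range cert.DNSNames {
		if strings.EqualFold(d, name) {
			return true
		}
	}
	return false
}

// checkIP mirrors X509_check_ip(): the expected address is matched against
// IP SANs only. Brackets around an IPv6 literal, as written in the nginx
// upstream block ([2606:4700:4700::1111]:853), are stripped first.
func checkIP(cert *x509.Certificate, addr string) bool {
	ip := net.ParseIP(strings.Trim(addr, "[]"))
	if ip == nil {
		return false
	}
	for _, san := range cert.IPAddresses {
		if san.Equal(ip) {
			return true
		}
	}
	return false
}

// checkPeer is the behaviour the post asks for: when the upstream was given
// as an address, use the IP check; otherwise fall back to the host check.
func checkPeer(cert *x509.Certificate, upstream string) bool {
	if net.ParseIP(strings.Trim(upstream, "[]")) != nil {
		return checkIP(cert, upstream)
	}
	return checkHost(cert, upstream)
}

func main() {
	cert, err := newDoTCert("one.one.one.one", "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111")
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"one.one.one.one", "1.1.1.1", "[2606:4700:4700::1111]", "public_dns_over_tls"} {
		fmt.Printf("%-24s host=%-5v ip=%-5v peer=%v\n",
			name, checkHost(cert, name), checkIP(cert, name), checkPeer(cert, name))
	}
}
```

Two things the output makes visible. First, the host check fails for every IP literal even though the certificate does carry that address, which is the gap the post describes. Second, a bare upstream group name like public_dns_over_tls matches nothing at all; nginx's proxy_ssl_name defaults to the host from proxy_pass, so with an upstream block that default is the group name, and pinning a real name with proxy_ssl_name only works when every server in the group presents that name (Cloudflare and Google use different names, so they would need separate upstream groups). Go's own cert.VerifyHostname() already does the IP-or-DNS split shown in checkPeer; the example spells it out only to show what the two OpenSSL functions each look at.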