Re: Upstream certificate validation - Servers in a server group

Maxim Dounin
March 01, 2022 09:08AM
Hello!

On Tue, Mar 01, 2022 at 09:26:23AM +0000, Nitsan Matsliah via nginx wrote:

> Assuming I have 2 servers in an upstream server group:
>
> 1. Test1.server.local
> 2. Test2.server.local
> Each one of these servers holds its own FQDN in its
> respective certificate.
> Test1.server.local will have test1.server.local as its subject
> and subject alternative name in the certificate it serves.
> Test2.server.local will have test2.server.local as its subject
> and subject alternative name in the certificate it serves.
>
> Now, let’s assume that the name of the upstream group or
> proxy_ssl_name is Test.server.local, nginx will compare the
> subject name from each certificate (either test1.server.local or
> test2.server.local) to the upstream group name -
> test.server.local and would complain about a mismatch.
> Unless test.server.local is added to each upstream server
> certificate this issue will persist.
>
> Is there any way around this using maybe nginx plus or any other
> alternative?

That's expected behaviour: an upstream group is essentially a more
sophisticated replacement for a domain name which resolves to
multiple IP addresses. All servers in the upstream group are
expected to be equal: to be able to answer the same requests,
respond to the same SNI name (assuming proxy_ssl_server_name is
used), and to return SSL certificates matching the same name.

You can use the proxy_ssl_name directive to change the expected name,
for example, if the name of the upstream group does not match the name
in the certificates used. That is, if you are using "upstream
test {...}" in the configuration, but the servers use
"test.example.com" in their certificates. But this directive cannot
be used to provide different names for different servers in the
upstream group, much like you cannot use proxy_set_header to add
different headers to requests sent to different servers.

The proper solution for your configuration would be to provide an
appropriate (and the same) name in the certificates used by all
servers in the upstream group. If for some reason you have to
connect to servers which are using different names in their
certificates, consider using separate upstream blocks for such
servers.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list -- nginx@nginx.org
To unsubscribe send an email to nginx-leave@nginx.org
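The two arrangements described in the reply above, as an added configuration example that is not part of the thread and not nginx's own documentation: one upstream group whose members all present a certificate for a shared name (with proxy_ssl_name overriding the group name), and, for members whose certificates carry different names, one upstream block per name. The hostnames test1.server.local, test2.server.local and test.server.local come from the question; frontend.example.com, the certificate and CA file paths, and the location prefixes are assumed. Note that nginx only compares certificate names when proxy_ssl_verify is on; with it off (the default) no mismatch is reported, but the upstream's identity is not checked either.

```nginx
# Added example (not from the mailing-list thread). Place inside the http {} context.
# Paths, the frontend name and the location prefixes are assumed.

# Case 1: every member presents a certificate whose SAN includes test.server.local.
# The group is named "test", which would otherwise be the default expected name
# (proxy_ssl_name defaults to the host part of proxy_pass), so it is overridden.
upstream test {
    server test1.server.local:443;
    server test2.server.local:443;
}

# Case 2: members present different names. One upstream block per name; the
# location that uses each block sets a matching proxy_ssl_name.
upstream test1 {
    server test1.server.local:443;
}

upstream test2 {
    server test2.server.local:443;
}

server {
    listen 443 ssl;
    server_name frontend.example.com;                   # assumed
    ssl_certificate     /etc/nginx/tls/frontend.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/frontend.key;    # assumed path

    # Upstream TLS verification shared by every proxied location below.
    proxy_ssl_verify              on;                               # compare cert name to proxy_ssl_name
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;   # assumed path to the CA that issued the backend certs
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_server_name         on;                               # send proxy_ssl_name as SNI so each backend picks the right cert

    # Shared name: works only if test.server.local is in each member's certificate.
    location /shared/ {
        proxy_ssl_name test.server.local;
        proxy_pass https://test;
    }

    # Separate blocks: each member is verified against its own name.
    location /one/ {
        proxy_ssl_name test1.server.local;
        proxy_pass https://test1;
    }

    location /two/ {
        proxy_ssl_name test2.server.local;
        proxy_pass https://test2;
    }
}
```

Because proxy_ssl_name and proxy_pass are both per-location, the second arrangement cannot load-balance across test1 and test2 from a single location; that is exactly the limitation the reply describes, and it is why a shared certificate name is the cleaner fix when the servers are meant to be interchangeable.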
Thread:
Upstream certificate validation - Servers in a server group -- Nitsan Matsliah via nginx, March 01, 2022 04:32AM
Re: Upstream certificate validation - Servers in a server group -- Maxim Dounin, March 01, 2022 09:08AM