Feature suggestion: Additional check for SSL misconfiguration in stream proxy.

Andrey Kulikov
April 30, 2020 01:00AM
Hello,

Consider following configuration:

stream {
    server {
        listen 5443;
        proxy_pass my-tls-upstream:443;
        # proxy_ssl is not set here, so it keeps its default of "off"
        proxy_ssl_verify on;
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate trusted_root_CAs.cer;
    }
} # end stream

It is perfectly OK for nginx, though it doesn't do what one would
expect it to: data is being sent to the upstream server in plain text.
This is due to the fact that proxy_ssl is off by default,
so all proxy_ssl_* directives are ignored.

This looks kind of error-prone, as, unlike in the HTTP proxy module, we
can't specify a schema for upstream connections.

Thus, one could expect nginx to complain about the misconfiguration (using
proxy_ssl_* without specifying proxy_ssl on; first), rather than
silently sending data in cleartext.

If a patch implementing additional checks for the stream-proxy module
is submitted, is there any chance it could be considered for
merging upstream?

--
Best wishes,
Andrey.
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
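The check proposed in the post, as an added example that is not part of the original message or of nginx itself: a small Python linter that parses a stream block, computes the effective proxy_ssl value for each server (an explicit server-level setting, otherwise the value inherited from the enclosing stream block, otherwise the default "off"), and reports any server that sets proxy_ssl_* directives while proxy_ssl is effectively off. The config text is constructed for the example: it contains the misconfigured server from the post next to a corrected one. The parser is an assumption-driven simplification (no quoted strings, no include directives) and is not nginx's own config parser.

```python
import re

# Constructed sample: the misconfigured server from the post (5443) beside a
# corrected server (5444) that actually enables TLS to the upstream.
SAMPLE_CONFIG = """
stream {
    server {
        listen 5443;
        proxy_pass my-tls-upstream:443;
        proxy_ssl_verify on;                 # ignored: proxy_ssl is off by default
        proxy_ssl_server_name on;
        proxy_ssl_trusted_certificate trusted_root_CAs.cer;
    }
    server {
        listen 5444;
        proxy_pass my-tls-upstream:443;
        proxy_ssl on;                        # corrected: TLS to upstream is enabled
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate trusted_root_CAs.cer;
    }
}
"""

# Tokens are braces, semicolons, or runs of anything else (assumption: no quoted strings).
TOKEN_RE = re.compile(r'[{};]|[^\s{};]+')


def _tokenize(text):
    # Drop '#' comments to end of line, then split into words and punctuation.
    return TOKEN_RE.findall(re.sub(r'#[^\n]*', '', text))


def parse(text):
    """Parse nginx-style config text into a tree of blocks.

    Each block is {'header': [tokens before '{'], 'directives': [(name, args)], 'children': [blocks]}.
    """
    root = {'header': [], 'directives': [], 'children': []}
    stack, current = [root], []
    for tok in _tokenize(text):
        if tok == ';':
            if current:
                stack[-1]['directives'].append((current[0], current[1:]))
            current = []
        elif tok == '{':
            block = {'header': current, 'directives': [], 'children': []}
            stack[-1]['children'].append(block)
            stack.append(block)
            current = []
        elif tok == '}':
            if len(stack) == 1:
                raise ValueError('unbalanced closing brace')
            stack.pop()
        else:
            current.append(tok)
    if len(stack) != 1:
        raise ValueError('unclosed block')
    return root


def _proxy_ssl_value(directives):
    # Last "proxy_ssl on|off;" in this scope wins; None means not set here.
    value = None
    for name, args in directives:
        if name == 'proxy_ssl' and args:
            value = args[0].lower()
    return value


def check_stream_proxy_ssl(text):
    """Return one finding per stream server that sets proxy_ssl_* with proxy_ssl effectively off."""
    findings = []
    for stream in parse(text)['children']:
        if stream['header'] != ['stream']:
            continue
        inherited = _proxy_ssl_value(stream['directives']) or 'off'
        for server in stream['children']:
            if server['header'] != ['server']:
                continue
            local = _proxy_ssl_value(server['directives'])
            effective = local if local is not None else inherited
            ssl_opts = [n for n, _ in server['directives'] if n.startswith('proxy_ssl_')]
            if effective == 'off' and ssl_opts:
                listens = [' '.join(a) for n, a in server['directives'] if n == 'listen']
                findings.append(
                    'server listen %s: %s set but proxy_ssl is off; these directives are '
                    'ignored and upstream traffic is sent in plaintext'
                    % (', '.join(listens) or '?', ', '.join(ssl_opts)))
    return findings


if __name__ == '__main__':
    for finding in check_stream_proxy_ssl(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the linter reports only the 5443 server; the 5444 server passes because proxy_ssl on is set in the same scope, and a server with no proxy_ssl of its own passes when the enclosing stream block sets proxy_ssl on.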
Thread:

Feature suggestion: Additional check for SSL misconfiguration in stream proxy.
Andrey Kulikov, April 30, 2020 01:00AM (109 views)

Re: Feature suggestion: Additional check for SSL misconfiguration in stream proxy.
Maxim Dounin, May 12, 2020 03:20PM (25 views)