> On 30 Mar 2017, at 09:59, shivramg94 <nginx-fo...@forum.nginx.org> wrote: > > I am trying to implement HTTPS protocol communication at every layer of a > proxying path. My proxying path is from client to load balancer (nginx) and > then from nginx to the upstream server. > > I am facing a problem when the request is proxied from nginx to the upstream > server. > > I am getting the following error in the nginx logs > > 2017/03/26 19:08:39 [error] 76753#0: *140 upstream SSL certificate does not > match "8ba0c0da44ee43ea894987ab01cf4fbc" while SSL handshaking to upstream, > client: 10.191.200.230, server: > abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com, request: "GET /a/a.html > HTTP/1.1", upstream: "https://10.240.81.28:8001/a/a.html";, host: > "abc.uscom-central-1.ssenv.opcdev2.oraclecorp.com:10003" > > This is my configuration for the upstream server block > > upstream 8ba0c0da44ee43ea894987ab01cf4fbc { > server slc01etc.us.oracle.com:8001 weight=1; > keepalive 100; > } > > proxy_pass https://8ba0c0da44ee43ea894987ab01cf4fbc; > proxy_set_header Host $host:10003; > proxy_set_header WL-Proxy-SSL true; > proxy_set_header IS_SSL ssl; > proxy_ssl_trusted_certificate > /u01/data/secure_artifacts/ssl/trusted_certs/trusted-cert.pem; > proxy_ssl_verify on;proxy_set_header X-Forwarded-For > $proxy_add_x_forwarded_for; > > When the request goes from Nginx to the upstream server, nginx matches the > upstream ssl certificate against the pattern present in the proxy_pass > directive. But my upstream ssl certificate pattern is the upstream server > hostname (slc01etc.us.oracle.com) . > > Is there any way, where I can force Nginx to verify the upstream ssl > certificate against the server hostnames provided in the upstream server > block, instead of the pattern present in the proxy_pass directive?
Use the proxy_ssl_name directive to override. See for more details: http://nginx.org/r/proxy_ssl_name -- Sergey Kandaurov _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
