I have a custom-managed domain: when inside my corporate intranet it resolves to an internal gateway machine, and when outside the intranet it resolves to Cloudflare. There's a website we want to make accessible from both the intranet and the internet, so I have configured Nginx on the gateway as follows:
    server {
        listen 443 ssl http2;
        server_name example.com;
        location / {
            proxy_pass https://example.com.cloudflare.net;
            proxy_set_header Host "example.com";
        }
    }
The problem is, now I want Nginx to verify the SSL certificate for example.com.cloudflare.net against example.com (instead of the resolved domain). How should I do so?
Note that example.com resolves to the intranet IP address of this gateway machine (it's in the intranet, too).
Looks like proxy_ssl_name is what you are looking for. From the documentation:
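An added example, not part of the original answer and not an excerpt from the nginx documentation: the gateway config from the question with upstream certificate verification enabled against example.com. The listener certificate paths and the CA bundle path are assumptions; adjust them for the host.

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # Listener certificate for intranet clients (placeholder paths, assumed).
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    location / {
        proxy_pass https://example.com.cloudflare.net;
        proxy_set_header Host "example.com";

        # Verification is off by default; without this directive nginx
        # accepts any certificate the upstream presents.
        proxy_ssl_verify on;
        # CA bundle used to validate the upstream chain
        # (Debian/Ubuntu location, assumed).
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # Default depth is 1; allow for an intermediate CA in the chain.
        proxy_ssl_verify_depth 2;

        # Name checked against the upstream certificate, replacing the
        # default (the host taken from proxy_pass).
        proxy_ssl_name example.com;
        # Send that name as SNI so the upstream selects the matching
        # certificate; SNI to upstreams is off by default.
        proxy_ssl_server_name on;
    }
}
```

Check the file with `nginx -t` before reloading. If verification fails, the error log records an upstream SSL certificate verify error and the client receives a 502.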