From 2fe7e5c18de3a623a423c440e2303fb57c9dbcf1 Mon Sep 17 00:00:00 2001
From: Michal Cichra
Date: Fri, 24 Mar 2017 12:59:33 +0100
Subject: [PATCH] turn on proxy ssl verification unfortunately this can't be behind a flag
---
 apicast/.s2iignore | 1 +
 apicast/apicast.d/proxy_ssl.conf | 4 ++++
 apicast/conf.d/apicast.conf | 4 ++++
 apicast/http.d/init.conf | 2 ++
 t/012-configuration-loading-boot-with-config.t | 2 +-
 5 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 apicast/apicast.d/proxy_ssl.conf
diff --git a/apicast/.s2iignore b/apicast/.s2iignore
index 566749acf..43cbc75e1 100644
--- a/apicast/.s2iignore
+++ b/apicast/.s2iignore
@@ -1,2 +1,3 @@
 .s2i
 conf/ca-bundle.crt
+apicast.d/proxy_ssl.conf
diff --git a/apicast/apicast.d/proxy_ssl.conf b/apicast/apicast.d/proxy_ssl.conf
new file mode 100644
index 000000000..f0126001d
--- /dev/null
+++ b/apicast/apicast.d/proxy_ssl.conf
@@ -0,0 +1,4 @@
+# This file is not in the built docker image and have to be added by hand.
+
+proxy_ssl_trusted_certificate ca-bundle.crt;
+proxy_ssl_verify on;
diff --git a/apicast/conf.d/apicast.conf b/apicast/conf.d/apicast.conf
index 9ad9e8274..1761147ed 100644
--- a/apicast/conf.d/apicast.conf
+++ b/apicast/conf.d/apicast.conf
@@ -48,6 +48,10 @@ location @out_of_band_authrep_action {
 }
 }
+proxy_ssl_server_name on;
+proxy_ssl_name $http_host;
+proxy_ssl_verify_depth 5;
+
 location / {
 set $cached_key null;
 set $credentials null;
diff --git a/apicast/http.d/init.conf b/apicast/http.d/init.conf
index 2b8d06e9b..1ee8d52b8 100644
--- a/apicast/http.d/init.conf
+++ b/apicast/http.d/init.conf
@@ -23,3 +23,5 @@ init_by_lua_block {
 init_worker_by_lua_block {
 require('module'):init_worker()
 }
+
+lua_shared_dict init 16k;
diff --git a/t/012-configuration-loading-boot-with-config.t b/t/012-configuration-loading-boot-with-config.t
index de97d66eb..779db3805 100644
--- a/t/012-configuration-loading-boot-with-config.t
+++ b/t/012-configuration-loading-boot-with-config.t
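Review bot: In the new apicast/apicast.d/proxy_ssl.conf, `proxy_ssl_verify on;` is the only line that enables upstream certificate verification, and this same commit lists the file in .s2iignore, so a built image would proxy to TLS upstreams without checking their certificates unless an operator adds the file by hand. The header comment says the file must be added by hand but not what is lost without it; I would spell that out, e.g. `# Without this file nginx keeps its default (proxy_ssl_verify off) and upstream certificates are not verified.` The relative `ca-bundle.crt` path is resolved by nginx against its configuration prefix, which presumably corresponds to the `conf/ca-bundle.crt` entry in .s2iignore; a comment naming the expected location would help whoever installs it.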
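Review bot: `proxy_ssl_name $http_host;` in apicast/conf.d/apicast.conf takes the name used for SNI and for matching the upstream certificate from the request's Host header, so the identity being verified follows a request-supplied value rather than the configured upstream, and a Host value that carries a port would not match a certificate name. If the Host header is rewritten to the upstream host before the request is proxied, that happens outside this hunk and the directive silently depends on it; a comment should record that, e.g. `# Host must already be rewritten to the upstream host; it is the name the upstream certificate is checked against`. If no such rewrite exists, the name should come from the upstream configuration instead. The directives sit outside any location block, and both neighbouring location blocks start or end outside the hunk.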
@@ -5,7 +5,7 @@ my $pwd = cwd();
 my $apicast = $ENV{TEST_NGINX_APICAST_PATH} || "$pwd/apicast";
 $ENV{TEST_NGINX_LUA_PATH} = "$apicast/src/?.lua;;";
-$ENV{TEST_NGINX_HTTP_CONFIG} = "$apicast/http.d/*.conf";
+$ENV{TEST_NGINX_HTTP_CONFIG} = "$apicast/http.d/init.conf";
 $ENV{TEST_NGINX_APICAST_PATH} = $apicast;
 $ENV{APICAST_CONFIGURATION_LOADER} = 'boot';
 $ENV{THREESCALE_CONFIG_FILE} = 't/servroot/html/config.json';
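Review bot: The test now loads only `http.d/init.conf` instead of every file under `http.d/`, and the reason is not recorded; a one-line comment above the assignment, e.g. `# load init.conf only: <reason>`, would keep someone from widening the glob again without knowing what breaks. Nothing visible in this commit adds a test for the new upstream verification settings, so neither a successful verification against the CA bundle nor the rejection of an untrusted upstream certificate is covered here. The rest of the test file lies outside the hunk.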