[nginx] allow enabling proxy_ssl_verify

[nginx] proxy ssl verification off by default because it would be off in the resulting docker image so better to have it the same in development
3scale · Mar 27, 2017 · 8349947 · 8349947
1 parent 6c63287
commit 8349947
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 6 deletions.
diff --git a/apicast/apicast.d/proxy_ssl.conf b/apicast/apicast.d/proxy_ssl.conf
@@ -1,4 +1,3 @@
 # This file is not in the built docker image and have to be added by hand.
 
-proxy_ssl_trusted_certificate ca-bundle.crt;
-proxy_ssl_verify on;
+proxy_ssl_verify off;
diff --git a/apicast/conf.d/apicast.conf b/apicast/conf.d/apicast.conf
@@ -48,10 +48,6 @@ location @out_of_band_authrep_action {
   }
 }
 
-proxy_ssl_server_name on;
-proxy_ssl_name $http_host;
-proxy_ssl_verify_depth 5;
-
 location / {
   set $cached_key null;
   set $credentials null;

diff --git a/apicast/conf/nginx.conf b/apicast/conf/nginx.conf
@@ -65,6 +65,8 @@ http {
     server_name _;
     underscores_in_headers on;
 
+    include ../http.d/ssl.conf;
+
     include ../apicast.d/*.conf;
     include ../conf.d/apicast.conf;
   }

diff --git a/apicast/http.d/lua_ssl.conf → apicast/http.d/ssl.conf b/apicast/http.d/lua_ssl.conf → apicast/http.d/ssl.conf
@@ -6,3 +6,9 @@
 #
 lua_ssl_verify_depth 5;
 lua_ssl_trusted_certificate ca-bundle.crt;
+
+proxy_ssl_server_name on;
+proxy_ssl_name $http_host;
+proxy_ssl_verify_depth 5;
+
+proxy_ssl_trusted_certificate ca-bundle.crt;
diff --git a/examples/ssl-verification/README.md b/examples/ssl-verification/README.md
@@ -0,0 +1,20 @@
+# SSL/TLS Verification
+
+APIcast supports certificate verification against trusted CAs. This feature is off by default because some environments use custom CAs and would make those connections fail by default.
+
+## Upstream verification
+
+This validation is controller by `proxy_ssl_*` nginx directives. Everything is set up to use default OS trusted certificates. Only step needed is to add custom configuration to enable the verification:
+
+```nginx
+# apicast.d/proxy_ssl.conf
+proxy_ssl_verify on;
+```
+
+## 3scale AMP verification
+
+To enable verification for connections between APIcast and 3scale AMP you'll need to set `OPENSSL_VERIFY` environment variable. Everything is set up to use the default OS  trusted certificate chain.
+
+```shell
+docker run --env OPENSSL_VERIFY=true apicast
+```
diff --git a/examples/ssl-verification/badssl.json b/examples/ssl-verification/badssl.json
@@ -0,0 +1,41 @@
+{
+  "services": [
+    {
+      "id": "wrong-host",
+      "backend_version": 1,
+      "proxy": {
+        "api_backend": "https://wrong.host.badssl.com",
+        "hosts": [
+          "wrong.host.badssl.com"
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1
+          }
+        ]
+      }
+    },
+    {
+      "id": "ok-host",
+      "backend_version": 1,
+      "proxy": {
+        "api_backend": "https://badssl.com",
+        "hosts": [
+          "badssl.com"
+        ],
+        "proxy_rules": [
+          {
+            "http_method": "GET",
+            "pattern": "/",
+            "metric_system_name": "hits",
+            "delta": 1
+          }
+        ]
+      }
+    }
+  ]
+}
+
diff --git a/examples/ssl-verification/proxy_ssl.conf b/examples/ssl-verification/proxy_ssl.conf
@@ -0,0 +1 @@
+proxy_ssl_verify on;