Nginx Proxy Pass SSL Verification

Mr Hyde asked:

I am using proxy_pass directive to upstream https server. The proxy server is meant for LAN clients. The upstream https server uses letsencrypt. How do I configure SSL verification?

proxy_pass https://upstream.backend
proxy_verify_ssl on;
proxy_ssl_trusted_certificate <which_file_is_supposed_to_be_here>;
proxy_ssl_verify_depth <what_number_here>;

My answer:


The documentation for proxy_ssl_trusted_certificate states:

Specifies a file with trusted CA certificates in the PEM format used to verify the certificate of the proxied HTTPS server.

Since you’re validating public TLS certificates, you can point it at your system’s CA certificate bundle. By default on Red Hat derived systems this is /etc/pki/tls/certs/ca-bundle.crt or /etc/pki/tls/certs/ca-bundle.trust.crt. Your location may vary if you for some reason don’t use a Red Hat derived system as your web server.

If you want, you can also download Let’s Encrypt’s CA certificate separately, place that on your filesystem somewhere, and point at it.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.