This is an automated email from the ASF dual-hosted git repository.
cbickel pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new 22c0807 Assure nginx verifies downstream ssl certs. (#3658)
22c0807 is described below
commit 22c0807b9eae20af9acc70b91a1943dd35a95092
Author: Vadim Raskin <[email protected]>
AuthorDate: Wed May 16 13:00:16 2018 +0200
Assure nginx verifies downstream ssl certs. (#3658)
---
ansible/roles/nginx/templates/nginx.conf.j2 | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2
b/ansible/roles/nginx/templates/nginx.conf.j2
index 61ea6fb..a86593f 100644
--- a/ansible/roles/nginx/templates/nginx.conf.j2
+++ b/ansible/roles/nginx/templates/nginx.conf.j2
@@ -26,6 +26,8 @@ http {
{% if controller.protocol == 'https' %}
proxy_ssl_session_reuse on;
proxy_ssl_name {{ controller.ssl.cn }};
+ proxy_ssl_verify on;
+ proxy_ssl_trusted_certificate /etc/nginx/{{ controller.ssl.cert }};
proxy_ssl_protocols TLSv1.1 TLSv1.2;
proxy_ssl_certificate /etc/nginx/{{ controller.ssl.cert }};
proxy_ssl_certificate_key /etc/nginx/{{ controller.ssl.key }};
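Review bot: The trust anchor on the added `proxy_ssl_trusted_certificate` line is the same file, `/etc/nginx/{{ controller.ssl.cert }}`, that nginx presents as its own client certificate on the `proxy_ssl_certificate` line below. Verification therefore presumably only succeeds when that file is self-signed and shared with the controller, or when it also carries the issuing CA. If the controller certificate is ever issued by a CA, point the directive at a separate CA bundle and revisit `proxy_ssl_verify_depth`, which defaults to 1. At minimum, record the assumption next to the directive, for example `# trust anchor is the shared controller cert; switch to the CA bundle if the cert becomes CA-issued`. The enclosing `http` block and the `{% if %}` guard continue outside the hunk, so the non-https path is not visible here.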
@@ -90,7 +92,6 @@ http {
ssl_protocols TLSv1.2;
ssl_ciphers
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
- proxy_ssl_verify off;
proxy_ssl_session_reuse on;
# proxy to the web action path