On Thu, Mar 12, 2020 at 10:47:40PM -0700, satscreate wrote:

Hi there,

> https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#

> location /upstream {
>     proxy_pass https://$upstream$request_uri;
>     proxy_ssl_certificate /etc/nginx/client.pem;
>     proxy_ssl_certificate_key /etc/nginx/client.key;
>     proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

> What is below client.pem & client.key?
>
> is this the nginx client files which needs to be created and signed with CA?

The page you link to says

"""
Add the client certificate and the key that will be used to authenticate
NGINX on each upstream server with proxy_ssl_certificate and
proxy_ssl_certificate_key directives:
"""

and the documentation for those directives is at
http://nginx.org/r/proxy_ssl_certificate

Those files relate to the client certificate that nginx will offer to
the upstream server in order to identify itself.

> What is trusted_ca_cert.crt;?

http://nginx.org/r/proxy_ssl_trusted_certificate

That file allows nginx to verify that the certificate presented by the
upstream server, is one that nginx is willing to consider acceptable.

> Is this related to backend.example.com? how can i obtain this?

Yes; the Certificate Authority that signed the backend.example.com
certificate should make this available to anyone they want to trust them.

> But getting below exception when i hit the API.
>
> upstream SSL certificate verify error: (19:self signed certificate in
> certificate chain) while SSL handshaking to upstream, client: <user_ip>,
> server: <nginx_server_ip>, request: "POST /getsomething HTTP/1.1", upstream:
> "https://backend.example.com:443/getsomething", host: "nginx_server_ip"

I believe that that says that nginx (as the client) does not accept the
certificate provided by the server at backend.example.com; probably due to
nginx's proxy_ssl_trusted_certificate configuration not being what it
expects.

Cheers,

f
--
Francis Daly [email protected]
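Added example, not part of the original message or of the nginx documentation: an offline lab with the `openssl` CLI that reproduces verify error 19 from the quoted log and contrasts it with error 20. All subject names and file names are constructed for the lab; it assumes `openssl` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example. Every subject name and file name is constructed for this lab.
set -eu

make_lab() {  # $1 = empty working directory
  d=$1
  # Private root CA that issues the upstream's certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Backend Root" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Unrelated CA: stands in for a trusted_ca_cert.crt holding the wrong issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Other Root" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
  # Upstream certificate for backend.example.com, signed by the backend root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=backend.example.com" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -days 1 \
    -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/server.crt" 2>/dev/null
}

# verify_code TRUSTED_FILE SERVER_CERT [CERTS_SENT_BY_SERVER]
# Prints "ok", the OpenSSL verify error number, or "unknown".
verify_code() {
  sent=${3:-}
  out=$(openssl verify -CAfile "$1" ${sent:+-untrusted "$sent"} "$2" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo ok
  else echo unknown; fi
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_lab "$lab"
# Trusted file holds the issuing root: verification succeeds.
echo "right CA, root sent: $(verify_code "$lab/root.crt" "$lab/server.crt" "$lab/root.crt")"
# Server sends its root, trusted file lacks it: the error from the thread.
echo "wrong CA, root sent: $(verify_code "$lab/other.crt" "$lab/server.crt" "$lab/root.crt")"
# Server sends only its leaf, trusted file lacks the issuer: a different error.
echo "wrong CA, leaf only: $(verify_code "$lab/other.crt" "$lab/server.crt")"
```

In OpenSSL's numbering, 19 means the peer sent a chain ending in a self-signed root that is absent from the trusted file, while 20 means no issuer for the certificate could be found at all. In both cases the file named by `proxy_ssl_trusted_certificate` needs the CA certificate that actually issued the upstream's certificate.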
