On 6/2/20 8:27 AM, Francis Daly wrote:
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
> 
> The nginx code probably should not try to check for (and reject) that
> combination of directives-and-values; but might it be worth adding a
> note to http://nginx.org/r/proxy_ssl_server_name to say that that other
> directive is probably a bad idea, especially if you get a http 421 response
> from your upstream?

trying to simplify/repeat, i've

vhost config,

        upstream test-upstream {
                server test.example.com:11111;
        }

        server {
                listen 10.10.10.1:443 ssl http2;
                server_name example.com;

                ...
                location /app1 {

                        proxy_ssl_verify       on;
                        proxy_ssl_verify_depth 2;
                        proxy_ssl_certificate         "/etc/ssl/nginx/test.client.crt";
                        proxy_ssl_certificate_key     "/etc/ssl/nginx/test.client.key";
                        proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

                        proxy_pass https://test-upstream/;
                        proxy_ssl_server_name on;
                        proxy_ssl_name test.example.com;

                }
        }

and, upstream config

                server {
                        listen 127.0.0.1:11111 ssl http2;
                        server_name test.example.com;

                        root /srv/www/test;
                        index index.php;
                        expires -1;

                        ssl_certificate         "/etc/ssl/nginx/test.server.crt";
                        ssl_certificate_key     "/etc/ssl/nginx/test.server.key";
                        ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

                        ssl_verify_client off;
                        ssl_verify_depth 2;
                        ssl_client_certificate  "/etc/ssl/nginx/ca_int.crt";

                        location ~ \.php {
                                try_files $uri =404;
                                fastcgi_pass   phpfpm;
                                fastcgi_index  index.php;
                                fastcgi_param  PATH_INFO $fastcgi_script_name;
                                include        includes/fastcgi/fastcgi_params;
                        }

                        error_log   /var/log/nginx/test.error.log  info;
                }

on access to

        https://example.com/app1

still get

        421 Misdirected Request

in log

        ==> /var/log/nginx/test.error.log <==
        2020/06/02 11:52:13 [info] 8713#8713: *18 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.com, request: "GET / HTTP/1.0", host: "test-upstream"

Is that

        host: "test-upstream"

to be expected?  it's an upstream name, not an actual host.

Still unable to wrap my head around where this mis-match is coming from ... I 
have a nagging suspicion I'm missing something *really* obvious :-/
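The log line above shows the proxied request arriving with host "test-upstream" while the TLS name configured in the location is test.example.com. The following check is an added example, not part of the original message and not nginx code: it compares the two names statically, relying on the documented nginx defaults that both the Host header and proxy_ssl_name fall back to $proxy_host (the host part of proxy_pass). The function names and the sample block are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the /app1 location from the post, certificate lines omitted.
SAMPLE = """
proxy_pass https://test-upstream/;
proxy_ssl_server_name on;
proxy_ssl_name test.example.com;
"""

def directives(block):
    """Split a flat nginx block (no nested braces) into [name, arg, ...] lists."""
    out = []
    for stmt in re.sub(r"#.*", "", block).split(";"):
        toks = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', stmt)]
        if toks:
            out.append(toks)
    return out

def bare(name):
    """Lower-case a host name and drop a trailing :port."""
    return re.sub(r":\d+$", "", name).lower()

def sni_vs_host(block):
    """Return (sni_name, host_header, verdict); the block must contain proxy_pass."""
    d = directives(block)
    def last(name):
        return next((t[1:] for t in reversed(d) if t[0] == name), None)
    proxy_host = urlsplit(last("proxy_pass")[0]).netloc  # nginx's $proxy_host
    host = proxy_host  # documented default: proxy_set_header Host $proxy_host
    for t in d:
        if t[0] == "proxy_set_header" and len(t) > 2 and t[1].lower() == "host":
            host = t[2]
    if (last("proxy_ssl_server_name") or ["off"])[0] != "on":
        return None, host, "no-sni"  # no name is sent in the TLS handshake
    sni = (last("proxy_ssl_name") or [proxy_host])[0]  # default is $proxy_host
    if "$" in sni or "$" in host:
        return sni, host, "dynamic"  # variables cannot be resolved statically
    verdict = "match" if bare(sni) == bare(host) else "mismatch"
    return sni, host, verdict

if __name__ == "__main__":
    print(sni_vs_host(SAMPLE))
```

A "dynamic" verdict means a variable such as $host is involved and the names have to be compared at request time instead.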