switch to get nginx to validate proxy tls connections #116
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
So it turns out that by default NGINX does not validate the TLS certificates of its backend servers when used as a reverse-proxy:
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
This fits their expectation of the reverse-proxy being presented into a fleet of HTTP workers which are all either running HTTP (ick) or else self-signed arbitrary certificates which we don't really care about.
This patch introduces two new on-by-default settings:
nginx_proxy_ssl_verify- default1, or set to0to disablenginx_proxy_ssl_trusted_certificatedefault/etc/ssl/certs/ca-certificates.crtThe first of these settings controls whether
proxy_ssl_verify(see this page) is enabled.The second defines a default for
proxy_ssl_trusted_certificate(see ditto) which may need to be changed by the user.We are currently considering options for inclusion of: (as documented)
...which need more research for a new feature to be launched.
This patch is:
This bug/issue was reported by The Tor Project, who are working on their own fork of EOTKwhich may have a different approach towards fixing this issue.
From a practical perspective, the issue is hard to exploit without pwning the DNS of an Onion proxy (or: messing with upstream like BGP) and given that for large EOTK deployments mostly those are within the bounds of trust of the web fleet this bug is not an active threat and may actually cause a performance issue; but it is an issue for small EOTK deployments where an onion proxy is not co-located.
More relevant documentation is at:
https://stackoverflow.com/questions/66111292/nginx-proxy-ssl-trusted-certificate-with-letsencrypt-upstream
Aside: If you run EOTK with a website that contains legacy port-80 URLs AND ALSO services traffic on port 80, it is essential that you break that behaviour by use of
force_ssldue to behaviour of Tor Browser as documented here