OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: Fright on June 11, 2020, 04:36:56 pm

Title: nginx SNI proxy_ssl_name
Post by: Fright on June 11, 2020, 04:36:56 pm
Hi!
I have an SNI backend.
Since OPNsense sets the proxy_pass parameter to the upstream (https://<upstreamuuid>), a simple
"proxy_ssl_server_name on" doesn't work:
a capture shows that the server_name extension is set to "upstream<uuid>"

So to use the SNI extension I need to use proxy_ssl_name in the location:
proxy_ssl_name <my backend hostname>;
proxy_set_header Host <my backend hostname>;

But there is no such parameter in the location GUI config.
Where in the GUI can I set these parameters?
Thanks!

upd: I added the hostname in "TLS: Servername override" in the Upstream section, but it doesn't help (and again: it's a location parameter, not an upstream one), and it's not adding proxy_ssl_name to the conf.

upd2: if I set "proxy_ssl_server_name on", it removes "proxy_ssl_name <my backend hostname>;",
but I think that's not right. The nginx documentation says that "proxy_ssl_server_name on" reads the hostname from the proxy_pass parameter by default, not from the user request, and if an upstream is used we need to use the proxy_ssl_name param to pass the SNI hostname.


Title: Re: nginx SNI proxy_ssl_name
Post by: Fright on June 12, 2020, 10:31:18 am
I think this is an error in GUI->config. It should not delete the proxy_ssl_name parameter if SNI is enabled.

The proxy_ssl_server_name and proxy_ssl_name parameters must work together.

If I manually edit the .conf file to:
proxy_ssl_server_name on;
proxy_ssl_name myhost.dom;

and restart nginx - it works!

Am I wrong though?
Title: Re: nginx SNI proxy_ssl_name
Post by: fabian on June 12, 2020, 11:09:24 am
As far as I know proxy_ssl_servername means that it forwards the server name it got from the client. The other setting is to set it explicitly to a specific value. I think the documentation needs to be checked. Maybe the behavior has changed.
Title: Re: nginx SNI proxy_ssl_name
Post by: Fright on June 12, 2020, 12:23:38 pm
Quote from: fabian on June 12, 2020, 11:09:24 am
"As far as I know proxy_ssl_servername means that it forwards the server name it got from the client. The other setting is to set it explicitly to a specific value. I think the documentation needs to be checked. Maybe the behavior has changed."

https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_name
"By default, the host part of the proxy_pass URL is used."
I did a packet capture. It's true.
Title: Re: nginx SNI proxy_ssl_name
Post by: Fright on June 13, 2020, 09:35:01 am
I edited location.conf so that proxy_ssl_server_name and proxy_ssl_name work together (deleted the Else statement and closed the If). Everything works as expected. Should I open an issue on GitHub?
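
The two cases discussed in this thread, side by side, as an added example that is not part of the original posts and is not the file OPNsense generates. The upstream name, backend address, hostname, port and CA path are placeholders; the proxy_ssl_verify lines go beyond what the thread covers and are included because proxy_ssl_name also sets the name checked against the backend certificate.

```nginx
# Added illustration; every name, address and path below is a placeholder.
events {}

http {
    # The generated config names the upstream after its UUID;
    # "upstream_uuid_placeholder" stands in for that generated name.
    upstream upstream_uuid_placeholder {
        server 192.0.2.10:443;   # constructed backend address (TEST-NET-1)
    }

    server {
        listen 8080;

        # Case 1: SNI enabled, no name override.
        # nginx takes the SNI value from the host part of the proxy_pass URL,
        # so the ClientHello carries "upstream_uuid_placeholder" and an
        # SNI-based backend cannot select the intended virtual host.
        location /sni-from-proxy-pass/ {
            proxy_pass https://upstream_uuid_placeholder;
            proxy_ssl_server_name on;
        }

        # Case 2: both directives together.
        # proxy_ssl_server_name turns the SNI extension on;
        # proxy_ssl_name supplies the value that is sent in it.
        location / {
            proxy_pass https://upstream_uuid_placeholder;
            proxy_ssl_server_name on;
            proxy_ssl_name backend.example.com;
            proxy_set_header Host backend.example.com;

            # proxy_ssl_name is also the name matched against the backend
            # certificate once verification is enabled (it is off by default).
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /path/to/backend-ca.pem;  # placeholder
        }
    }
}
```

A packet capture on the backend side, as done in the thread, confirms which server_name value each location sends.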