2

I have a custom-managed domain: inside my corporate intranet it resolves to an internal gateway machine, and outside the intranet it resolves to Cloudflare. There's a website we want to make accessible from both the intranet and the internet, so I have configured Nginx on the gateway as follows:

server {
    listen 443 ssl http2;
    server_name example.com;

    location / {
        proxy_pass https://example.com.cloudflare.net;
        proxy_set_header Host "example.com";
    }
}

The problem is, now I want Nginx to verify the SSL certificate for example.com.cloudflare.net against example.com (instead of the resolved domain). How should I do so?

Note that example.com resolves to the intranet IP address of this gateway machine (it's in the intranet, too).

iBug

1 Answer

1

Looks like proxy_ssl_name is what you are looking for. From the documentation:

Syntax:   proxy_ssl_name name;
Default:  proxy_ssl_name $proxy_host;
...
Allows overriding the server name used to verify the certificate of the
proxied HTTPS server and to be passed through SNI when establishing
a connection with the proxied HTTPS server.

Steffen Ullrich
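
The gateway config from the question with this directive applied, as an added example that is not part of the original answer. `proxy_ssl_name` only sets the name: nginx checks the upstream certificate only when `proxy_ssl_verify` is on and sends SNI only when `proxy_ssl_server_name` is on, both of which default to off. The certificate, key and CA bundle paths are assumptions.

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    # Gateway's own certificate for intranet clients (placeholder paths, assumed).
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    location / {
        proxy_pass https://example.com.cloudflare.net;
        proxy_set_header Host "example.com";

        # Name matched against the upstream certificate and used for SNI,
        # instead of the default $proxy_host (example.com.cloudflare.net).
        proxy_ssl_name example.com;

        # Default is off: without this no SNI is sent to the upstream.
        proxy_ssl_server_name on;

        # Default is off: without this the upstream certificate is accepted
        # unchecked and proxy_ssl_name has no effect on verification.
        proxy_ssl_verify on;

        # Allow for an intermediate CA in the upstream chain (default depth is 1).
        proxy_ssl_verify_depth 2;

        # CA bundle used to validate the upstream chain
        # (Debian/Ubuntu location, assumed; adjust for your distribution).
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

Run `nginx -t` before reloading; a handshake that fails verification is reported in the error log and returned to the client as a 502.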