grpc_ssl_verify
The `grpc_ssl_verify` directive configures whether to verify the SSL certificate of a gRPC server when making requests.
Description
The grpc_ssl_verify directive is used within the NGINX server configuration to control the verification process of SSL certificates for gRPC backend servers. This directive accepts a flag argument that specifies if SSL certificate verification should be performed during gRPC requests. When set to 'on', NGINX will verify the SSL certificate presented by the upstream gRPC server against the CA certificates configured in the system, ensuring that the connection is secure and that the server's identity is valid.
The directive can be placed in http, server, or location contexts, allowing for flexible configuration based on the hierarchy of requests. If the verification is enabled and the server's certificate is invalid or cannot be verified, NGINX will refuse to establish the connection. Conversely, setting this directive to 'off' disables the verification process, which can be useful for testing but poses a security risk in production environments where man-in-the-middle attacks are a concern.
Keep in mind that when grpc_ssl_verify is enabled, it relies on the CA certificates available in the NGINX build, which can be customized by specifying the ssl_trusted_certificate directive. Therefore, proper configuration of your trusted certificates is essential for the correct operation of this directive and secure communication with gRPC services.
Config Example
```
location /api {
    # grpcs:// selects TLS to the upstream; with plain grpc:// there is no
    # certificate for grpc_ssl_verify to check.
    grpc_pass grpcs://backend-grpc;
    grpc_ssl_verify on;
}
```

Make sure to provide the correct CA certificates using the ssl_trusted_certificate directive when enabling verification.

Disabling verification ('off') might expose the service to security risks; use it only in trusted environments.
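
A fuller upstream-TLS configuration that puts the unverified setting beside a verified one, as an added example that is not part of the original page. It uses the gRPC module's own `grpc_ssl_*` directives (`grpc_ssl_trusted_certificate`, `grpc_ssl_verify_depth`, `grpc_ssl_name`, `grpc_ssl_server_name`). The location paths, hostname and CA file path are placeholders assumed for illustration.

```nginx
# Added example; both blocks belong inside a server {} block.
# Location paths, the hostname and the CA path are placeholders.

# Weak: TLS to the upstream, but any certificate is accepted
# (grpc_ssl_verify defaults to off), so a host on the network path
# can impersonate the backend.
location /api-unverified {
    grpc_pass grpcs://backend-grpc;
    grpc_ssl_verify off;
}

# Verified: the certificate chain and the name are both checked
# before the request is sent upstream.
location /api {
    grpc_pass grpcs://backend-grpc;

    grpc_ssl_verify on;
    # CA bundle (PEM) used to validate the upstream's certificate chain.
    grpc_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;
    # Maximum length of the upstream certificate chain.
    grpc_ssl_verify_depth 2;

    # Name the certificate must match. The default is the host part of
    # grpc_pass, which here is an upstream group name, not a DNS name.
    grpc_ssl_name grpc.internal.example;
    # Send that name via SNI so the backend selects the matching certificate.
    grpc_ssl_server_name on;
}
```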