proxy_ssl_crl
The `proxy_ssl_crl` directive specifies a Certificate Revocation List (CRL) file for validating certificates in SSL proxy connections.
Description
The proxy_ssl_crl directive names a file containing a Certificate Revocation List (CRL) that NGINX uses when it verifies the SSL/TLS certificate presented by a proxied server. If the server's certificate appears in the CRL, NGINX treats it as revoked and refuses the connection, so a revoked (for example, compromised) certificate cannot be used. The directive takes a single argument: the path to the CRL file, which must be in PEM format.
The directive may be set in the http, server, or location context, so a CRL can apply globally or only to particular proxied locations. Validation happens each time NGINX opens an SSL connection to a proxied server; if that server's certificate is listed in the CRL, the connection is terminated with an error rather than continuing with a revoked certificate.
Config Example
location /api {
    proxy_pass https://backend;
    proxy_ssl_crl /etc/nginx/crl.pem;
}

Ensure the CRL file is updated regularly to avoid using old revocation data.
The file path must be absolute; relative paths may cause errors.
Make sure the CRL file is in the correct PEM format.
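The example below is added here and is not taken from the page or from the NGINX documentation; it contrasts a configuration in which the CRL is named but never consulted with one in which it actually takes effect. The file paths under /etc/nginx/ and the hostname backend.internal.example are placeholders to be replaced with your own CA bundle, CRL and backend name.

```nginx
# Added example (not from the original page). Paths under /etc/nginx/ and the
# hostname backend.internal.example are assumed placeholders.

# Weak: the CRL is named, but upstream certificate verification is off
# (proxy_ssl_verify defaults to off), so the backend certificate is never
# checked and the CRL is never read.
location /api-unverified {
    proxy_pass https://backend;
    proxy_ssl_crl /etc/nginx/crl.pem;
}

# Hardened: turn verification on, name the CA(s) the backend must chain to,
# and supply the CRL. NGINX enables CRL checking for every CA in the chain,
# so crl.pem must contain the CRL of each issuing CA (root and intermediates).
location /api {
    proxy_pass https://backend;

    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;
    proxy_ssl_crl /etc/nginx/crl.pem;

    # Send SNI and check that the certificate matches the expected backend name.
    proxy_ssl_server_name on;
    proxy_ssl_name backend.internal.example;
}
```

NGINX refuses to start when proxy_ssl_verify is on but no proxy_ssl_trusted_certificate is given, so the hardened block fails loudly rather than silently. A CRL whose nextUpdate time has passed causes OpenSSL to reject the upstream certificate, so a stale file fails closed; `openssl crl -in /etc/nginx/crl.pem -noout -nextupdate` shows when the current file expires, and upstream verification failures appear in the NGINX error log.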