proxy_ssl_verify
The `proxy_ssl_verify` directive controls the verification of the SSL certificate for proxied connections.
Description
The `proxy_ssl_verify` directive specifies whether NGINX verifies the SSL certificate of a proxied server when establishing a connection to it. It takes a flag argument: 'on' enables verification and 'off' disables it. If the directive is not specified, verification is off by default. When enabled, NGINX will use the system's SSL libraries to verify the validity of the target server's SSL certificate against trusted Certificate Authorities (CAs). This step is crucial for applications that rely on secure connections, as it ensures that the certificate is valid and has not been tampered with or revoked, thus protecting users from man-in-the-middle attacks.
When configuring this directive, it's important to also take into account the chain of trust — the path leading from the server's certificate back to a trusted root CA. If intermediate CA certificates are necessary for the verification process, they should be provided in the appropriate configuration. If SSL verification fails, NGINX will reject the connection to the proxied server and log an error message, allowing administrators to take appropriate action. Therefore, it is advisable to carefully manage SSL certificates and their trust chains when using proxy_ssl_verify in production environments.
Config Example
location /api {
    proxy_pass https://backend-server;
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
}

Ensure that the relevant CA certificates are installed and correctly configured for SSL verification to succeed.
If SSL verification fails, NGINX will refuse the connection, which can lead to service outages if not properly handled.
Be careful when switching from 'off' to 'on' to avoid unexpected verification failures. Always verify the certificates during testing.
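
Before switching from 'off' to 'on', it helps to list which proxied HTTPS locations currently run without verification or without a CA file to verify against. The Python sketch below is an added example, not part of NGINX or of the original page. The sample configuration, the function names and the simplified parser (no `include` handling, no quoted strings or braces inside regex locations) are assumptions.

```python
import re

# Constructed sample configuration (an assumption, not from the original page).
SAMPLE = """
http {
    server {
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        location /api { proxy_pass https://backend-server; proxy_ssl_verify on; }
        location /legacy { proxy_pass https://legacy-backend; }  # verify defaults to off
        location /static { proxy_pass http://127.0.0.1:8080; }   # plain HTTP, not checked
    }
    server {
        proxy_ssl_verify on;  # inherited below, but no CA file is configured
        location / { proxy_pass https://other-backend; }
    }
}
"""
TOKEN = re.compile(r"[{};]|[^\s{};]+")

def parse(tokens):
    """Build {'dirs': {name: args}, 'children': [(label, block)]} from a token iterator."""
    block, words = {"dirs": {}, "children": []}, []
    for tok in tokens:
        if tok == "}":
            break
        if tok == "{":
            block["children"].append((" ".join(words), parse(tokens)))
        elif tok == ";" and words:
            block["dirs"][words[0]] = words[1:]
        words = [] if tok in ("{", ";") else words + [tok]
    return block

def walk(block, label, inherited):
    # proxy_ssl_* settings are inherited from outer levels unless redefined here.
    eff = {**inherited, **{k: v for k, v in block["dirs"].items() if k.startswith("proxy_ssl_")}}
    target = (block["dirs"].get("proxy_pass") or [""])[0]
    if target.startswith("https://"):
        if eff.get("proxy_ssl_verify") != ["on"]:
            yield label, target, "proxy_ssl_verify is off"
        elif "proxy_ssl_trusted_certificate" not in eff:
            yield label, target, "no proxy_ssl_trusted_certificate"
    for child_label, child in block["children"]:
        yield from walk(child, child_label, eff)

def audit(conf):
    """Return (block, upstream, reason) for every https proxy_pass left unverified."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (naive: ignores quoting)
    return list(walk(parse(iter(TOKEN.findall(conf))), "main", {}))
```

Calling `audit(SAMPLE)` reports `/legacy` (verification off) and the second server's `location /` (verification on but no trusted CA file), while the `/api` block and the plain HTTP upstream are not flagged.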