proxy_ssl_verify_depth
The `proxy_ssl_verify_depth` directive sets the verification depth for SSL certificate chains during proxying.
Description
The `proxy_ssl_verify_depth` directive applies to SSL/TLS connections made when NGINX acts as a reverse proxy for backend servers that present SSL certificates. It controls how many intermediate certificates may appear in the chain between the upstream server's certificate and a valid, trusted root certificate during validation.
When NGINX, acting as the TLS client, connects to an upstream server over HTTPS, the certificate verification can involve several layers of certificates: the root certificate, one or more intermediate certificates, and the end-entity (leaf) certificate presented by the upstream. The `proxy_ssl_verify_depth` directive lets the administrator define the maximum number of these intermediate certificates that may be traversed before verification fails. If a value of 0 is set, only the end-entity certificate will be verified and not any of the intermediates.
This directive is important for establishing a secure connection: it helps confirm that the SSL certificate presented by an upstream server chains to a trusted root and thus helps prevent man-in-the-middle attacks. Properly configuring the depth ensures that only valid certificate chains are accepted, maintaining the integrity and security of the proxied connections.
Config Example
```nginx
location /api {
    proxy_pass https://backend;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
}
```
Setting the verify depth too low may allow untrusted certificates to pass verification if they are only a few layers away from the root.
The directive does not configure certificate verification itself; make sure to also use `proxy_ssl_verify on;` for it to take effect.
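A fuller upstream TLS configuration, added here as an illustration rather than taken from the NGINX documentation, showing the directives that make the depth setting meaningful (trusted CA bundle, SNI and name checking); the certificate paths, backend address and hostnames are assumed:

```nginx
upstream backend {
    server 10.0.0.10:443;   # assumed backend address
}

server {
    listen 443 ssl;
    server_name gateway.example.com;                  # assumed front-end name
    ssl_certificate     /etc/nginx/tls/gateway.crt;   # assumed paths
    ssl_certificate_key /etc/nginx/tls/gateway.key;

    location /api {
        proxy_pass https://backend;

        # Verify the upstream certificate against this CA bundle; without
        # proxy_ssl_verify on, proxy_ssl_verify_depth has no effect.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;   # assumed path

        # Assumed upstream chain: root -> intermediate -> leaf, i.e. one
        # intermediate to traverse. Depth 1 is enough for that chain; depth 2
        # leaves room for a second intermediate (e.g. during a CA rollover)
        # without accepting arbitrarily long chains.
        proxy_ssl_verify_depth 2;

        # Send SNI and check the upstream name; otherwise any certificate
        # issued under the trusted CA, for any name, would be accepted.
        proxy_ssl_server_name on;
        proxy_ssl_name api.internal.example;   # assumed upstream hostname
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

Keep the depth at the smallest value that accommodates the upstream's real chain: a chain containing more intermediates than the configured depth is rejected, so check the chain length before lowering the value.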