tls_verify_host
The `tls_verify_host` directive configures trust validation of hostnames when establishing TLS connections in the Proxy-Wasm context in NGINX.
Description
The tls_verify_host directive is part of the NGINX Proxy-Wasm support, allowing users to enforce hostname validation during TLS handshakes for outgoing connections. When enabled, NGINX will check that the hostname of the server being connected to matches the Common Name (CN) or Subject Alternative Name (SAN) fields in the server's TLS certificate. This is crucial for preventing man-in-the-middle attacks and ensuring that the client is communicating with the intended server.
This directive takes a single argument, either "on" or "off". When set to "on", NGINX performs the hostname verification; setting it to "off" disables it. It is generally recommended to keep this directive enabled to maintain secure connections, especially when the NGINX server is acting as a reverse proxy or gateway.
Behaviorally, if tls_verify_host is enabled and the hostname verification fails, NGINX will not establish the connection and will log an error indicating the reason for the failure. This helps ensure that only secure connections to valid hosts are permitted, thus maintaining the integrity of the web service being provided through NGINX.
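To make the check described above concrete, the following added example (not part of the NGINX or Proxy-Wasm code base, and not the page's own code) implements the hostname-matching rule that a TLS client applies to a peer certificate: SAN dNSName entries are consulted first, a wildcard is honoured only as the complete leftmost label, IP addresses are matched against SAN iPAddress entries, and the CN is consulted only when the certificate carries no dNSName SAN. The certificate dictionary, the hostnames and the `verify_host` helper (which mirrors the directive's on/off semantics) are all constructed for illustration.

```python
import ipaddress
from typing import Mapping, Tuple

# Constructed sample shaped like the dict Python's ssl.getpeercert() returns
# for a server certificate. Nothing here comes from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "backend.server"),),),
    "subjectAltName": (
        ("DNS", "backend.server"),
        ("DNS", "*.internal.example"),
        ("IP Address", "10.0.0.5"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name pattern from a certificate against a hostname.

    Follows the RFC 6125 rule: comparison is case-insensitive, a trailing
    dot is ignored, and a wildcard is only accepted as the whole leftmost
    label of a name with at least three labels, matching exactly one label.
    So '*.internal.example' matches 'api.internal.example' but neither
    'a.b.internal.example' nor 'internal.example'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject '*' anywhere but the leftmost label, partial-label wildcards
    # such as 'f*.example', and overly broad patterns such as '*.com'.
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: Mapping, hostname: str) -> bool:
    """Return True when hostname is covered by the certificate's SAN or CN."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    # A literal IP address is only ever matched against iPAddress SAN entries.
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)

    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)

    # Legacy fallback: consult the CN only when no dNSName SAN is present.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def verify_host(cert: Mapping, hostname: str,
                tls_verify_host: bool = True) -> Tuple[bool, str]:
    """Mirror the directive's on/off behaviour for a connection attempt.

    With the check disabled the connection proceeds regardless of the
    certificate name, which is exactly the exposure the directive closes.
    """
    if not tls_verify_host:
        return True, "tls_verify_host off: hostname not checked"
    if hostname_matches_cert(cert, hostname):
        return True, f"hostname {hostname!r} matches certificate"
    return False, f"hostname {hostname!r} does not match certificate SAN/CN"


if __name__ == "__main__":
    for host in ("backend.server", "api.internal.example",
                 "a.b.internal.example", "10.0.0.5", "evil.example"):
        ok, reason = verify_host(SAMPLE_CERT, host)
        print("accept" if ok else "reject", "-", reason)
```

The `verify_host` wrapper shows why "off" is dangerous: with verification disabled, a certificate for `evil.example` is accepted for a connection to `backend.server`, so any party holding a certificate trusted by the configured CA can impersonate the backend.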
Config Example
    http {
        server {
            listen 9000;

            location / {
                proxy_pass https://backend.server;
                tls_verify_host on;
            }
        }
    }

Make sure to enable the directive when working with outbound TLS connections to prevent potential security issues.
Failure to match the hostname can lead to connection failures; ensure your server certificates are correctly configured.