Verified Commit 95a3f8ad authored by tr

Add a CA certificate to verify the backend

parent cabdda4f
Pipeline #6586 passed with stages in 19 minutes and 37 seconds
......@@ -29,6 +29,7 @@ Environment
* `TLS_CERT`: TLS certificate file. Defaults to `_`.
* `BACKEND`: Proxy pass to this backend. Defaults to `_`.
* `BACKEND_VERIFY`: Verify the certificate of the backend. Defaults to `on`.
* `BACKEND_VERIFY_CA`: Set the path to the CA certificate. Defaults to `/etc/pki/tls/cert.pem`.
* `PROXY_TIMEOUT`: Set the proxy read, connect and send timeout. Defaults to `90s`.
If `TLS_KEY` and `TLS_CERT` are set to a value, and those files do not exist,
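Review bot: The new `BACKEND_VERIFY_CA` entry does not say what the file must contain or when it is used. Suggest stating that it is a PEM file of trusted CA certificates handed to `proxy_ssl_trusted_certificate`, that it only has an effect while `BACKEND_VERIFY` is `on`, and that a backend signed by a private CA needs that CA's file present at the configured path, since the default `/etc/pki/tls/cert.pem` will not contain it.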
......
......@@ -31,6 +31,7 @@ if [ -n "$BACKEND" ]; then
-e "/client_max_body_size.*/a \ \ proxy_ssl_protocols TLSv1.3;" \
-e "/client_max_body_size.*/a \ \ proxy_ssl_session_reuse on;" \
-e "/client_max_body_size.*/a \ \ proxy_ssl_verify ${BACKEND_VERIFY:-on};" \
-e "/client_max_body_size.*/a \ \ proxy_ssl_trusted_certificate ${BACKEND_VERIFY_CA:-/etc/pki/tls/cert.pem};" \
-e "/root\ .*/d" \
-e "/^\ \ location\ \/\ {$/a \ \ \ \ proxy_pass $BACKEND;" \
-e "/^\ \ location\ \/\ {$/a \ \ \ \ proxy_request_buffering off;" \
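Review bot: On the `proxy_ssl_trusted_certificate` line, `${BACKEND_VERIFY_CA:-/etc/pki/tls/cert.pem}` is written into the config without checking that the file exists and is readable, so a wrong path only surfaces when nginx loads the config with verification on. The README describes handling for missing `TLS_KEY` and `TLS_CERT` files; a readability test on the resolved CA path before the sed call, failing with a clear message when `BACKEND_VERIFY` is `on`, would be consistent with that. The value is also expanded unescaped into both the sed expression and the nginx directive, so a path containing whitespace, `;` or a backslash yields a broken config; reject such values or quote the path in the emitted directive.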
......