Syntax: proxy_ssl_verify_depth number;
Default: proxy_ssl_verify_depth 1;
Context: http, server, location
This directive appeared in version 1.7.0.
Sets the verification depth of the proxied HTTPS server's certificate chain.
1-1. Preparation
a. Root CA certificate
a-1. Root CA openssl config file
# openssl_root.conf
# Root CA configuration. [ ca ] / [ CA_default ] drive `openssl ca` (signing);
# [ req ] / [ req_distinguished_name ] drive `openssl req` (key, CSR, self-signed cert).
# NOTE: this file is read by OpenSSL's own config parser, where `#` starts a comment
# anywhere on a line and `$dir` is expanded from the `dir` key of the same section.
# It is not portable to generic INI parsers.
[ ca ]
default_ca = CA_default
[ CA_default ]
# The root CA's working tree is the current directory, so every $dir path below is
# resolved relative to wherever `openssl ca` is invoked from.
dir = .
# Mandatory option
new_certs_dir = $dir/newcerts # new certificates
database = $dir/index.txt # index file
serial = $dir/serial # serial number file
# NOTE(review): nothing in this file restricts access to private/; it must be kept
# readable by the CA operator only.
private_key = $dir/private/ca.www.root_ca.com.key # CA private key
certificate = $dir/certs/ca.www.root_ca.com.crt # CA cert
# Signature digest for certificates this CA issues.
default_md = sha512
# No default_days is set, so the validity period presumably has to be given with
# -days on every `openssl ca` invocation — TODO confirm against the signing commands.
policy = policy_loose
[ policy_loose ]
# "match" then the field value must match the same field in the CA certificate.
# "supplied" then it must be present.
# "optional" then it may be present.
# Only commonName is required in a request; every other DN field is accepted as
# submitted and never compared with the CA certificate.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
# Extensions applied only when `openssl req -x509` self-signs, i.e. to the root
# certificate itself. v3_intermediate_ca and server_cert are not referenced from
# here; presumably they are selected with -extensions on the `openssl ca` command line.
x509_extensions = v3_ca
[ req_distinguished_name ]
# Prompt text shown by `openssl req` for each DN field.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ v3_ca ]
# No pathlen is set, so certificates with this profile may sign further CAs at any
# depth; chain length is then bounded only by the verifier (here nginx's
# proxy_ssl_verify_depth), not by the CA itself.
basicConstraints = critical, CA:true # This cert is CA certificate.
[ v3_intermediate_ca ]
# Same as v3_ca: no pathlen, so an intermediate issued with this profile can in
# turn issue more intermediates. A pathlen constraint here would let the CA cap
# the chain depth independently of client settings — TODO consider.
basicConstraints = critical, CA:true # This intermediate cert is CA certificate.
[ server_cert ]
# End-entity profile: only basicConstraints is set. No keyUsage, extendedKeyUsage
# or subjectAltName is defined here, and [ CA_default ] sets no copy_extensions, so
# a SAN carried in the CSR will not be copied into the issued certificate.
basicConstraints = CA:FALSE
# openssl_intermediate_ca.conf
# First-level intermediate CA configuration; same layout as the root CA config,
# differing only in the working directory and key/certificate file names.
# Read by OpenSSL's config parser (`#` comments anywhere on a line, `$dir` expansion).
[ ca ]
default_ca = CA_default
[ CA_default ]
# Working tree is ./intermediate, i.e. `openssl ca` with this config is expected to
# run from the root CA directory (the one the root config treats as `.`).
dir = ./intermediate
# Mandatory option
new_certs_dir = $dir/newcerts # new certificates
database = $dir/index.txt # index file
serial = $dir/serial # serial number file
# NOTE(review): access to private/ is not restricted by this file; keep it operator-only.
private_key = $dir/private/int.www.intermediate_ca.com.key # CA private key
certificate = $dir/certs/int.www.intermediate_ca.com.crt # CA cert
default_md = sha512
# No default_days: validity presumably comes from -days on the command line — TODO confirm.
policy = policy_loose
[ policy_loose ]
# "match" then the field value must match the same field in the CA certificate.
# "supplied" then it must be present.
# "optional" then it may be present.
# Only commonName is required; other DN fields are accepted without checks.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
# Only used by `openssl req -x509`; an intermediate CSR signed by the root CA gets
# its extensions from whatever -extensions section the signing command names.
x509_extensions = v3_ca
[ req_distinguished_name ]
# Prompt text for each DN field.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ v3_ca ]
# CA profile without a pathlen limit.
basicConstraints = critical, CA:true # This cert is CA certificate.
[ v3_intermediate_ca ]
# CA profile without a pathlen limit: a CA issued with it may sign further CAs.
basicConstraints = critical, CA:true # This intermediate cert is CA certificate.
[ server_cert ]
# End-entity profile; no keyUsage/extendedKeyUsage/subjectAltName is set here and
# copy_extensions is unset in [ CA_default ], so CSR extensions are not carried over.
basicConstraints = CA:FALSE
b-2. make directory
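# Working tree for the intermediate CA, matching `dir = ./intermediate` in
# openssl_intermediate_ca.conf; run from the root CA directory.
# Chain mkdir and cd so an existing tree is never re-initialised: the
# `echo > serial` below would otherwise overwrite a live CA's serial counter,
# and a failed cd would scatter the CA files into the wrong directory.
mkdir intermediate && cd intermediate || exit 1
mkdir newcerts certs private csr
# private/ will hold the CA key; with the usual umask it would be world-readable,
# so restrict it to the owner.
chmod 700 private
touch index.txt
touch index.txt.attr
# starting serial number for this CA (next_intermediate starts at 3000)
echo 2000 > serial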
# openssl_next_intermediate_ca.conf
# Second-level intermediate CA configuration (the CA directly above the server
# certificate); same layout as the other CA configs.
# Read by OpenSSL's config parser (`#` comments anywhere on a line, `$dir` expansion).
[ ca ]
default_ca = CA_default
[ CA_default ]
# NOTE(review): this tree is created as intermediate/next_intermediate, but dir is
# ./next_intermediate, so `openssl ca` with this config presumably has to run from
# inside intermediate/ — unlike the other configs, which resolve from the root CA
# directory. Either run it from there or use ./intermediate/next_intermediate — TODO confirm.
dir = ./next_intermediate
# Mandatory option
new_certs_dir = $dir/newcerts # new certificates
database = $dir/index.txt # index file
serial = $dir/serial # serial number file
# NOTE(review): access to private/ is not restricted by this file; keep it operator-only.
private_key = $dir/private/int.www.next_intermediate_ca.com.key # CA private key
certificate = $dir/certs/int.www.next_intermediate_ca.com.crt # CA cert
default_md = sha512
# No default_days: validity presumably comes from -days on the command line — TODO confirm.
policy = policy_loose
[ policy_loose ]
# "match" then the field value must match the same field in the CA certificate.
# "supplied" then it must be present.
# "optional" then it may be present.
# Only commonName is required; other DN fields are accepted without checks.
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
# Only used by `openssl req -x509`; when this CA's CSR is signed by the first
# intermediate, the extensions come from the -extensions section named at signing.
x509_extensions = v3_ca
[ req_distinguished_name ]
# Prompt text for each DN field.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ v3_ca ]
# CA profile without a pathlen limit.
basicConstraints = critical, CA:true # This cert is CA certificate.
[ v3_intermediate_ca ]
# CA profile without a pathlen limit. For the lowest intermediate, pathlen:0 would
# stop it from issuing further CAs — TODO consider.
basicConstraints = critical, CA:true # This intermediate cert is CA certificate.
[ server_cert ]
# Profile for the server certificate this CA issues: only basicConstraints. No
# keyUsage/extendedKeyUsage/subjectAltName here, and copy_extensions is unset in
# [ CA_default ], so the SAN from openssl_server.conf's CSR is not copied over.
basicConstraints = CA:FALSE
c-2. make directory
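# Working tree for the second-level intermediate CA, created from the root CA
# directory. Note openssl_next_intermediate_ca.conf uses `dir = ./next_intermediate`,
# so `openssl ca` with that config is presumably run from inside intermediate/.
# Chain mkdir and cd so an existing tree is never re-initialised (the
# `echo > serial` below would overwrite a live CA's serial counter) and a failed
# cd does not scatter the CA files into the wrong directory.
mkdir intermediate/next_intermediate && cd intermediate/next_intermediate || exit 1
mkdir newcerts certs private csr
# private/ will hold the CA key; with the usual umask it would be world-readable,
# so restrict it to the owner.
chmod 700 private
touch index.txt
touch index.txt.attr
# starting serial number for this CA (the first intermediate starts at 2000)
echo 3000 > serial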
# openssl_server.conf
# `openssl req` configuration for the server (end-entity) key and CSR.
[ req ]
# RSA key size used when `openssl req` generates the key without an explicit size.
default_bits = 2048
distinguished_name = req_distinguished_name
# Extensions embedded in the CSR (as opposed to x509_extensions, which only apply
# to a self-signed certificate).
req_extensions = req_ext
[ req_distinguished_name ]
# Prompt text for each DN field.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
# NOTE(review): a SAN in the CSR only reaches the issued certificate if the signing
# CA copies it (copy_extensions in its [ CA_default ]) or the SAN is supplied at
# signing time; none of the CA configs in this write-up set copy_extensions — TODO confirm.
subjectAltName = @alt_names
[alt_names]
# Wildcard DNS names the server certificate should be valid for; the name nginx
# verifies the upstream against must be covered by one of these.
DNS.1 = *.my_server.org
DNS.2 = *.my_server.net
$ curl proxy_domain_name
<!DOCTYPE html><html><head><title>Welcome to nginx!</title><style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style></head><body><h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p><p><em>Thank you for using nginx.</em></p></body></html>
$