DougReeder

DougReeder

Reverse_proxy_plug appears to not use :verify and :cacerts arguments

We’re using ReverseProxyPlug in a Phoenix server, and we have been configuring it like so:

opts =
  ReverseProxyPlug.init(
    upstream: url,
    allowed_origins: allowed_origins,
    proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
    # We need to force the host
    # used for ssl verification here so that the connection isn't rejected.
    # Note that we have to convert the authority to a charlist, since this uses Erlang's `ssl` module
    # internally, which expects a charlist.
    client_options: [
      ssl: [
        {:server_name_indication, to_charlist(authority)},
        {:versions, [:"tlsv1.2", :"tlsv1.3"]}
      ]
    ]
  )

Thus, we’ve been getting the log message

~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options ‘cacertfile’ or ‘cacerts’ are required to enable this."

So, I’ve updated to

opts =
  ReverseProxyPlug.init(
    upstream: url,
    allowed_origins: allowed_origins,
    proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
    # We need to force the host
    # used for ssl verification here so that the connection isn't rejected.
    # Note that we have to convert the authority to a charlist, since this uses Erlang's `ssl` module
    # internally, which expects a charlist.
    client_options: [
      ssl: [
        {:server_name_indication, to_charlist(authority)},
        {:versions, [:"tlsv1.2", :"tlsv1.3"]},
        {:verify, :verify_peer},
        {:partial_chain, :auto},
        {:cacerts, :public_key.cacerts_get()}
      ]
    ]
  )

I’ve ensured that root certificates are installed on the system, and are used by openssl:

$ openssl s_client -connect www.archive.org:443

Verify return code: 0 (ok)

But now the proxy request fails, sending a status 502, and we’re still getting the log message

~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options ‘cacertfile’ or ‘cacerts’ are required to enable this."

What should I look at to debug this?

Where Next?

Popular in Questions Top

aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
tduccuong
Hi, is there any work on GUI with Elixir, that is similar to Electron/Javascript? My idea is to bundle Phoenix and BEAM into a single se...
New
nobody
How to bind a phoenix app to a specific ip address? could not find anything about that, nowhere, unfortunately, but for me this is quite...
New
SoCreat
i’m a new one to elixir which editor can i use vs code? or atom? Thanks! :smiley:
New
yawaramin
In the Dialyzer docs ( dialyzer — OTP 29.0.2 (dialyzer 6.0.1) ), there is a way to turn off a specific warning for a function: -dialyzer...
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

Other popular topics Top

skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
greenz1
I have a phoenix application from which a user can download multiple(5-6) files of size 1MB. I couldn’t find anything related to sending ...
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
vegabook
I’m brand new to Phoenix and I have stripped one of the demo applications to the bone. I just want to get an svg up on the screen. Here i...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
gausby
I asked this very same question on twitter and got some interesting feedback, but I thought it would be a good question to ask here as we...
1207 39297 209
New
fayddelight
I tried installing elixir 1.11.2 erlang 23.3.4 via asdf in my zsh shell. Enabled the versions locally and globally. When I list them ...
New
nobody
Hi! In PHP: $_SERVER[‘SERVER_ADDR’] - in Elixir? Searched the docs for ip address and the web, no good results. Thanks!
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 47930 226
New
jononomo
For some reason my phoenix channels are working for me in my local dev environment, but as soon as I deploy via Docker, I get a 403 error...
New

We're in Beta

About us Mission Statement