DougReeder
Reverse_proxy_plug appears to not use :verify and :cacerts arguments
We’re using ReverseProxyPlug in a Phoenix server, and we have been configuring it like so:
opts =
ReverseProxyPlug.init(
upstream: url,
allowed_origins: allowed_origins,
proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
# We need to force the host
# used for ssl verification here so that the connection isn't rejected.
# Note that we have to convert the authority to a charlist, since this uses Erlang's `ssl` module
# internally, which expects a charlist.
client_options: [
ssl: [
{:server_name_indication, to_charlist(authority)},
{:versions, [:"tlsv1.2", :"tlsv1.3"]}
]
]
)
Thus, we’ve been getting the log message
~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options ‘cacertfile’ or ‘cacerts’ are required to enable this."
So, I’ve updated to
opts =
ReverseProxyPlug.init(
upstream: url,
allowed_origins: allowed_origins,
proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
# We need to force the host
# used for ssl verification here so that the connection isn't rejected.
# Note that we have to convert the authority to a charlist, since this uses Erlang's `ssl` module
# internally, which expects a charlist.
client_options: [
ssl: [
{:server_name_indication, to_charlist(authority)},
{:versions, [:"tlsv1.2", :"tlsv1.3"]},
{:verify, :verify_peer},
{:partial_chain, :auto},
{:cacerts, :public_key.cacerts_get()}
]
]
)
I’ve ensured that root certificates are installed on the system, and are used by openssl:
$ openssl s_client -connect www.archive.org:443
…
Verify return code: 0 (ok)
But now the proxy request fails, sending a status 502, and we’re still getting the log message
~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options ‘cacertfile’ or ‘cacerts’ are required to enable this."
What should I look at to debug this?
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








