Reverse proxy requests are made without upstream server validation #742
Description
Whenever a reverse proxy request is made (for example, to Icosa) the following message is logged:
```
~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
```
Our existing code for redirects initializes ReverseProxyPlug like so:
```elixir
opts =
  ReverseProxyPlug.init(
    upstream: url,
    allowed_origins: allowed_origins,
    proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
    # We need to force the host used for ssl verification here so that
    # the connection isn't rejected.
    # Note that we have to convert the authority to a charlist, since this
    # uses Erlang's `ssl` module internally, which expects a charlist.
    client_options: [
      ssl: [
        {:server_name_indication, to_charlist(authority)},
        {:versions, [:"tlsv1.2", :"tlsv1.3"]}
      ]
    ]
  )
```
To validate the upstream server, this configuration would appear to be correct:
```elixir
opts =
  ReverseProxyPlug.init(
    upstream: url,
    allowed_origins: allowed_origins,
    proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
    # We need to force the host used for ssl verification here so that
    # the connection isn't rejected.
    # Note that we have to convert the authority to a charlist, since this
    # uses Erlang's `ssl` module internally, which expects a charlist.
    client_options: [
      ssl: [
        {:server_name_indication, to_charlist(authority)},
        {:versions, [:"tlsv1.2", :"tlsv1.3"]},
        {:verify, :verify_peer},
        {:partial_chain, :auto},
        {:cacerts, :public_key.cacerts_get()}
      ]
    ]
  )
```
... along with installing certificate authority certificates, that is, in TurkeyDockerfile, changing

```dockerfile
RUN apk update && apk add --no-cache bash openssl-dev openssl jq libstdc++ coreutils
```

to

```dockerfile
RUN apk update && apk add --no-cache bash openssl-dev openssl jq libstdc++ coreutils ca-certificates
```
And verifying that with

```sh
kubectl exec -it reticulum-6d8b76ddb5-pr42s -- sh
```

then

```sh
openssl s_client -connect www.archive.org:443
```

which returns (among other things)

```
Verify return code: 0 (ok)
```
However, with this, proxy requests fail with a 502 status, and the message is still logged:
```
~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
```
So it's not clear what needs to be done to validate upstream servers when reverse proxying.
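The following is an added diagnostic example, not code from this issue, from reticulum or from ReverseProxyPlug. It exercises the same `:ssl` option set the issue proposes directly against an upstream, so that "does the trust store load and does the chain validate?" can be answered independently of how ReverseProxyPlug forwards `client_options` to its HTTP client. It assumes OTP 25 or newer (for `:public_key.cacerts_get/0`) and, inside the container, an installed OS CA bundle (the `ca-certificates` package above). The module name `UpstreamTlsCheck` and its function names are the example's own.

```elixir
# Added example: checks upstream certificate validation with Erlang's :ssl
# module, outside of ReverseProxyPlug. Assumes OTP >= 25 and an OS CA bundle.
defmodule UpstreamTlsCheck do
  @moduledoc """
  Diagnostic helper: connects to an upstream with peer verification enabled
  and reports whether its certificate chain validates against the OS trust
  store. Returns {:ok, protocol} on success or {:error, reason} otherwise.
  """

  # Options that actually enable certificate path validation. Erlang's ssl
  # requires BOTH {:verify, :verify_peer} AND a trust store (:cacerts or
  # :cacertfile); with either one missing it logs the "Server authenticity is
  # not verified" warning and accepts any certificate the upstream presents.
  def verified_ssl_opts(authority) when is_binary(authority) do
    [
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      depth: 3,
      # SNI must carry the real upstream host, as in the issue's configuration.
      server_name_indication: to_charlist(authority),
      # Allow wildcard certificates (e.g. *.example.org) during hostname matching.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ],
      versions: [:"tlsv1.2", :"tlsv1.3"]
    ]
  end

  # The original, unverified option set from the issue, kept only so the two
  # can be compared side by side: no trust store and no :verify_peer.
  def unverified_ssl_opts(authority) when is_binary(authority) do
    [
      server_name_indication: to_charlist(authority),
      versions: [:"tlsv1.2", :"tlsv1.3"]
    ]
  end

  @doc """
  Opens a verified TLS connection to `authority`:`port`, closes it, and
  returns the negotiated protocol. Distinguishes three failure modes:
  no trust store on the host, an option :ssl rejects, and a handshake or
  chain-validation failure (for example {:tls_alert, {:unknown_ca, _}}).
  """
  def check(authority, port \\ 443, timeout \\ 5_000) do
    {:ok, _} = Application.ensure_all_started(:ssl)

    with {:ok, opts} <- build_opts(authority),
         {:ok, sock} <- :ssl.connect(to_charlist(authority), port, opts, timeout) do
      {:ok, info} = :ssl.connection_information(sock, [:protocol])
      :ok = :ssl.close(sock)
      {:ok, Keyword.fetch!(info, :protocol)}
    end
  end

  # :public_key.cacerts_get/0 raises when it cannot find an OS trust store,
  # which is exactly the situation in an Alpine image without ca-certificates.
  # Surface that as a distinct error instead of letting it crash the caller.
  defp build_opts(authority) do
    {:ok, verified_ssl_opts(authority)}
  rescue
    e -> {:error, {:no_trust_store, Exception.message(e)}}
  end
end

# Usage (hypothetical run inside the reticulum container):
#   UpstreamTlsCheck.check("www.archive.org")
# succeeds with {:ok, :"tlsv1.3"} (or :"tlsv1.2") when the chain validates,
# returns {:error, {:no_trust_store, _}} when the CA bundle is missing, and
# returns {:error, {:options, _}} when :ssl rejects one of the options.
```

Running `check/1` separates the failure modes that a 502 from the proxy collapses into one: a missing CA bundle shows up as `{:error, {:no_trust_store, _}}` before any connection is attempted, an option that `:ssl` does not accept comes back as `{:error, {:options, _}}` from `:ssl.connect/4`, and a chain that does not validate comes back as a TLS alert such as `{:error, {:tls_alert, {:unknown_ca, _}}}`. Once `check/1` returns `{:ok, _}` for the upstream, the option keyword list in `verified_ssl_opts/1` is known to be a valid, verifying configuration, and any remaining warning must come from how the proxy library passes (or does not pass) those options to the underlying client.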