add docs about ssl verify for proxy pass http client

leafo · leafo · commit 6dbfb5b1ebc8 · 2026-01-27T09:57:53.000-08:00
diff --git a/docs/utilities.md b/docs/utilities.md
@@ -671,6 +671,26 @@ location /proxy {
 > This code ensures that the correct headers are set for the subrequest that is
 > created.
 
+#### Enabling SSL Verification
+
+By default, nginx's `proxy_pass` does not verify SSL certificates. To enable
+SSL verification, add the following directives to your `/proxy` location:
+
+```nginx
+location /proxy {
+  # ... existing configuration ...
+
+  proxy_ssl_verify on;
+  proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+}
+```
+
+The path to the CA certificates file varies by operating system:
+
+* Debian/Ubuntu/Gentoo/Arch Linux: `/etc/ssl/certs/ca-certificates.crt`
+* RHEL/CentOS/Fedora: `/etc/pki/tls/certs/ca-bundle.crt`
+* Alpine: `/etc/ssl/cert.pem`
+
 Additionally, in the nginx `location` that processes your Lapis requests, you
 need to define the `$_url` variable, which will hold the request URL.
 
diff --git a/lapis/nginx/http.moon b/lapis/nginx/http.moon
@@ -25,6 +25,10 @@
 --     resolver 8.8.8.8;
 --     proxy_http_version 1.1;
 --     proxy_pass $_url;
+--
+--     # Enable SSL certificate verification
+--     proxy_ssl_verify on;
+--     proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 -- }
 --
 --
