From 8d738c962b73a655798d0a5be9b217446c54a566 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 29 Jan 2021 20:43:32 +0200
Subject: [PATCH] Validate secure proxied servers.

Use the CA certificate bundle and set the verification depth (for
intermediate certificates). Right now for Vouch.
---
 conf.d/global.conf | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/conf.d/global.conf b/conf.d/global.conf
index 02ef4da..a6472ba 100644
--- a/conf.d/global.conf
+++ b/conf.d/global.conf
@@ -1,7 +1,11 @@
 # The resolver for the Docker network.
-resolver        127.0.0.11 valid=30s;
-gzip            on;
-tcp_nopush      on;
-tcp_nodelay     on;
-server_tokens   off;
-include         snippets/common-headers.conf;
+resolver                        127.0.0.11 valid=30s;
+gzip                            on;
+tcp_nopush                      on;
+tcp_nodelay                     on;
+server_tokens                   off;
+include                         snippets/common-headers.conf;
+# Validate proxied SSL connections.
+proxy_ssl_trusted_certificate   /etc/ssl/certs/ca-certificates.crt;
+proxy_ssl_verify                on;
+proxy_ssl_verify_depth          4;
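Review bot: The new `proxy_ssl_verify on;` block leaves `proxy_ssl_server_name` at its default of off, so nginx sends no SNI when it opens the TLS connection to the proxied server, while the certificate it receives is still checked against the host taken from `proxy_pass` (or `proxy_ssl_name`); an upstream that selects its certificate by SNI will present its default certificate and fail verification rather than be accepted, so if the Vouch upstream relies on SNI, `proxy_ssl_server_name on;` belongs next to these three lines. The comment `# Validate proxied SSL connections.` would be more useful if it also recorded what the depth covers, e.g. `# Validate proxied SSL connections against the system CA bundle; depth 4 allows a leaf plus intermediates (default 1 accepts only a leaf signed directly by a trusted CA).` As these directives sit in the global file they apply to every `proxy_pass` to an https upstream, not only Vouch, which is presumably intended given the description.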
-- 
GitLab