19 changes: 16 additions & 3 deletions internal/configs/oidc/oidc.conf
@@ -12,7 +12,12 @@
proxy_cache jwk; # Cache the JWK Set received from IdP
proxy_cache_valid 200 12h; # How long to consider keys "fresh"
proxy_cache_use_stale error timeout updating; # Use old JWK Set if cannot reach IdP
proxy_ssl_server_name on; # For SNI to the IdP

proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle
Copilot AI Nov 17, 2025

The hardcoded path /etc/ssl/certs/ca-certificates.crt assumes a Debian/Ubuntu-based system. This path may not exist on other Linux distributions (e.g., RHEL/CentOS uses /etc/pki/tls/certs/ca-bundle.crt, Alpine uses /etc/ssl/cert.pem). Consider making this configurable or documenting the platform requirement.

proxy_method GET; # In case client request was non-GET
proxy_set_header Content-Length ""; # ''
proxy_pass $oidc_jwt_keyfile; # Expecting to find a URI here
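Review bot: the new `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` line hardcodes the Debian/Ubuntu bundle path, and because `proxy_ssl_verify on;` is now set in the same block, a missing or differently located bundle makes every JWK Set fetch from `$oidc_jwt_keyfile` fail closed with a TLS verification error instead of silently proxying as before. Either document the expected bundle location alongside the other deployment requirements, or move the four `proxy_ssl_*` lines into one `include`d snippet so the path is set in a single place; the same four lines are repeated verbatim in the two hunks that follow, and a shared snippet also keeps them from drifting apart.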
@@ -42,7 +47,11 @@
# Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
proxy_pass_request_headers off;

proxy_ssl_server_name on; # For SNI to the IdP
proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle

proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization $arg_secret_basic;
proxy_pass $oidc_token_endpoint;
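Review bot: this block forwards the client credentials (`proxy_set_header Authorization $arg_secret_basic;`) to `$oidc_token_endpoint`, so `proxy_ssl_verify on;` here is the change that stops the client secret from being sent over an unverified TLS connection; that is worth stating explicitly in the commit message or changelog so it is read as a security fix rather than a config tidy-up. The comment on `proxy_ssl_verify_depth 2;` should also note that nginx's default is 1 and that an IdP whose chain has more than two CA certificates above the leaf will still fail verification with this value, since the comment currently reads as if 2 were a generous upper bound.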
@@ -57,7 +66,11 @@
# Exclude client headers to avoid CORS errors with certain IdPs (e.g., Microsoft Entra ID)
proxy_pass_request_headers off;

proxy_ssl_server_name on; # For SNI to the IdP
proxy_ssl_verify on; # Enforce TLS certificate verification
proxy_ssl_verify_depth 2; # Allow intermediate CA chains of depth 2
proxy_ssl_server_name on; # Send SNI to IdP host
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; # Use system CA bundle

proxy_set_header Content-Type "application/x-www-form-urlencoded";
proxy_set_header Authorization $arg_secret_basic;
proxy_pass $oidc_token_endpoint;
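Review bot: in this hunk, as in the two before it, the unchanged `proxy_ssl_server_name on;` directive is deleted and re-added only to reword its comment from `# For SNI to the IdP` to `# Send SNI to IdP host`, which accounts for all 3 deletions in the file and hides that the only functional change is the three added `proxy_ssl_verify`, `proxy_ssl_verify_depth` and `proxy_ssl_trusted_certificate` directives. Leaving that line in place (or rewording the comment in a separate commit) would make the security-relevant change easier to review and to bisect later.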