Disable Peer verification for the proxy

Proxy module does attempt to verify if service does contain the
host name of the peer in destination CNs/SAN [1].

At the moment we disable the check, as leaving it in place might
have an unexpected impact on deployments with user-provided
certificates which need to be re-issued to add management_address
to CNs.

[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeername

Closes-Bug: #2115487
Change-Id: Ida475087736984a2f9237d3c7b1a509166d3a623
Signed-off-by: Dmitriy Rabotyagov <dmitriy.rabotyagov@cleura.com>
Dmitriy Rabotyagov
2025-07-10 12:50:32 +02:00
parent acf461ec7d
commit ef750725f5
2 changed files with 5 additions and 0 deletions

@@ -0,0 +1,4 @@
---
fixes:
- |
Skyline is now functional for scenario with internal TLS coverage.
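
Review bot: the release note text "Skyline is now functional for scenario with internal TLS coverage." does not mention that the fix works by switching off peer name checking for the proxy. An operator who reads only the release notes would not learn that the hostname comparison against the backend certificate's CN/SAN is no longer performed. Suggest saying so explicitly (for example in a `security:` section next to `fixes:`), naming `SSLProxyCheckPeerName off`, and noting, as the commit message does, that this is the current state until user-provided certificates include management_address. Minor wording: "for scenario" reads better as "for scenarios".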

@@ -86,6 +86,7 @@ _skyline_service_locations: |-
_skyline_proxy_ssl_options:
- "SSLProxyEngine On"
- "SSLProxyCheckPeerName off"
- "SSLProxyProtocol {{ skyline_ssl_protocol }}"
- "{{ skyline_ssl_cipher_suite_tls12 | ternary('SSLProxyCipherSuite ' ~ skyline_ssl_cipher_suite_tls12, '') }}"
- "{{ skyline_ssl_cipher_suite_tls13 | ternary('SSLProxyCipherSuite TLSv1.3 ' ~ skyline_ssl_cipher_suite_tls13, '') }}"
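
Review bot: `SSLProxyCheckPeerName off` is added as a fixed string in `_skyline_proxy_ssl_options`, so a deployment whose certificates already carry the expected names has no supported way to keep the check enabled. The neighbouring entries are all driven by variables (`skyline_ssl_protocol`, `skyline_ssl_cipher_suite_tls12`, `skyline_ssl_cipher_suite_tls13`); suggest exposing this one the same way, with a default that preserves the behaviour of this change, so operators can turn the check back on. A short comment above the line referencing the bug would also give the "at the moment" in the commit message a place to be revisited once certificates are re-issued.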