From 8bdc64ae6892e0a86efb242985b9cfee06c6610f Mon Sep 17 00:00:00 2001
From: Davide Principi
Date: Tue, 12 Mar 2024 19:13:08 +0100
Subject: [PATCH] Fix nginx.conf with TLS verification

When tls_verify is "on", our Nginx configuration seems limited to one backend server only, because the proxy_ssl_name value must match the TLS certificate name. Furthermore we must add the ca-certificates bundle provided by the container image, for the upstream certificate chain verification.
---
 imageroot/templates/nginx.conf.j2 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/imageroot/templates/nginx.conf.j2 b/imageroot/templates/nginx.conf.j2
index 82a0a38..89747ba 100644
--- a/imageroot/templates/nginx.conf.j2
+++ b/imageroot/templates/nginx.conf.j2
@@ -17,11 +17,15 @@ stream {
 listen 127.0.0.1:{{ item.listen_port }};
 proxy_ssl {{ 'on' if item.tls == '1' else 'off' }};
- proxy_ssl_verify {{ 'on' if item.tls_verify == '1' else 'off' }};
+ {%- if item.tls_verify == '1' %}
+ proxy_ssl_verify on;
 proxy_ssl_verify_depth {{ item.tls_verify_depth | default('2') }};
+ proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
+ proxy_ssl_name {{ (item.servers|first).host }};
+ {%- endif %}
 }
 upstream {{ item.domain | replace('.', '_') }} {
- {%- for server in item.servers %}
+ {%- for server in ([item.servers[0]] if item.tls_verify == '1' else item.servers) %}
 server {{ server.host + ':' + server.port + (' backup' if not server.is_local and not loop.index0 == 0 else '') }}; # origin {{ server.origin }}
 {%- endfor %}
 }
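Review bot: `proxy_ssl_name` sets the name that is checked against the upstream certificate, but because `proxy_ssl_server_name` defaults to off nginx does not send that name as SNI, so an upstream serving per-name certificates may answer with a default certificate that fails the new check; unless it is set elsewhere in the template, add `proxy_ssl_server_name on;` next to the `proxy_ssl_name` line. If `server.host` is an IP address rather than a DNS name, the check only passes when the certificate carries that IP in its SAN, which deserves a comment at that line. The hard-coded `/etc/ssl/certs/ca-certificates.crt` means upstreams signed by a private CA fail verification; a template variable defaulting to this path would let operators point at their own bundle. Restricting the upstream to `item.servers[0]` under tls_verify also silently drops failover for the remaining servers, so a template comment such as `{# with tls_verify, only the first server is proxied: proxy_ssl_name must match one certificate name #}` would make that visible. The enclosing `server {}` and `stream {}` blocks start and end outside the hunk.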