oss-sec mailing list archives

Portus, missing certificate validation on proxified https traffic


From: Raphael Geissert <atomo64 () gmail com>
Date: Wed, 7 Mar 2018 14:34:06 +0100

Hi,

Taking another look at portus, this time at the nginx sample
configuration[1], I noticed that it doesn't enable certificate
validation of the proxified traffic that is forwarded to portus and
registry.

Given that the documentation claims the examples are of "A
production-ready setup where all communication is encrypted."[2], I
plan to request a CVE id.

The details:

The example nginx configuration is based on running nginx as a
reverse-proxy of portus and (docker) registry. The docker-compose
provided along with the nginx config sets up a certificate[3] for both
components (first smell: only one certificate).

The one and only certificate is also configured on the reverse proxy,
and a decent ciphers list among other security-related http headers
are set up.

But there's no single proxy_ssl_* directive in the whole nginx
configuration (second smell). Meaning that proxy_ssl_verify is off
(nginx default).

Has anyone reviewed portus? This is the second missing certificate
verification I noticed.

CC'ing the SUSE security team.

Oh and it appears that this one comes from the
Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of
the NGinx configuration"[2] :
https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57

CC'ing Avi Miller.

[1] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
[2] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
[3] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
[4] https://github.com/Djelibeybi/Portus-On-OracleLinux7


Cheers,
-- 
Raphael Geissert
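
One way to check an nginx configuration for the gap described in the message above: an added example, not part of the original post and not code from the Portus project. The embedded configuration is constructed for illustration (hostnames, ports and the CA path are placeholders), and the parser is simplified: it does not follow include directives.

```python
import re
# Constructed sample, not the Portus file: hostnames, ports and the CA path are placeholders.
SAMPLE = """
http {
  server {
    location /v2/ {
      proxy_pass https://registry:5000;   # no proxy_ssl_* here: nginx default is verify off
    }
    location / {
      proxy_pass https://portus:3000;
      proxy_ssl_verify on;
      proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
    }
  }
}
"""

TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(tokens):
    """Parse one block into {'set': directives, 'pass': proxy_pass URLs, 'kids': sub-blocks}."""
    block, words = {"set": {}, "pass": [], "kids": []}, []
    for tok in tokens:
        if tok == ";":
            if len(words) > 1 and words[0] == "proxy_pass":
                block["pass"].append(words[1].strip("\"'"))
            elif words:
                block["set"][words[0]] = words[1:]
            words = []
        elif tok == "{":          # block header words (e.g. "location /") are not needed
            block["kids"].append(parse(tokens))
            words = []
        elif tok == "}":
            return block
        else:
            words.append(tok)
    return block

def unverified_upstreams(conf):
    """Return every https:// proxy_pass target whose effective proxy_ssl_verify is not 'on'."""
    found = []
    def walk(block, inherited):
        eff = {**inherited, **block["set"]}   # simple directives inherit from outer levels
        if eff.get("proxy_ssl_verify") != ["on"]:
            found.extend(u for u in block["pass"] if u.lower().startswith("https://"))
        for kid in block["kids"]:
            walk(kid, eff)
    walk(parse(t for t in TOKEN.findall(conf) if not t.startswith("#")), {})
    return found
```

On the constructed sample, unverified_upstreams(SAMPLE) reports only the registry upstream, because the second location turns proxy_ssl_verify on and names a CA file.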

