Hello!
I want to proxy ssl connections to a backend without a certificate but it
isn't working:
    server {
        listen x.x.x.x:443;
        location / {
            proxy_pass https://y.y.y.y:443;
        }
    }
I tried to use an approach like this (client auth with self generated
cert), but it didn't work too:
    server {
        listen x.x.x.x:443 ssl;
        ssl on;
        ssl_certificate /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;
        ssl_client_certificate /etc/nginx/certs/ca.crt;
        ssl_verify_client optional;
        location / {
            proxy_pass https://y.y.y.y:443;
        }
    }
Must I have the customer certificate to proxy this kind of request or
there is another way to do this?
Tks!
Edmund
on 2012-11-22 04:22
on 2012-11-22 04:27
On Thu, Nov 22, 2012 at 10:21 AM, Edmund Lhot <edmund.lhot@gmail.com> wrote:
> }
>
> I tried to use an approach like this (client auth with self generated cert),
> but it didn't work too:
>

How is it not working?

> location / {
> proxy_pass https://y.y.y.y:443;
>
> }
> }
>
> Must I have the customer certificate to proxy this kind of request or there
> is another way to do this?
>

I think the one you want is tcp layer proxying/balancing which is not
what nginx can do. Try using HAProxy instead.
on 2012-11-22 04:48
On Thu, Nov 22, 2012 at 1:27 AM, Edho Arief <edho@myconan.net> wrote:
> > proxy_pass https://y.y.y.y:443;
> > }
> > }
> >
> > I tried to use an approach like this (client auth with self generated cert),
> > but it didn't work too:
> >
>
> How is it not working?
>

2012/11/22 01:34:00 [error] 17649#0: *234 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: z.z.z.z, server: x.x.x.x:443

> >
> >

In this way proxy worked but not using the backend certificate, so I got
these messages in my browser. :(

The identity of this website has not been verified.
Server's certificate does not match the URL.
Server's certificate is not trusted.

> I think the one you want is tcp layer proxying/balancing which is not
> what nginx can do. Try using HAProxy instead.
>

I'll try. Tks.
on 2012-11-22 04:56
> In this way proxy worked but not using the backend certificate, so I got
> these messages in my browser. :(
> The identity of this website has not been verified.
> Server's certificate does not match the URL.
> Server's certificate is not trusted.

You need to use/configure the same SSL certificates on nginx as on the
backend eg just proxy_pass'ing to backend won't work.

But is there a reason for "talking" to backend via https? The common
approach (also better performance) is offloading the SSL to nginx and
proxying via plain http.

> I think the one you want is tcp layer proxying/balancing which is not what
> nginx can do.

Not exactly true https://github.com/yaoweibin/nginx_tcp_proxy_module , but
that is kind of another topic.

rr
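
The two approaches discussed in this thread, side by side, as an added example that is not from any of the posters: TCP pass-through (here with nginx's own stream module, which postdates the thread) and TLS termination on nginx. The names www.example.com and backend.internal, the backend port 80 and the backend-ca.crt path are assumptions; x.x.x.x and y.y.y.y are the thread's placeholders.

```nginx
# Added example, not from the thread. Use ONE option: both bind x.x.x.x:443.

# Option A: TCP pass-through. Top-level context, needs the stream module
# (nginx 1.9.0 or later). nginx holds no certificate or key: the handshake
# is between browser and backend, so the browser sees the backend's cert.
stream {
    server {
        listen     x.x.x.x:443;
        proxy_pass y.y.y.y:443;
    }
}

# Option B: terminate TLS on nginx. Goes inside http {}. The certificate
# must be valid for the name clients use, or browsers show the
# "does not match the URL" / "not trusted" warnings quoted in the thread.
server {
    listen              x.x.x.x:443 ssl;
    server_name         www.example.com;          # assumed public name
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    location / {
        # Plain HTTP to the backend, as suggested in the last reply.
        proxy_pass       http://y.y.y.y:80;       # port 80 is an assumption
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # If the backend leg must stay HTTPS, use these instead of the
        # proxy_pass above. Upstream certificates are not verified by
        # default (proxy_ssl_verify off), so turn verification on.
        # proxy_pass                    https://y.y.y.y:443;
        # proxy_ssl_verify              on;
        # proxy_ssl_trusted_certificate /etc/nginx/certs/backend-ca.crt;
        # proxy_ssl_name                backend.internal;
    }
}
```

With Option A nginx cannot read or modify the HTTP traffic and access logs contain only connection-level data; with Option B the private key for the public name lives on the nginx host and must be protected there.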