We currently have a backend server that listens for SSL requests, and (using SNI) chooses to pass them on to the correct place, or alternatively will serve the requested HTTPS.
Our current configuration is slow (not painfully, just slower than we’d like), and we figured having NGINX do some of the work would speed things up.
Can NGINX pass through some HTTPS requests (by domain) without modifying anything (by checking SNI in the initial packet)? Most (all?) websites indicate that I should decode and encode the traffic (which is not possible because of cases such as https://google.com/).
So ultimately, what would be ideal for us is:
NGINX sits on the network boundary, listening for SSL/TLS connections.
When a new connection comes in, NGINX decides to pass on the TLS connection without touching it OR serve it as a regular HTTPS website (OR depends on domain).
Lastly, is there any current way to achieve X-FORWARDED-FOR with HTTPS? I understand it can’t go into the actual HTTPS request, but figured it could be sent BEFORE the HTTPS decode packet. (The receiving end would have to understand this also.)
For all those things, haproxy is way more adequate.
While HAProxy is able to do some of those things (not sure about X-FORWARDED-FOR workarounds?)
Yes, haproxy supports and pushes the PROXY protocol for this exact reason.
I’d still prefer to use NGINX where possible (for other reasons, such as PageSpeed support, etc)
Well, you can’t use PageSpeed if you forward SSL encrypted TCP traffic,
can you? Perhaps you need a combination between the two?
For example, SNI based routing on a first (HAProxy) layer, passing the SSL encrypted traffic either to nginx, for decryption/pagespeed, etc or directly to a backend (based on SNI).
Is NGINX able to do any of the things mentioned in the question?
I don’t think so, mainly because nginx’ focus is http/https, not TCP forwarding.
I think you’re right. The combination of three may be optimal at this time.
I’ll see what I come up with - I hadn’t heard of the PROXY protocol before (was thinking of something similar though). That’s made my life plenty easier!
While HAProxy is able to do some of those things (not sure about X-FORWARDED-FOR workarounds?), I’d still prefer to use NGINX where possible (for other reasons, such as PageSpeed support, etc)
Is NGINX able to do any of the things mentioned in the question? Specifically, can it sort by SNI hostname without becoming an SSL endpoint?
If not, is there a reason why? (Has it been decided by the community that it’s not a good idea, or has it just not been developed?)
I’ve seen a few similar questions around, but no definitive answer.
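The two mechanisms discussed in this thread, reading the SNI hostname out of the first TLS packet to route a connection without decrypting it, and prepending a PROXY protocol line so the backend still learns the client address, are shown together below in a small Python example. This is an added illustration, not code from the thread or from nginx/haproxy; the backend addresses, hostnames and the constructed ClientHello are test fixtures, and a real proxy would read `first_bytes` from the accepted socket instead.

```python
import struct

# ---- constructed test input: a minimal TLS 1.2 ClientHello record ---------
def build_client_hello(hostname):
    """Build a ClientHello with an SNI extension (or none if hostname is None).
    Constructed for testing only; a real client sends far more than this."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        server_name = b"\x00" + struct.pack(">H", len(name)) + name   # type 0 = host_name
        name_list = struct.pack(">H", len(server_name)) + server_name
        sni_ext = struct.pack(">HH", 0x0000, len(name_list)) + name_list  # ext type 0 = SNI
        extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)      # client_version + random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\x13\x01"        # one cipher suite
            + b"\x01\x00"                # one compression method (null)
            + extensions)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type=1, 3-byte length
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

# ---- the "check SNI in the initial packet" step ---------------------------
def extract_sni(data):
    """Return the SNI hostname from a TLS ClientHello, or None if the bytes are
    not a complete ClientHello or carry no SNI. Nothing is decrypted: the
    ClientHello is plaintext by design, so this is pure parsing."""
    if len(data) < 5 or data[0] != 0x16:              # not a TLS handshake record
        return None
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                             # truncated: wait for more bytes
        return None
    pos = 2 + 32                                       # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                               # compression_methods
    if len(body) < pos + 2:                            # no extensions at all
        return None
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        if etype == 0 and pos + 2 <= len(body):          # server_name extension
            list_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
            p = pos + 2
            while p + 3 <= min(list_end, len(body)):
                ntype = body[p]
                nlen = struct.unpack(">H", body[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return body[p:p + nlen].decode("ascii", errors="replace")
                p += nlen
        pos += elen
    return None

# ---- routing table (constructed addresses) ---------------------------------
ROUTES = {
    "app.example.com": ("10.0.0.10", 443),   # passed through untouched; backend terminates TLS
    "api.example.com": ("10.0.0.11", 8443),
}
DEFAULT_BACKEND = ("127.0.0.1", 8443)        # local HTTPS server that terminates TLS itself

def choose_backend(hostname):
    """Pass through by SNI when a route matches; otherwise serve locally."""
    if hostname is None:
        return DEFAULT_BACKEND
    return ROUTES.get(hostname.lower(), DEFAULT_BACKEND)

def proxy_v1_header(src_ip, src_port, dst_ip, dst_port):
    """PROXY protocol v1 line: sent before the TLS bytes, so the backend learns the
    client address without anything being inserted into the encrypted stream."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode("ascii")

def route_connection(first_bytes, src_ip, src_port, dst_ip="192.0.2.1", dst_port=443):
    """Decide where the connection goes and what the backend should receive."""
    hostname = extract_sni(first_bytes)
    backend = choose_backend(hostname)
    upstream = proxy_v1_header(src_ip, src_port, dst_ip, dst_port) + first_bytes
    return hostname, backend, upstream

if __name__ == "__main__":
    host, backend, wire = route_connection(build_client_hello("api.example.com"), "203.0.113.5", 51234)
    print(host, backend, wire[:45])
```

The parser returns `None` on a truncated ClientHello rather than guessing, which is why a real router buffers until a whole record is available before deciding. Two operational points follow from the code: the PROXY line must be sent only to backends configured to expect it (a backend that is not will treat it as garbage in front of the handshake), and a backend should accept it only from the proxy's own address, since anyone who can send a PROXY line directly could spoof the client IP. This inspect-without-terminating step is what haproxy's `req_ssl_sni` fetch (and, in later nginx releases, the stream module's `ssl_preread`) implements; as the thread notes, a passed-through connection cannot be touched by PageSpeed or any other content-level feature.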
One most important thing: our site has been working with https for 2 months, but after configuring sftp with openssl, it created the problem.
I restored the old settings of sshd_config, as they were when it worked, but am still facing the issue.