NGINX SSL passthrough without certificate

We currently have a backend server that listens for SSL requests, and (using SNI) chooses to pass them on to the correct place, or alternatively will serve the requested HTTPS.

Our current configuration is slow (not painfully, just slower than we’d like), and we figured having NGINX do some of the work would speed things up.

Can NGINX pass through some HTTPS requests (by domain) without modifying anything (by checking SNI in the initial packet)? Most (all?) websites indicate that I should decode and encode the traffic (which is not possible because of cases such as https://google.com/).

So ultimately, what would be ideal for us is:

  1. NGINX sits on the network boundary, listening for SSL/TLS connections
  2. When a new connection comes in, NGINX decides to pass on the TLS connection without touching it OR serve it as a regular HTTPS website (OR depends on domain)

Lastly, is there any current way to achieve X-FORWARDED-FOR with HTTPS? I understand it can’t go into the actual HTTPS request, but figured it could be sent BEFORE the HTTPS decode packet. (The receiving end would have to understand this also.)

Posted at Nginx Forum:

Hi,

> indicate that I should decode and encode the traffic (which is not be
> be sent BEFORE the HTTPS decode packet. (the receiving end would have to
> understand this also)

For all those things, haproxy is way more adequate.

Regards,

Lukas

Hi,

> Hi Lukas,
>
> While HAProxy is able to do some of those things (not sure about
> X-FORWARDED-FOR workarounds?)

Yes, haproxy supports and pushes the PROXY protocol for this exact reason.

> I’d still prefer to use NGINX where possible
> (for other reasons, such as PageSpeed support, etc)

Well, you can’t use PageSpeed if you forward SSL encrypted TCP traffic, can you? Perhaps you need a combination between the two?

For example, SNI based routing on a first (HAProxy) layer, passing the SSL encrypted traffic either to nginx, for decryption/pagespeed, etc., or directly to a backend (based on SNI).

> Is NGINX able to do any of the things mentioned in the question?

I don’t think so, mainly because nginx’ focus is http/https, not TCP forwarding.

Regards,

Lukas
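The two mechanisms the thread circles around, as an added example that is not from the thread, nginx or HAProxy: the routing step the original question describes (read the SNI from the first packet, then either pass the TLS bytes on untouched or hand them to the local HTTPS server, without holding any certificate for the passthrough hosts), and the PROXY protocol v1 line Lukas points to as the way to carry the client address ahead of the encrypted stream. The hostnames, backend addresses, the local listener port and the ClientHello bytes are all constructed for the example.

```python
import ipaddress
import struct

TLS_HANDSHAKE = 0x16       # TLS record type: handshake
CLIENT_HELLO = 0x01        # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # server_name extension (RFC 6066)

# Assumed routing table: listed hosts are passed through untouched; anything
# else, including clients that send no SNI (https://<ip>/), is terminated locally.
PASSTHROUGH_BACKENDS = {
    "mail.example.com": ("10.0.0.5", 443),   # assumed backend
    "api.example.com": ("10.0.0.6", 443),    # assumed backend
}
LOCAL_HTTPS = ("127.0.0.1", 8443)            # assumed local nginx https listener

def parse_sni(data: bytes):
    """SNI hostname (lower-cased) from a raw TLS ClientHello, or None when the
    bytes are not a complete ClientHello or carry no server_name extension."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        return None                  # incomplete record: read more first
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                           # version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            p = 2                                              # skip list length
            while p + 3 <= len(ext):
                ntype, nlen = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                                 # host_name
                    return ext[p:p + nlen].decode("ascii").lower()
                p += nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def build_client_hello(hostname=None) -> bytes:
    """Constructed ClientHello (zero random, one cipher suite), optional SNI."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
            + b"\x01\x00"                           # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs

def route(first_bytes: bytes):
    """("passthrough", backend) or ("terminate", LOCAL_HTTPS), from SNI alone."""
    host = parse_sni(first_bytes)
    if host in PASSTHROUGH_BACKENDS:
        return "passthrough", PASSTHROUGH_BACKENDS[host]
    return "terminate", LOCAL_HTTPS

def proxy_v1_header(src, sport, dst, dport) -> bytes:
    """PROXY protocol v1 line the edge writes before the untouched TLS bytes."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address families differ")
    line = f"PROXY {'TCP4' if s.version == 4 else 'TCP6'} {s} {d} {sport} {dport}\r\n"
    if len(line) > 107:                  # v1 maximum, CRLF included
        raise ValueError("PROXY v1 header too long")
    return line.encode("ascii")

def parse_proxy_v1(data: bytes):
    """Backend side: (src, sport, dst, dport, remaining_bytes), or ValueError."""
    end = data.find(b"\r\n", 0, 107)
    if not data.startswith(b"PROXY ") or end < 0:
        raise ValueError("no PROXY v1 header in the first 107 bytes")
    f = data[:end].decode("ascii").split(" ")
    if len(f) != 6 or f[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(f[2]), ipaddress.ip_address(f[3])
    sport, dport = int(f[4]), int(f[5])
    if not 0 < sport <= 65535 or not 0 < dport <= 65535:
        raise ValueError("port out of range")
    return str(src), sport, str(dst), dport, data[end + 2:]
```

Two things worth noticing. The decision needs only the ClientHello, so the edge holds no key for the passthrough hosts and cannot read the traffic; the price is that a client that sends no SNI (an https://<ip>/ URL, some very old clients) can only ever get the default route. The PROXY line is not valid TLS, so the receiving side must be told to expect it (`accept-proxy` on a HAProxy `bind` line, `listen ... proxy_protocol` in nginx) or it will drop the connection on the first byte. Since this thread was written, nginx's stream module (ngx_stream_ssl_preread_module, nginx 1.11.5 and later) does the same ClientHello inspection natively through `$ssl_preread_server_name` and writes the PROXY header itself with `proxy_protocol on`.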

Lukas,

I think you’re right. The combination of three may be optimal at this
time.

I’ll see what I come up with - I hadn’t heard of the PROXY protocol before (was thinking of something similar though). That’s made my life plenty easier!

Thanks mate :)

Hi Lukas,

While HAProxy is able to do some of those things (not sure about X-FORWARDED-FOR workarounds?), I’d still prefer to use NGINX where possible (for other reasons, such as PageSpeed support, etc).

Is NGINX able to do any of the things mentioned in the question? Specifically, can it sort by SNI hostname without becoming an SSL endpoint? If not, is there a reason why? (Has it been decided by the community that it’s not a good idea, or has it just not been developed?)

I’ve seen a few similar questions around, but no definitive answer.

Thanks,
OzJD

One most important thing: our site had been working with https for 2 months, but after configuring sftp with openssl, it created the problem. I restored the old settings of sshd_config, as they were when it worked, but am still facing the issue.

Hi Team,

I am facing an issue regarding SSL in nginx; find below the error logs:

2014/09/05 19:23:36 [emerg] 18774#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
2014/09/05 19:23:36 [emerg] 18775#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
2014/09/05 19:26:51 [emerg] 18977#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
2014/09/05 19:26:51 [emerg] 18978#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

I have done the Google search but can’t resolve it; only you guys can help me, it’s very urgent.

Thanks & Regards
Vijay kr
[email protected]

“no start line error” is pretty specific.

The first line with any text on it should read

-----BEGIN CERTIFICATE-----

with 5 dashes before and after the text.

On Fri, 2014-09-05 at 10:11 -0400, vk1dadhich wrote:

> 2014/09/05 19:23:36 [emerg] 18775#0:
> routines:SSL_CTX_use_PrivateKey_file:PEM lib)

Steve H. BSc(Hons) MIITP

Linkedin: http://www.linkedin.com/in/steveholdoway
Skype: sholdowa


nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
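The log line above names the file nginx tried to load as a private key: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.crt"). OpenSSL reports "no start line" when it reaches the end of a file without finding a PEM block of the type it was asked for, so pointing ssl_certificate_key at server.crt fails unless that file also contains a private-key block. The following is an added example, not from the thread or from nginx: a checker that reads the two ssl_* directives out of a server block and reports what each file actually contains, so the mismatch is found before nginx is reloaded. The key path /etc/nginx/ssl/server.key, the configuration snippets and the file contents are constructed for the example (the base64 bodies are placeholders, not real key material).

```python
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
SSL_DIRECTIVE = re.compile(r"^\s*(ssl_certificate_key|ssl_certificate)\s+([^;\s]+)\s*;", re.M)

def pem_labels(text: str):
    """Labels of the PEM blocks in a file, in order; [] is what 'no start line' means."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def ssl_directives(conf: str):
    """Map ssl_certificate / ssl_certificate_key to the path each one points at."""
    return dict(SSL_DIRECTIVE.findall(conf))

def check_pair(cert_text: str, key_text: str):
    """Problems with a certificate/key file pair; an empty list means both should load."""
    problems = []
    certs, keys = pem_labels(cert_text), pem_labels(key_text)
    if not certs:
        problems.append("ssl_certificate: no PEM block found (OpenSSL: 'no start line')")
    elif certs[0] != "CERTIFICATE":
        problems.append(f"ssl_certificate: first block is {certs[0]!r}, expected CERTIFICATE")
    if not keys:
        problems.append("ssl_certificate_key: no PEM block found (OpenSSL: 'no start line')")
    elif not KEY_LABELS & set(keys):
        problems.append(f"ssl_certificate_key: blocks {keys} contain no private key; "
                        "is this the certificate file?")
    if "ENCRYPTED PRIVATE KEY" in keys:
        problems.append("ssl_certificate_key: key is passphrase-protected; nginx will "
                        "prompt or fail unless ssl_password_file is set")
    return problems

def diagnose(conf: str, files: dict):
    """Resolve the directives in conf against files ({path: contents}) and check them."""
    d = ssl_directives(conf)
    missing = [k for k in ("ssl_certificate", "ssl_certificate_key") if k not in d]
    if missing:
        return [f"missing directive(s): {', '.join(missing)}"]
    unreadable = [p for p in d.values() if p not in files]
    if unreadable:
        return [f"cannot read: {', '.join(unreadable)}"]
    return check_pair(files[d["ssl_certificate"]], files[d["ssl_certificate_key"]])

# Constructed sample files: placeholder base64 bodies, not real certificates or keys.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
FILES = {
    "/etc/nginx/ssl/server.crt": SAMPLE_CRT,
    "/etc/nginx/ssl/server.key": SAMPLE_KEY,   # assumed key path
}

# Both directives pointing at the .crt, which is what the log line
# SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/server.crt") indicates.
BROKEN_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.crt;
}
"""
FIXED_CONF = BROKEN_CONF.replace("ssl_certificate_key /etc/nginx/ssl/server.crt",
                                 "ssl_certificate_key /etc/nginx/ssl/server.key")

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, diagnose(conf, FILES) or ["ok"])
```

The check mirrors what OpenSSL does when nginx starts: it only looks at the BEGIN/END labels, which is exactly what "no start line" is about, so a file with a CERTIFICATE block where a private-key block was expected is reported as such rather than as a generic load failure. A single file carrying both the certificate and the key passes for both directives, which is also what nginx accepts.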