SSL proxy without certificate

Hello!

I want to proxy ssl connections to a backend without a certificate but it
isn’t working:

server {
    listen x.x.x.x:443;
    location / {
        proxy_pass https://y.y.y.y:443;
    }
}

I tried to use an approach like this (client auth with self generated
cert), but it didn’t work too:

server {

    listen x.x.x.x:443 ssl;

    ssl                  on;
    ssl_certificate      /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client optional;

    location / {
        proxy_pass https://y.y.y.y:443;

    }

}

Must I have the customer certificate to proxy this kind of request or there
is another way to do this?

Tks!

Edmund

On Thu, Nov 22, 2012 at 10:21 AM, Edmund L. wrote:

}

I tried to use an approach like this (client auth with self generated cert),
but it didn’t work too:

How is it not working?

    location / {
        proxy_pass https://y.y.y.y:443;

    }

}

Must I have the customer certificate to proxy this kind of request or there
is another way to do this?

I think the one you want is tcp layer proxying/balancing which is not
what nginx can do. Try using HAProxy instead.

On Thu, Nov 22, 2012 at 1:27 AM, Edho A. wrote:

  proxy_pass https://y.y.y.y:443;

}
}

I tried to use an approach like this (client auth with self generated cert),
but it didn’t work too:

How is it not working?

2012/11/22 01:34:00 [error] 17649#0: *234 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: z.z.z.z, server: x.x.x.x:443

In this way proxy worked but not using the backend certificate, so I got
these messages in my browser. :(

The identity of this website has not been verified.
Server’s certificate does not match the URL.
Server’s certificate is not trusted.

I think the one you want is tcp layer proxying/balancing which is not
what nginx can do. Try using HAProxy instead.

I’ll try. Tks.

In this way proxy worked but not using the backend certificate, so I got
these messages in my browser. :(

The identity of this website has not been verified.
Server’s certificate does not match the URL.
Server’s certificate is not trusted.

You need to use/configure the same SSL certificates on nginx as on the
backend, e.g. just proxy_pass’ing to backend won’t work.

But is there a reason for “talking” to backend via https?
The common approach (also better performance) is offloading the SSL to nginx
and proxying via plain http.

I think the one you want is tcp layer proxying/balancing which is not what
nginx can do.

Not exactly true: GitHub - yaoweibin/nginx_tcp_proxy_module (add the feature of tcp proxy with nginx, with health check and status monitor),
but that is kind of another topic.

rr
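
The SSL offloading setup described in the last reply, written out as an added example that is not part of the original thread. x.x.x.x and y.y.y.y are the thread's placeholders; www.example.com, the site.crt/site.key file names and backend port 80 are assumptions.

```nginx
# Added example (not from the thread). x.x.x.x / y.y.y.y are the thread's
# placeholders; www.example.com, site.crt/site.key and port 80 are assumptions.
server {
    # "ssl" on the listen line plus a certificate is what the first config
    # lacked ("no ssl_certificate is defined ... while SSL handshaking").
    listen x.x.x.x:443 ssl;
    server_name www.example.com;

    # Certificate and key issued for the public hostname (the same pair the
    # backend uses), so the browser sees a certificate that matches the URL
    # and chains to a CA it trusts. A self-generated certificate here
    # produces the three browser warnings quoted in the thread.
    ssl_certificate      /etc/nginx/certs/site.crt;
    ssl_certificate_key  /etc/nginx/certs/site.key;

    location / {
        # TLS ends at nginx; the hop to the backend is plain HTTP, so it
        # should stay on a network segment you control.
        proxy_pass http://y.y.y.y:80;

        # Pass the original request details on to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```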