Forum: NGINX Proxy to upstream HTTPS server *without* any keys/certs in nginx

Gary Chodos (Guest)
on 2013-09-24 19:56
(Received via mailing list)
Hello,

We are researching which tools would allow us to do what is described in
the subject.

After searching the archives here and in other places like stackoverflow,
there seems to be conflicting info on whether this is possible.  Perhaps
it was not doable early in nginx's life but is now?  Based on the below
link (which notes the upstream and reverse proxy modules), can we now have
nginx listen on 443, and pass browser requests to it on to an upstream
HTTPS server which actually serves content, has the certs/keys and takes
care of SSL handshake etc?  In our use case we cannot house any keys/certs
on the nginx box so must proxy everything (including SSL) to the upstream
https box, as if the end user (who makes the request from the browser) hit
the upstream server directly, and doesn't have any missing or mismatching
certificate errors.

http://stackoverflow.com/questions/15394904/nginx-...

I hope my question is clear.  Thanks for your help.

Gary
Jonathan Matthews (Guest)
on 2013-09-24 20:24
(Received via mailing list)
On 24 Sep 2013 18:55, "Gary Chodos" <gchodos@gmail.com> wrote:
>
> Hello,
>
> We are researching which tools would allow us to do what is described in
> the subject.
>
> After searching the archives here and in other places like stackoverflow,
> there seems to be conflicting info on whether this is possible.  Perhaps
> it was not doable early in nginx's life but is now?  Based on the below
> link (which notes the upstream and reverse proxy modules), can we now have
> nginx listen on 443, and pass browser requests to it on to an upstream
> HTTPS server which actually serves content, has the certs/keys and takes
> care of SSL handshake etc?

I don't believe so, no.

> In our use case we cannot house any keys/certs on the nginx box so
> must proxy everything (including SSL) to the upstream https box, as if
> the end user (who makes the request from the browser) hit the upstream
> server directly, and doesn't have any missing or mismatching certificate
> errors.

It sounds like you just need a TCP-layer proxy. I suggest HAProxy in TCP
mode.

> http://stackoverflow.com/questions/15394904/nginx-...

I don't believe the answer there is correct. I don't believe you can
reverse-proxy an SSL connection into nginx without terminating it first,
using local certs.

I will happily be shown I'm wrong, however :-)

HTH,
Jonathan
Gary Chodos (Guest)
on 2013-09-25 16:58
(Received via mailing list)
On Tuesday, September 24, 2013, Jonathan Matthews wrote:

> possible.  Perhaps it was not doable early in nginx's life but is now?
> directly, and doesn't have any missing or mismatching certificate errors.
>
> It sounds like you just need a TCP-layer proxy. I suggest HAProxy in TCP
> mode.
>

Bingo!  This works perfectly.  Thanks.

Gary
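
The TCP-mode setup suggested above, as an added example that is not part of the original thread: a minimal `haproxy.cfg` that relays port 443 at layer 4, so the proxy box loads no certificate or key. The backend address `192.0.2.10`, the section names and the timeout values are placeholders chosen for illustration.

```haproxy
# Added example (not from the thread). Addresses, names and timeouts are
# placeholders; adjust them for the real environment.
global
    maxconn 2000

defaults
    mode tcp                  # layer-4 relay: HAProxy does not parse TLS or HTTP
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_passthrough
    # Plain "bind" with no "ssl crt ..." argument: nothing is decrypted here,
    # so no private key or certificate has to exist on this host.
    bind :443
    default_backend origin_https

backend origin_https
    # The upstream HTTPS server owns the certificate and key and completes
    # the TLS handshake with the browser end to end.
    # "check" is a plain TCP connect health check; it does not speak TLS.
    server origin1 192.0.2.10:443 check
```

Because the relay never decrypts, it cannot add headers such as `X-Forwarded-For`, and the upstream sees the proxy's address as the connection peer. Running `openssl s_client -connect <proxy>:443 -servername <host>` against the proxy should show the upstream's own certificate.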