 

How can I proxy to an SSL backend without specifying cert files?

I have a Play 2.1.x application which signs itself using JKS. It's up, running and available at domain.com:9443. I need to proxy it with nginx, as there will be more apps on the same machine (therefore I can't run it just on port 443). I added the nginx config in the hope that proxy_pass with https would allow me to just proxy it to the client:

upstream backend-secure {
    server 0.0.0.0:9443;
}

server {
        listen 443 ssl;
        server_name domain.com;

        proxy_redirect          off;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;


        location / {
                proxy_pass  https://backend-secure;
        }

}

Unfortunately, when trying to open https://domain.com in a browser, I only get a log entry in nginx/error.log like:

no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 123.123.123.123, server: 0.0.0.0:443

Is there a way to make it work, or is the only option to use the common way for nginx SSL plus an http backend?

Edit: It's an EV, multidomain certificate, if it matters.

biesior asked Feb 28 '14 09:02



1 Answer

The only option for a proxy is to have the certificate inside nginx. Another option would be to just TCP forward the connection outside of nginx, but then you will not get any of the X-Real-IP, X-Forwarded-For etc. stuff.

Steffen Ullrich answered Sep 22 '22 05:09
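The two options from the answer, written out as an added example (not part of the original question or answer). The file paths, the 127.0.0.1 upstream address and the backend CA file are assumptions, and the `proxy_ssl_*` verification directives require nginx 1.7.0 or later.

```nginx
# Option 1: terminate TLS in nginx and re-encrypt to the Play backend.
# Belongs inside the http { } context. All paths are placeholders.
upstream backend-secure {
    server 127.0.0.1:9443;   # assumption: Play listens on loopback
}

server {
    listen 443 ssl;
    server_name domain.com;

    # Certificate presented to browsers. nginx reads PEM files, not JKS,
    # so the chain and private key must be exported from the keystore.
    # Omitting these two lines produces the 'no "ssl_certificate" is
    # defined' error quoted in the question.
    ssl_certificate     /etc/nginx/ssl/domain.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/domain.com.key;

    proxy_redirect   off;
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass https://backend-secure;

        # proxy_ssl_verify defaults to off: the upstream hop is encrypted
        # but the backend certificate is not checked unless enabled here.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-ca.pem;
        # Without this, nginx checks the name "backend-secure" taken
        # from proxy_pass instead of the name in the certificate.
        proxy_ssl_name                domain.com;
        proxy_ssl_server_name         on;   # send SNI to the backend
    }
}

# Option 2: plain TCP forwarding, no certificate in nginx.
# Belongs at the top level, outside http { }, needs the stream module,
# and replaces the server block above (both cannot listen on 443).
# The backend sees nginx as the client and no X-Real-IP or
# X-Forwarded-For header can be added, because nginx never decrypts.
# stream {
#     server {
#         listen 443;
#         proxy_pass 127.0.0.1:9443;
#     }
# }
```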