Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how not to ssl terminate at NginX load balacner

Tags:

nginx

I want to know how to have NginX (load balancer) accept traffic on 443 and forward it to port 443 on the load balanced web server nodes.

I am using NginX as a load balancer where the SSL termination occurs at NginX level. And then NginX sends unencrypted traffic to my web serves at port 80.

This is my current ngnx configuration:

upstream appserver {
    server 10.0.1.132;
    server 10.0.1.243;
}

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /etc/nginx/cert.pem;
    ssl_certificate_key  /etc/nginx/cert.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass http://appserver;
    }
}

I have gone through: Nginx load balance with upstream SSL

My real issue is, If I want NginX to listen traffic on 443, then I need to configure the ssl termination on nignx. Else nginx service won't start and will complain about missing ssl cert/keys.

In short, I want Nginx to simply accept traffic on 443 and forward it to 443 on load balanced Web server nodes. Then let my webservers do the SSL work.

The best practice is to do SSL offloading at load balancer level but I want to do otherwise.

Thanks.

like image 247
slayedbylucifer Avatar asked Oct 20 '22 21:10

slayedbylucifer


1 Answers

This requires Layer 4 snooping/routing on NGINX's part, which is apparently not entirely supported. NGINX seems to support SNI, but for some reason I could not prevent it from terminating the TLS connection.

I ended up using HAProxy.

like image 149
Morpheu5 Avatar answered Oct 31 '22 21:10

Morpheu5