Welcome! Log In Create A New Profile


Can nginx use SNI to reverse-proxy *without* terminating SSL?

Posted by cmundi 
Can nginx use SNI to reverse-proxy *without* terminating SSL?
July 21, 2012 04:01AM
Hello Friends,

I am on a mission. I want a load-balancing reverse-proxy-by-SNI for multiple domains over HTTPS, where each domain runs a group of separate ReSTful webapp servers via proxy-by-name.

At this point, some of you are asking, "What???" and some more of you are asking "Why???" Let me try to answer both questions.

Each of N apps has its own URL for HTTPS: https://www.app-1.org, https://www.app-2.org, https://www.app-3.org, ... https://www.app-N.org and each of these N domains is is served by M separate but equivalent servers. So there exists a total of N*M servers. (More generally, each app may have a distinct number of servers, but that does not matter now.)

Now you say, "Easy! Use SNI." Then I say, "Thanks, but I do not want to terminate SSL on the load-balancer." I need communication to remain encrypted all the way to the app servers. So I need the app servers to negotiate SSL, which means each app servers will need to serve a copy of the cert for its domain. The nginx is just doing ordinary load-balancing but with a twist: the server pool is partitioned on the domains and matched to the SNI data.

All I want from nginx is Layer 4 routing using information leaked (by design) from Layer 7 by SNI. Said another way, I want nginx to use the SNI information provided by the User Agent to *route* the request but *defer* TLS/SSL negotialion to the upstream server. So I'm actually asking nginx to do *less* work than usual with SNI.

Can I do this with nginx?

Thank you for reading, and thank you for your help.
Re: Can nginx use SNI to reverse-proxy *without* terminating SSL?
May 09, 2017 04:44PM
Did you find a solution to this? I believe I have a similar setup.
Re: Can nginx use SNI to reverse-proxy *without* terminating SSL?
May 09, 2017 04:53PM
You can with stream {}
See the docs at nginx

nginx for Windows http://nginx-win.ecsds.eu/
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 66
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready