stream for TLS passthrough to multiple servers, each with their own certificate
March 11, 2020 07:45AM
I am trying to configure nginx to act as a load balancer for a group of servers, using TLS passthrough. I have corporate-issued certificates for the load balancer, as well as each of the three back-end servers. My current configuration is below.

stream {
upstream backend {
hash $remote_addr consistent;
server myserver1.example.com;
server myserver2.example.com;
server myserver3.example.com;
}

server {
listen 443;
ssl_certificate /path/to/loadbalancercert.pem;
ssl_certificate_key /path/to/loadbalancerkey.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_timeout 24h;
proxy_pass backend;
}
}
My issue is that while it will redirect to the three servers, in round robin, the browser warns that the certificate is untrusted, because the host for the back-end servers doesn't match the load balancer CN. I have configured the load balancer's certificate to include the hostname for each of the three back-end servers as a SAN. Any ideas how to get this to work?
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 125
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready