NGINX Configuration to proxy SSL certificate to Upstream Servers

Posted by selvamp 
NGINX Configuration to proxy SSL certificate to Upstream Servers
February 24, 2022 11:26PM
Hi.

I'm trying to host NGINX as a Load-Balancer in front of two instances of Keycloak Auth Server. Each Keycloak Server has a Keystore and Truststore to store the .crt and .key files.
The first Keycloak instance runs on ports 8080 and 8443 (HTTPS port) and the second runs on ports 8180 and 8543 (HTTPS port). My requirement is to simply host NGINX as a load-balancer to proxy all SSL certificates (client certificates) sent in the request by the client to the Upstream (Keycloak Server Instances). I don't want NGINX to terminate SSL/TLS but to simply proxy/forward the certificates to the Keycloak Instances.
I have attached the docker-compose.yml and nginx.conf file for reference. Support on this would be of great help to me. Thanks in advance!

Regards,
Prashanth
Attachments: docker-compose-cluster.yml (2.7 KB), nginx.conf (985 bytes)

Re: NGINX Configuration to proxy SSL certificate to Upstream Servers
February 25, 2022 09:25AM
Additionally, this is the modified nginx.conf file for reference. Any support or assistance would be of great help.

    upstream keycloak_backend {
        server kc1:8443;
        server kc2:8443;
    }

    server {
        listen 443 default ssl;
        server_name localhost;
        access_log /tmp/nginx_reverse_access.log;
        error_log /tmp/nginx_reverse_error.log;
        root /usr/local/nginx/html;
        index index.html;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_certificate /etc/nginx/ssl/localhost.crt;
        ssl_certificate_key /etc/nginx/ssl/localhost.key;
        ssl_verify_client off;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_pass https://keycloak_backend;

            proxy_ssl_session_reuse off;
            proxy_ssl_server_name on;
        }
    }

Cheers,
Prashanth
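
What the post asks for (nginx balancing the TLS connections without terminating them) is done in the `stream` context rather than `http`. The following is an added example, not part of the original post or a reply from the forum, reusing the `kc1:8443` and `kc2:8443` upstreams from the posted config. The log format name, log path, failure thresholds and timeout values are assumptions.

```nginx
# Added example: TCP (layer 4) passthrough, so TLS is terminated by Keycloak.
# Goes at the top level of nginx.conf, beside (not inside) the http {} block.
# Requires nginx built with the stream module (--with-stream).

stream {
    # Assumed log format name and path; stream logs have no HTTP fields.
    log_format kc_tcp '$remote_addr [$time_local] $protocol $status '
                      'sent=$bytes_sent rcvd=$bytes_received '
                      'dur=$session_time upstream=$upstream_addr';
    access_log /tmp/nginx_stream_access.log kc_tcp;

    upstream keycloak_backend {
        # Keep one client address on one Keycloak node, so repeated
        # connections (and TLS session resumption) reach the same instance.
        hash $remote_addr consistent;

        server kc1:8443 max_fails=3 fail_timeout=10s;   # assumed thresholds
        server kc2:8443 max_fails=3 fail_timeout=10s;
    }

    server {
        listen 443;                     # no "ssl": nginx does not decrypt
        proxy_pass keycloak_backend;    # no scheme: raw TCP is relayed
        proxy_connect_timeout 5s;       # assumed value
        proxy_timeout 10m;              # assumed idle timeout
    }
}

# Consequences of not terminating TLS at nginx:
#  - ssl_certificate, ssl_verify_client, ssl_protocols and ssl_ciphers are
#    not used for this listener; the client sees Keycloak's certificate and
#    Keycloak itself requests and verifies the client certificate.
#  - proxy_set_header cannot be used, since nginx never sees the HTTP
#    request, so no X-Forwarded-* headers reach Keycloak.
#  - The http {} server from the post must not also listen on 443.
```

With passthrough, protocol and cipher policy is whatever Keycloak's HTTPS listener enforces, so the hardening that would otherwise replace the SSLv3 and RC4 entries in the posted `ssl_protocols` and `ssl_ciphers` lines has to be applied in Keycloak.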