Re: SSL pass through

Jonathan Matthews
January 02, 2013 04:28PM
On 2 January 2013 21:14, zuger <nginx-forum@nginx.us> wrote:
> Thank you for the quick answer. I will be a little more precise.
>
> I would like to forward https requests to different backend servers based on
> the hostname header, e.g. https://machine1.domain.com should be forwarded to
> https://10.0.0.1 and https://machine2.domain.com to https://10.0.0.2.

You can't do this HTTP-level routing inside nginx without allowing
nginx to terminate the SSL connection, which would require the
certificates to be available to nginx at startup/reload.

Have a read of https://wiki.apache.org/httpd/NameBasedSSLVHosts for a
decent discussion of the generic (HTTPd-agnostic) possibilities and
problems.

> You mentioned something like a tcp port forwarder. Is this tcp port
> forwarding part of the NGINX configuration or something outside NGINX?

I would personally use HAProxy in TCP mode for this purpose, however
there's a non-trivial operational/PCI-DSS/code problem that crops up
when you *don't* terminate your SSL at network edge: you lose
visibility of the client's IP address at the point at which you *do*
terminate the SSL. You lose this visibility regardless of any
X-Forwarded-For headers you might use. The HAProxy "PROXY" protocol is
a possible fix for this, but it's not yet available in a stable
release of HAProxy.

Basically, terminate your SSL at the edge. Or get people who
understand your problem/app domain, SSL, and security to design a
solution for you.

Cheers,
Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
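
The PROXY protocol mentioned in the reply above, in its version 1 text form, has the TCP forwarder prepend one line (`PROXY TCP4 <src> <dst> <sport> <dport>\r\n`) to the stream, so the server that finally terminates SSL can recover the client address. The sketch below is an added example, not code from the post, nginx or HAProxy; the function name, the trusted-forwarder list and the sample addresses are assumptions made for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the PROXY protocol allows, CRLF included

# Constructed sample: header written by the forwarder, then the first
# bytes of the client's untouched TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.1 56324 443\r\n\x16\x03\x01"


def parse_proxy_v1(buf, peer_ip, trusted_proxies):
    """Return (client_ip, client_port, remaining_bytes) or raise ValueError.

    client_ip and client_port are None for a 'PROXY UNKNOWN' header.
    """
    # Accept the header only from known forwarders; otherwise any client
    # that connects directly could claim an arbitrary source address.
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        raise ValueError("PROXY header from untrusted peer")

    # The header must be complete (CRLF included) within the first 107 bytes.
    end = buf.find(b"\r\n", 0, MAX_V1_LEN)
    if not buf.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")

    fields = buf[:end].decode("ascii", "strict").split(" ")
    rest = buf[end + 2:]  # TLS bytes that follow the header
    if fields[1] == "UNKNOWN":
        return None, None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")

    # Addresses must parse and match the declared family.
    version = 4 if fields[1] == "TCP4" else 6
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")

    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return str(src), sport, rest
```

The address recovered this way is only as trustworthy as the peer check: a backend that is reachable from anything other than the forwarder must reject the header.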