Re: SSL termination and HAProxy

Jonathan Matthews
January 02, 2013 05:30PM
On 2 January 2013 22:12, zuger <nginx-forum@nginx.us> wrote:
> Thank you Jonathan.
> Your explanations were very helpful and the link to "NameBasedSSLVHosts"
> also.

Glad it helped, Zuger.

> I will now evaluate the two scenarios. Terminate SSL in NGINX and forward
> http to the backend servers or use HAProxy.

SSL termination at the edge (I suggest in nginx) will save you much
grief, over time. I would only be considering passing SSL through to a
back-end layer if I had to for specific security reasons, such as
PCI-DSS compliance or because the machine at the network edge was
untrusted somehow.

Do note: with nginx you can proxy_pass to a *different* SSL FQDN,
after having terminated the SSL connection. I.e.

server {
    listen 443 ssl;
    server_name external-domain.com;
    # ssl cert config options which I can't remember off the top of my head ...
    # (placeholder paths; point these at the cert/key for external-domain.com)
    ssl_certificate     /path/to/external-domain.com.crt;
    ssl_certificate_key /path/to/external-domain.com.key;
    location / {
        proxy_pass https://my-internal-service-name-which-is-still-ssl-encrypted.internal.fqdn:443;
    }
}

This way, you unwrap the SSL for long enough to route it correctly,
but then encrypt it again to ensure the communication between nginx
and the backend service is secure. This still requires the cert/key
for "external-domain.com" on the nginx server, however.

Do be aware that this setup *won't* allow you to exclude the nginx
machine from being part of your PCI-DSS CDE, I believe. (If that was
meaningless to you, just ignore it!)

Also be aware that, if your nginx machine is actually untrusted, this
doesn't help. Any attacker who gets control of the box still gets
access to your certs and can sniff any "SSL" traffic s/he likes.

> Did I understand correctly that when I use HAProxy I do not have to
> terminate SSL at HAProxy server? SSL will then be terminated at the backend
> servers?

[ NB: I'm only suggesting HAP as that's what I'd use in the scenario
you painted. Other TCP-Level Load Balancers Are Available. ]

HAProxy only learned to speak SSL in a recent-ish development version.
If you need to use a stable release (1.4) then you *cannot* terminate
SSL with it, and would have to pass the TCP connection through to
something that owned the appropriate SSL certificates.

Jonathan Matthews // Oxford, London, UK
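The terminate-then-re-encrypt pattern from the post above has one catch worth spelling out: nginx does not, by default, verify the certificate the backend presents on that second TLS connection, so "encrypt it again" protects against passive sniffing but not against a spoofed backend. The configuration below is an added example, not part of the original post, and it assumes nginx 1.7.0 or later (where the proxy_ssl_verify, proxy_ssl_trusted_certificate, proxy_ssl_name and proxy_ssl_server_name directives appeared). The hostnames, the internal CA path and the certificate paths are placeholders.

```nginx
# Edge: terminate the public TLS session for external-domain.com,
# then open a verified TLS session to the internal backend.
server {
    listen 443 ssl;
    server_name external-domain.com;

    # Public cert/key; these must live on the edge box (placeholder paths).
    ssl_certificate     /etc/nginx/certs/external-domain.com.crt;
    ssl_certificate_key /etc/nginx/certs/external-domain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Backend hostname and port are placeholders.
        proxy_pass https://backend.internal.fqdn:8443;

        # Preserve the original host so the backend can route by name.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Weak form (the nginx default): the upstream cert is not checked,
        # so anyone who can redirect traffic to themselves can impersonate
        # the backend.
        #   proxy_ssl_verify off;

        # Hardened form: verify the backend cert against the internal CA
        # and insist that its name matches what we expect.
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.pem;
        # Send SNI and check the cert's name against this value rather
        # than whatever the proxy_pass URL happens to resolve to.
        proxy_ssl_server_name         on;
        proxy_ssl_name                backend.internal.fqdn;
    }
}
```

Test it from the nginx host with `nginx -t` and then by pointing the backend at a host whose certificate is not signed by the internal CA: with `proxy_ssl_verify on` nginx answers 502 and logs an "upstream SSL certificate verify error", which is the behaviour you want when the edge-to-backend path is what keeps the nginx box from being the only thing standing between an attacker and plaintext. As the post says, none of this helps if the edge box itself is compromised: the public private key is still on it.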
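For the second scenario in the post (a stable HAProxy 1.4 that cannot terminate SSL), the balancer just forwards the raw TCP stream and the backends hold the certificates. The configuration below is an added example, not from the original thread; backend addresses and names are placeholders.

```haproxy
# HAProxy 1.4 style SSL pass-through: no certificates on this box,
# the TLS session runs end-to-end between the client and the backend.
global
    log /dev/log local0
    maxconn 4096

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    bind 0.0.0.0:443
    mode tcp
    default_backend https_nodes

backend https_nodes
    mode tcp
    # Pin a client IP to one backend so TLS session resumption keeps
    # working; the balancer cannot see inside the stream to do better.
    balance source
    # Placeholder backends; each one needs the cert/key for the public name.
    server web1 10.0.0.11:443 check
    server web2 10.0.0.12:443 check
```

Two consequences follow from `mode tcp`. First, the backends see the client as the balancer's address unless you add something like the PROXY protocol in front, so `X-Forwarded-For` does not exist here. Second, in 1.4 the balancer cannot read the SNI hostname from the ClientHello, so routing different public names to different backend pools (the NameBasedSSLVHosts question earlier in this thread) has to happen on the backends themselves, or on a newer HAProxy that can inspect SNI.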
