Re: N00b - confused ssl

Joel Parker
April 26, 2017 07:44AM
So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this?

# log_format is only valid in the http context, so it has to sit outside
# the server block (as posted it was inside, which nginx rejects)
log_format replay '[$time_local] $server_name $status $content_type '
                  '$request_method XX_HOST_XX$request_uri '
                  'Authorization:"$http_authorization" $request_body_file';

server {

    ######################################################################
    # This is acting like the server side to decrypt the incoming traffic
    ######################################################################

    listen 443 ssl;   # 'ssl' parameter tells NGINX to decrypt the traffic
    server_name _;    # any server

    # server certificate (plus any intermediates) in PEM format
    ssl_certificate /etc/ssl/certs/server.crt;

    # matching private key
    ssl_certificate_key /etc/ssl/certs/server.key;

    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # can tweak caching strategy if needed
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 4h;
    # ssl_handshake_timeout is a stream-module directive; the http ssl
    # module does not recognise it, so it is commented out here
    # ssl_handshake_timeout 30s;

    ######################################################################
    # This is acting like the client side and re-encrypting
    ######################################################################

    # 'proxy_ssl on;' is also a stream-module directive; in http, the
    # https:// scheme in proxy_pass is what turns on TLS to the upstream
    # proxy_ssl on;

    # ssl client cert
    proxy_ssl_certificate /etc/ssl/certs/backend.crt;

    # ssl client private key
    proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
    # note: SSLv3, TLSv1 and TLSv1.1 are obsolete; TLSv1.2 alone is the safer list
    proxy_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    # CA bundle that proxy_ssl_verify checks the backend certificate against
    # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    # note: the replay format above writes the Authorization header and the
    # spooled body file name to the access log; treat that log as sensitive
    client_body_in_file_only on;
    access_log /var/log/nginx/request_response.log replay;

    location / {
        # 'backend' is an upstream group or hostname defined elsewhere
        proxy_pass https://backend;   # 'https' prefix tells NGINX to encrypt the traffic
    }
}

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <r@roze.lv> wrote:

> > so if I put both of these in one server block so that the incoming is
> > de-crypted and the outgoing is decrypted. Do I put both the server and
> > client certs in the same server block?
> > confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide
> a client certificate via proxy_ssl_certificate
> (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate).
>
> - If your clients need to authenticate versus your nginx proxy then you
> use ssl_verify_client / ssl_trusted_certificate
> (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client).
>
> - If your backend requires passing through the user certificates it's a
> bit tricky as depending on backend it might or might not work
> https://trac.nginx.org/nginx/ticket/857
>
> rr
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
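As an added check, not part of this thread or of nginx itself, the following Python audits a server block like the one posted above for the three points a reviewer would raise: obsolete versions in proxy_ssl_protocols, proxy_ssl_verify on with no active proxy_ssl_trusted_certificate to verify against, and $http_authorization in the log_format. SAMPLE_CONFIG is a constructed one-directive-per-line extract of the posted block, and the parser assumes that layout (it is line based, so a directive split across lines is not handled).

```python
import shlex

# Constructed sample: the TLS-relevant directives from the server block
# posted above, one directive per line (the log_format joined onto one line).
SAMPLE_CONFIG = """
listen 443 ssl;  # 'ssl' tells nginx to terminate TLS here
ssl_protocols TLSv1.2;
proxy_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
proxy_ssl_verify on;
log_format replay '[$time_local] $status Authorization:"$http_authorization"';
"""

OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return (name, args) pairs for each active directive, assuming one
    directive per line. shlex honours nginx-style quoting and drops '#'
    comments that sit outside quotes, so a commented-out line yields nothing."""
    out = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or "{" in tokens or "}" in tokens:
            continue                        # blank, comment-only, or block open/close
        if tokens[-1].endswith(";"):
            tokens[-1] = tokens[-1][:-1]    # detach the terminating semicolon
        name, *args = tokens
        out.append((name, [a for a in args if a]))
    return out


def audit_tls(text):
    """List the weak spots in a server block: obsolete protocol versions,
    upstream verification with no CA bundle, credentials in the access log."""
    conf = {}
    for name, args in parse_directives(text):
        conf[name] = args                   # last occurrence wins; enough for this audit
    findings = []
    for key in ("ssl_protocols", "proxy_ssl_protocols"):
        bad = OBSOLETE_PROTOCOLS & set(conf.get(key, []))
        if bad:
            findings.append(f"{key}: obsolete versions enabled: {' '.join(sorted(bad))}")
    if conf.get("proxy_ssl_verify") == ["on"] and "proxy_ssl_trusted_certificate" not in conf:
        findings.append("proxy_ssl_verify on without an active proxy_ssl_trusted_certificate")
    if any("$http_authorization" in a for a in conf.get("log_format", [])):
        findings.append("log_format records the Authorization header in the access log")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONFIG):
        print("FINDING:", finding)
```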