Welcome! Log In Create A New Profile

Advanced

Re: Force SSL redirection to target service host for all protocols

Francis Daly
July 08, 2020 03:56AM
On Fri, Jul 03, 2020 at 09:12:56AM -0400, siva.pannier wrote:

Hi there,

> I want all my client applications make call to the service host via proxy.
> And the hosted services are TLSv1.2 enabled. Clients are not in a position
> to upgrade. Hence I want to enforce the SSL encryption when the call
> routed/redirected to the target from proxy.

I may be misunderstanding the terminology, but I think your scenario is
that your clients speak their protocol over a "normal" (non-encrypted)
network connection; and your (upstream) servers allow the protocol both
directly over a "normal" connection, or over a SSL-wrapped connection.

An you want your clients to talk to nginx without encryption, and for
nginx to talk to upstream with encryption.

If nginx does not already have a dedicated module for the protocol you
care about, then possibly the "stream" module with "proxy_ssl" will work
for you.

http://nginx.org/en/docs/stream/ngx_stream_proxy_module.html

That *does* depend on the nature of the protocol, of course -- if the
protocol does not easily allow proxying, then it is not going to easily
work through the nginx stream proxy.

> I have seen few blogs that talks about HTTP to HTTPS redirection. I want to
> do that for all protocols like TCPS, UDPS(DTLS), SMTPS, IIOPS.
>
> Can you please share your suggestions on this?

If my protocol writes IP addresses or ports within the content payload,
then a "blind" traffic-forwarder (as "stream" mostly is) will probably
not be able to reliably proxy things that use my protocol.

For the specific protocols you care about: can they be proxied?

I suspect that the list will be interested in the results of your testing,
if you are willing to share them.

Thanks,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Force SSL redirection to target service host for all protocols

siva.pannier July 03, 2020 09:12AM

Re: Force SSL redirection to target service host for all protocols

siva.pannier July 06, 2020 12:15AM

Re: Force SSL redirection to target service host for all protocols

Francis Daly July 08, 2020 03:56AM

Re: Force SSL redirection to target service host for all protocols

siva.pannier July 10, 2020 10:49AM

Re: Force SSL redirection to target service host for all protocols

siva.pannier July 13, 2020 02:57PM

Re: Force SSL redirection to target service host for all protocols

Francis Daly July 14, 2020 09:18AM

Re: Force SSL redirection to target service host for all protocols

siva.pannier July 14, 2020 09:55AM

Re: Force SSL redirection to target service host for all protocols

Francis Daly July 14, 2020 10:02AM

Re: Force SSL redirection to target service host for all protocols

siva.pannier July 15, 2020 09:16AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 68
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready