Re: nginx load balance TLS elasticsearch

Francis Daly
March 15, 2022 07:54PM
On Mon, Mar 14, 2022 at 03:15:43PM -0400, borys_85 wrote:

Hi there,

> Thanks I've already found this missed curly bracket, but

Good that you found the fix :-)

> I'm forcing in my environment setup on nginx for Elasticsearch:
> -what I have a problem with the correct configuration for connect NGINX over
> TLS to my nodes
>
> below You can find my configuration, maybe You can point me out what's wrong
> in this part, I'm using also crt and key per node so there I need to
> break it down into groups/location
> Do You have some examples config with TLS?

I'm not sure what exactly you want.

If the client should talk to nginx using https, then you need
"listen _port_ ssl" in this server{}, along with ssl_certificate and
ssl_certificate_key accessible in this server{}. The client will have
to trust that certificate.

If nginx should talk to upstream using https for some requests, then
you need proxy_pass https://_upstream_server_ in the location{} for
those requests; if *that* upstream server wants nginx to authenticate
using a client certificate, then you need proxy_ssl_certificate and
proxy_ssl_certificate_key accessible in this location{}.

(And if you want nginx to validate the certificate provided by that
upstream server, you want proxy_ssl_trusted_certificate accessible in
this location{}.)


In the example config included, your "listen 9200" means that nginx is
listening for http not https, and the proxy_pass means that nginx is
talking https to the upstream servers.

Your "listen 9201 ssl" means that nginx is listening for https not http,
and the proxy_pass means that nginx is talking http to the upstream
servers.

And the same for the 9238 and 9210 server{}s.

Once you decide how the client should talk to nginx (http or https),
and how nginx should talk to upstream (http or https), you can set the
"listen" and "proxy_pass" directives appropriately; and then you can
make one test request from the client and see what the response is.

Good luck with it,

f
--
Francis Daly francis@daoine.org
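
The following is an added example, not part of the original post or the poster's configuration: one server{} that uses https on both legs, with the directives named in the reply placed where it says they must be accessible. All hostnames, ports and file paths are assumptions, as is the shared name es-cluster.example.internal in every node certificate; proxy_ssl_verify, proxy_ssl_verify_depth, proxy_ssl_name and proxy_ssl_server_name are standard nginx directives that the reply does not mention.

```nginx
# Added example. Hostnames, ports and file paths are assumptions.
upstream es_nodes {
    server es-node1.example.internal:9200;
    server es-node2.example.internal:9200;
}

server {
    # Client -> nginx leg: "ssl" on listen makes this port https only.
    listen 9200 ssl;
    server_name es.example.internal;

    # Certificate nginx presents to clients; clients must trust it.
    ssl_certificate     /etc/nginx/tls/es-frontend.crt;
    ssl_certificate_key /etc/nginx/tls/es-frontend.key;

    location / {
        # nginx -> upstream leg: the https:// scheme here is what makes
        # nginx speak TLS to the Elasticsearch nodes.
        proxy_pass https://es_nodes;

        # Client certificate nginx presents to the upstream. Needed only
        # if the upstream asks nginx to authenticate with one.
        proxy_ssl_certificate     /etc/nginx/tls/nginx-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/nginx-client.key;

        # Validation of the upstream's certificate. The CA file alone is
        # not enough: proxy_ssl_verify defaults to off, and with it off
        # nginx accepts any certificate the upstream presents.
        proxy_ssl_trusted_certificate /etc/nginx/tls/es-ca.crt;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;

        # Name checked against the upstream certificate. The default is
        # the host part of proxy_pass, which here would be the upstream
        # group name "es_nodes". Assumption: every node certificate
        # carries this name as a subjectAltName.
        proxy_ssl_name        es-cluster.example.internal;
        proxy_ssl_server_name on;
    }
}
```

Check the syntax with "nginx -t" before reloading, then make the single test request from the client that the reply suggests.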