1

I want to proxy https requests to a certain domain to another address:

server {
    server_name site1;
    listen 443;
    ssl on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://172.17.0.1:44110;
    }
}

Nginx complains with:

nginx: [emerg] no "ssl_certificate" is defined for the "ssl" directive in /etc/nginx/nginx.conf:33

The point is that the certificate is actually on the proxied server.

How can I tell nginx to not terminate the ssl layer, and simply proxy it to the configured url?

What I am looking for is something similar to this, but with server_name support.

blueFast

2 Answers

0

You should probably have to add:

proxy_ssl_session_reuse off; 

see here

Gustavo Topete
0

What you want to do is not possible in NGINX so far as I know. I actually had written out an answer that turned out to have duplicated the link you provided to another StackOverflow answer. If you consider what you are asking, it is in effect for NGINX to be able to Man-in-the-Middle the communication between the client browser and your origin. I don't think you really want this to be possible as it would make SSL/TLS quite useless.

You will either need to do what the linked StackOverflow answer does with the stream module, or you will need to move the certificate to be hosted by NGINX.

Cloudflare has created "Keyless" SSL which allows for the private material to be hosted elsewhere, but only the origin side of it is open source. You would have to modify NGINX to be able to implement the proxy side of the protocol, though perhaps someone else has done that as well. This is likely overkill for your needs.

Joshua DeWald
  • 1
    Actually, my formulation was a bit unclear. What I want is for nginx to not terminate ssl (since it has no cert in the setup that I am aiming for), but to *route* the requests to the right endpoint based on server name (domain), letting ssl terminate there. What nginx needs to do this is to be able to see the domain to which the requests are being sent. My understanding is that in the ssl layer the *communication content* is encrypted, but the endpoints (source / destination IPs and domains) are visible to the intermediate devices. – blueFast Mar 06 '18 at 06:43
  • 1
    I see, so in effect you want to route based on the Server Name Indication headers (note: this still isn't 100% supported by all browsers). While that would be cool, I'm not sure there is anything out of the box to support this within NGINX, as the `stream` module doesn't deal with hostnames at all. So you would need to have something custom in place. – Joshua DeWald Mar 06 '18 at 16:39
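
An added example, not part of the original question or answers: a TLS passthrough configuration that routes on the SNI name using nginx's `stream` block with `ngx_stream_ssl_preread_module` (nginx 1.11.5 or later), so no certificate is needed on the proxy. The second host name `site2` and its port are hypothetical placeholders; `site1` and `172.17.0.1:44110` are taken from the question.

```nginx
# Added example. Place at the top level of nginx.conf, NOT inside http {}.
# Requires nginx built with --with-stream and --with-stream_ssl_preread_module.
stream {
    # $ssl_preread_server_name is the SNI host name the client sent in its
    # ClientHello. It is read in cleartext; nothing is decrypted.
    map $ssl_preread_server_name $tls_backend {
        site1    172.17.0.1:44110;   # backend from the question
        site2    172.17.0.1:44120;   # hypothetical second backend
        # Clients that send no SNI, or a name not listed above, land here.
        # SNI is client-supplied and unauthenticated, so treat it as a
        # routing hint only; the backend's own certificate check still applies.
        default  172.17.0.1:44110;
    }

    server {
        # No "ssl" parameter and no ssl_certificate: nginx forwards the
        # raw TCP stream, and TLS terminates on the selected backend.
        listen 443;
        ssl_preread on;
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;

        # The proxy_set_header lines from the question cannot be used here,
        # because the HTTP request stays encrypted. To pass the client
        # address on, the PROXY protocol can be enabled, but only if the
        # backend is configured to accept it:
        # proxy_protocol on;
    }
}
```

An `http {}` server cannot listen on the same address and port as this `stream` server, so any site that nginx terminates itself has to move to another port or be reached through the same `map`.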