I'm totally new to NGINX.

I would like to use the free version (not NGINX Plus) to load-balance (reverse proxy) between 3 servers, and the connection must be SSL/443.

Do I put the SSL certificate on the NGINX load balancer server, or do I put 3 x SSL certs on the 3 web servers individually? I've heard mixed reviews. I'm looking for best performance.

Additional info: I'm using a wildcard SSL cert, and the other web servers are IIS with IP_Hash to keep sessions on the same web servers.

Jamie GF

2 Answers

Open your configuration file again for edit.

sudo nano /etc/nginx/conf.d/load-balancer.conf

Then add the following server segment to the end of the file.

server {
   listen 443 ssl;
   server_name domain_name;
   ssl_certificate /etc/letsencrypt/live/domain_name/cert.pem;
   ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

   location / {
      proxy_pass http://backend;
   }
}

Then save the file, exit the editor, and restart nginx again.

sudo systemctl restart nginx

With HTTPS enabled, you also have the option to enforce encryption on all connections to your load balancer.

server {
   listen 80;
   server_name domain_name;
   return 301 https://$server_name$request_uri;

   #location / {
   #   proxy_pass http://backend;
   #}
}

Save the file again after you have made the changes. Then restart nginx.

sudo systemctl restart nginx

Arpit Jain
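The answer above shows the shape of the TLS-terminating server block. Below is an added example (not the answerer's configuration) of the complete "certificate on the load balancer only" setup the question asks about: one wildcard certificate on nginx, an ip_hash upstream so each client sticks to one IIS server, plain HTTP to the back ends, and a redirect from port 80. The upstream name `backend`, the host names, the back-end IPs and the certificate paths are placeholders. It differs from the answer's snippet in three places a practitioner would want: TLS 1.0/1.1 are dropped (deprecated by RFC 8996), the redirect uses `$host` rather than `$server_name` because with a wildcard `server_name` the latter would not carry the subdomain the client requested, and `X-Forwarded-Proto` is passed so IIS knows the original request was HTTPS.

```nginx
# Added example (not the answer's own config): TLS terminated at the nginx
# load balancer ("SSL offloading"), plain HTTP to the three IIS back ends.
# Host names, IPs and certificate paths are placeholders.

upstream backend {
    ip_hash;                      # pin a client IP to one IIS server (session stickiness)
    server 10.0.0.11:80;          # placeholder back-end addresses
    server 10.0.0.12:80;
    server 10.0.0.13:80;
}

server {
    listen 80;
    server_name example.com *.example.com;   # placeholder; the wildcard cert covers *.example.com
    return 301 https://$host$request_uri;    # $host keeps the requested subdomain
}

server {
    listen 443 ssl;
    server_name example.com *.example.com;

    # The single wildcard certificate lives only on the load balancer.
    # Serve the full chain (leaf + intermediates), not the leaf alone.
    ssl_certificate     /etc/nginx/tls/wildcard.example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;            # placeholder path

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption skips the full handshake on repeat connections,
    # which is the main TLS cost once termination sits on the balancer.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://backend;
        # Tell IIS who the real client is and that the original request was HTTPS;
        # otherwise it only sees plain HTTP arriving from the balancer's IP.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `sudo nginx -t` before restarting. Because the back-end hop is plain HTTP, this layout assumes the network between the balancer and the IIS servers is trusted; the second answer below discusses when that assumption does not hold.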

This question was asked already in the StackExchange network, but I'm going to try and answer your question anyway.

The performance impact should be noticeable, but it really depends on what you're running.

One thing to consider when using multiple certificates is that once the request hits the load balancer, it stays secure inside the datacenter/network.

This is useful in cases where you don't own the hardware and don't have physical access to the machines/datacenter. This is because there are probably multiple people running servers and applications in a shared space, and you can't know for sure if someone in that network is snooping around and watching the traffic. You just can't be sure that's not going to happen.

Using only one certificate (for the load balancer) is called 'SSL Offloading' and you can and should find out more about it here:

Tom
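The answer above describes the case for certificates on the back ends: the hop between the balancer and the web servers stays encrypted. Below is an added example (not the answerer's configuration) of how that looks in the free nginx: TLS is still terminated on the balancer, but `proxy_pass` goes to `https://` back ends and nginx verifies their certificates. The upstream name `backend`, the IPs, the CA bundle and the key paths are placeholders. The point the config makes that prose alone does not: `proxy_pass https://...` on its own encrypts but does not authenticate, because `proxy_ssl_verify` defaults to off, so any host on the shared network could present a self-signed certificate and be accepted. Verification plus `proxy_ssl_name` is what actually closes the snooping scenario the answer describes.

```nginx
# Added example (not the answer's own config): TLS terminated on the balancer
# and re-encrypted to each IIS back end, so the hop inside the datacenter is
# also protected. Each IIS server carries its own certificate (the wildcard
# cert can be installed on all three). IPs and paths are placeholders.

upstream backend {
    ip_hash;
    server 10.0.0.11:443;         # placeholder back-end addresses, now speaking TLS
    server 10.0.0.12:443;
    server 10.0.0.13:443;
}

server {
    listen 443 ssl;
    server_name example.com *.example.com;
    ssl_certificate     /etc/nginx/tls/wildcard.example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;            # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://backend;

        # proxy_ssl_verify is OFF by default: without these lines nginx encrypts
        # to the back end but accepts ANY certificate, so a host on the same
        # network could still impersonate an IIS server. Verify the chain
        # against the CA that issued the back-end certificates.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;   # placeholder: CA bundle for the back-end certs

        # Send SNI and check the certificate against the name the client asked
        # for (which the wildcard cert on each IIS server covers). The default
        # proxy_ssl_name would be the upstream name "backend" and fail verification.
        proxy_ssl_server_name on;
        proxy_ssl_name        $host;

        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;   # resume sessions to the back ends instead of a full handshake per connection

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The cost of this layout relative to offloading is a second TLS handshake per new back-end connection; `proxy_ssl_session_reuse` and keeping the back-end connections alive keep that to a small fraction of the client-side handshake cost. Which layout wins on "best performance" therefore depends less on nginx than on whether the network between the balancer and the IIS servers is one you control.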