Nginx Load Balancing – Upstream SSL Name Configuration

Tags: load balancing, nginx

I have the following Nginx configuration to balance the load among different nodes. However, when I try to redirect the traffic I obtain 502 Bad gateway.

By reading the error log I found out that the problem is related to the fact that my Nginx load balancer is trying to verify the validity of the X509 certificate NOT for the various nodes (backend1.example.com, backend2.example.com), but for the name of the upstream, backend.example.com (without the number), leading to the error shown below.

How can I tell nginx to use the hostname of the forwarded node, instead of the one of the upstream?

ERROR LOG:

upstream SSL certificate does not match "backend.example.com" while SSL handshaking to upstream...

CONFIGURATION:

upstream backend.example.com {
    least_conn;
    # each server directive must end with a semicolon
    server backend1.example.com:443;
    server backend2.example.com:443;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name example.com;

    location / {
        # the host part of this URL (the upstream name) is what nginx
        # verifies the backend certificate against
        proxy_pass https://backend.example.com;

        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_set_header Host $host;
    }

    ssl_certificate /etc/letsencrypt/.../fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/.../privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Best Answer

According to the nginx developers, you need to share the same TLS certificate between all backend servers. See the following bug report: https://trac.nginx.org/nginx/ticket/1307#comment:5
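The following is an added example, not part of the question or the answer, that reproduces offline the check nginx performs when proxy_ssl_verify is on: the certificate presented by whichever node is chosen must validate for the upstream name in proxy_pass (backend.example.com in the question), not for the node's own name. It builds two constructed self-signed certificates with openssl, one carrying only the node name as in the question and one shared certificate whose subjectAltName covers the upstream name and every node as the answer recommends, and verifies each against the upstream name. All names, file paths and the helper functions are assumptions made for the example; it requires openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example: emulate nginx's upstream hostname check with openssl.
# Assumptions: openssl >= 1.1.1 on PATH; every hostname below is hypothetical.
set -e
WORK=$(mktemp -d)

# make_cert <prefix> <san-list>: constructed self-signed certificate with the given SANs
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# cert_matches_name <cert> <hostname>: exit 0 if the certificate validates for <hostname>,
# which is the test nginx applies to the upstream name (proxy_pass host or proxy_ssl_name)
cert_matches_name() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Per-node certificate as in the question: only the node's own name
make_cert backend1 "DNS:backend1.example.com"

# Shared certificate as the answer recommends: upstream name plus every node name
make_cert shared "DNS:backend.example.com,DNS:backend1.example.com,DNS:backend2.example.com"

# Node-only certificate checked against the upstream name: fails, like the 502 in the question
check_node_only() { cert_matches_name "$WORK/backend1.crt" backend.example.com; }

# Shared certificate checked against the upstream name: passes
check_shared() { cert_matches_name "$WORK/shared.crt" backend.example.com; }

# Each node still validates under its own name with the shared certificate
check_shared_node2() { cert_matches_name "$WORK/shared.crt" backend2.example.com; }
```

Run against a real deployment, the same check is `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -verify_hostname backend.example.com <node-cert.pem>` for each node's certificate; if any node fails it, nginx will refuse the handshake to that node with the error from the question.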