I am currently using the following (simplified) configuration to proxy http and https connections over the same port (required by aws elastic beanstalk):
server {
listen 777 ssl;
server_name foo.com;
ssl_certificate /etc/nginx/ssl/foo.crt;
ssl_certificate_key /etc/nginx/ssl/foo;
root /usr/share/nginx/www;
index index.html index.htm;
error_page 418 = @upstream;
error_page 497 = @upstream;
location / {
return 418;
}
location @upstream {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8080;
}
}
I want to change upstream to uwsgi and let uwsgi handle ssl because it would simplify deployment.
How can I adjust my configuration to work for SNI HTTPS and HTTP without Nginx decrypting the ssl traffic?
Best Answer
NO, you can't do with Nginx. By default, Nginx is always decrypting content, so Nginx can apply request routing. Some solution that can be tried:
There are 3rd party module called nginx_tcp_proxy_module. I haven't tried it yet. Because that module do proxy on network layer, so it will passing request without decryption.
The preferred solution is use HAProxy. This tutorial suggest that you can do TCP proxy with SNI capabilities.
Sidenote
By default, Nginx always act as SSL offloading/decryption process on proxy. Here some the advantages doing SSL offloading (taken from here)