Nginx load balance with upstream SSL

nginxssl

Trying to setup Nginx as load balancer for https servers. The upstream serves over port 443 with SSL certificates configured. How to configure Nginx, so that the SSL certificate configuration is handled only on the upstream servers and not in the Nginx server?

Best Answer

You need to use Upstream module, and Reverse Proxy module. To reverse proxy to the https upstream, use this

proxy_pass  https://backend;

where backend is an uptream block.

However, if I were doing this, I'd terminate ssl on the nginx server, and make upstream app servers doing what they are good at: serving the content, instead of worrying about ssl encryption/decryption overhead. Setting up ssl termination on nginx is also very simple using the SSL module. A very good case study is also given here.

Related Solutions

How are ssl certificates verified

Here is a very simplified explanation:

Your web browser downloads the web server's certificate, which contains the public key of the web server. This certificate is signed with the private key of a trusted certificate authority.
Your web browser comes installed with the public keys of all of the major certificate authorities. It uses this public key to verify that the web server's certificate was indeed signed by the trusted certificate authority.
The certificate contains the domain name and/or ip address of the web server. Your web browser confirms with the certificate authority that the address listed in the certificate is the one to which it has an open connection.
Your web browser generates a shared symmetric key which will be used to encrypt the HTTP traffic on this connection; this is much more efficient than using public/private key encryption for everything. Your browser encrypts the symmetric key with the public key of the web server then sends it back, thus ensuring that only the web server can decrypt it, since only the web server has its private key.

Note that the certificate authority (CA) is essential to preventing man-in-the-middle attacks. However, even an unsigned certificate will prevent someone from passively listening in on your encrypted traffic, since they have no way to gain access to your shared symmetric key.

Git – SSL certificate rejected trying to access GitHub over HTTPS behind firewall

The problem is that you do not have any of Certification Authority certificates installed on your system. And these certs cannot be installed with cygwin's setup.exe.

Update: Install Net/ca-certificates package in cygwin (thanks dirkjot)

There are two solutions:

Actually install root certificates. Curl guys extracted for you certificates from Mozilla.

cacert.pem file is what you are looking for. This file contains > 250 CA certs (don't know how to trust this number of ppl). You need to download this file, split it to individual certificates put them to /usr/ssl/certs (your CApath) and index them.

Here is how to do it. With cygwin setup.exe install curl and openssl packages execute:
```
$ cd /usr/ssl/certs
$ curl http://curl.haxx.se/ca/cacert.pem |
  awk '{print > "cert" (1+n) ".pem"} /-----END CERTIFICATE-----/ {n++}'
$ c_rehash
```
Important: In order to use c_rehash you have to install openssl-perl too.
Ignore SSL certificate verification.

WARNING: Disabling SSL certificate verification has security implications. Without verification of the authenticity of SSL/HTTPS connections, a malicious attacker can impersonate a trusted endpoint (such as GitHub or some other remote Git host), and you'll be vulnerable to a Man-in-the-Middle Attack. Be sure you fully understand the security issues and your threat model before using this as a solution.
```
$ env GIT_SSL_NO_VERIFY=true git clone https://github...
```

Best Answer

Related Solutions

How are ssl certificates verified

Git – SSL certificate rejected trying to access GitHub over HTTPS behind firewall

Related Topic