SSL pass through

Jonathan Matthews contact at
Wed Jan 2 21:25:59 UTC 2013

On 2 January 2013 21:14, zuger <nginx-forum at> wrote:
> Thank you for the quick answer. I will be a little more precise.
> I would like to forward https requests to different backend servers based on
> the hostname header, e.g. should be forwarded to
> and to

You can't do this HTTP-level routing inside nginx without allowing
nginx to terminate the SSL connection, which would require the
certificates to be available to nginx at startup/reload.

Have a read of for a
decent discussion of the generic (HTTPd-agnostic) possibilities and

> You mentioned something like a tcp port forwarder. Is this tcp port
> forwarding part of the NGINX configuration or something outside NGINX?

I would personally use HAProxy in TCP mode for this purpose, however
there's a non-trivial operational/PCI-DSS/code problem that crops up
when you *don't* terminate your SSL at the network edge: you lose
visibility of the client's IP address at the point at which you *do*
terminate the SSL. You lose this visibility regardless of any
X-Forwarded-For headers you might use. The HAProxy "PROXY" protocol is
a possible fix for this, but it's not yet available in a stable
release of HAProxy.

Basically, terminate your SSL at the edge. Or get people who
understand your problem/app domain, SSL, and security to design a
solution for you.

Jonathan Matthews // Oxford, London, UK
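
An added illustration, not part of the original message and not HAProxy's or nginx's own code: how the host that finally terminates SSL can recover the client address from a PROXY protocol header sent ahead of the TLS bytes by a TCP-mode balancer. It assumes the protocol's version 1 text format; the function names, the balancer address 10.0.0.2 and the sample bytes are constructed for the example.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest v1 header the spec allows, CRLF included
TRUSTED_PROXIES = {"10.0.0.2"}  # assumption: address of the TCP-mode balancer

def parse_proxy_v1(data: bytes):
    """Split a PROXY v1 line off the stream.

    Returns ((src_ip, src_port, dst_ip, dst_port) or None, rest_of_stream).
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF-terminated header within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":  # proxy could not name the client
        return None, rest
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    ip_cls = ipaddress.IPv4Address if fields[1] == "TCP4" else ipaddress.IPv6Address
    src, dst = ip_cls(fields[2]), ip_cls(fields[3])  # raises ValueError if bad
    ports = []
    for p in fields[4:6]:
        if not p.isdigit() or int(p) > 65535:
            raise ValueError("bad port")
        ports.append(int(p))
    return (str(src), ports[0], str(dst), ports[1]), rest

def client_address(peer_ip: str, data: bytes):
    """Client IP to log or enforce on, plus the bytes to hand to the TLS layer."""
    if peer_ip not in TRUSTED_PROXIES:
        # Anyone can send a PROXY line; accept it only from our own balancer.
        raise PermissionError("PROXY header from untrusted peer")
    addrs, rest = parse_proxy_v1(data)
    return (addrs[0] if addrs else peer_ip), rest

# Constructed sample: header followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\n\x16\x03\x01"
```

The address taken from the header is only as trustworthy as the peer that sent it, which is why the check on the socket peer comes before any parsing.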
