Proxy to upstream HTTPS server *without* any keys/certs in nginx

Jonathan Matthews contact at
Tue Sep 24 18:23:54 UTC 2013

On 24 Sep 2013 18:55, "Gary Chodos" <gchodos at> wrote:
> Hello,
> We are researching which tools would allow us to do what is described in
the subject.
> After searching the archives here and in other places like stackoverflow,
there seems to be conflicting info on whether this is possible.  Perhaps it
was not doable early in nginx's life but is now?  Based on the below link
(which notes the upstream and reverse proxy modules), can we now have nginx
listen on 443, and pass browser requests to it on to an upstream HTTPS
server which actually serves content, has the certs/keys and takes care of
SSL handshake etc?

I don't believe so, no.

> In our use case we cannot house any keys/certs on the nginx box so
must proxy everything (including SSL) to the upstream https box, as if the
end user (who makes the request from the browser) hit the upstream server
directly, and doesn't have any missing or mismatching certificate errors.

It sounds like you just need a TCP-layer proxy. I suggest HAProxy in TCP


I don't believe the answer there is correct. I don't believe you can
reverse-proxy an SSL connection into nginx without terminating it first,
using local certs.

I will happily be shown I'm wrong, however :-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list