Proxy to upstream HTTPS server *without* any keys/certs in nginx

Gary Chodos gchodos at
Wed Sep 25 14:57:42 UTC 2013

On Tuesday, September 24, 2013, Jonathan Matthews wrote:

> On 24 Sep 2013 18:55, "Gary Chodos" <gchodos at <javascript:_e({},
> 'cvml', 'gchodos at');>> wrote:
> >
> > Hello,
> >
> > We are researching which tools would allow us to do what is described in
> the subject.
> >
> > After searching the archives here and in other places like
> stackoverflow, there seems to be conflicting info on whether this is
> possible.  Perhaps it was not doable early in nginx's life but is now?
>  Based on the below link (which notes the upstream and reverse proxy
> modules), can we now have nginx listen on 443, and pass browser requests to
> it on to an upstream HTTPS server which actually serves content, has the
> certs/keys and takes care of SSL handshake etc?
> I don't believe so, no.
> > In our use case we cannot house any keys/certs on the nginx box so
> must proxy everything (including SSL) to the upstream https box, as if the
> end user (who makes the request from the browser) hit the upstream server
> directly, and doesn't have any missing or mismatching certificate errors.
> It sounds like you just need a TCP-layer proxy. I suggest HAProxy in TCP
> mode.

Bingo!  This works perfectly.  Thanks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list