N00b - confused ssl

Joel Parker joel.parker.gm at gmail.com
Wed Apr 26 11:42:16 UTC 2017


So it sounds like if I want to decrypt incoming traffic and upstream
traffic I would put them in the same block like this?

# log_format is only allowed in the http context, so it sits outside the
# server block.
log_format replay '[$time_local] $server_name $status $content_type '
                  '$request_method XX_HOST_XX$request_uri '
                  'Authorization:"$http_authorization" $request_body_file';

server {

    ######################################################################
    # This is acting like the server side to decrypt the incoming traffic
    ######################################################################

    listen 443 ssl;         # 'ssl' parameter tells NGINX to decrypt the traffic
    server_name _;          # any server

    # server certificate (leaf plus any intermediates) in PEM format
    ssl_certificate        /etc/ssl/certs/server.crt;

    # private key matching the server certificate
    ssl_certificate_key    /etc/ssl/certs/server.key;

    ssl_protocols    TLSv1.2;
    ssl_ciphers      HIGH:!aNULL:!MD5;

    # can tweak caching strategy if needed
    ssl_session_cache      shared:SSL:20m;
    ssl_session_timeout    4h;
    # ssl_handshake_timeout is a stream-module directive; nginx rejects it
    # in an http server block, so it is omitted here.

    ######################################################################
    # This is acting like the client side and re-encrypting
    ######################################################################

    proxy_ssl    on;

    # ssl client cert presented to the backend
    proxy_ssl_certificate        /etc/ssl/certs/backend.crt;

    # ssl client private key
    proxy_ssl_certificate_key    /etc/ssl/certs/backend.key;
    proxy_ssl_protocols    SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers      HIGH:!aNULL:!MD5;

    # required when proxy_ssl_verify is on: the CA that signed the backend
    # certificate; without it every upstream handshake fails verification
    proxy_ssl_trusted_certificate    /etc/ssl/certs/trusted_ca_cert.crt;

    proxy_ssl_verify          on;
    proxy_ssl_verify_depth    2;
    proxy_ssl_session_reuse   on;

    client_body_in_file_only on;
    access_log /var/log/nginx/request_response.log replay;

    location / {
        # 'https' prefix tells NGINX to encrypt the traffic;
        # 'backend' must be an upstream block or a resolvable host name
        proxy_pass https://backend;
    }
}

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <r at roze.lv> wrote:

> > so if I put both of these in one server block so that the incoming is
> > decrypted and the outgoing is decrypted. Do I put both the server and
> > client certs in the same server block?
> > confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide
> a client certificate via proxy_ssl_certificate
> (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate).
>
> - If your clients need to authenticate versus your nginx proxy then you
> use ssl_verify_client / ssl_trusted_certificate
> (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client).
>
> - If your backend requires passing through the user certificates it's a
> bit tricky as depending on backend it might or might not work
> https://trac.nginx.org/nginx/ticket/857
>
> rr
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
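The three cases Reinis lists (proxy authenticating to the backend with a client certificate, clients authenticating to the proxy, and handing the verified client identity on to the backend) fit in one server block. The configuration below is an added example written for this thread, not a config from either poster or from the nginx project; the host names, file paths, the `backend` upstream address and the header names are assumptions.

```nginx
# Added example: terminate TLS from clients, verify them, and re-encrypt
# to the backend with mutual authentication. All paths and names assumed.

log_format replay '[$time_local] $server_name $status $request_method '
                  '$request_uri client_dn="$ssl_client_s_dn" '
                  'upstream="$upstream_addr"';

upstream backend {
    server 10.0.0.10:8443;   # assumed backend address
}

server {
    listen 443 ssl;
    server_name proxy.example.com;

    # Server side: leaf certificate (plus intermediates) and key for this host.
    ssl_certificate     /etc/ssl/certs/proxy.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/proxy.example.com.key;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 4h;

    # Case 2: clients must present a certificate issued by our client CA.
    ssl_client_certificate /etc/ssl/certs/client_ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    access_log /var/log/nginx/proxy.log replay;

    location / {
        # Client side towards the backend: the https scheme re-encrypts.
        proxy_pass https://backend;

        # Case 1: the backend requires a client certificate from the proxy.
        proxy_ssl_certificate     /etc/ssl/certs/proxy-to-backend.crt;
        proxy_ssl_certificate_key /etc/ssl/private/proxy-to-backend.key;
        proxy_ssl_protocols       TLSv1.2;
        proxy_ssl_ciphers         HIGH:!aNULL:!MD5;

        # Verify the backend certificate against the CA that issued it;
        # proxy_ssl_verify on does nothing useful without a trusted CA file.
        proxy_ssl_trusted_certificate /etc/ssl/certs/backend_ca.pem;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_name          backend.internal;   # name expected in the backend cert
        proxy_ssl_server_name   on;                 # also sent as SNI
        proxy_ssl_session_reuse on;

        # Case 3: pass the verified client identity to the backend. The backend
        # must accept these headers only from this proxy, since any other
        # caller could set them. $ssl_client_escaped_cert needs nginx 1.13.5+.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Cert   $ssl_client_escaped_cert;
    }
}
```

Run `nginx -t` after installing the files; a missing `proxy_ssl_trusted_certificate` does not fail the syntax check but shows up at runtime as "upstream SSL certificate verify error" in the error log, which is the check worth doing before trusting the re-encrypted leg.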