SSL passthrough

Francis Daly francis at daoine.org
Wed Feb 2 13:29:35 UTC 2022


On Fri, Jan 28, 2022 at 10:22:42AM -0300, Daniel Armando Rodriguez via nginx wrote:

Hi there,

> I have an RP in front of several services and now need to add SSL passthrough
> for some of them. So, with this goal set up this config
> 
> stream {
>     map $ssl_preread_server_name $name {
>     sub1.DOMAIN   sub1;
>     sub2.DOMAIN   sub2;
>     sub3.DOMAIN   sub3;
>     sub4.DOMAIN   sub4;
>  }

Side point -- you might want a "default" there too, in case the incoming
name is not one of the expected set.

>  upstream sub1 {
>     server x.y.z.1:443;
>  }
> 
>  upstream sub2 {
>     server x.y.z.1:443;
>  }
> 
>  upstream sub3 {
>     server x.y.z.1:443;
>  }
> 
>  upstream sub4 {
>     server x.y.z.1:443;
>  }
> 
>  server {
>     listen 443;
>     proxy_pass $name;
>     ssl_preread on;
>  }
> }
> 
> And yes, four subdomains are hosted in the same VM. This has to do with the
> peculiarities of the software used.

I guess that this is not the entire config? Because this is "send
everything to the same upstream", which should not need any special
handling -- just proxy_pass there always.

> In order to catch HTTP traffic, and redirect, add this to each subdomain
> server.
> 
> server {
>   listen 80;
>   return 301 https://$host$request_uri;
>  }

That part would be in the http{} section, not the stream{} section.

And all of the usual caveats about "the rest of the config might matter too" apply.

But...

> Is this the right way to go or am I missing something?

...that config more-or-less matches the example config at
https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html,
so it looks right to me.

Do you see a problem when you try using it?

> Also tried to upgrade nginx using Debian repo but wasn't possible.
> Currently installed 1.14.2 under Debian Buster

If you can show the commands that you ran, and the response that you got,
someone might be able to show why things failed.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
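
The two points from the reply above (a "default" entry in the map, and the port-80 redirect placed in http{}), as an added example that is not part of the original message or of the nginx documentation. The hostnames, addresses, the "reject" upstream and local port 8443 are constructed placeholders; events{} and the rest of nginx.conf are assumed to exist.

```nginx
# Added example; hostnames and addresses are constructed placeholders.

stream {
    # Pick an upstream group from the SNI name in the ClientHello.
    # TLS is not terminated here; the backend holds the certificates.
    map $ssl_preread_server_name $name {
        sub1.example.com   sub1;
        sub2.example.com   sub2;
        # No SNI, or a name that is not listed: send to the sink below
        # instead of leaving $name empty.
        default            reject;
    }

    upstream sub1   { server 192.0.2.10:443; }
    upstream sub2   { server 192.0.2.11:443; }
    upstream reject { server 127.0.0.1:8443; }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $name;
    }

    # Sink for unexpected names: accept and close without sending anything.
    server {
        listen 127.0.0.1:8443;
        return "";
    }
}

http {
    # The port-80 redirect lives here, not in stream{}.
    server {
        listen 80;
        server_name sub1.example.com sub2.example.com;
        return 301 https://$host$request_uri;
    }

    # Requests for any other Host header get no redirect.
    server {
        listen 80 default_server;
        return 444;
    }
}
```

Listing the expected names in server_name keeps the redirect from echoing an arbitrary client-supplied Host header back in the Location response.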


