nginx load balance TLS elasticsearch

Francis Daly francis at daoine.org
Tue Mar 15 23:49:13 UTC 2022


On Mon, Mar 14, 2022 at 03:15:43PM -0400, borys_85 wrote:

Hi there,

> Thanks, I've already found this missing curly bracket, but

Good that you found the fix :-)

> I'm forcing in my environment a setup of nginx for Elasticsearch:
> What I have a problem with is the correct configuration to connect NGINX over
> TLS to my nodes.
> 
> Below you can find my configuration; maybe you can point out to me what's wrong
> in this part. I'm also using a crt and key per node, so I need to
> break it down into groups/locations.
> Do you have some example configs with TLS?

I'm not sure what exactly you want.

If the client should talk to nginx using https, then you need
"listen _port_ ssl" in this server{}, along with ssl_certificate and
ssl_certificate_key accessible in this server{}. The client will have
to trust that certificate.

If nginx should talk to upstream using https for some requests, then
you need proxy_pass https://_upstream_server_ in the location{} for
those requests; if *that* upstream server wants nginx to authenticate
using a client certificate, then you need proxy_ssl_certificate and
proxy_ssl_certificate_key accessible in this location{}.

(And if you want nginx to validate the certificate provided by that
upstream server, you want proxy_ssl_trusted_certificate accessible in
this location{}.)


In the example config included, your "listen 9200" means that nginx is
listening for http not https, and the proxy_pass means that nginx is
talking https to the upstream servers.

Your "listen 9201 ssl" means that nginx is listening for https not http,
and the proxy_pass means that nginx is talking http to the upstream
servers.

And the same for the 9238 and 9210 server{}s.

Once you decide how the client should talk to nginx (http or https),
and how nginx should talk to upstream (http or https), you can set the
"listen" and "proxy_pass" directives appropriately; and then you can
make one test request from the client and see what the response is.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
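
The two directions Francis describes, written out as one added configuration example (not from the original thread or from Francis): clients reach nginx over HTTPS on 9200, and nginx reaches the Elasticsearch nodes over HTTPS, validating their certificates and presenting a client certificate. All hostnames, paths and addresses are placeholders.

```nginx
upstream es_nodes {
    # Hypothetical node addresses; the nodes themselves speak HTTPS on 9200.
    server es-node-1.example.internal:9200;
    server es-node-2.example.internal:9200;
    keepalive 16;
}

server {
    # Client -> nginx over TLS: "listen ... ssl" plus a cert/key the client trusts.
    listen 9200 ssl;
    server_name es-proxy.example.internal;
    ssl_certificate     /etc/nginx/tls/es-proxy.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/es-proxy.key;   # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # nginx -> upstream over TLS: the https:// scheme in proxy_pass does it.
        proxy_pass https://es_nodes;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;

        # Validate the node's server certificate instead of accepting any cert.
        proxy_ssl_trusted_certificate /etc/nginx/tls/es-ca.crt;  # placeholder CA
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_server_name   on;
        proxy_ssl_name          es-node.example.internal;  # name on node certs

        # Client certificate nginx presents if the nodes require one.
        proxy_ssl_certificate     /etc/nginx/tls/es-client.crt;  # placeholder
        proxy_ssl_certificate_key /etc/nginx/tls/es-client.key;  # placeholder
    }

    # With a distinct client cert per node (as in the thread), use one
    # location{} per node, each with its own proxy_pass and cert pair.
    location /node2/ {
        proxy_pass https://es-node-2.example.internal:9200/;
        proxy_ssl_certificate         /etc/nginx/tls/es-client-node2.crt;
        proxy_ssl_certificate_key     /etc/nginx/tls/es-client-node2.key;
        proxy_ssl_trusted_certificate /etc/nginx/tls/es-ca.crt;
        proxy_ssl_verify              on;
    }
}
```

Run `nginx -t` after editing, then make the single test request Francis suggests (for example `curl --cacert <proxy CA> https://es-proxy.example.internal:9200/`) and check both the response and the error log for any proxy_ssl_verify failure.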