<div dir="ltr">So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this ?<br><br>
# log_format is only allowed in the http context, so it has to sit outside server {}<br>
log_format replay '[$time_local] $server_name $status $content_type $request_method XX_HOST_XX$request_uri Authorization:"$http_authorization" $request_body_file';<br><br>
server {<br>
        ######################################################################<br>
        # This is acting like the server side to decrypt the incoming traffic<br>
        ######################################################################<br><br>
        listen 443 ssl;    # 'ssl' parameter tells NGINX to decrypt the traffic<br>
        server_name _;        # any server<br><br>
        # server certificate in PEM format<br>
        ssl_certificate        /etc/ssl/certs/server.crt;<br><br>
        # server private key<br>
        ssl_certificate_key    /etc/ssl/certs/server.key;<br><br>
        ssl_protocols    TLSv1.2;<br>
        ssl_ciphers    HIGH:!aNULL:!MD5;<br><br>
        # can tweak caching strategy if needed<br>
        ssl_session_cache    shared:SSL:20m;<br>
        ssl_session_timeout    4h;<br>
        # ssl_handshake_timeout only exists in the stream module; in http the<br>
        # handshake is bounded by client_header_timeout<br>
        client_header_timeout    30s;<br><br>
        ######################################################################<br>
        # This is acting like the client side and re-encrypting<br>
        ######################################################################<br><br>
        proxy_ssl    on;<br><br>
        # ssl client cert<br>
        proxy_ssl_certificate    /etc/ssl/certs/backend.crt;<br><br>
        # ssl client private key<br>
        proxy_ssl_certificate_key    /etc/ssl/certs/backend.key;<br>
        proxy_ssl_protocols    SSLv3 TLSv1 TLSv1.1 TLSv1.2;<br>
        proxy_ssl_ciphers    HIGH:!aNULL:!MD5;<br><br>
        # CA bundle used to verify the backend certificate; proxy_ssl_verify on<br>
        # fails every upstream handshake unless the issuing CA is listed here<br>
        proxy_ssl_trusted_certificate    /etc/ssl/certs/trusted_ca_cert.crt;<br><br>
        proxy_ssl_verify    on;<br>
        proxy_ssl_verify_depth    2;<br>
        proxy_ssl_session_reuse    on;<br><br>
        client_body_in_file_only on;<br>
        access_log /var/log/nginx/request_response.log replay;<br><br>
        location / {<br>
            proxy_pass https://backend; # 'https' prefix tells NGINX to encrypt the traffic<br>
        }<br>
    }<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <span dir="ltr"><<a href="mailto:r@roze.lv" target="_blank">r@roze.lv</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> so if I put both of these in one server block so that the incoming is de-crypted and the outgoing is decrypted. Do I put both the server and client certs in the same server block ?<br>
confused.<br>
<br>
</span>Depends on what setup/requirements you actually have:<br>
<br>
- If your backend server requires authentication then you have to provide a client certificate via proxy_ssl_certificate (<a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate</a> ).<br>
<br>
- If your clients need to authenticate versus your nginx proxy then you use ssl_verify_client / ssl_trusted_certificate ( <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client</a> ).<br>
<br>
- If your backend requires passing through the user certificates it's a bit tricky as depending on backend it might or might not work <a href="https://trac.nginx.org/nginx/ticket/857" rel="noreferrer" target="_blank">https://trac.nginx.org/nginx/ticket/857</a><br>
<br>
rr<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br></div>
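The three cases in the reply above, laid out in one http block as an added example (not the poster's config and not from the nginx project): log_format in the http context, client-certificate verification on the listening side, and a verified, mutually authenticated leg to the backend. Hostnames, file paths, the upstream address and the forwarding header names are assumptions; the surrounding events block of a full nginx.conf is omitted.

```nginx
http {
    # log_format is only valid in the http context, never inside server {}
    log_format replay '[$time_local] $server_name $status $request_method '
                      '$request_uri client_verify=$ssl_client_verify';

    upstream backend { server 10.0.0.10:8443; }   # assumed backend address
    server {
        # ---- server side: decrypt what clients send us ----
        listen 443 ssl;
        server_name proxy.example.test;              # assumed
        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/private/server.key;
        ssl_protocols          TLSv1.2;
        ssl_ciphers            HIGH:!aNULL:!MD5;
        ssl_session_cache      shared:SSL:20m;
        ssl_session_timeout    4h;
        # Reply's second case: clients must present a certificate chaining to
        # this CA; "on" rejects the handshake if they do not
        ssl_client_certificate /etc/ssl/certs/client_ca.crt;
        ssl_verify_client      on;
        ssl_verify_depth       2;

        access_log /var/log/nginx/request_response.log replay;

        location / {
            # ---- client side: re-encrypt toward the backend ----
            proxy_pass https://backend;
            proxy_ssl_protocols        TLSv1.2;
            # Reply's first case: the backend demands a client certificate from nginx
            proxy_ssl_certificate      /etc/ssl/certs/backend-client.crt;
            proxy_ssl_certificate_key  /etc/ssl/private/backend-client.key;

            # Verify the backend: proxy_ssl_verify fails unless the issuing CA is
            # in proxy_ssl_trusted_certificate, and proxy_ssl_name must be set
            # because "backend" (the upstream group name) is not in its certificate
            proxy_ssl_trusted_certificate /etc/ssl/certs/backend_ca.crt;
            proxy_ssl_verify           on;
            proxy_ssl_verify_depth     2;
            proxy_ssl_server_name      on;
            proxy_ssl_name             backend.internal.test;   # assumed SAN
            # Reply's third case: TLS ends here, so the user's certificate cannot
            # be passed through; forward it in a header instead (nginx 1.13.5+ for
            # $ssl_client_escaped_cert). proxy_set_header overwrites any value a
            # client sent, so the backend may trust it only if reachable solely
            # through this proxy
            proxy_set_header X-SSL-Client-Cert   $ssl_client_escaped_cert;
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        }
    }
}
```

Run `nginx -t` after dropping this into the http context; a log_format or ssl_handshake_timeout left inside server {} is reported there as "not allowed here" or "unknown directive" before anything listens.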