<div dir="ltr">So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this?<br><br>http {<br> # log_format is only valid in the http context, not inside server {}<br> log_format replay '[$time_local] $server_name $status $content_type $request_method XX_HOST_XX$request_uri Authorization:"$http_authorization" $request_body_file';<br><br> server {<br> ######################################################################<br> # This is acting like the server side to decrypt the incoming traffic<br> ######################################################################<br><br> listen 443 ssl; # 'ssl' parameter tells NGINX to decrypt the traffic<br> server_name _; # any server<br><br> # server certificate in PEM format (followed by any intermediates), not the root cert<br> ssl_certificate /etc/ssl/certs/server.crt;<br><br> # server private key<br> ssl_certificate_key /etc/ssl/certs/server.key;<br><br> ssl_protocols TLSv1.2;<br> ssl_ciphers HIGH:!aNULL:!MD5;<br><br> # can tweak caching strategy if needed<br> ssl_session_cache shared:SSL:20m;<br> ssl_session_timeout 4h;<br> # ssl_handshake_timeout only exists in the stream/mail modules; in http the handshake is bounded by client_header_timeout<br> client_header_timeout 30s;<br><br> ######################################################################<br> # This is acting like the client side and re-encrypting<br> ######################################################################<br><br> # 'proxy_ssl on' is a stream-module directive; in http the https:// scheme in proxy_pass is what enables TLS to the backend<br><br> # ssl client cert<br> proxy_ssl_certificate /etc/ssl/certs/backend.crt;<br><br> # ssl client private key<br> proxy_ssl_certificate_key /etc/ssl/certs/backend.key;<br> # SSLv3/TLSv1.0/1.1 dropped; offer the backend nothing weaker than the listener accepts<br> proxy_ssl_protocols TLSv1.2;<br> proxy_ssl_ciphers HIGH:!aNULL:!MD5;<br><br> # proxy_ssl_verify needs a trust anchor: nginx rejects the config with "no proxy_ssl_trusted_certificate for proxy_ssl_verify" if this is missing<br> proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;<br> proxy_ssl_verify on;<br> proxy_ssl_verify_depth 2;<br> # send SNI; proxy_ssl_name defaults to the host in proxy_pass ("backend") and must match the backend cert<br> proxy_ssl_server_name on;<br> proxy_ssl_session_reuse on;<br><br> # 'on' keeps every request body file on disk; 'clean' removes it once the request is done<br> client_body_in_file_only on;<br> # this log stores the Authorization header (credentials/tokens) and the path to each body file, so restrict access to it<br> access_log /var/log/nginx/request_response.log replay;<br><br> location / {<br> proxy_pass <a href="https://backend">https://backend</a>; # 'https' prefix tells NGINX to encrypt the traffic<br> }<br> }<br>}<br></div><div 
class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <span dir="ltr"><<a href="mailto:r@roze.lv" target="_blank">r@roze.lv</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">> so if I put both of these in one server block so that the incoming is de-crypted and the outgoing is decrypted. Do I put both the server and client certs in the same server block ?<br>
confused.<br>
<br>
</span>Depends on what setup/requirements you actually have:<br>
<br>
- If your backend server requires authentication then you have to provide a client certificate via proxy_ssl_certificate (<a href="http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate" rel="noreferrer" target="_blank">http://nginx.org/en/docs/<wbr>http/ngx_http_proxy_module.<wbr>html#proxy_ssl_certificate</a> ).<br>
<br>
- If your clients need to authenticate versus your nginx proxy then you use ssl_verify_client / ssl_trusted_certificate ( <a href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client" rel="noreferrer" target="_blank">http://nginx.org/en/docs/http/<wbr>ngx_http_ssl_module.html#ssl_<wbr>verify_client</a> ).<br>
<br>
- If your backend requires passing through the user certificates it's a bit tricky as depending on backend it might or might not work <a href="https://trac.nginx.org/nginx/ticket/857" rel="noreferrer" target="_blank">https://trac.nginx.org/nginx/<wbr>ticket/857</a><br>
<br>
rr<br>
<br>
______________________________<wbr>_________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx</a><br>
</blockquote></div><br></div>
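The three cases from the reply above (authenticating nginx to the backend, authenticating clients to nginx, and getting the client's certificate to the backend) combined in one server block. This is an added example, not configuration posted by either participant; the hostnames, file paths and CA files are assumptions, and the header-forwarding workaround in the location block is the usual substitute for the pass-through that the linked ticket says nginx cannot do.

```nginx
http {
    # log_format is only accepted in the http context, never inside server {}
    log_format replay '[$time_local] $server_name $status $request_method $request_uri $request_body_file';

    server {
        listen 443 ssl;
        server_name proxy.example.internal;   # assumed name

        # --- server side: what external clients see and verify ---
        ssl_certificate     /etc/ssl/certs/server.crt;    # leaf cert + intermediates, PEM
        ssl_certificate_key /etc/ssl/private/server.key;
        ssl_protocols       TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # case 2: clients must authenticate to nginx with a certificate.
        # ssl_client_certificate names the CA(s) whose client certs are accepted;
        # ssl_trusted_certificate is only for CAs that should not be advertised
        # to clients (and for OCSP stapling), so it is not what enables client auth.
        ssl_client_certificate /etc/ssl/certs/client_ca.crt;   # assumed CA file
        ssl_verify_client      on;
        ssl_verify_depth       2;

        # --- client side: what nginx presents to and verifies on the backend ---
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers   HIGH:!aNULL:!MD5;

        # case 1: backend requires a client certificate from nginx
        proxy_ssl_certificate     /etc/ssl/certs/backend_client.crt;    # assumed
        proxy_ssl_certificate_key /etc/ssl/private/backend_client.key;  # assumed

        # verify the backend's certificate; proxy_ssl_verify on without a
        # proxy_ssl_trusted_certificate is a config error
        proxy_ssl_trusted_certificate /etc/ssl/certs/backend_ca.crt;   # assumed CA file
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        # send SNI and check the backend cert against this name rather than the
        # upstream's IP; proxy_ssl_name defaults to the host in proxy_pass
        proxy_ssl_server_name  on;
        proxy_ssl_name         backend.example.internal;
        proxy_ssl_session_reuse on;

        access_log /var/log/nginx/request_response.log replay;

        location / {
            # case 3: the user's certificate cannot be replayed as a TLS client
            # cert toward the backend. Hand it over as a header instead; the
            # backend must then trust this proxy and only this proxy to set it.
            # $ssl_client_escaped_cert needs nginx 1.13.5+; older releases only
            # have the multi-line $ssl_client_cert.
            proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
            proxy_set_header X-Client-DN   $ssl_client_s_dn;
            proxy_pass https://backend.example.internal;   # https:// is what turns on upstream TLS
        }
    }
}
```

Check it with `nginx -t` before reloading: the two mistakes that bite here, `log_format` inside `server {}` and `proxy_ssl_verify on` with no trusted certificate file, are both caught at config test time. Whatever sets `X-Client-Cert` must be stripped from requests arriving at the backend by any path other than this proxy, or a client can forge it.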