SSL proxy without certificate

Edmund Lhot edmund.lhot at gmail.com
Thu Nov 22 03:48:13 UTC 2012


On Thu, Nov 22, 2012 at 1:27 AM, Edho Arief <edho at myconan.net> wrote:

> On Thu, Nov 22, 2012 at 10:21 AM, Edmund Lhot <edmund.lhot at gmail.com>
> wrote:
> > Hello!
> >
> > I want to proxy ssl connections to a backend without a certicate but it
> > isn't working:
> >
> > server {
> >   listen x.x.x.x:443;
> >   location / {
> >       proxy_pass https://y.y.y.y:443;
> >   }
> > }
> >
> > I tried to use an approach like this (client auth with self generated
> cert),
> > but it didn't work too:
> >
>
> How is it not working?
>

2012/11/22 01:34:00 [error] 17649#0: *234 no "ssl_certificate" is defined
in server listening on SSL port while SSL handshaking, client: z.z.z.z,
server: x.x.x.x:443


>
> > server {
> >
> >         listen x.x.x.x:443 ssl;
> >
> >         ssl                  on;
> >         ssl_certificate      /etc/nginx/certs/server.crt;
> >         ssl_certificate_key  /etc/nginx/certs/server.key;
> >         ssl_client_certificate /etc/nginx/certs/ca.crt;
> >         ssl_verify_client optional;
> >
> >         location / {
> >             proxy_pass https://y.y.y.y:443;
> >
> >         }
> > }
> >
> > Must I have the customer certificate to proxy this kind of request or
> there
> > is another way to do this?
> >
>
>
In this way proxy worked but not using the backend certificate, so I got
these messages in my browser.   :(

The identity of this website has not been verified.
 • Server's certificate does not match the URL.
 • Server's certificate is not trusted.



> I think the one you want is tcp layer proxying/balancing which is not
> what nginx can do. Try using HAProxy instead.
>

I'll try. Tks.

>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20121122/7132536c/attachment.html>


More information about the nginx mailing list