SSL pass through

Jonathan Matthews contact at jpluscplusm.com
Wed Jan 2 21:25:59 UTC 2013


On 2 January 2013 21:14, zuger <nginx-forum at nginx.us> wrote:
> Thank you for the quick answer. I will be a little more precise.
>
> I would like to forward https requests to different backend server based on
> the hostname header, e.g. https://machine1.domain.com should be forwarded to
> https://10.0.0.1 and https://machine2.domain.com to https://10.0.0.2.

You can't do this HTTP-level routing inside nginx without allowing
nginx to terminate the SSL connection, which would require the
certificates to be available to nginx at startup/reload.

Have a read of https://wiki.apache.org/httpd/NameBasedSSLVHosts for a
decent discussion of the generic (HTTPd-agnostic) possibilities and
problems.

> You mentioned something like a tcp port forwarder. Is this tcp port
> forwarding part of the NGINX configuration or something outside NGINX?

I would personally use HAProxy in TCP mode for this purpose; however,
there's a non-trivial operational/PCI-DSS/code problem that crops up
when you *don't* terminate your SSL at the network edge: you lose
visibility of the client's IP address at the point at which you *do*
terminate the SSL.  You lose this visibility regardless of any
X-Forwarded-For headers you might use. The HAProxy "PROXY" protocol is
a possible fix for this, but it's not yet available in a stable
release of HAProxy.

Basically, terminate your SSL at the edge. Or get people who
understand your problem/app domain, SSL, and security to design a
solution for you.

Cheers,
Jonathan
-- 
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html
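Added example, not part of the original thread and not HAProxy or nginx code: the decision logic a TCP-mode "pass-through" forwarder needs in order to do the hostname routing asked about above without terminating SSL, plus the PROXY protocol v1 line that lets the backend that does terminate still learn the real client address. It goes one step beyond the post by reading the server_name (SNI) extension from the unencrypted ClientHello, which is the only hostname available before termination. The hostnames, backend addresses and client address are made-up assumptions; the ClientHello is constructed inline as test input.

```python
"""
Added example (not from the original post): peek at a TLS ClientHello,
read its SNI hostname, pick a backend, and build a PROXY protocol v1
header so the terminating backend still sees the client's IP address.
"""
import struct

# Assumed routing table (hostname -> backend), mirroring the thread's example.
BACKENDS = {
    "machine1.domain.com": ("10.0.0.1", 443),
    "machine2.domain.com": ("10.0.0.2", 443),
}


def extract_sni(data: bytes):
    """Return the SNI host_name from a raw TLS ClientHello, or None.

    Only the record/handshake framing needed to reach the extensions is
    parsed; anything malformed, truncated or non-TLS yields None.
    """
    try:
        # TLS record header: type(1) version(2) length(2); 0x16 = handshake
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < rec_len:                 # need more bytes from the socket
            return None
        # Handshake header: type(1) length(3); 0x01 = ClientHello
        if rec[0] != 0x01:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        body = rec[4:4 + hs_len]
        pos = 2 + 32                           # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len          # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
        cm_len = body[pos]; pos += 1 + cm_len            # compression_methods
        if pos + 2 > len(body):                # ClientHello without extensions
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000:                # server_name extension
                # ServerNameList: list_len(2), then entries name_type(1) len(2) name
                lpos = 2
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    name = edata[lpos + 3:lpos + 3 + nlen]
                    if ntype == 0:             # host_name
                        return name.decode("ascii")
                    lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def choose_backend(client_hello: bytes):
    """Route on SNI only; a missing or unknown name gets no backend (close the socket)."""
    host = extract_sni(client_hello)
    return BACKENDS.get(host) if host else None


def proxy_v1_header(src, dst):
    """PROXY protocol v1 line (HAProxy spec) carrying the original client address.
    Send it to the backend *before* the buffered ClientHello bytes."""
    return f"PROXY TCP4 {src[0]} {dst[0]} {src[1]} {dst[1]}\r\n".encode("ascii")


def build_client_hello(hostname: str) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello carrying one SNI entry."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32            # version, random (zeros, test only)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("machine1.domain.com")
    print(extract_sni(hello), choose_backend(hello))
    print(proxy_v1_header(("203.0.113.7", 51234), ("10.0.0.1", 443)))
```

A real forwarder would recv the first record from the client, call `choose_backend`, connect to that address, write `proxy_v1_header(...)` followed by the bytes it already buffered, and then splice the two sockets without ever touching the ciphertext. The caveat from the post still applies on the receiving side: the backend must be configured to expect the PROXY header (nginx: `listen 443 ssl proxy_protocol;`, then `$proxy_protocol_addr` holds the client IP); sent to a backend that is not expecting it, the header is read as garbage in front of the TLS handshake and the connection fails.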


