SSL termination and HAProxy

Jonathan Matthews contact at
Wed Jan 2 22:29:16 UTC 2013

On 2 January 2013 22:12, zuger <nginx-forum at> wrote:
> Thank you Jonathan.
> Your explanations were very helpful and the link to "NameBasedSSLVHosts"
> also.

Glad it helped, Zuger.

> I will now evaluate the two scenarios. Terminate SSL in NGINX and forward
> http to the backend servers or use HAProxy.

SSL termination at the edge (I suggest in nginx) will save you much
grief, over time. I would only be considering passing SSL through to a
back-end layer if I had to for specific security reasons, such as
PCI-DSS compliance or because the machine at the network edge was
untrusted somehow.

Do note: with nginx you can proxy_pass to a *different* SSL FQDN,
after having terminated the SSL connection. I.e.

server {
  listen 443 ssl;
  # ssl cert config options which I can't remember off the top of my head ...
  ssl_certificate     /path/to/edge-cert.pem;   # placeholder paths
  ssl_certificate_key /path/to/edge-key.pem;
  location / {
    proxy_pass https://my-internal-service-name-which-is-still-ssl-encrypted.internal.fqdn:443;
  }
}

This way, you unwrap the SSL for long enough to route it correctly,
but then encrypt it again to ensure the communication between nginx
and the backend service is secure. This still requires the cert/key
for "" on the nginx server, however.

Do be aware that this setup *won't* allow you to exclude the nginx
machine from being part of your PCI-DSS CDE, I believe. (If that was
meaningless to you, just ignore it!)

Also be aware that, if your nginx machine is actually untrusted, this
doesn't help. Any attacker who gets control of the box still gets
access to your certs and can sniff any "SSL" traffic s/he likes.

> Did I understand correctly that when I use HAProxy I do not have to
> terminate SSL at HAProxy server? SSL will then be terminated at the backend
> servers?

[ NB: I'm only suggesting HAP as that's what I'd use in the scenario
you painted. Other TCP-Level Load Balancers Are Available. ]

HAProxy only learned to speak SSL in a recent-ish development version.
If you need to use a stable release (1.4) then you *cannot* terminate
SSL with it, and would have to pass the TCP connection through to
something that owned the appropriate SSL certificates.

Jonathan Matthews // Oxford, London, UK
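A fuller version of the "terminate, then re-encrypt to the backend" setup described in the message above, added here as an example; it is not from the original post or from the nginx project. The hostnames, file paths and internal CA are assumed for illustration. The point it adds is the check a practitioner wants: a bare proxy_pass https:// re-encrypts but, by default, nginx does not verify the backend's certificate, so the hop between nginx and the backend is only as trustworthy as the network between them. The proxy_ssl_verify, proxy_ssl_trusted_certificate, proxy_ssl_name and proxy_ssl_server_name directives used below require nginx 1.7.0 or later, so they post-date the 1.4-era discussion above.

```nginx
# Added example (not from the original post): terminate TLS at nginx,
# re-encrypt towards the backend, and verify the backend's certificate
# against an internal CA. Hostnames, paths and the CA are assumed.
# proxy_ssl_verify / proxy_ssl_trusted_certificate / proxy_ssl_name /
# proxy_ssl_server_name need nginx 1.7.0+; older builds re-encrypt
# but cannot verify the upstream.

server {
    listen 443 ssl;
    server_name www.example.com;

    # Public-facing cert/key. These must live on the edge box, which is
    # exactly why this design does not take the edge out of scope.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        proxy_pass https://app.internal.example:8443;

        # Without the next lines nginx accepts whatever certificate the
        # backend presents, so any host that can answer on the internal
        # segment could stand in for the real backend.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name         on;                   # send SNI upstream
        proxy_ssl_name                app.internal.example; # name to verify
        proxy_ssl_protocols           TLSv1.2;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Check it with `nginx -t` before reloading. Note that the plaintext still exists in nginx's memory between the two TLS sessions, which is why, as the message says, this does not let you exclude the nginx host from the CDE, and why a compromised edge box still exposes both the edge key and the traffic.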

More information about the nginx mailing list