SSL Passthrough
Francis Daly
francis at daoine.org
Fri Feb 17 21:51:20 UTC 2017
On Fri, Feb 17, 2017 at 02:52:53PM -0500, agforte wrote:

Hi there,

> I have the following setup:
>
> PRIVATE SERVER <--> NGINX <--> PUBLIC SERVER
>
> I need the NGINX server to work as both reverse and forward proxy with SSL
> passthrough.

That's not going to work without a lot of patching of the nginx source.

nginx is not a forward proxy.

If you can rephrase your requirements in terms of things that nginx can
do, it might be possible to find a design that works.

If you can rephrase your requirements in terms of requests and responses
(I am not sure what exactly you are trying to do as-is), it may be
possible to come up with a solution -- but if the solution is "use this
non-nginx product in this particular way", you may be happier looking
for confirmation elsewhere.

> stream {

Note: "stream" is (effectively) a tcp-forwarder. nginx does not know or
care about what is inside the packets. "proxying", in the sense of http,
does not apply.

> while on the private server it says:
> Post https://<PUBLIC_SERVER_IP>:8080/subscribe: malformed HTTP response
> "\x15\x03\x01\x00\x02\x02\x16"

Searching the web for \x15\x03\x01\x00\x02\x02\x16 suggests that that
is what you get back when you make a http request to a https server.

> PRIVATE_SRV ? NGINX HTTP 161 CONNECT <PUBLIC_SRV_IP>:8080 HTTP/1.1

That "CONNECT" is what a http client does when it is configured to use
a http-proxy to connect to a https service.

> Do you have any suggestion on how to debug this? Is the fact that I am using
> HTTPS POST matter? Does it matter for NGINX that I am not using the default
> port 443 for SSL?

Your nginx config means that nginx does not care about http or https;
it just copies packets.

You'll want to rethink your design, in order to find something that can
do what you want.

Good luck with it,

f
--
Francis Daly francis at daoine.org
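
Added example, not part of the original message: a small Python decoder that reads the seven bytes quoted in the error as a TLS record header plus alert body, and tells TLS apart from plaintext HTTP on the first bytes of a connection. The function names and the CONNECT sample (with a documentation IP address) are this example's own; the numeric values come from the TLS RFCs.

```python
import struct

# Values from the TLS RFCs (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      22: "record_overflow", 40: "handshake_failure",
                      47: "illegal_parameter", 50: "decode_error",
                      70: "protocol_version", 80: "internal_error"}
HTTP_PREFIXES = (b"HTTP/", b"GET ", b"POST ", b"PUT ", b"HEAD ", b"CONNECT ",
                 b"OPTIONS ", b"DELETE ")

def parse_tls_record(data):
    """Describe the first TLS record in data, or return None if it is not one."""
    if len(data) < 5:
        return None
    # Record header: 1-byte content type, 2-byte version, 2-byte length.
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES or version not in VERSIONS:
        return None
    record = {"type": CONTENT_TYPES[ctype], "version": VERSIONS[version],
              "length": length, "truncated": len(data) - 5 < length}
    body = data[5:5 + length]
    # A plaintext alert is exactly two bytes: level, description.
    # Longer alert records are encrypted and cannot be decoded here.
    if ctype == 21 and length == 2 and len(body) == 2:
        record["level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        record["description"] = ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])
    return record

def classify(data):
    """Say whether the first bytes of a connection look like TLS or plaintext HTTP."""
    if parse_tls_record(data) is not None:
        return "tls"
    if data.startswith(HTTP_PREFIXES):
        return "http"
    return "unknown"

# The bytes quoted in the error message on this page.
QUOTED = b"\x15\x03\x01\x00\x02\x02\x16"
# Constructed sample: start of a plaintext proxy request like the CONNECT in the capture.
CONSTRUCTED_CONNECT = b"CONNECT 192.0.2.10:8080 HTTP/1.1\r\n"

if __name__ == "__main__":
    print(classify(QUOTED), parse_tls_record(QUOTED))
    print(classify(CONSTRUCTED_CONNECT))
```

Running the same check on the first bytes each side sends shows which hop is speaking plaintext HTTP and which is speaking TLS.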