SSL Passthrough

Francis Daly francis at daoine.org
Fri Feb 17 21:51:20 UTC 2017


On Fri, Feb 17, 2017 at 02:52:53PM -0500, agforte wrote:

Hi there,

> I have the following setup:
> 
>   PRIVATE SERVER <--> NGINX <--> PUBLIC SERVER
> 
> I need the NGINX server to work as both reverse and forward proxy with SSL
> passthrough.

That's not going to work without a lot of patching of the nginx source.

nginx is not a forward proxy.

If you can rephrase your requirements in terms of things that nginx can
do, it might be possible to find a design that works.

If you can rephrase your requirements in terms of requests and responses
(I am not sure what exactly you are trying to do as-is), it may be
possible to come up with a solution -- but if the solution is "use this
non-nginx product in this particular way", you may be happier looking
for confirmation elsewhere.

> stream {

Note: "stream" is (effectively) a tcp-forwarder. nginx does not know or
care about what is inside the packets. "proxying", in the sense of http,
does not apply.

> while on the private server it says: 
> Post https://<PUBLIC_SERVER_IP>:8080/subscribe: malformed HTTP response
> "\x15\x03\x01\x00\x02\x02\x16"

Searching the web for \x15\x03\x01\x00\x02\x02\x16 suggests that that
is what you get back when you make a http request to a https server.

> PRIVATE_SRV ? NGINX   HTTP 161 CONNECT <PUBLIC_SRV_IP>:8080 HTTP/1.1 

That "CONNECT" is what a http client does when it is configured to use
a http-proxy to connect to a https service.

> Do you have any suggestion on how to debug this? Is the fact that I am using
> HTTPS POST matter? Does it matter for NGINX that I am not using the default
> port 443 for SSL?

Your nginx config means that nginx does not care about http or https;
it just copies packets.

You'll want to rethink your design, in order to find something that can
do what you want.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
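
The byte string in the quoted error can be decoded by hand as a TLS record, which shows why an HTTP client rejects it as a "malformed HTTP response". The Python below is an added example, not part of the original post; the function and table names are made up for illustration, and the alert table is a subset of the values in RFC 5246.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Record-layer version labels
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Alert levels and a subset of alert descriptions (RFC 5246, section 7.2)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 22: "record_overflow",
                      40: "handshake_failure", 70: "protocol_version",
                      80: "internal_error"}

# The bytes quoted in the error message on this page.
SAMPLE = b"\x15\x03\x01\x00\x02\x02\x16"


def classify_prefix(data: bytes) -> dict:
    """Classify the first bytes a peer sent: plaintext HTTP, a TLS record, or unknown."""
    if data.startswith(b"HTTP/"):
        return {"kind": "http"}
    if len(data) < 5:                      # a TLS record header is 5 bytes
        return {"kind": "unknown"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES or version >> 8 != 0x03:
        return {"kind": "unknown"}
    result = {
        "kind": "tls",
        "content_type": CONTENT_TYPES[ctype],
        "version": VERSIONS.get(version, hex(version)),
        "length": length,
    }
    body = data[5:5 + length]
    # An unencrypted alert record carries exactly two bytes: level, description.
    if ctype == 21 and len(body) == 2:
        level, desc = body
        result["alert_level"] = ALERT_LEVELS.get(level, str(level))
        result["alert_description"] = ALERT_DESCRIPTIONS.get(desc, str(desc))
    return result


if __name__ == "__main__":
    print(classify_prefix(SAMPLE))
```

The seven bytes are a complete TLS alert record (type 0x15, version 0x0301, length 2) carrying a fatal record_overflow alert, so the peer answered in TLS rather than HTTP.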

