Force SSL redirection to target service host for all protocols

Francis Daly francis at
Wed Jul 8 07:54:48 UTC 2020

On Fri, Jul 03, 2020 at 09:12:56AM -0400, siva.pannier wrote:

Hi there,

> I want all my client applications to make calls to the service host via proxy.
> And the hosted services are TLSv1.2 enabled. Clients are not in a position
> to upgrade. Hence I want to enforce the SSL encryption when the call is
> routed/redirected to the target from the proxy.

I may be misunderstanding the terminology, but I think your scenario is
that your clients speak their protocol over a "normal" (non-encrypted)
network connection; and your (upstream) servers allow the protocol both
directly over a "normal" connection, or over a SSL-wrapped connection.

And you want your clients to talk to nginx without encryption, and for
nginx to talk to upstream with encryption.

If nginx does not already have a dedicated module for the protocol you
care about, then possibly the "stream" module with "proxy_ssl" will work
for you.

That *does* depend on the nature of the protocol, of course -- if the
protocol does not easily allow proxying, then it is not going to easily
work through the nginx stream proxy.

> I have seen a few blogs that talk about HTTP to HTTPS redirection. I want to
> do that for all protocols like TCPS, UDPS(DTLS), SMTPS, IIOPS.
> Can you please share your suggestions on this?

If my protocol writes IP addresses or ports within the content payload,
then a "blind" traffic-forwarder (as "stream" mostly is) will probably
not be able to reliably proxy things that use my protocol.

For the specific protocols you care about: can they be proxied?

I suspect that the list will be interested in the results of your testing,
if you are willing to share them.


Francis Daly        francis at
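
The "stream" module with "proxy_ssl" arrangement suggested in the message above, as an added configuration sketch for a single TCP service (not part of the original post). The hostname, ports and certificate path are placeholders, and the block goes at the top level of nginx.conf, outside "http".

```nginx
# Added example: plaintext TCP in from clients, TLS out to the upstream.
# All names, ports and paths below are placeholders.
stream {
    upstream backend_tls {
        server backend.example.internal:8443;   # hypothetical TLS-wrapped service
    }

    server {
        # Clients connect here without encryption, so bind to an address
        # that only those clients can reach (loopback or a trusted segment).
        listen 127.0.0.1:9000;

        proxy_pass backend_tls;

        # Wrap the connection to the upstream in TLS.
        proxy_ssl on;
        proxy_ssl_protocols TLSv1.2;

        # proxy_ssl_verify defaults to off. Without the next three lines the
        # upstream link is encrypted but the server is not authenticated.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/upstream-ca.pem;

        # Name checked against the upstream certificate and sent as SNI.
        proxy_ssl_name backend.example.internal;
        proxy_ssl_server_name on;

        proxy_connect_timeout 5s;
    }
}
```

The client-to-nginx leg stays in cleartext in this layout, so its protection depends entirely on where the listener is reachable from.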
