Force SSL redirection to target service host for all protocols
siva.pannier
nginx-forum at forum.nginx.org
Mon Jul 13 18:57:34 UTC 2020
Hi there,
I have tried doing TCP redirection to a backend TCP server with SSL enabled
following the below URL.
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/
My TCP (non-SSL) client is able to hit the TCP server (SSL enabled) via
Nginx (proxy_ssl), but the buffered reader gets back only 'null'.
Client code:
##########
Socket socket = new Socket(hostname, port);
InputStream input = socket.getInputStream();
BufferedReader reader = new BufferedReader(new InputStreamReader(input));
String time = reader.readLine(); //returns only null
System.out.println(time);
Server code:
#########
ServerSocketFactory ssf = SSLServerSocketFactory.getDefault();
int port = 8091;
ServerSocket ss = ssf.createServerSocket(port);
while (true) {
    Socket sock = ss.accept();
    try {
        System.out.println("New client connected");
        //BufferedReader br = new BufferedReader(new InputStreamReader(sock.getInputStream()));
        //String data = br.readLine();
        PrintWriter pw = new PrintWriter(sock.getOutputStream());
        pw.println(new Date().toString() + " from port: " + port);
        pw.flush();
        pw.close();
        sock.close();
        ....
        ....
Nginx Conf:
############
stream {
    upstream backend {
        server backend1.example.com:12345;
    }
    server {
        listen 8091;
        proxy_pass backend;
        proxy_ssl on;
        proxy_ssl_certificate /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
    }
}
Can somebody please suggest what is wrong with the above configuration?
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288541,288680#msg-288680