reverse proxy: do I really have to store ssl certificates on the proxy ?
Francis Daly
francis at daoine.org
Mon Jan 11 19:13:20 UTC 2021
On Mon, Jan 11, 2021 at 04:48:39AM -0500, iw2lsi wrote:
Hi there,
> I'm using a rPI to reverse proxy http services to several other rPI
> according to the domain and/or host names... now I'm switching to https and
> I wonder if I can keep the ssl certificates and keys on the destination
> machines or if I really have to put them on the machine that is managing the
> (reverse) proxy.
"The thing that is terminating the ssl connection" needs to have the
ssl certificate and key.
The certificate is public and says "this is me"; access to the key is
needed to convince a client that it really is me.
In the common case, where your nginx does "http{}"-level reverse proxying,
you need all of the certificates and keys on the front-facing nginx
server.
If it suits your model, you could instead do "stream{}"-level reverse
proxying, using ssl_preread (http://nginx.org/r/ssl_preread) and the
example on that page. In that case, the front-facing nginx listening on
this port would not do any ssl termination, or anything related to http;
it would just send the opaque https stream to whichever back-end servers
you configure.
So in that case, that nginx would not make use of certificates or
keys. nginx would basically be a tcp-pass-through system, and the
individual back-end servers would do all of the https side of things.
Cheers,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list