reverse proxy: do I really have to store ssl certificates on the proxy ?

Francis Daly francis at
Mon Jan 11 19:13:20 UTC 2021

On Mon, Jan 11, 2021 at 04:48:39AM -0500, iw2lsi wrote:

Hi there,

> I'm using a rPI to reverse proxy http services to several other rPI
> according to the domain and/or host names... now I'm switching to https and
> I wonder if I can keep the ssl certificates and keys on the destination
> machines or if I really have to put them on the machine that is managing the
> (reverse) proxy.

"The thing that is terminating the ssl connection" needs to have the
ssl certificate and key.

The certificate is public and says "this is me"; access to the key is
needed to convince a client that it really is me.

In the common case, where your nginx does "http{}"-level reverse proxying,
you need all of the certificates and keys on the front-facing nginx

If it suits your model, you could instead do "stream{}"-level reverse
proxying, using ssl_preread ( and the
example on that page. In that case, the front-facing nginx listening on
this port would not do any ssl termination, or anything related to http;
it would just send the opaque https stream to whichever back-end servers
you configure.

So in that case, that nginx would not make use of certificates or
keys. nginx would basically be a tcp-pass-through system, and the
individual back-end servers would do all of the https side of things.


Francis Daly        francis at

More information about the nginx mailing list