nginx load balance TLS elasticsearch

Francis Daly francis at
Tue Mar 15 23:49:13 UTC 2022

On Mon, Mar 14, 2022 at 03:15:43PM -0400, borys_85 wrote:

Hi there,

> Thanks I've already found this missed curly bracket, but 

Good that you found the fix :-)

> I'm forcing in my environment setup on nginx for Elasticsearch:
> - what I have a problem with is the correct configuration for connecting NGINX over
> TLS to my nodes.
> Below You can find my configuration; maybe You can point out to me what's wrong
> in this part. I'm also using a crt and key per node, so there I need to
> break it down into groups/location.
> Do You have some example configs with TLS?

I'm not sure what exactly you want.

If the client should talk to nginx using https, then you need
"listen _port_ ssl" in this server{}, along with ssl_certificate and
ssl_certificate_key accessible in this server{}. The client will have
to trust that certificate.

If nginx should talk to upstream using https for some requests, then
you need proxy_pass https://_upstream_server_ in the location{} for
those requests; if *that* upstream server wants nginx to authenticate
using a client certificate, then you need proxy_ssl_certificate and
proxy_ssl_certificate_key accessible in this location{}.

(And if you want nginx to validate the certificate provided by that
upstream server, you want proxy_ssl_trusted_certificate accessible in
this location{}.)

In the example config included, your "listen 9200" means that nginx is
listening for http not https, and the proxy_pass means that nginx is
talking https to the upstream servers.

Your "listen 9201 ssl" means that nginx is listening for https not http,
and the proxy_pass means that nginx is talking http to the upstream

And the same for the 9238 and 9210 server{}s.

Once you decide how the client should talk to nginx (http or https),
and how nginx should talk to upstream (http or https), you can set the
"listen" and "proxy_pass" directives appropriately; and then you can
make one test request from the client and see what the response is.

Good luck with it,

Francis Daly        francis at
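For reference, an added example config (not Francis's reply or the original poster's config) that spells out the two separate decisions above: how the client talks to nginx, and how nginx talks to the upstream node. Hostnames, ports and certificate paths are assumed placeholders.

```nginx
# Added example, not from the thread. All hostnames and paths are placeholders.

# Case 1: client -> nginx over https, nginx -> Elasticsearch node over https,
# with nginx presenting a client certificate and verifying the node's certificate.
server {
    listen 9200 ssl;                      # "ssl" here: clients must use https
    server_name es.example.internal;      # placeholder

    # Certificate the *client* must trust (served to the client).
    ssl_certificate     /etc/nginx/tls/frontend.crt;
    ssl_certificate_key /etc/nginx/tls/frontend.key;

    location / {
        # https:// here: nginx speaks TLS to the node.
        # One location{} (or server{}) per node when each node has its own cert/key.
        proxy_pass https://es-node-1.internal:9200;

        # Client certificate nginx presents to the node, if the node requires one.
        proxy_ssl_certificate     /etc/nginx/tls/nginx-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/nginx-client.key;

        # Verify the node's certificate; proxy_ssl_verify is off by default,
        # so without it the CA bundle below is not actually checked.
        proxy_ssl_trusted_certificate /etc/nginx/tls/es-ca.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_server_name   on;       # send SNI so the node picks the right cert
        # proxy_ssl_name defaults to the host in proxy_pass (es-node-1.internal),
        # which is what the node's certificate is checked against.
    }
}

# Case 2: client -> nginx over plain http, nginx -> node over plain http.
server {
    listen 9201;                          # no "ssl": plain http from the client
    location / {
        proxy_pass http://es-node-1.internal:9200;   # http://: no TLS to the node
    }
}
```

Test each server{} with a single request (e.g. curl with -k removed and the frontend CA supplied) before adding more nodes; a TLS handshake failure in the nginx error log tells you which of the two legs is misconfigured.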
