nginx ssl stream termination for MySQL backends

Maxim Dounin mdounin at
Sat Jan 7 17:56:34 UTC 2023


On Sat, Jan 07, 2023 at 10:48:31PM +0530, Vishwas Bm wrote:

> Below is the use case which I am trying:
> client--->nginx stream(ssl termination) ---> MySQL Db
> Connection between nginx and MySQL db is unencrypted.
> When I send ssl request using MySQL client, I am getting ssl handshake
> timeout error. I do not see client hello from client in tcpdump capture.
> Is the above use case valid with nginx?
> Has someone tried this configuration?

The MySQL protocol uses an internal SSL handshake establishment, 
which only happens if both client and server agree to use it.  
That is, it works similarly to STARTTLS in SMTP.  See here for 

As such, it is not possible to do simple SSL offloading, 
something that the nginx stream module can do for you, but rather a 
protocol-specific implementation is needed.

Maxim Dounin
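
The handshake ordering described above, as an added example that is not part of the original message: in the MySQL client/server protocol the server sends its greeting first, and the client then sends a plaintext SSLRequest packet before starting TLS, so a TLS-terminating listener never sees a ClientHello as the first bytes. The packet bytes and helper names below are constructed for illustration.

```python
import struct

CLIENT_SSL = 0x00000800           # capability bit: client asks to switch to TLS
CLIENT_PROTOCOL_41 = 0x00000200
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01

def build_ssl_request(seq=1):
    """Constructed sample: the 32-byte SSLRequest a MySQL client sends
    in plaintext after it has read the server's greeting."""
    caps = CLIENT_SSL | CLIENT_PROTOCOL_41
    # capability flags, max packet size, character set (sample value), 23-byte filler
    payload = struct.pack("<IIB", caps, 1 << 24, 45) + b"\x00" * 23
    # MySQL packet header: 3-byte little-endian payload length + sequence id
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def build_client_hello_prefix():
    """Constructed sample: first bytes of a TLS record carrying a ClientHello."""
    return bytes([TLS_HANDSHAKE, 0x03, 0x01, 0x00, 0x05,
                  TLS_CLIENT_HELLO, 0x00, 0x00, 0x01, 0x00])

def client_first_flight(protocol):
    """Bytes a client sends before it has received anything from its peer."""
    if protocol == "tls":
        return build_client_hello_prefix()
    return b""  # MySQL: the client stays silent until the server greets it

def classify_first_bytes(data):
    """Classify what a TLS-terminating listener receives from a client."""
    if not data:
        return "silence"  # listener waits for a ClientHello until it times out
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == TLS_CLIENT_HELLO):
        return "tls-client-hello"
    if len(data) == 36:
        length = int.from_bytes(data[:3], "little")
        caps = struct.unpack_from("<I", data, 4)[0]
        if length == 32 and caps & CLIENT_SSL:
            return "mysql-ssl-request"
    return "unknown"

if __name__ == "__main__":
    print(classify_first_bytes(client_first_flight("mysql")))  # what the listener sees
    print(classify_first_bytes(build_ssl_request()))           # sent only after a greeting
    print(classify_first_bytes(client_first_flight("tls")))
```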
