nginx ssl stream termination for MySQL backends

Maxim Dounin mdounin at mdounin.ru
Sat Jan 7 17:56:34 UTC 2023


Hello!

On Sat, Jan 07, 2023 at 10:48:31PM +0530, Vishwas Bm wrote:

> Below is the use case which I am trying:
> 
> client--->nginx stream(ssl termination) ---> MySQL Db
> 
> Connection between nginx and MySQL db is unencrypted.
> 
> When I send ssl request using MySQL client, I am getting ssl handshake
> timeout error. I do not see client hello from client in tcpdump capture.
> 
> Is the above use case valid with nginx?
> Has someone tried this configuration?

The MySQL protocol uses an internal SSL handshake establishment, 
which only happens if both client and server agree to use it.  
That is, it works similarly to STARTTLS in SMTP.  See here for 
details:

https://dev.mysql.com/doc/dev/mysql-server/latest/page_protocol_basic_tls.html

As such, it is not possible to do simple SSL offloading, 
something that nginx stream module can do for you, but rather a 
protocol-specific implementation is needed.

-- 
Maxim Dounin
http://mdounin.ru/
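
The ordering described in the reply above, as an added example that is not part of the original message and is not nginx or MySQL code: the server speaks first in plaintext, and the client's first bytes are a MySQL SSLRequest packet rather than a TLS ClientHello. The greeting is constructed sample data, and the function names, server version string and charset value are assumptions made for illustration.

```python
import struct

CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800  # capability bit: peer supports the in-protocol TLS upgrade

def frame(seq, payload):
    """MySQL packet: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_greeting(packet):
    """Parse the plaintext HandshakeV10 packet the server sends first."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if body[0] != 10:
        raise ValueError("not a HandshakeV10 packet")
    end = body.index(b"\x00", 1)           # end of server version string
    pos = end + 1 + 4 + 8 + 1              # skip thread id, auth data part 1, filler
    cap_low = int.from_bytes(body[pos:pos + 2], "little")
    cap_high = int.from_bytes(body[pos + 5:pos + 7], "little")  # after charset, status
    caps = cap_low | (cap_high << 16)
    return {"seq": packet[3], "version": body[1:end].decode(),
            "tls_offered": bool(caps & CLIENT_SSL)}

def build_ssl_request(charset=45, max_packet=1 << 24):
    """SSLRequest: the client's plaintext reply that asks to switch to TLS."""
    flags = CLIENT_PROTOCOL_41 | CLIENT_SSL
    return frame(1, struct.pack("<IIB", flags, max_packet, charset) + bytes(23))

def is_tls_client_hello(data):
    """TLS handshake record: content type 0x16, major version 0x03."""
    return len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03

def sample_greeting():
    """Constructed server greeting (not a capture), advertising CLIENT_SSL."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_SSL
    body = (b"\x0a" + b"8.0.0-example\x00" + struct.pack("<I", 7) + b"A" * 8 + b"\x00"
            + struct.pack("<HBH", caps & 0xFFFF, 45, 2) + struct.pack("<HB", caps >> 16, 21)
            + bytes(10) + b"B" * 12 + b"\x00" + b"mysql_native_password\x00")
    return frame(0, body)

if __name__ == "__main__":
    print(parse_greeting(sample_greeting()))
    # The client sends nothing until it has read the greeting, and what it sends
    # then is a MySQL packet, so a listener waiting for a ClientHello sees none.
    print(is_tls_client_hello(build_ssl_request()))
```

Only after the SSLRequest does the client start a TLS handshake on the same connection, which is why the terminating side has to understand the MySQL framing that precedes it.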

