nginx: forward ssl connection to another server


Solution 1

Try to proxy the TCP traffic instead of the HTTP traffic:

stream {
    server {
        listen SRC_IP:SRC_PORT;
        proxy_pass DST_IP:DST_PORT;
    }
}

For more details, refer to the nginx documentation: https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/
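
Solution 1 applied to the setup in the question, as an added example that is not part of the original answer: the stream block reads the SNI name from the TLS ClientHello and passes server 3's connections through undecrypted, so its certificates and keys never have to be copied to the master. All hostnames, addresses, ports and file paths are placeholders chosen for illustration.

```nginx
# Added example: SNI-based TLS passthrough on the master.
# Hostnames, addresses, ports and paths are placeholders, not from the post.
events {}

stream {
    # Choose an upstream from the SNI name in the ClientHello. Nothing is
    # decrypted here, so server 3 keeps its own certificate and key.
    map $ssl_preread_server_name $tls_backend {
        server3.example.com   192.0.2.30:443;   # passthrough to server 3
        default               127.0.0.1:8443;   # local http{} block below
    }

    # Record which name was requested and where the connection was sent.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'upstream=$upstream_addr status=$status';
    access_log /var/log/nginx/stream-sni.log sni;

    server {
        listen 443;
        ssl_preread on;              # needs ngx_stream_ssl_preread_module
        proxy_connect_timeout 5s;
        proxy_pass $tls_backend;
    }
}

http {
    # The master still terminates TLS for the servers whose keys it holds,
    # but on a loopback port, because the stream block now owns port 443.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name server1.example.com;
        ssl_certificate     /etc/nginx/tls/server1.crt;
        ssl_certificate_key /etc/nginx/tls/server1.key;

        location / {
            proxy_set_header Host $host;
            proxy_pass http://192.0.2.10:80;
        }
    }
    # server2.example.com is set up the same way as server1.
}
```

With passthrough, server 3 sees the master's address as the connection source and the master cannot inspect or log the HTTP requests inside the tunnel, so the stream access log is the only record of the client address. To hand the client address to server 3, the PROXY protocol (`proxy_protocol on;` in the stream server) has to be enabled on both ends.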

Solution 2

Here's a configuration that might work. Proxy through the master and forward everything to Server3. Use the ssl port but turn ssl off.

server {
    listen      443;
    server_name  myserver.mydomain.whatever;

    ssl         off;

    access_log      /var/log/nginx/myserver.access.log;
    error_log       /var/log/nginx/myserver.error.log;

    keepalive_timeout   60;

    location / {
        set $fixed_destination $http_destination;
        if ( $http_destination ~* ^https(.*)$ )
        {
            set $fixed_destination http$1;
        }

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_set_header    Destination $fixed_destination;
        # Fix the "It appears that your reverse proxy set up is broken" error.
        # might need to explicitly set https://localip:port
        proxy_pass          $fixed_destination;
        # force timeout if backend died.
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_read_timeout  90;
        proxy_redirect http:// https://;
    }
}
Author by

J J


Updated on July 24, 2022

Comments

  • J J almost 2 years

    I have a master nginx server deciding on the incoming server name where to route requests to. For two secondary servers this master nginx server is also holding ssl certificates and keys. The 3rd server is holding its own certificates and keys because there is a frequent update process for those.

    My question is now how I can configure the master nginx server to forward all requests to server 3 which are coming in for this server. I cannot copy the certificates and keys from server 3 to the master server as they change too often.

    overview servers and http(s) connections

  • J J over 8 years
    Thanks for your help. I'm not quite sure if I get everything right. What am I supposed to do with the server definition for listen 80;? Redirect it to 443 on the master nginx server and then use your code example? Where in your example do you specify to which IP internally the request is forwarded to?
  • J J over 8 years
    I tested it both ways. Either I get an error in the nginx log saying 2015/10/22 11:34:21 [error] 18229#0: *57916 invalid URL prefix in "", client: xxx.xxx.xxx.xxx, server: my_server_name, request: "GET / HTTP/1.1$ or the browser directly says that no secure connection could be established and refuses to connect.
  • wolfhammer over 8 years
    Looks like it's not possible. Nginx does not do forward proxy. https and nginx as forward proxy.