How can I reverse-proxy with SSL in nginx without intermediate encryption, using the same key/certificate on both servers?
Background:
There is a web server called example.com that lives at 1.1.1.1. This is the main server.
There is an nginx-based reverse proxy that serves the same example.com domain at 2.2.2.2 on the other side of the world.
The DNS has A records for the example.com domain with both addresses, 1.1.1.1 and 2.2.2.2.
Everything works fine via HTTP; the logs show that some clients connect to one server and other clients to the other server.
An aside, for the curious:
This was done to increase the availability of servers.
As soon as this was done, the "Site is not available" error disappeared for the clients.
Of course, at the same time, the download speed for clients connecting through the reverse proxy is significantly lower than for those connected to the main server. But this is not controlled by us; it is decided by the browser.
I guess the browser just tries to establish a connection with both servers. Whichever answers first is the one the browser keeps working with from then on.
Continuing the background:
On server 1.1.1.1, HTTPS is enabled and works fine.
At the same time, server 1.1.1.1 also serves via HTTP, but I would like to stop that.
On server 2.2.2.2, HTTPS is enabled and works fine.
At the same time, server 2.2.2.2 also serves via HTTP, but I would like to stop that.
Question:
How can it be encrypted exactly once?
Now we are forced to support an encrypted connection on 2.2.2.2, but to save resources, the reverse proxy goes to 1.1.1.1 without encryption.
It is not a problem to enable encryption for communication between 1.1.1.1 and 2.2.2.2, but this will:
a) nginx on 2.2.2.2 encrypts
b) nginx on 2.2.2.2 decrypts
c) nginx encrypts to connect to 1.1.1.1
d) the main server, the one on 1.1.1.1, encrypts
e) the main server, the one on 1.1.1.1, decrypts
Now we at least save a little, because steps c), d) and e) are absent when the client connection goes through 1.1.1.1.
All the instructions on these internets of yours talk about how to encrypt on nginx and hand the already decrypted traffic to the server behind the proxy, or how to encrypt between the proxy and the main server.
I would like to have one-time end-to-end encryption, performed once on 2.2.2.2 and decrypted only on 1.1.1.1.
Meanwhile the client could still randomly connect to either 1.1.1.1 or 2.2.2.2, but only via HTTPS with encryption; plain HTTP would then be disabled.
Since both servers serve the same domain, it is logical that the key / certificate for both servers will be the same.
Note: the proxy caches some of the requests.
That is, it decrypts the request itself and serves the response to the client for some of the files.
This also needs to be taken into account.
This is possible, but:
1. There will be no caching on the second server (it does not decrypt the request/response and does not know the URI).
2. You will lose the IP addresses of clients working through the second server.
This is done through ngx_stream_proxy_module.
It is available from version 1.9.0.
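The stream-module passthrough this answer describes, written out as an added example (not code from the answer or from the nginx project): 2.2.2.2 forwards the raw TLS session to 1.1.1.1 by SNI, so only 1.1.1.1 ever decrypts, and the PROXY-protocol listener on a separate port (8443, an assumed choice) is one way to address the second caveat, the lost client IP. It assumes nginx 1.11.5 or newer built with the stream, stream_ssl_preread and http_realip modules, and certificate paths are placeholders.

```nginx
## ---- on 2.2.2.2 (the reverse proxy): TLS passthrough, no decryption here ----
stream {
    # Route by the SNI name in the ClientHello; ssl_preread only parses the
    # handshake, it never terminates TLS, so the first caveat applies: no
    # caching is possible because the URI is never visible on this host.
    map $ssl_preread_server_name $backend {
        example.com      1.1.1.1:8443;
        www.example.com  1.1.1.1:8443;
        default          127.0.0.1:1;   # unknown SNI: nothing listens, connection fails
    }

    server {
        listen 2.2.2.2:443;      # plain TCP listener: deliberately no "ssl" flag
        ssl_preread on;
        proxy_pass $backend;
        proxy_protocol on;       # send the PROXY header so 1.1.1.1 learns the client IP
        proxy_connect_timeout 5s;
        proxy_timeout 120s;
    }
}

# The http block on 2.2.2.2 must no longer bind 443 (the stream server owns it);
# keep only a redirect on 80 so plain HTTP is effectively switched off.
http {
    server {
        listen 2.2.2.2:80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }
}

## ---- on 1.1.1.1 (the main server): the single place TLS is terminated ----
http {
    server {
        listen 1.1.1.1:443 ssl;                 # direct clients, no PROXY header
        listen 1.1.1.1:8443 ssl proxy_protocol; # only 2.2.2.2 may reach this (firewall it)
        server_name example.com www.example.com;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder path

        # Restore the real client address from the PROXY header, but trust it
        # only when the connection comes from the proxy itself.
        set_real_ip_from 2.2.2.2;
        real_ip_header   proxy_protocol;

        root /var/www/example.com;              # placeholder document root
    }
}
```

Port 8443 must be blocked for everyone except 2.2.2.2, because a listener with `proxy_protocol` accepts whatever client address the PROXY header claims.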
In my opinion, it is much better to allow port 80 only for inter-server requests at the firewall level and leave everything as it is.
Bring up GRE/IPIP/IPsec between the servers and proxy to the address inside the tunnel without encryption; the encryption can then be done once, at the tunnel level.
Even though the question is about your own nginx: if you are not tied to your server and the regulations allow it, take a service like Cloudflare.