Does anyone know requirements for how to configure Nginx to re-encrypt connections to backend server?

Hopefully this topic isn’t too out in left field.

I use nginx usually as a reverse SSL terminating proxy. SSL connections are typically offloaded at the reverse proxy and the connection is forwarded to the backend server usually over an unencrypted connection (which in my case is usually the http protocol).

I’ve read nginx is capable of actually re-encrypting the connection to the backend server using a different certificate. Although I’m referring to backend servers as servers usually located within the LAN, I believe nginx refers to these backend servers as upstream servers (If I’m incorrect in this terminology please correct me). I’m specifically referencing the guide here published by nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/

I’m having two issues with setting this up:

  1. It appears in order to set this up properly - you need client/server certificates. Client/server certificates are different than Let’s Encrypt certificates. I believe to generate client/server certificates it’s most likely you’ll need to become your own CA and then generate a client/server pair. I don’t know if this guide is accurate, however it seems fairly comprehensive on how to generate these particular types of certificates: https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html

Once these certificates are created however, I’m not exactly sure what to do with them, or how to configure the reverse proxy on the front or backend to use the client certificates. In my case a nginx reverse proxy would be re-encrypting to a backend nginx server – so I’d have to configure both ends to use these certificates (or so I believe).

  2. I’ve also been told in various forums there is a “hacky way” to get around the client/server certificate conundrum. This method would “encrypt” the connection to the backend server but wouldn’t verify the authenticity of the backend. For this method to work, I’ve been told you need to do 3 things.

     1. An SSL certificate (such as an LE cert) installed on the backend reverse proxy/web server or backend application

     2. Adjust the appropriate server block of the virtual domain on the “frontend” nginx reverse proxy to proxy_pass https://backend.domain.com instead of proxy_pass http://backend.domain.com on the main or initial reverse proxy. The SSL certificate installed on the backend machine would have the corresponding name as backend.domain.com

     3. *** Totally optional step *** Add the following directives under the proxy_pass https: line configured in step #2 (none of these are required since the default setting for proxy_ssl_verify is off):

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify off;
        proxy_ssl_server_name on;

        #proxy_ssl_trusted_certificate ??? <<self signed client certificate???>>;
        #proxy_ssl_verify on;
        #proxy_ssl_verify_depth 2;

I’m just curious if anyone is familiar with setting the re-encryption up using the “correct” method rather than the “hacky” method – or is the hacky method not actually all that hacky? Or am I just totally way out in left field here?
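An added example, not from the original post or from the nginx guide it links, of the verified variant the question asks about: the frontend turns proxy_ssl_verify on and pins a trusted CA, and the backend can optionally require a client certificate (mutual TLS). All file paths, the private-CA name and the backend's local app port are assumptions; backend.domain.com is the hostname from the post.

```nginx
# Frontend reverse proxy: terminates the public TLS connection, then
# re-encrypts to the upstream and verifies the upstream's certificate.
# Paths, private-CA name and client cert are assumed, not from the post.
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        proxy_pass https://backend.domain.com;

        # Verify the upstream chain against a CA. Here the backend cert is
        # issued by a private CA; if the backend instead holds a public
        # (e.g. Let's Encrypt) cert, point this at the OS bundle
        # (/etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/private-ca.crt;

        # Check the name in the upstream cert and send SNI so the upstream
        # picks the matching server block (proxy_ssl_name defaults to the
        # proxy_pass host; set explicitly here for clarity).
        proxy_ssl_name          backend.domain.com;
        proxy_ssl_server_name   on;
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;

        # Optional mutual TLS: present a client cert issued by the same
        # private CA so the upstream can authenticate the proxy in turn.
        proxy_ssl_certificate     /etc/nginx/certs/proxy-client.crt;
        proxy_ssl_certificate_key /etc/nginx/certs/proxy-client.key;

        proxy_set_header Host $host;
    }
}

# Upstream (backend) nginx: serves its private-CA-issued certificate and,
# for mutual TLS, rejects clients whose cert does not chain to that CA.
server {
    listen 443 ssl;
    server_name backend.domain.com;
    ssl_certificate     /etc/nginx/certs/backend.domain.com.crt;
    ssl_certificate_key /etc/nginx/certs/backend.domain.com.key;

    ssl_client_certificate /etc/nginx/certs/private-ca.crt;
    ssl_verify_client      on;   # require a valid client certificate

    location / {
        proxy_pass http://127.0.0.1:8080;   # plaintext stays on this host
    }
}
```

With proxy_ssl_verify off (the "hacky" method), the hop is encrypted but any certificate is accepted; turning it on is what makes a spoofed or misrouted upstream fail the handshake instead of silently receiving traffic.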

I’d terminate ssl on the nginx server, upstream app servers can then just serve the content, instead of worrying about ssl encryption/decryption overhead. Setting up ssl termination using the SSL module is the way to go. A very good case study here https://www.nginx.com/resources/wiki/start/topics/examples/SSL-Offloader/

Hope it helps.

Found this also https://serverfault.com/questions/583374/configure-nginx-as-reverse-proxy-with-upstream-ssl

Hey @Jamest65 I appreciate your help on this one. I honestly forgot I wrote this post since it was about 10 months ago. I’ve learned a lot about reverse proxies since this time and I appreciate the resources. I was able to make everything work in the end. I’m not sure if it was this project or another but I think I ended up switching to traefik just because it does automated ssl cert management and I was working a lot with docker. With nginx I’ve mostly tried to convert to nginx proxy manager since it provides a GUI with automated certificate management as well. For client/server certificates I’ve learned a thing or two about generating proper SSL certs with SNI.

Thanks for your recommendations.

Hi @kevdog it came up on the forum in my email, didn’t realise it was that far back. You’re welcome and thanks for the background. I too like the simplicity that Nginx offers.