Does anyone know requirements for how to configure Nginx to re-encrypt connections to backend server?

Hopefully this topic isn’t too out in left field.

I use nginx usually as a reverse SSL terminating proxy. SSL connections are typically offloaded at the reverse proxy and the connection is forwarded to the backend server usually over an unencrypted connection (which in my case is usually the http protocol).

I’ve read nginx is capable of actually re-encrypting the connection to the backend server using a different certificate. Although I’m referring to backend servers as servers usually located within the LAN, I believe nginx refers to these backend servers as upstream servers (If I’m incorrect in this terminology please correct me). I’m specifically referencing the guide here published by nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream/

I’m having two issues with setting this up:

  1. It appears that in order to set this up properly you need client/server certificates. Client/server certificates are different from Let’s Encrypt certificates. I believe that to generate client/server certificates it’s most likely you’ll need to become your own CA and then generate a client/server pair. I don’t know if this guide is accurate, however it seems fairly comprehensive on how to generate these particular types of certificates: https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html

Once these certificates are created, however, I’m not exactly sure what to do with them, or how to configure the reverse proxy on the front or back end to use the client certificates. In my case an nginx reverse proxy would be re-encrypting to a backend nginx server, so I’d have to configure both ends to use these certificates (or so I believe).

  2. I’ve also been told in various forums there is a “hacky way” to get around the client/server certificate conundrum. This method would “encrypt” the connection to the backend server but wouldn’t verify the authenticity of the backend. For this method to work, I’ve been told you need to do 3 things:

    1. An SSL certificate (such as an LE cert) installed on the backend reverse proxy/web server or backend application.

    2. Adjust the appropriate server block of the virtual domain on the “frontend” nginx reverse proxy to proxy_pass https://backend.domain.com instead of proxy_pass http://backend.domain.com on the main or initial reverse proxy. The SSL certificate installed on the backend machine would have the corresponding name, backend.domain.com.

    3. *** Totally optional step *** Add the following directives under the proxy_pass https: line configured in step #2 (none of these are required, since the default setting for proxy_ssl_verify is off):

       proxy_ssl_protocols TLSv1.2 TLSv1.3;
       proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
       proxy_ssl_session_reuse on;      # reuse TLS sessions to the upstream
       proxy_ssl_verify off;            # upstream certificate is NOT checked
       proxy_ssl_server_name on;        # send SNI to the upstream

       # the directives needed to actually verify the upstream:
       #proxy_ssl_trusted_certificate ??? <<self signed client certificate???>>;
       #proxy_ssl_verify on;
       #proxy_ssl_verify_depth 2;

I’m just curious if anyone is familiar with setting the re-encryption up using the “correct” method rather than the “hacky” method, or is the hacky method not actually all that hacky? Or am I just totally way out in left field here?