So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this?
http {
    # log_format is only valid in the http context; nginx rejects it inside server { }
    log_format replay '[$time_local] $server_name $status $content_type $request_method XX_HOST_XX$request_uri Authorization:"$http_authorization" $request_body_file';

    server {
        ######################################################################
        # This is acting like the server side to decrypt the incoming traffic
        ######################################################################
        listen 443 ssl;      # 'ssl' parameter tells NGINX to decrypt the traffic
        server_name _;       # any server

        # server certificate in PEM format
        ssl_certificate /etc/ssl/certs/server.crt;
        # server private key
        ssl_certificate_key /etc/ssl/certs/server.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # can tweak caching strategy if needed
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 4h;
        # ssl_handshake_timeout is a stream-module directive; the http ssl module has no such directive
        # ssl_handshake_timeout 30s;

        ######################################################################
        # This is acting like the client side and re-encrypting
        ######################################################################
        # proxy_ssl on is a stream-module directive; in http the https:// scheme in proxy_pass enables TLS
        # proxy_ssl on;
        # ssl client cert
        proxy_ssl_certificate /etc/ssl/certs/backend.crt;
        # ssl client private key
        proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
        # SSLv3, TLS 1.0 and TLS 1.1 are obsolete; TLSv1.2 alone is the safer choice
        proxy_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        # proxy_ssl_verify on needs a CA bundle to check the backend certificate against;
        # with this left unset every upstream handshake fails verification
        # proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;

        client_body_in_file_only on;
        access_log /var/log/nginx/request_response.log replay;

        location / {
            proxy_pass https://backend;   # 'https' prefix tells NGINX to encrypt the traffic
        }
    }
}

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <r...@roze.lv> wrote:
>
> so if I put both of these in one server block so that the incoming is
> de-crypted and the outgoing is decrypted. Do I put both the server and
> client certs in the same server block ?
> confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide
> a client certificate via proxy_ssl_certificate
> (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate).
>
> - If your clients need to authenticate versus your nginx proxy then you
> use ssl_verify_client / ssl_trusted_certificate
> (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client).
>
> - If your backend requires passing through the user certificates it's a
> bit tricky as depending on backend it might or might not work
> https://trac.nginx.org/nginx/ticket/857
>
> rr
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
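The three cases rr lists, written out as one http block that terminates TLS from clients with client-certificate authentication, presents its own client certificate to the backend and verifies the backend's certificate against a CA. This is an added example, not the poster's config or anything from the nginx project; the certificate paths, the backend address, the `backend` upstream name and the `X-SSL-Client-*` header names are assumptions.

```nginx
# Added example (not from the original thread). Paths, the backend address and
# the header names are assumptions.
http {
    # log_format is only valid in the http context, not inside server { }
    log_format replay '[$time_local] $server_name $status $request_method $request_uri '
                      'client_dn="$ssl_client_s_dn" client_verify=$ssl_client_verify';

    upstream backend {
        server 10.0.0.10:8443;   # assumed backend address
    }

    server {
        listen 443 ssl;
        server_name _;

        # Case 2: clients authenticate to this nginx with their own certificates.
        # ssl_client_certificate is the CA that issued the client certs;
        # ssl_verify_client on rejects handshakes that do not present a valid one.
        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/private/server.key;
        ssl_client_certificate /etc/ssl/certs/client-ca.crt;
        ssl_verify_client      on;
        ssl_verify_depth       2;
        ssl_protocols          TLSv1.2;
        ssl_ciphers            HIGH:!aNULL:!MD5;

        access_log /var/log/nginx/request_response.log replay;

        location / {
            # Case 1: the backend requires a client certificate from nginx.
            proxy_ssl_certificate     /etc/ssl/certs/backend-client.crt;
            proxy_ssl_certificate_key /etc/ssl/private/backend-client.key;
            # proxy_ssl_verify on only works with a CA to check the backend cert against
            proxy_ssl_trusted_certificate /etc/ssl/certs/backend-ca.crt;
            proxy_ssl_verify        on;
            proxy_ssl_verify_depth  2;
            proxy_ssl_protocols     TLSv1.2;
            proxy_ssl_session_reuse on;

            # Case 3: the user's certificate cannot be forwarded as TLS (nginx already
            # terminated that handshake), so pass its verified identity in headers.
            # The backend must accept these headers only from this proxy (assumed).
            proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
            proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;

            proxy_pass https://backend;   # https:// scheme turns on TLS to the backend
        }
    }
}
```

`$ssl_client_verify` is `SUCCESS`, `NONE` or `FAILED:reason`, so the backend can check that value rather than trusting the DN header alone.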