how not to ssl terminate at NginX load balacner

5
votes

I want to know how to have NginX (load balancer) accept traffic on 443 and forward it to port 443 on the load balanced web server nodes.

I am using NginX as a load balancer where the SSL termination occurs at NginX level. And then NginX sends unencrypted traffic to my web serves at port 80.

This is my current ngnx configuration:

upstream appserver {
    server 10.0.1.132;
    server 10.0.1.243;
}

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /etc/nginx/cert.pem;
    ssl_certificate_key  /etc/nginx/cert.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location / {
        proxy_pass http://appserver;
    }
}

I have gone through: Nginx load balance with upstream SSL

My real issue is, If I want NginX to listen traffic on 443, then I need to configure the ssl termination on nignx. Else nginx service won't start and will complain about missing ssl cert/keys.

In short, I want Nginx to simply accept traffic on 443 and forward it to 443 on load balanced Web server nodes. Then let my webservers do the SSL work.

The best practice is to do SSL offloading at load balancer level but I want to do otherwise.

Thanks.

3
nginx
What you're asking is called MITM attack: en.wikipedia.org/wiki/Man-in-the-middle_attack That is exactly what SSL/TLS prevents.VBart
Agree. So does it mean, if one wants to use a load-balancer (any load balancer per se, not just NginX), the he must configure SSL termination at the load-balancer level? I ma specifically talking about this answer where it was suggested to have backend SSL as well. My requirement is not as hard as PCI folks demand. I'm just trying to understand the whole concept.slayedbylucifer
If you want to use layer 7 load balancer like nginx, then it needs to unencrypt connection to get access to requests, and you must specify keys/certs in nginx.conf. After that it can be encrypted again before sending to backends (using proxy_pass https://appserver). Other way you can balance TLS on TCP layer using one of L4 balancers.VBart
Ok. thanks for the explanation.slayedbylucifer

3 Answers

2
votes

This requires Layer 4 snooping/routing on NGINX's part, which is apparently not entirely supported. NGINX seems to support SNI, but for some reason I could not prevent it from terminating the TLS connection.

I ended up using HAProxy.

1
votes

For this you need to use stream instead of http.

0
votes

It is possible but this requires an extra module namely ngx_stream_ssl_preread_module it is available as of Nginx 1.11.5

It allows access to the SNI from which you can extract server name found in the client's ClientHello message via the $ssl_preread_server_name variable based on that you can route a TCP ("stream") connection to another enpoint. The downside is that you can only rely on the hostname for routing.

The documentation for the module provides an example of how to do that.