2
votes

I have an Nginx server handling HTTP requests and doing proxy_pass to some node servers upstream. If the domain name matches one of the enabled sites, all packets are redirected to one node server, but only if the channel is SSL; otherwise a 301 to the https version:

server {
    listen         80;
    server_name    something.com;                 # directive must end with ';'
    return 301     https://$host$request_uri;     # redirect plain HTTP to HTTPS
}

server {
    listen 443;                                   # standard HTTPS port
    server_name something.com;

    ssl_certificate           /etc/nginx/cert.crt;
    ssl_certificate_key       /etc/nginx/cert.key;

    ssl on;                                       # deprecated in newer nginx; "listen 443 ssl;" is the current form
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
      # pass client address and original Host through to the upstream app
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header X-NginX-Proxy true;

      proxy_pass http://127.0.0.1:3000/;          # TLS terminated here; plain HTTP to node
      proxy_redirect off;
    }
}

All that works, but certificate management, the SSL handshake and so on are done by Nginx. I would like each node server upstream to manage its own SSL preferences so I don't depend on Nginx for this. My node servers already support https requests, but I don't understand whether it is possible to tell Nginx:

  • Listen on 80; if something comes in, do a 301 to the https version of it.
  • Listen on 433; don't worry about SSL, just proxy pass everything to localhost:3000.
  • And the node server listening on port 3000 handles SSL.

If you have only one site and want node to handle SSL, why don't you just make node to listen to port 443? - Alexey Ten
The accepted answer is not accurate anymore: see stackoverflow.com/questions/46412934/… - fragmentedreality

1 Answer

0
votes

Listen to 433, don't worry for SSL, just proxy pass everything to localhost:3000

No, not with nginx; you will have to use port forwarding for that.

nginx would either have to use some SSL key and possibly proxy the traffic to some Node app using SSL; this would mean that both Node and nginx would have to manage their own SSL keys (nginx for the client-nginx connection and the Node app for the nginx-nodeApp connection).

Or nginx could use HTTP without SSL to proxy the request to Node that uses SSL, and this would mean that the client-nginx connection would be insecure and only the nginx-NodeApp connection would be secure. Also, it would mean that https://www.example.com/ would not work, though http://www.example.com:443/ would.

If you want Node to handle the SSL keys and not the reverse proxy (as is usually done), then you would have to use port forwarding on the TCP/IP level to pass the traffic to the Node app, without using a reverse proxy (nginx) at all.

Usually a reverse proxy is used so that the apps wouldn't have to handle the SSL keys used for client connections (among other things). If you want the Node apps to use the SSL keys and not the reverse proxy then you should reconsider using a reverse proxy in the first place.
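The TCP-level forwarding the answer refers to can be done with nginx's own stream module instead of an external port forwarder; this is an added example, not configuration from the question or the answer, and the host names, ports and the assumption that nginx was built with the stream module (with ssl_preread, available from 1.11.5) are illustrative:

```nginx
# Added example: nginx forwards raw TCP on 443 to the Node apps, which
# terminate TLS themselves. The stream {} block sits at the top level of
# nginx.conf beside http {}, and http {} must no longer listen on 443.
stream {
    # Choose the backend from the SNI host name in the ClientHello without
    # decrypting anything. Host names and ports are assumed for illustration.
    map $ssl_preread_server_name $backend {
        something.com    127.0.0.1:3000;
        other.example    127.0.0.1:3001;
        default          127.0.0.1:3000;
    }

    server {
        listen 443;
        ssl_preread on;        # peek at the TLS ClientHello only; no termination
        proxy_pass $backend;   # forward bytes as-is; Node owns the handshake and keys
    }
}

http {
    server {
        listen 80;
        server_name something.com other.example;
        return 301 https://$host$request_uri;   # plain HTTP still redirects to HTTPS
    }
}
```

Because nginx never sees the HTTP layer in this mode, it cannot add X-Real-IP or X-Forwarded-For, so the Node app will log every connection as coming from 127.0.0.1 unless the PROXY protocol is enabled on both sides; any request filtering or rate limiting that relied on nginx inspecting HTTP also moves to the Node app.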