Sometimes you may need to setup SSL passthrough for your NGINX load balancer/reverse proxy server to pass the encrypted data to backend servers. Here are the steps to implement SSL/TLS passthrough in NGINX server.
By default, the SSL encrypted data terminates at load balancer and only decrypted data is passed to back end servers. This can pose a security issue, in case, someone is snooping into your private networks, or on the traffic between your load balancer and back end servers. So, sometimes you may need to pass the encrypted data as-is to your back end servers for more security.
How to Configure SSL/TLS passthrough in NGINX
Here are the steps to configure SSL/TLS passthrough in NGINX.
1. Install NGINX with ngx_stream_core_module
You need to install NGINX with ngx_stream_core_module to setup SSL passthrough. Depending on your Linux distribution, run the following commands.
Ubuntu/Debian
Get PGP Key using wget and install it
$ cd /tmp/ $ sudo wget https://nginx.org/keys/nginx_signing.key $ sudo apt-key add nginx_signing.key
Create a config file.
$ sudo vi /etc/apt/sources.list.d/nginx.list
Add the following lines
For Ubuntu
$ sudo deb http://nginx.org/packages/ubuntu/ xenial nginx $ sudo deb-src http://nginx.org/packages/ubuntu/ xenial nginx
For Debian
$ sudo deb http://nginx.org/packages/debian/ stretch nginx $ sudo deb-src http://nginx.org/packages/debian/ stretch nginx
Install NGINX
$ sudo apt-get update $ sudo apt-get install nginx
Redhat/Fedora/CentOS
Setup the RHEL/CentOS repository
$ sudo vi /etc/yum.repos.d/nginx.repo
Add the following lines. Replace “OS” below with rhel or centos depending on your distribution. Replace “OSRELEASE” with 6 or 7, for 6.x or 7.x versions, respectively.
[nginx] name=nginx repo baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/ gpgcheck=0 enabled=1
Here is an example for CentOS 7.x is as follows:
[nginx] name=nginx repo baseurl=http://nginx.org/packages/centos/7/$basearch/ gpgcheck=0 enabled=1
Save and close the file. Run the following commands to install NGINX.
$ sudo yum update $ sudo yum install nginx
Also read : How to Fix NGINX: Too Many Open Files Error
2. Configure NGINX Load Balancer
Open NGINX configuration file in a text editor.
$ sudo vi /etc/nginx/nginx.conf
Add the following line after http block.
include /etc/nginx/passthrough.conf;
Here is what it will look like
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
...
}
include /etc/nginx/passthrough.conf;
Save and close the file.
Create the file we have included above in NGINX configuration.
$ sudo vi include /etc/nginx/passthrough.conf;
Add the following lines. Replace 192.168.2.150 and 192.168.2.151 with the IP addresses of your back end servers. Please note, both these servers must run on port 443 (HTTPS) for SSL/TLS passthrough. You can also rename backend_servers cluster name as per your requirement.
## tcp LB and SSL passthrough for backend ##
stream {
upstream backend_servers {
server 192.168.2.150:443 max_fails=3 fail_timeout=10s;
server 192.168.2.151:443 max_fails=3 fail_timeout=10s;
}
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
access_log /var/log/nginx/access.log basic;
error_log /var/log/nginx/error.log;
server {
listen 443;
proxy_pass backend_servers;
proxy_next_upstream on;
}
}
Basically, the load balancer’s server block listens to port 443. It uses proxy_pass directive to pass the incoming https requests to backend_servers cluster. The back end servers in our cluster is listening on port 443, in turn, which receives the encrypted requests as-is.
Also read : How to List NGINX Modules & Compiled Flags
3. Restart NGINX Server
Test NGINX configuration.
$ sudo nginx -t
If you don’t get any error message, restart NGINX web server to apply changes.
$ sudo systemctl reload nginx
Also read : How to Rsync Files between two servers
4. Update firewall
Update firewall rules of your NGINX Load balancer server to allow traffic on port 80 and 443. You can skip this step if they are already open.
$ sudo ufw allow http $ sudo ufw allow https
5. Backend Server Configuration
We need to also configure backend servers at IP 192.168.2.150 and 192.168.2.151 mentioned in Step 2. We have assumed that you have NGINX servers running at both 192.168.2.150 and 192.168.2.151 IP addresses. On first server 192.168.2.150, open NGINX configuration file in a text editor.
$ sudo vi /etc/nginx/nginx.conf
Get SSL certificate from a commercial certificate provider like Symantec, RapidSSL, or from a free certificate provider Add the following lines to the server block of configuration file. Replace bundle.crt and private.key with the certificate bundle and private key files.
server {
listen 443;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/bundle.crt;
ssl_certificate_key /etc/nginx/ssl/private.key;
...
}
Here is a detailed guide about how to setup SSL configuration in NGINX
Repeat this step to configure SSL certificate for second server 192.168.2.151.
That’s it. Now NGINX load balancer will pass https request to back end servers without decrypting them.
Related posts:
Sreeram has more than 10 years of experience in web development, Python, Linux, SQL and database programming.