configure nginx passthrough

How to Configure SSL/TLS passthrough in NGINX

Team Fedingo

Sometimes you may need to setup SSL passthrough for your NGINX load balancer/reverse proxy server to pass the encrypted data to backend servers. Here are the steps to implement SSL/TLS passthrough in NGINX server.

By default, the SSL encrypted data terminates at load balancer and only decrypted data is passed to back end servers. This can pose a security issue, in case, someone is snooping into your private networks, or on the traffic between your load balancer and back end servers. So, sometimes you may need to pass the encrypted data as-is to your back end servers for more security.


How to Configure SSL/TLS passthrough in NGINX

Here are the steps to configure SSL/TLS passthrough in NGINX.


1. Install NGINX with ngx_stream_core_module

You need to install NGINX with ngx_stream_core_module to setup SSL passthrough. Depending on your Linux distribution, run the following commands.

Ubuntu/Debian

Get PGP Key using wget and install it

$ cd /tmp/
$ sudo wget https://nginx.org/keys/nginx_signing.key
$ sudo apt-key add nginx_signing.key

Create a config file.

$ sudo vi /etc/apt/sources.list.d/nginx.list

Add the following lines

For Ubuntu

$ sudo deb http://nginx.org/packages/ubuntu/ xenial nginx
$ sudo deb-src http://nginx.org/packages/ubuntu/ xenial nginx

For Debian

$ sudo deb http://nginx.org/packages/debian/ stretch nginx
$ sudo deb-src http://nginx.org/packages/debian/ stretch nginx

Install NGINX

$ sudo apt-get update
$ sudo apt-get install nginx

Redhat/Fedora/CentOS

Setup the RHEL/CentOS repository

$ sudo vi /etc/yum.repos.d/nginx.repo

Add the following lines. Replace “OS” below with rhel or centos depending on your distribution. Replace “OSRELEASE” with 6 or 7, for 6.x or 7.x versions, respectively.

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/OS/OSRELEASE/$basearch/
gpgcheck=0
enabled=1

Here is an example for CentOS 7.x is as follows:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=0
enabled=1

Save and close the file. Run the following commands to install NGINX.

$ sudo yum update
$ sudo yum install nginx

Also read : How to Fix NGINX: Too Many Open Files Error


2. Configure NGINX Load Balancer

Open NGINX configuration file in a text editor.

$ sudo vi /etc/nginx/nginx.conf

Add the following line after http block.

include /etc/nginx/passthrough.conf;

Here is what it will look like

user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
...
}
include /etc/nginx/passthrough.conf;

Save and close the file.

Create the file we have included above in NGINX configuration.

$ sudo vi include /etc/nginx/passthrough.conf;

Add the following lines. Replace 192.168.2.150 and 192.168.2.151 with the IP addresses of your back end servers. Please note, both these servers must run on port 443 (HTTPS) for SSL/TLS passthrough. You can also rename backend_servers cluster name as per your requirement.

## tcp LB  and SSL passthrough for backend ##
stream {
    upstream backend_servers {
        server 192.168.2.150:443 max_fails=3 fail_timeout=10s;
        server 192.168.2.151:443 max_fails=3 fail_timeout=10s;
    }

log_format basic '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/access.log basic;
    error_log  /var/log/nginx/error.log;

    server {
        listen 443;
        proxy_pass backend_servers;
        proxy_next_upstream on;
    }
}

Basically, the load balancer’s server block listens to port 443. It uses proxy_pass directive to pass the incoming https requests to backend_servers cluster. The back end servers in our cluster is listening on port 443, in turn, which receives the encrypted requests as-is.

Also read : How to List NGINX Modules & Compiled Flags


3. Restart NGINX Server

Test NGINX configuration.

$ sudo nginx -t

If you don’t get any error message, restart NGINX web server to apply changes.

$ sudo systemctl reload nginx

Also read : How to Rsync Files between two servers


4. Update firewall

Update firewall rules of your NGINX Load balancer server to allow traffic on port 80 and 443. You can skip this step if they are already open.

$ sudo ufw allow http
$ sudo ufw allow https


5. Backend Server Configuration

We need to also configure backend servers at IP 192.168.2.150 and 192.168.2.151 mentioned in Step 2. We have assumed that you have NGINX servers running at both 192.168.2.150 and 192.168.2.151 IP addresses. On first server 192.168.2.150, open NGINX configuration file in a text editor.

$ sudo vi /etc/nginx/nginx.conf

Get SSL certificate from a commercial certificate provider like Symantec, RapidSSL, or from a free certificate provider Add the following lines to the server block of configuration file. Replace bundle.crt and private.key with the certificate bundle and private key files.

server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ...
}

Here is a detailed guide about how to setup SSL configuration in NGINX

Repeat this step to configure SSL certificate for second server 192.168.2.151.

That’s it. Now NGINX load balancer will pass https request to back end servers without decrypting them.

Related posts:

Set NGINX to Catch All Unhandled Virtual Hosts
Difference between $host and $http_host in NGINX
NGINX: Protect Static Files with Authentication
How to Block URL Parameters in NGINX
NGINX Block File Extension
NGINX Prevent Host Header Attack
How to Fix 'Plain HTTP Request Was Sent to HTTPS Port' in NGINX
How to Serve Static Files in NodeJS using NGINX

Leave a Reply

Your email address will not be published. Required fields are marked *