Overview
--------
- Nginx can act as an SSL endpoint (an SSL/TLS termination point)
- once a client request is received over the encrypted channel (SSL/TLS), Nginx decrypts it and passes the request to the backend server over an unencrypted channel; the client's TLS session ends at Nginx, and the backend only ever sees plaintext
- because the hop between Nginx and the backend is unencrypted, it must run over a trusted network (or be re-encrypted with `proxy_ssl on;`)
- can be performed on HTTP connections (the `http` context) and on raw TCP connections (the `stream` context)
client ---- encrypted (SSL/TLS) ----> Nginx proxy server
                                            |
                                            |---- unencrypted ----> backend server
Requirements
------------
* Nginx Plus R6 or later (the open-source nginx `stream` module, available since 1.9.0 when built with `--with-stream`, provides the same directives)
* A load-balanced upstream group with several TCP servers
* SSL certificates and a private key (obtained from a CA or self-generated)
Configuration
-------------
Configuration is similar to the SSL setup in the previous discussion (HTTP SSL termination) but with the addition of the `proxy_pass` directive, and the `server` block is placed inside the `stream` context rather than `http`.
Standard settings
|
    stream {
        server {
            listen 443 ssl;
            proxy_pass backend;   # name of the upstream group of TCP servers

            # public key / certificate chain (shared with clients)
            ssl_certificate www.example.com.crt;   # file name assumed; this line was missing above
            # private key (must be kept private, readable only by the nginx master process)
            ssl_certificate_key www.example.com.key;

            # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on nginx 1.13+ prefer "TLSv1.2 TLSv1.3"
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ...
        }
    }
|
Speeding up TCP connections
---------------------------
- the SSL/TLS handshake is a series of messages between client and server in which they negotiate the protocol version and cipher suite, the client verifies the server's certificate, and both sides derive the session keys
- the default SSL handshake timeout is 60 seconds
- you can change it via `ssl_handshake_timeout`
- it must not be set too low (slow or high-latency clients fail the handshake) or too high (a client that never completes the handshake holds a worker connection open for the whole timeout, which is what a slow-handshake flood exploits)
Manually specifying the SSL handshake timeout
|
    server {
        …
        ssl_handshake_timeout 10s;
    }
|
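The two fragments above (the SSL termination server block and the handshake timeout) combined into one complete `stream` configuration. This is an added example, not configuration from the original post or from NGINX, Inc.; the upstream addresses, ports, certificate paths and timeouts are assumptions. It goes slightly beyond the post by pinning the protocol list to TLSv1.2/1.3 and enabling session resumption, which avoids a full handshake on reconnect and is the other common way to speed up TLS over TCP.

```nginx
# Added example (not from the original post): SSL/TLS termination for a
# load-balanced TCP service in the stream context. Addresses, ports and
# file paths below are assumptions for illustration.
stream {
    # Upstream group of plaintext TCP backends (assumed addresses).
    # The hop from nginx to these servers is unencrypted, so they must
    # sit on a trusted network; otherwise add "proxy_ssl on;" in the server.
    upstream backend {
        server 10.0.0.11:3306;
        server 10.0.0.12:3306;
    }

    server {
        listen 443 ssl;
        proxy_pass backend;

        # Certificate chain (public) and private key (keep mode 0600, owned by root).
        ssl_certificate     /etc/nginx/ssl/www.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

        # Protocol and cipher policy. TLSv1.3 needs nginx 1.13.0+ and OpenSSL 1.1.1+;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and deliberately absent.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Drop clients that do not finish the handshake within 10s (default 60s).
        # Too low: slow clients fail the handshake. Too high: half-open handshakes
        # tie up worker connections for the whole timeout.
        ssl_handshake_timeout 10s;

        # Session resumption: a returning client reuses the cached session
        # instead of performing a full handshake (shared cache across workers).
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Fail fast if no backend accepts the TCP connection.
        proxy_connect_timeout 5s;
    }
}

# Verify the negotiated version and cipher from a client (assumed host/port):
#   openssl s_client -connect 127.0.0.1:443 </dev/null 2>/dev/null | grep -E 'Protocol|Cipher'
```

Reload with `nginx -t && nginx -s reload`; `nginx -t` will reject the file if the `stream` module is not compiled in, which is the quickest check that the build actually supports TCP termination.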