Thursday, May 20, 2021

Secure TCP to Upstream

Overview
--------

- A TCP connection to upstream servers (a group of proxied/backend servers) can be
  secured using SSL/TLS.
- Requirements:
    a. NGINX Plus R6 and later, or NGINX Open Source compiled with
       `--with-stream` and `--with-stream_ssl_module`
    b. an upstream group of servers / proxied TCP servers
    c. an SSL certificate and a private key
- The setup is similar to securing HTTPS to upstream, but the `stream` context is used
  instead of `http`.

 

Complete Example
----------------

```nginx
stream {

    upstream backend {
        server backend1.example.com:12345;
        server backend2.example.com:12345;
        server backend3.example.com:12345;
    }

    server {
        listen     12345;
        proxy_pass backend;
        proxy_ssl  on;                 # speak TLS to the upstream servers

        # client certificate and key that NGINX presents to the upstream
        proxy_ssl_certificate         /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key     /etc/ssl/certs/backend.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once every backend speaks TLSv1.2
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        # CA bundle used to verify the certificate presented by the upstream
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

        proxy_ssl_verify        on;    # refuse upstreams whose certificate fails verification
        proxy_ssl_verify_depth  2;     # longest certificate chain accepted during verification
        proxy_ssl_session_reuse on;    # reuse TLS sessions to the upstream
    }
}
```
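As an added example (not part of the original post and not NGINX code), a small Python audit that tokenizes a `stream` block like the one above and flags the settings that weaken upstream TLS: `proxy_ssl` off, verification off or without a trust store, deprecated protocol versions, and an unset `proxy_ssl_name`. The tokenizer is a minimal one written for this check, and the sample configuration is a constructed copy of the post's block trimmed to the inspected directives.

```python
import re
# Constructed sample: the post's stream block, trimmed to the directives the audit inspects.
SAMPLE_CONF = """
stream {
    upstream backend { server backend1.example.com:12345; }
    server {
        proxy_pass backend;
        proxy_ssl  on;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;  # TLS 1.0/1.1 still allowed
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
        proxy_ssl_verify        on;
    }
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # retired by RFC 8996
def parse_server_blocks(conf):
    """Tiny tokenizer for `directive args;` and `{ }` nesting (not full NGINX syntax): one dict per server{}."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    blocks, stack, args = [], [], []
    for tok in tokens:
        if tok == "{":                      # a block is named by the word before it
            stack.append(args[0] if args else "")
            if stack[-1] == "server":
                blocks.append({})
            args = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                    # end of one directive
            if stack and stack[-1] == "server" and args:
                blocks[-1][args[0]] = args[1:]
            args = []
        else:
            args.append(tok)
    return blocks

def audit(d):
    """Findings for one stream server{} block; an empty list means the block is clean."""
    if d.get("proxy_ssl", ["off"])[0] != "on":
        return ["proxy_ssl off: traffic to the upstream is sent in plaintext"]
    findings = []
    if d.get("proxy_ssl_verify", ["off"])[0] != "on":
        findings.append("proxy_ssl_verify off: the upstream certificate is never checked")
    elif "proxy_ssl_trusted_certificate" not in d:
        findings.append("proxy_ssl_verify on but no proxy_ssl_trusted_certificate configured")
    weak = DEPRECATED & set(d.get("proxy_ssl_protocols", []))
    if weak:
        findings.append("deprecated protocols enabled: " + " ".join(sorted(weak)))
    if "proxy_ssl_name" not in d:  # default is the proxy_pass host part, here the group name
        findings.append("proxy_ssl_name unset: verified name defaults to '%s'" % d.get("proxy_pass", ["?"])[0])
    return findings
```

Run the audit over the post's full block and it reports the two findings a reviewer would raise: TLSv1/TLSv1.1 still enabled, and certificate name verification defaulting to the upstream group name `backend` rather than a backend host name.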

 

 
