N00b - confused ssl


N00b - confused ssl

Joel Parker
I am reading this doc: https://www.nginx.com/blog/nginx-ssl/ and it shows how to either terminate (decrypt) SSL or how to receive unencrypted traffic over port 80, for example, and encrypt it before sending it to the upstream servers.

From the doc:

listen 443 ssl;

*** tells nginx to decrypt the incoming traffic

proxy_pass https://backends;

*** and https tells nginx to encrypt the traffic going to the upstream servers

So if I put both of these in one server block so that the incoming is decrypted and the outgoing is decrypted, do I put both the server and client certs in the same server block?

confused.

Joel

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

RE: N00b - confused ssl

Reinis Rozitis
> So if I put both of these in one server block so that the incoming is decrypted and the outgoing is decrypted, do I put both the server and client certs in the same server block?
> confused.

Depends on what setup/requirements you actually have:

- If your backend server requires authentication then you have to provide a client certificate via proxy_ssl_certificate (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate).

- If your clients need to authenticate versus your nginx proxy then you use ssl_verify_client / ssl_trusted_certificate (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client).

- If your backend requires passing through the user certificates it's a bit tricky, as depending on the backend it might or might not work: https://trac.nginx.org/nginx/ticket/857

rr


Re: N00b - confused ssl

Joel Parker
So it sounds like if I want to decrypt incoming traffic and upstream traffic I would put them in the same block like this?

# log_format is only allowed in the http context, so it has to sit above the
# server block (nginx -t rejects it inside server {}).
log_format replay '[$time_local] $server_name $status $content_type $request_method XX_HOST_XX$request_uri Authorization:"$http_authorization" $request_body_file';

server {
    ######################################################################
    # This is acting like the server side to decrypt the incoming traffic
    ######################################################################

    listen 443 ssl;       # 'ssl' parameter tells NGINX to decrypt the traffic
    server_name _;        # any server

    # server certificate in PEM format
    ssl_certificate        /etc/ssl/certs/server.crt;

    # server private key
    ssl_certificate_key    /etc/ssl/certs/server.key;

    ssl_protocols    TLSv1.2;
    ssl_ciphers      HIGH:!aNULL:!MD5;

    # can tweak caching strategy if needed
    ssl_session_cache      shared:SSL:20m;
    ssl_session_timeout    4h;
    # ssl_handshake_timeout belongs to the stream module, not http; in http the
    # handshake is bounded by client_header_timeout
    # ssl_handshake_timeout    30s;

    ######################################################################
    # This is acting like the client side and re-encrypting
    ######################################################################

    # There is no 'proxy_ssl on;' directive in the http proxy module (it exists
    # only in the stream module); the https:// scheme in proxy_pass below is
    # what switches on TLS towards the upstream.

    # ssl client cert
    proxy_ssl_certificate        /etc/ssl/certs/backend.crt;

    # ssl client private key
    proxy_ssl_certificate_key    /etc/ssl/certs/backend.key;
    # SSLv3 is obsolete; keep only the TLS versions the backend actually needs
    proxy_ssl_protocols    SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers      HIGH:!aNULL:!MD5;

    # if requires trusted cert (needed whenever proxy_ssl_verify is on;
    # without a trust anchor nginx cannot verify the chain and returns 502)
    # proxy_ssl_trusted_certificate    /etc/ssl/certs/trusted_ca_cert.crt;

    proxy_ssl_verify           on;
    proxy_ssl_verify_depth     2;
    proxy_ssl_session_reuse    on;

    client_body_in_file_only on;
    access_log /var/log/nginx/request_response.log replay;

    location / {
        # 'https' prefix tells NGINX to encrypt the traffic; 'backend' must be
        # defined in an upstream {} block in the http context
        proxy_pass https://backend;
    }
}

On Tue, Apr 25, 2017 at 8:13 PM, Reinis Rozitis <[hidden email]> wrote:
> > So if I put both of these in one server block so that the incoming is decrypted and the outgoing is decrypted, do I put both the server and client certs in the same server block?
> > confused.
>
> Depends on what setup/requirements you actually have:
>
> - If your backend server requires authentication then you have to provide a client certificate via proxy_ssl_certificate (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate).
>
> - If your clients need to authenticate versus your nginx proxy then you use ssl_verify_client / ssl_trusted_certificate (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client).
>
> - If your backend requires passing through the user certificates it's a bit tricky, as depending on the backend it might or might not work: https://trac.nginx.org/nginx/ticket/857
>
> rr



Re: N00b - confused ssl

Reinis Rozitis
> So it sounds like if I want to decrypt incoming traffic and upstream
> traffic I would put them in the same block like this ?

Seems fine.

P.S. Just if you trust your backend, there is in general no need to use
proxy_ssl_verify    on;
When it's off (by default) nginx will be fine with whatever certificate the
backend server provides, as long as the connection is via ssl/tls.


rr

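Putting the thread together, as an added example that is not from any of the posts: one http-context fragment covering the cases Reinis lists in his first reply (clients authenticating to nginx, nginx presenting a client certificate to the backend) and the caveat in his last reply (with proxy_ssl_verify off, any backend certificate is accepted, so turning it on needs a trust anchor and an expected name). All file paths, the hostnames proxy.example.test and backend.internal, and the header names are placeholders.

```nginx
http {
    # log_format is only valid here, not inside server {}
    log_format tls '$remote_addr "$request" $status '
                   'client_verify=$ssl_client_verify dn="$ssl_client_s_dn"';

    upstream backends {
        server backend.internal:8443;   # placeholder backend
    }

    server {
        listen 443 ssl;
        server_name proxy.example.test;   # placeholder name
        ssl_certificate         /etc/nginx/tls/server.crt;
        ssl_certificate_key     /etc/nginx/tls/server.key;
        ssl_protocols           TLSv1.2 TLSv1.3;

        # Clients authenticate to nginx (ssl_verify_client case). "optional"
        # lets the location below return a clean 403 instead of a TLS alert.
        ssl_client_certificate  /etc/nginx/tls/client-ca.crt;
        ssl_verify_client       optional;
        ssl_verify_depth        2;
        access_log /var/log/nginx/tls.log tls;

        location / {
            if ($ssl_client_verify != SUCCESS) { return 403; }
            proxy_pass https://backends;   # https scheme = re-encrypt upstream

            # Backend requires a client certificate from nginx
            # (proxy_ssl_certificate case).
            proxy_ssl_certificate      /etc/nginx/tls/proxy-client.crt;
            proxy_ssl_certificate_key  /etc/nginx/tls/proxy-client.key;
            proxy_ssl_protocols        TLSv1.2 TLSv1.3;

            # With proxy_ssl_verify off (the default) any backend certificate
            # is accepted. On is only meaningful together with a trust anchor
            # and the name the backend certificate must match.
            proxy_ssl_verify               on;
            proxy_ssl_trusted_certificate  /etc/nginx/tls/backend-ca.crt;
            proxy_ssl_verify_depth         2;
            proxy_ssl_name                 backend.internal;
            proxy_ssl_server_name          on;   # send SNI upstream
            proxy_ssl_session_reuse        on;

            # The client's own certificate cannot be replayed upstream (the
            # ticket linked above), so forward the verified identity instead.
            proxy_set_header X-Client-Verify  $ssl_client_verify;
            proxy_set_header X-Client-DN      $ssl_client_s_dn;
        }
    }
}
```

Check the file with `nginx -t` after dropping it into the http block; the access log then shows `client_verify=SUCCESS` for authenticated clients and `NONE` or `FAILED:...` for everything that received the 403.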