Routing Http2 traffic without decrypting tls packets

Routing Http2 traffic without decrypting tls packets

Jayarajan, Keerthi (AT ASP RTC)

Hi,

I'm working on a blockchain project for Honeywell. We have blockchain nodes hosted in our cloud. These nodes should connect and talk to an external node and vice versa. We are using Nginx as a reverse proxy server through which the external node can connect to our nodes. We are using the Hyperledger Fabric blockchain framework, which works on the grpc protocol using http2. I found that Nginx 1.15.2 supports http2, so I installed it and tested a sample grpc application (without tls) successfully. Now I need the external node to talk to our node reverse proxied via Nginx. But our nodes are tls encrypted and client authentication is enabled. I want the external node to talk to the internal node as if Nginx was not there. It should forward everything based on the hostname without decrypting the packets. I tried the ssl_preread directive but it says it is not allowed for http2. Can you please tell me technically how this can be accomplished? Looking forward to your support. If this is feasible, we would like to go with Nginx Plus for production.

Thanks and Regards

Keerthi


_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Routing Http2 traffic without decrypting tls packets

Ruslan Ermilov
On Mon, Sep 02, 2019 at 05:45:59PM +0000, Jayarajan, Keerthi (AT ASP RTC) wrote:

> Hi,
>
> I'm working in blockchain project for Honeywell. We have blockchain nodes
> hosted in our cloud. These nodes should connect and talk to external node and
> vice versa. We are using Nginx as Reverse proxy server through which external
> node can connect to our nodes. We are using Hyperledger fabric blockchain
> framework which works on grpc protocol using http2. I found Nginx 1.15.2
> supports http2. So I installed it and tested sample grpc application(without
> tls) successfully. Now, I need external node to talk to our node reverse
> proxied via Nginx. But our nodes are tls encrypted and client authentication
> is enabled. I want the external node to talk to internal node as if the Nginx
> was not there. It should forward everything based on the hostname without
> decrypting the packets. I tried this ssl_preread directive but It says not
> allowed for http2. Can you please technically tell how this can be
> accomplished. Looking forward for your support. If this is feasible, we would
> like to go with Nginx Plus for production.

ngx_stream_ssl_preread_module that you mentioned above can route traffic
based on either the server name requested through SNI or the protocols advertised
in ALPN, or a combination.  The documentation for the module has complete
examples: http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html#example
You don't need "ssl http2" in the listen directive for it to work.
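A stream-level configuration of the kind the reply refers to, added here as an example (it is not from the thread or from the nginx documentation); the peer and orderer hostnames, the internal addresses and ports, and the upstream names are assumed placeholders:

```nginx
# Stream (TCP) context, not http: nginx never terminates TLS here, so the
# Fabric peer's own server certificate and client-certificate verification
# still happen end to end, exactly as if the proxy were absent.
stream {
    # Addresses and hostnames are placeholders, not values from the thread.
    upstream fabric_peer0 {
        server 10.0.0.11:7051;
    }
    upstream fabric_orderer {
        server 10.0.0.21:7050;
    }

    # Route on the server name sent in the TLS ClientHello (SNI). SNI is
    # cleartext before any key exchange, so no decryption is involved.
    map $ssl_preread_server_name $by_name {
        peer0.example.com    fabric_peer0;
        orderer.example.com  fabric_orderer;
        default              "";
    }

    # Additionally require that the client advertised HTTP/2 via ALPN, as
    # gRPC clients do. A connection with an unknown name or without h2
    # resolves to an empty backend, which nginx closes with an error logged.
    map $ssl_preread_alpn_protocols $fabric_backend {
        ~\bh2\b  $by_name;
        default  "";
    }

    server {
        # Plain "listen 443;" with neither "ssl" nor "http2": the handshake
        # is passed through untouched. Use another address or port if an
        # http server block already binds 443 on this host.
        listen 443;
        ssl_preread on;
        proxy_pass $fabric_backend;
    }
}
```

Because the TLS session passes through untouched, the peer still verifies the external node's client certificate itself, but it sees the proxy's address as the TCP source. Keep nginx's stream access log enabled so the real client address is retained somewhere.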