Reputation: 309
Trying to set up Nginx as a load balancer for https servers. The upstream serves over port 443 with SSL certificates configured. How to configure Nginx, so that the SSL certificate configuration is handled only on the upstream servers and not in the Nginx server?
Upvotes: 16
Views: 35735
Reputation: 25244
As far as I understood from reading the relevant discussion on the Nginx forum, this is not possible because Nginx needs to terminate the upstream SSL connection anyway. If you insist on using Nginx you're left only to replicate the SSL configuration and make the certificates and key available to Nginx.
The discussion I linked concluded that HAProxy is a much better tool for SSL upstream passthrough. Here's a relevant post I've found about configuring HAProxy for such a purpose. Because I have zero HAProxy experience I can't summarise its configuration or the general viability of the solution, leaving it to the reader.
Since 1.9.2 Nginx supports HAProxy's proxy protocol.
Upvotes: 4
Reputation: 596
Seems now possible according to https://www.nginx.com/resources/admin-guide/nginx-tcp-ssl-upstreams/ (1.9.4+)
Upvotes: 5
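A sketch of the passthrough setup the question asks for, using the stream (TCP) module; this is an added example, not configuration from any of the answers. The backend addresses are placeholders from the documentation range, and it assumes an Nginx build that includes the stream module.

```nginx
# Added example: layer-4 load balancing with TLS passed through untouched.
# Nginx holds no certificate or private key; the handshake is completed by
# the backend, so the certificate the client validates is the backend's own.
# Assumes the stream module is available (built with --with-stream, or
# loaded via load_module on packaged builds).

events {}

stream {
    upstream backend {
        # Placeholder addresses (192.0.2.0/24 is reserved for documentation).
        server 192.0.2.10:443 max_fails=3 fail_timeout=30s;
        server 192.0.2.11:443 max_fails=3 fail_timeout=30s;
    }

    server {
        # No "ssl" parameter on listen and no ssl_certificate directives:
        # bytes are relayed as-is, so Nginx never sees plaintext HTTP.
        listen 443;

        proxy_pass            backend;
        proxy_connect_timeout 5s;
        proxy_timeout         10m;

        # Because Nginx cannot add X-Forwarded-For to encrypted traffic,
        # the backends see the balancer's address as the client. The PROXY
        # protocol (mentioned in the first answer) carries the real client
        # address, but only enable it once every backend is configured to
        # expect the PROXY header, otherwise TLS handshakes will fail.
        # proxy_protocol on;
    }
}
```

With this layout, anything that needs the decrypted request (HTTP routing, header-based access rules, request logging, WAF inspection) has to happen on the backends, because the balancer only sees ciphertext.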
Reputation: 9914
You need to use the Upstream module and the Reverse Proxy module. To reverse proxy to the https upstream, use this
proxy_pass https://backend;
where backend is an upstream block.
However, if I were doing this, I'd terminate ssl on the nginx server, and make the upstream app servers do what they are good at: serving the content, instead of worrying about ssl encryption/decryption overhead. Setting up ssl termination on nginx is also very simple using the SSL module. A very good case study is also given here.
Upvotes: 15