prokoba

Reputation: 209

SSL port unification with nginx and SNI

I have a number of separate SSL servers on my internal network which I want to expose to the public Internet on a single IP address and port. All my clients are guaranteed to support the server_name TLS extension (a.k.a. Server Name Indication or SNI).

What I imagine is that nginx will look at the TLS client hello message of an incoming connection and figure out which internal IP to forward the connection to. Then nginx acts as a TCP tunnel, i.e. nginx itself is not participating in any TLS sessions (even though it peeks into incoming TLS client hello messages!), and needs no SSL cert or private key of its own.

In other words, the TLS session is initiated on the client, passes through nginx (which multiplexes the destinations using the server_name information in the TLS client hello) and terminates in the destination server.

Can this be done with nginx and how? If not, are you aware of some other proxy software that can do this?

Best Regards,
rkpr

Upvotes: 2

Views: 716

Answers (1)

prokoba

Reputation: 209

It seems haproxy can do exactly that like this:

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use-server srv1 if { req_ssl_sni -i hostname1 }
server     srv1 192.168.0.1:443 weight 0

Upvotes: 3
