Reputation: 297
I know that NGINX is not supposed to be used as a forward proxy, but I have a requirement to do so... Anyway, obviously it is not too hard to get HTTP to work as a forward proxy, but issues arise when trying to configure HTTPS. I generated some self-signed certs and then tried to connect to https://www.google.com, and it gives me the error ERR_TUNNEL_CONNECTION_FAILED. The issue has to do with my certs somehow, but I have no idea how to fix the issue. Does anyone know how to achieve this functionality?
Here is my config:
    server {
        listen 443 ssl;
        root /data/www;
        ssl on;
        ssl_certificate /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/certs/server.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location / {
            resolver 8.8.8.8;
            proxy_pass https://$http_host$uri$is_args$args;
        }
    }
Upvotes: 0
Views: 21012
Reputation: 1046
I was able to configure SSL/TLS forward proxying with this configuration, using the stream module.
    stream {
        upstream web_server {
            server my_server_listening_on:443;
        }
        server {
            listen 443;
            proxy_pass web_server;
        }
    }
Upvotes: 0
Reputation: 297
The reason NGINX does not support HTTPS forward proxying is because it doesn't support the CONNECT method. However, if you are interested in using it as an HTTPS forwarding proxy, you can use the ngx_http_proxy_connect_module.
Upvotes: 8
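A sketch of a forward-proxy server block using the ngx_http_proxy_connect_module named in the answer above. This is an added example, not part of the original answer or the module's own documentation. It assumes nginx has been built with that third-party module; the listen address 10.0.0.5:3128 is a constructed value, and the resolver is taken from the question.

```nginx
# Added example. Requires nginx built with the third-party
# ngx_http_proxy_connect_module; stock nginx does not handle CONNECT.
server {
    # Assumption: 10.0.0.5 is an internal-only interface (constructed value).
    # Binding to it keeps the proxy off public interfaces.
    #
    # No "ssl" and no certificate on this listener: the client speaks plain
    # HTTP to the proxy, sends "CONNECT host:443", and then runs TLS end to
    # end with the origin server through the tunnel.
    listen 10.0.0.5:3128;

    # Resolver for the host named in the CONNECT request (value from the question).
    resolver 8.8.8.8;

    # Directives provided by ngx_http_proxy_connect_module.
    proxy_connect;                        # accept the CONNECT method
    proxy_connect_allow 443;              # tunnel only to port 443
    proxy_connect_connect_timeout 10s;    # give up on unreachable destinations

    # Anything that is not a CONNECT request is refused.
    location / {
        return 403;
    }
}
```

A client would point at it with, for example, `curl -x http://10.0.0.5:3128 https://www.google.com`; the certificate the client validates is the origin server's, not one issued for the proxy.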