Nginx https proxy, do not terminate ssl

Question

I want to proxy https requests to a certain domain to another address:

server {
    server_name site1;
    listen 443;
    ssl on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://172.17.0.1:44110;
    }
}

Nginx complains with:

nginx: [emerg] no "ssl_certificate" is defined for the "ssl" directive in /etc/nginx/nginx.conf:33

The point is that the certificate is actually on the proxied server.

How can I tell nginx to not terminate the ssl layer, and simply proxy it to the configured url?

What I am looking for is something similar to this, but with server_name support.

Answer 1

What you want to do is not possible in NGINX so far as I know. I actually had written out an answer that turned out to have duplicated the link you provided to another StackOverflow answer. If you consider what you are asking, it is in effect for NGINX to be able to Man-in-the-Middle the communication between the client browser and your origin. I don't think you really want this to be possible as it would make SSL/TLS quite useless.

You will either need to do what the linked StackOverflow answer does with the stream module, or you will need to move the certificate to be hosted by NGINX.

Cloudflare has created "Keyless" SSL which allows for the private material to be hosted elsewhere, but only the origin side of it is open source. You would have to modify NGINX to be able to implement the proxy side of the protocol, though perhaps someone else has done that as well. This is likely overkill for your needs.

Answer 2

You should probably have to add:

proxy_ssl_session_reuse off; 

see here