4

Is it possible to forward some tls requests based on their domain name to another server (via nginx)?

I have a public nginx server which serves some pages via http and https (in the image b.com). Now I have a VM only reachable via the nginx server, running an apache server. Can I tell my nginx server to forward requests (to a.com) to the 10.x.x.x server without touching the tls? Through SNI nginx should know which domain is requested?

I don't have the certificates for a.com on the public server.

Problem

Dirk
  • Doesn't seem like nginx has the capability at this time. I believe it terminates TLS before it gets to the vhost/rev.proxy logic. There are a couple sni proxy projects on github, but I haven't tried any. – Andrew Domaszek Dec 24 '15 at 08:01
  • I really doubt Nginx will ever propose this feature: this requires that your nginx "proxy" decrypts the ssl/tls data... You should configure ssl/tls only in b.com for both a.com and b.com – moebius_eye Jan 10 '16 at 10:01
  • @moebius_eye Why should it decrypt the tls? – Dirk Jan 10 '16 at 12:15
  • Could you provide the `nginx` config you are currently using? – Castaglia Feb 12 '16 at 21:42

1 Answer

1

As far as I know, NGINX cannot forward requests this way: it always manages the SSL handshake by itself.

However, haproxy and sniproxy seem to do the job, according to the answers given in this thread: Can a Reverse Proxy use SNI with SSL pass through?