I have 2 Nginx instances, one is listening on 80 and has a proxy_pass https://second_nginx;

The second instance is configured to listen on 443 with a self-signed certificate, but also has the SSL client verify.

I'd like to create a trusted connection between them, and 'inject' the client cert/key to that proxypass so that anything going to the first instance doesn't know about it.

Is that possible? Do I need a custom module?

edit: I found that stunnel may be a suitable solution to add that layer in between, is it a good solution?

Bastien974

1 Answer

I found that stunnel may be a suitable solution to add that layer in between, is it a good solution?

I'm not aware that nginx has that functionality (i.e. providing a client certificate when proxying a request to an upstream).

The stunnel solution works in this case. You can provide a certificate per service. Configure it in stunnel.conf:

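; Client-mode service: accepts plain HTTP from nginx and wraps it in TLS
[upstream]
accept = localhost:4343
connect = upstream.host:443

client = yes
; Client certificate and private key presented to the upstream
cert = /path/to/public.cert
key = /path/to/private.key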

And for the nginx upstream config:

proxy_pass        http://localhost:4343;
masegaloeh
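A check for the stunnel.conf in the answer above, as an added example that is not part of the original post: it audits client-mode services for the settings that decide whether the hop is actually trusted (a client certificate, verification of the upstream certificate through verifyChain/verifyPeer with a CAfile or CApath, and a plaintext listener bound to loopback only). The function names, both sample configs and the CAfile path are assumptions made for illustration.

```python
import ipaddress

# Constructed inputs: the answer's service, then a hardened variant (CAfile path is a placeholder).
ANSWER_CONF = """\
[upstream]
accept = localhost:4343
connect = upstream.host:443
client = yes
cert = /path/to/public.cert
key = /path/to/private.key
"""
HARDENED_CONF = ANSWER_CONF + "verifyPeer = yes\nCAfile = /path/to/second_nginx.crt\n"

def parse_conf(text):
    """Return {section: {option: value}}; options before any section go under ''."""
    sections, current = {"": {}}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def is_loopback(accept):
    """accept is [host:]port; a bare port listens on every interface."""
    host = accept.rpartition(":")[0].strip("[]")
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit(text):  # returns {client-mode service name: [findings]}
    sections, report = parse_conf(text), {}
    for name, own in sections.items():
        opts = {**sections[""], **own}  # options set globally act as defaults
        yes = lambda k: opts.get(k, "no").lower() == "yes"
        if not name or not yes("client"):
            continue
        verified = yes("verifychain") or yes("verifypeer") or opts.get("verify") in ("2", "3", "4")
        checks = [
            (not is_loopback(opts.get("accept", "")), "plaintext listener is not bound to loopback"),
            ("cert" not in opts, "no client certificate configured"),
            (not verified, "upstream certificate is not verified"),
            (verified and not ({"cafile", "capath"} & opts.keys()), "verification enabled without CAfile/CApath"),
        ]
        report[name] = [message for failed, message in checks if failed]
    return report
```

Run against the answer's config, `audit(ANSWER_CONF)` reports that the upstream certificate is not verified: the tunnel presents the client certificate to whatever answers on port 443, which matters here because the second instance uses a self-signed certificate.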