How does nginx proxy https to http website(how does it work)

Question

I have been learning about SSL and been using letsencrpyt.org to offer SSL on some of my sites. So far so good and I was able to get the A rating on SSL Labs . Now that my list of domains,subdomains and web dashboards with weird ports are getting rather large. I thought I might setup nginx as a reverse proxy.

I understand how it works for both http and https but is it secure? If the connection from the upstream server to nginx is not secure then whats the point? Will chrome freak out? Will ssl labs? Won't they detect that the path from the actual server to the client is not encrypted the whole way? I could understand if you were reverse_proxy inside your LAN in a secure environment to private IP's and only the nginx was public facing but I plan on using nginx to proxy other servers, in other networks with public IP's meaning user data would still be transmitted across the internet unencrypted right?

I tried to find good information on this topic but unable too. So let's generate some =) .

Thanks, Levi

Answer 1

If you are using nginx as reverse proxy, Chrome, SSL-Labs and other clients will neither get any information about your backends nor the connection between reverse proxy and backend. What happens between reverse proxy and backend is completely intransparent to the client (as long as you are not telling them details, i.e. using additional headers). So chrome and ssllabs only could check the connection between client and reverse proxy.

It might be usefull to use HTTP for connection to your backend, if backend and reverse proxy are at the same machine or the backend is reachable via a secure local network. In those cases you might save cpu usage.

But even if the connection between reverse proxy and backend is insecure, nobody would see this from outer side. But as a responsible server-admin, you have to secure this part.

The easiest way: Just use also HTTPS between reverse proxy and backend:

proxy_pass https://xx.xx.xx.xx:443;

You could also set up a VPN between reverse proxy and backend.

Answer 2

If you are configured for only HTTP to your proxy, then you loose the advantage of encryption. SSL Labs and the browsers will notice.

You can install the same certificates on the proxy as you have on your servers. This will take more management. If the proxy is serving multiple certificates on the same IP address and port, then only browsers which support SNI will always get the correct certificate.

The most important leg is to have SSL between the browser and your proxy. This means you will need to install one or more certificates on your proxy (nginx). That will retain your rating with SSL Labs and the browsers.

Between your proxy and your servers you have a couple of options. You can use HTTPS to the server, which requires additional certificate installation. These can be be self signed. Self-signed certificates make it easier to ensure traffic is only arriving from your proxy or another internal source.

If you connect from the proxy to the servers using HTTP, you will need to inform your servers the connection arrived on a secure channel. Many web containers can be configured to use a cookie to determine if the connection arrived to your network securely. If you choose this route, strip the cookie at the proxy (at least for HTTP) connections and add it back in.

If your servers don't believe the connection is secure, they won't accept secure-only cookies. Likewise, if the browser connection is not HTTPS, they won't send secure-only cookies. Any login tokens should be using secure-only cookies

Running HTTP only in the data center is simpler, and is as secure as your internal infrastructure. People working in the data center will be able to sniff traffic relatively easily. You can mix HTTP for lower security needs, and HTTPS for higher security needs.

The proxy does add another location where a man-in-the-middle attach can be launched. Keep it secure.