
I have an nginx reverse proxy deployed. I have a few services:

  1. Service A: https service with its own certificate running on port 8080.
  2. Service B: https service with its own certificate running on port 8080.

We have only one entry point to the application via nginx, through an IP address and not DNS names. We want to do path-based routing. If /servicea is requested we need to forward the request to Service A, and the certificate needs to be Service A's. Similarly for Service B.

I explored the SNI-based solution, but it works based on host name. How can we achieve the above configuration in nginx?

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    listen 443 ssl;

    root /usr/share/nginx/html;
    index index.html;

    server_name localhost;
    # The only certificate the client ever sees: TLS terminates here.
    ssl_certificate /etc/nginx/ssl/tls.crt;
    ssl_certificate_key /etc/nginx/ssl/tls.key;

    location / {
        try_files $uri $uri/ =404;
    }
    location /servicea/ {
        # nginx re-encrypts to the backend; the backend certificate is not
        # verified unless proxy_ssl_verify is enabled.
        proxy_pass https://servicea:8080/;
    }
}
Tech_Lover

1 Answer


TL;DR: what you want is impossible.

TLS passthrough means that nginx is not terminating the TLS connection but just passing through the original data. This way the client does client-to-server TLS with the final server instead of client-to-nginx + nginx-to-server.

But in the case of TLS passthrough, nginx cannot see the HTTP request inside the TLS connection, since it is client-to-server encrypted. And since the path is only inside this HTTP request, nginx cannot do any path-based routing.

Steffen Ullrich
  • Are there alternative solutions if we do not have DNS, since there is only one entry point? – Tech_Lover Jan 07 '21 at 17:07
  • @Tech_Lover: You need something which is different in the connection or request in order to make a decision. If the IP is the same and the domain name is the same, then there is not really anything different, so there is no way to make a decision. – Steffen Ullrich Jan 07 '21 at 18:09
  • What if we have a copy of the certificates of servicea on nginx itself? All requests can terminate at nginx. Based on the path, can we return a specific certificate? – Tech_Lover Jan 08 '21 at 05:20
  • @Tech_Lover: The TLS handshake already includes sending the server certificate. The HTTP request is only sent after the successful TLS handshake, and thus the path is only known after the server certificate was already sent. It is impossible to then send another certificate. It is possible, though, to route this request based on the path to the right server. But this is transparent to the client, i.e. no new certificates are visible from the perspective of the client. This is also no longer TLS passthrough, i.e. it is client-to-nginx and nginx-to-server encryption, not client-to-server. – Steffen Ullrich Jan 08 '21 at 06:40
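The terminate-and-re-encrypt setup described in the last comment, written out as an added example (this is not the configuration from the question and not something the answerer posted): nginx presents its own certificate to every client, chooses the backend by path, and verifies each backend's certificate on the nginx-to-server hop. The hostnames servicea/serviceb, the CA bundle path /etc/nginx/ssl/backend-ca.crt and the SAN names used for proxy_ssl_name are assumptions.

```nginx
# Added example: one client-facing certificate, path-based routing,
# and a verified TLS hop to each backend. Paths and names are assumed.
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;   # do not serve the app over plain HTTP
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    server_name _;                           # reached by IP, so no real hostname

    ssl_certificate     /etc/nginx/ssl/tls.crt;   # the only cert the client ever sees
    ssl_certificate_key /etc/nginx/ssl/tls.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Shared settings for the nginx-to-backend TLS hop.
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_verify              on;        # reject a backend presenting an unexpected cert
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/backend-ca.crt;   # assumed CA that issued both backend certs
    proxy_ssl_server_name         on;        # send SNI so the backend selects the right cert

    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    location /servicea/ {
        proxy_pass     https://servicea:8080/;
        proxy_ssl_name servicea;             # must match a SAN in Service A's certificate
    }

    location /serviceb/ {
        proxy_pass     https://serviceb:8080/;
        proxy_ssl_name serviceb;             # must match a SAN in Service B's certificate
    }

    location / {
        return 404;                          # nothing else is exposed through this entry point
    }
}
```

Check the file with `nginx -t` before reloading; if a backend certificate does not chain to the assumed CA bundle or does not carry the name given in proxy_ssl_name, nginx refuses the hop and logs the verification failure rather than silently proxying to it.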