Question
For some reason, I need to set up nginx TCP load balancing, but with SSL termination. I am not sure whether Nginx can do this. Since TCP is layer 4 and SSL is layer 5, SSL pass-through definitely works. But with SSL termination? Thanks for any suggestions.
Answer 1:
Nginx can act as an L3/4 balancer with the stream module: https://www.nginx.com/resources/admin-guide/tcp-load-balancing/
Because SSL is still TCP, Nginx can proxy SSL traffic without termination.
The stream module can also terminate SSL traffic, but it's optional.
Example 1: TCP tunnel for IMAP over SSL without SSL termination
stream {
    upstream stream_backend {
        server backend1.example.com:993;
        server backend2.example.com:993;
    }
    server {
        listen 993;
        proxy_pass stream_backend;
    }
}
In this case, SSL termination is processed by backend1/2.
Example 2: TCP tunnel for IMAP with SSL termination.
stream {
    upstream stream_backend {
        server backend1.example.com:443;
        server backend2.example.com:443;
    }
    server {
        listen 993 ssl;
        proxy_pass stream_backend;
        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
    }
}
In this case, traffic between nginx and backend1/2 is unencrypted (IMAP 443 port used).
Example 3: Receive unencrypted and encrypt it
stream {
    upstream stream_backend {
        server backend1.example.com:993;
        server backend2.example.com:993;
    }
    server {
        listen 443;
        proxy_pass stream_backend;
        proxy_ssl  on;
        proxy_ssl_certificate     /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
    }
}
So, clients connect to our nginx without SSL, and this traffic is proxied to backend1/2 using SSL encryption.
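Added example, not part of the original answer: Examples 2 and 3 combined, so nginx terminates the client's TLS and opens a second, verified TLS session to the backends instead of sending plaintext upstream. The key path, CA bundle path, `proxy_ssl_name` value and protocol list are assumptions for illustration.

```nginx
stream {
    upstream stream_backend {
        server backend1.example.com:993;
        server backend2.example.com:993;
    }

    server {
        # Client side: nginx terminates TLS, as in Example 2.
        listen 993 ssl;
        ssl_certificate     /etc/ssl/certs/server.crt;
        # Assumed path: keep the private key outside the world-readable
        # certs directory, with permissions restricted to root.
        ssl_certificate_key /etc/ssl/private/server.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Backend side: re-encrypt, as in Example 3.
        proxy_pass stream_backend;
        proxy_ssl  on;

        # proxy_ssl_verify defaults to off, in which case nginx accepts
        # any certificate the backend presents. Turn verification on and
        # name the CA that issues the backend certificates.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/backend-ca.crt;  # assumed CA bundle
        proxy_ssl_verify_depth        2;

        # The name checked against the backend certificate defaults to the
        # host part of proxy_pass, which here is the upstream group name
        # "stream_backend". Set the real certificate name explicitly.
        proxy_ssl_server_name on;                          # send SNI to the backend
        proxy_ssl_name        imap.internal.example.com;   # assumed certificate name
    }
}
```

Check the result with `nginx -t` before reloading; with verification on, a backend whose certificate does not chain to the trusted CA or does not match `proxy_ssl_name` is refused rather than silently accepted.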
Source: https://stackoverflow.com/questions/39420613/can-nginx-do-tcp-load-balance-with-ssl-termination