Using Nginx as a Secure Proxy: TLS Termination and mTLS


In the realm of secure communication and network architecture, Nginx stands as a versatile tool for managing traffic and enhancing the security of your applications. In this blog post, we'll explore two crucial scenarios where Nginx shines: TLS termination with client certificate verification and mutual TLS (mTLS) with upstream servers. We'll dive into the Nginx configuration directives, dissect their meanings, and provide insights into generating the required SSL certificates.

Scenario 1: Nginx for TLS Termination with Client Certificate Verification

When you need to terminate SSL/TLS connections and ensure the authenticity of clients, Nginx can act as a gateway, verifying client certificates before forwarding plain HTTP requests to your application. This setup is especially useful in a closed environment like an OpenShift cluster, where you want to ensure secure communication between clients and your application.

server {
    listen 9000 ssl;
    ssl_certificate /etc/erapemfile/public.pem;
    ssl_certificate_key /etc/erakeyfile/private.key;
    ssl_client_certificate /etc/eratrustfile/trust_client.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
    
    location / {
        proxy_pass http://app.cluster.local:9000/;
        proxy_set_header Host $host;
    }
}

Explanation of Nginx Directives

  • listen 9000 ssl;: Instructs Nginx to listen on port 9000 for SSL/TLS connections.
  • ssl_certificate: Points to the server's public certificate.
  • ssl_certificate_key: Specifies the server's private key.
  • ssl_client_certificate: Indicates the trusted certificate authorities for client verification.
  • ssl_verify_client on;: Enables client certificate verification.
  • ssl_verify_depth 2;: Limits how long the client certificate chain may be before it reaches a CA in the trust file; a depth of 2 allows an intermediate CA between the client certificate and the root.
  • location /: Defines the path for which the proxy settings apply.
  • proxy_pass: Directs requests to the specified upstream server.
  • proxy_set_header Host $host;: Sets the Host header for the forwarded request.

Scenario 2: Nginx as an mTLS Proxy with Upstream Server

In scenarios where mTLS is required for secure communication between Nginx and an upstream server, Nginx can act as a middleware that handles the mutual authentication process.

location / {
    proxy_pass https://upstreamserver;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_certificate /etc/certs/public.pem;
    proxy_ssl_certificate_key /etc/certs/private.key;
    proxy_ssl_trusted_certificate /certs/trust.crt;
}

Explanation of Nginx Directives

  • proxy_pass: Forwards requests to the specified upstream server; the https:// scheme makes Nginx open a TLS connection to it.
  • proxy_ssl_verify: Enables verification of the upstream server's SSL/TLS certificate. This is off by default in Nginx, so without it any upstream certificate would be accepted.
  • proxy_ssl_verify_depth: Limits how long the upstream certificate chain may be before it reaches a CA in the trusted certificate file.
  • proxy_ssl_certificate: Points to the client's public certificate.
  • proxy_ssl_certificate_key: Specifies the client's private key.
  • proxy_ssl_trusted_certificate: Indicates the CA certificates used to verify the upstream server's certificate.

Generating SSL Certificates

No discussion of SSL/TLS would be complete without addressing certificate generation. Below are the steps to generate self-signed certificates using OpenSSL:

Generate a private key:

openssl genpkey -algorithm RSA -out private.key

Create a certificate signing request (CSR):

openssl req -new -key private.key -out csr.pem

Create a self-signed certificate:

openssl x509 -req -days 365 -in csr.pem -signkey private.key -out public.pem
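To make these three OpenSSL steps concrete for both scenarios, here is an added example script, not part of the original post, that builds a small CA chain (root, intermediate, then a client leaf and a server leaf) and checks the resulting certificates with openssl verify the way Nginx would: the bundle trust_client.crt plays the role of ssl_client_certificate in scenario 1 and of proxy_ssl_trusted_certificate in scenario 2, client.crt and client.key the role of proxy_ssl_certificate and proxy_ssl_certificate_key, and server.crt an upstream certificate whose subjectAltName matches the hostname used in proxy_pass. All subject names, the hostname upstreamserver, the file names and the extension files are assumptions made for the demo; -verify_depth 2 mirrors ssl_verify_depth 2, and -verify_hostname mirrors the name check Nginx performs against proxy_ssl_name (by default the host from proxy_pass) once proxy_ssl_verify is on.

```shell
#!/bin/sh
# Added example (not from the post): build a two-level PKI with OpenSSL and
# check the resulting certificates the way the two Nginx scenarios would.
#   trust_client.crt : bundle for ssl_client_certificate / proxy_ssl_trusted_certificate
#   client.crt/.key  : identity for proxy_ssl_certificate(_key)
#   server.crt       : upstream cert whose SAN must match proxy_ssl_name
# All names ("Demo Root CA", "upstreamserver", ...) are constructed for the demo.
set -eu

# Sign CSR $1 with CA cert $2 / CA key $3, applying the extensions in extfile $4,
# writing the certificate to $5. Same openssl x509 -req step as the post, but with
# -CA/-CAkey instead of -signkey so the result is CA-issued rather than self-signed.
sign_csr() {
    openssl x509 -req -days 365 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Generate a private key and CSR for common name $2 under directory $1 with file prefix $3.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
        -out "$1/$3.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Create root CA -> intermediate CA -> {client, server} leaves under directory $1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:upstreamserver\n' > "$dir/server.ext"

    # Root CA: key, CSR and self-signed cert (the post's three steps plus CA extensions).
    new_key_and_csr "$dir" "Demo Root CA" root
    openssl x509 -req -days 365 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" >/dev/null 2>&1

    # Intermediate issued by the root; both leaves issued by the intermediate.
    new_key_and_csr "$dir" "Demo Issuing CA" intermediate
    sign_csr "$dir/intermediate.csr" "$dir/root.crt" "$dir/root.key" "$dir/ca.ext" "$dir/intermediate.crt"
    new_key_and_csr "$dir" "demo-client" client
    sign_csr "$dir/client.csr" "$dir/intermediate.crt" "$dir/intermediate.key" "$dir/client.ext" "$dir/client.crt"
    new_key_and_csr "$dir" "upstreamserver" server
    sign_csr "$dir/server.csr" "$dir/intermediate.crt" "$dir/intermediate.key" "$dir/server.ext" "$dir/server.crt"

    # Trust bundle: every CA in the issuing chain. This is what Nginx needs in
    # ssl_client_certificate / proxy_ssl_trusted_certificate to build the chain.
    cat "$dir/intermediate.crt" "$dir/root.crt" > "$dir/trust_client.crt"
}

# Scenario 1 check: is $2 an acceptable client certificate under bundle $1?
# -verify_depth 2 matches ssl_verify_depth 2 (leaf -> intermediate -> root).
verify_client_cert() {
    openssl verify -CAfile "$1" -verify_depth 2 -purpose sslclient "$2" >/dev/null 2>&1
}

# Scenario 2 check: is $2 a valid server certificate under bundle $1 for host $3?
verify_server_cert() {
    openssl verify -CAfile "$1" -verify_depth 2 -purpose sslserver \
        -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run.
WORK=$(mktemp -d)
make_demo_pki "$WORK"
verify_client_cert "$WORK/trust_client.crt" "$WORK/client.crt" && echo "client cert: accepted"
verify_server_cert "$WORK/trust_client.crt" "$WORK/server.crt" upstreamserver && echo "upstream cert for upstreamserver: accepted"
verify_server_cert "$WORK/trust_client.crt" "$WORK/server.crt" other.internal || echo "upstream cert for other.internal: rejected (name mismatch)"
# A self-signed cert from outside the chain is rejected, as ssl_verify_client on would do.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
verify_client_cert "$WORK/trust_client.crt" "$WORK/rogue.crt" || echo "rogue cert: rejected"
```

Run it with sh; it needs only openssl. The point of the two negative checks is the behaviour the directives buy you: with ssl_verify_client on, Nginx rejects a client certificate that does not chain to the trust file, and with proxy_ssl_verify on it rejects an upstream whose certificate does not chain to proxy_ssl_trusted_certificate or whose name does not match proxy_ssl_name, which is exactly what the other.internal check shows.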

Conclusion

Nginx offers a powerful gateway for enhancing the security of your applications through TLS termination and mTLS. Whether you need to ensure client authenticity or enable secure communication between services, Nginx's versatile configuration options empower you to manage SSL/TLS with ease. By dissecting the Nginx directives and understanding how they work, you're better equipped to create a robust and secure communication infrastructure within your environment.
