Using Nginx as a Secure Proxy: TLS Termination and mTLS

Using Nginx as a Secure Proxy: TLS Termination and mTLS
Photo by Albert S / Unsplash

In the realm of secure communication and network architecture, Nginx stands as a versatile tool for managing traffic and enhancing the security of your applications. In this blog post, we'll explore two crucial scenarios where Nginx shines: TLS termination with client certificate verification and mutual TLS (mTLS) with upstream servers. We'll dive into the Nginx configuration directives, dissect their meanings, and provide insights into generating the required SSL certificates.

Scenario 1: Nginx for TLS Termination with Client Certificate Verification

When you need to terminate SSL/TLS connections and ensure the authenticity of clients, Nginx can act as a gateway, verifying client certificates before forwarding plain HTTP requests to your application. This setup is especially useful in a closed environment like an OpenShift cluster, where you want to ensure secure communication between clients and your application.

server {
    listen 9000 ssl;
    ssl_certificate /etc/erapemfile/public.pem;
    ssl_certificate_key /etc/erakeyfile/private.key;
    ssl_client_certificate /etc/eratrustfile/trust_client.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
    location / {
        proxy_pass http://app.cluster.local:9000/;
        proxy_set_header Host $host;

Explanation of Nginx Directives

  • listen 9000 ssl;: Instructs Nginx to listen on port 9000 for SSL/TLS connections.
  • ssl_certificate: Points to the server's public certificate.
  • ssl_certificate_key: Specifies the server's private key.
  • ssl_client_certificate: Indicates the trusted certificate authorities for client verification.
  • ssl_verify_client on;: Enables client certificate verification.
  • ssl_verify_depth 2;: Sets the maximum verification depth.
  • location /: Defines the path for which the proxy settings apply.
  • proxy_pass: Directs requests to the specified upstream server.
  • proxy_set_header Host $host;: Sets the Host header for the forwarded request.

Scenario 2: Nginx as an mTLS Proxy with Upstream Server

In scenarios where mTLS is required for secure communication between Nginx and an upstream server, Nginx can act as a middleware that handles the mutual authentication process.

location / {
    proxy_pass https://upstreamserver;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_certificate /etc/certs/public.pem;
    proxy_ssl_certificate_key /etc/certs/private.key;
    proxy_ssl_trusted_certificate /certs/trust.crt;

Explanation of Nginx Directives

  • proxy_pass: Redirects requests to the specified upstream server.
  • proxy_ssl_verify: Enables verification of the upstream server's SSL/TLS certificate.
  • proxy_ssl_verify_depth: Sets the maximum verification depth.
  • proxy_ssl_certificate: Points to the client's public certificate.
  • proxy_ssl_certificate_key: Specifies the client's private key.
  • proxy_ssl_trusted_certificate: Indicates the trusted certificates for server verification.

Generating SSL Certificates

No discussion of SSL/TLS would be complete without addressing certificate generation. Below are the steps to generate self-signed certificates using OpenSSL:

Generate a private key:

openssl genpkey -algorithm RSA -out private.key

Create a certificate signing request (CSR):

openssl req -new -key private.key -out csr.pem

Create a self-signed certificate:

openssl x509 -req -days 365 -in csr.pem -signkey private.key -out public.pem


Nginx offers a powerful gateway for enhancing the security of your applications through TLS termination and mTLS. Whether you need to ensure client authenticity or enable secure communication between services, Nginx's versatile configuration options empower you to manage SSL/TLS with ease. By dissecting the Nginx directives and understanding how they work, you're better equipped to create a robust and secure communication infrastructure within your environment.

Subscribe to Post, Code and Quiet Time.

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.