Nginx: setup SSL reverse proxy (load balanced SSL proxy)

776px-Nginx-battleship.svgA reverse proxy is a proxy server that is installed in a server network. Typically, reverse proxies are used in front of Web servers such as Apache, IIS, and Lighttpd. How do I setup nginx web server as SSL reverse proxy?

When you’ve multiple backend web servers, encryption / SSL acceleration can be done by a reverse proxy. Nginx can act as SSL acceleration software. It provided the following benefits:

  • Easy of use : Nginx is easy to setup and upgrade.
  • Security : Nginx provide an additional layer of defense as Apache is behind the proxy. It can protect against common web-based attacks too.
  • Load Distribution : nginx use very little memory and can distribute the load to several Apache servers. It can even rewrite urls on fly.
  • Caching : Nginx act as a reverse proxy which offload the Web servers by caching static content, such as images, css, js, static html pages and much more.
  • Compression : Nginx can optimize and compress the content to speed up the load time.

Our Sample Setup

  • lb0 — Linux box directly connected to the Internet via eth1. This is master SSL load balancer.
  • lb1 — Linux box directly connected to the Internet via eth1. This is backup SSL load balancer. This will become active if master networking failed.
  • A virtual IP address that moves between lb0 and lb1. It is managed by keepalived.
  • nginx — It is installed on lb0 and lb1.
  • SSL Certificate — You need to install ssl certificates on lb0 and lb1.

For demonstration purpose I’m going to use Self-signed SSL certificate, but you can use real SSL certificate signed by CAs.

  • You’ve the SSL connection between client and Nginx.
  • Then Nginx act as proxy server and makes unencrypted connection to Apache at port 80.
  • Nginx can cache all static file and other files.

Generating Self-signed Certificate
First, create required directories:

To create a private key, enter:

Sample outputs:


Fig.01: OpenSSL — Create a Private Key
To create a CSR (Certificate Signing Request):

Sample outputs:

Fig.02: OpenSSL — Create a CSR (Certificate Signing Request)
Please enter your domain name that you want to associate with the certificate. For example, for the Command Name I entered as I’m going to use

How Do I Remove The Passphrase? (Optional)

You can remove the passphrase so nginx can start on boot without entering the passphrase. Type the following commands

Finally, you should see three files as follows (note I’ve created all files as vivek user and than moved lb0 and lb1 server /usr/local/ngnix/conf/ssl/ directory):

Sample outputs:


Fig.03: All the files in ssl directory

Sample outputs:


Fig.04: Generating The Actual Self-signed SSL Certificate

How Do I Copy SSL Certificates Files To lb1?

You need to copy those files to lb1, enter:

Configure Nginx As SSL Reverse Proxy (lb0 and lb1)

Edit nginx.conf, enter (you need to edit files on both lb0 and lb1):

Edit / append as follows:

Save and close the file. Reload nginx:

Verify port is opened:

How Do I Test And Debug SSL Certificates From The Shell Prompt?
Use the openssl command as follows:

Or better use the following command:

How Do I Cache Common Files?
Edit nginx.conf and add as follows to cache common files:

Save and close the file. Reload nginx:

Экспорт или импорт сертификата PKCS#12

Файлы PKCS#12 используются в разных приложениях типа MS IIS. Они часто имеют расширение .pfx.

Превратить pfx в pem:

Создание самоподписанного сертификата?

Создать файл mycert.pem, в котором будет и секретный ключ и открытый сертификат, основанный на нём. Сертификат будет действителен в течение 365 дней; ключ (благодаря опции -nodes) будет нешифрованным.

После вызова команды надо будет ответить на несколько вопросов: Country Name, State, City и так далее. На вопрос “Common Name” нужно отвечать именем сервера, по которому будут обращаться люди.

Можно автоматизировать ввод ответов с помощью опции -subj.