nginx certificateless stream module reverse proxy https

Posted by Chesso on Sat, 16 May 2020 16:05:28 +0200

The company's R & D is generally in the Intranet environment, but some third-party interfaces need to be called during the development.

At this time, a server can be used as nginx reverse proxy, and then the R & D machine can modify the host file to point the domain name to the server to realize proxy forwarding.

However, the normal nginx http reverse proxy proxy https needs to configure a certificate. We can't have a certificate for the domain name of a third-party interface, so we need to use the stream module of nginx.

The normal nginx reverse proxy is the seventh layer proxy, while the stream module is the fourth layer proxy, forwarding tcp/ip protocol, so no certificate is needed.

The stream module can only be supported after nginx 1.9.0. Currently, nginx-1.17.3 already contains this module by default.

However, in order to implement multiple interfaces of proxy, it is necessary to unpack and analyze the domain name and other information in the tcp package before the request can be distributed. Therefore, the NGX stream SSL preread module is also used. This module is not included in the official release package and needs to be compiled by itself.

nginx profile

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/;
events {
    worker_connections  1024;

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    #gzip  on;
    server {
        listen 80;
        location / {
            #proxy_http_version 1.1;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection $connection_upgrade;
    include /etc/nginx/conf.d/*.conf;

stream {
  log_format proxy '$proxy_protocol_addr $remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time "$upstream_addr" '
    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

  #access_log /usr/local/nginx/logs/access.log proxy;
  #error_log /usr/local/nginx/logs/error.log info;

  map_hash_bucket_size 64;

  map $ssl_preread_server_name $backend_pool { server_cn;
    default server_baidu;

  upstream server_cn{

  upstream server_baidu{

    listen 443;
    ssl_preread on;
    proxy_pass $backend_pool;
    proxy_connect_timeout 15s;
    proxy_timeout 15s;
    proxy_next_upstream_timeout 15s;


Topics: Nginx SSL