nginx stream proxy vs http proxy for ssl termination

Solution 1:

With both methods the upstream IP address will remain hidden.

As for the rest:

  • stream is certainly faster, since less code is executed. However both are well-written C code and when you compare it with network delays, the difference might not be noticeable.
  • With stream the upstream logs will only contain one client IP address (the address of the proxy server). This can be changed with the proxy_bind directive, but requires additional networking setup. On the other hand adding an X-Forwarded-For header in the http setup is straightforward:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
  • With stream the upstream server needs to be manually configured to consider the incoming connection secure: e.g. Tomcat requires the addition of scheme="https" and secure="true" on the <Connector> element. Using the http proxy and an X-Forwarded-Proto header the upstream server can decide whether HTTP or HTTPS was used on a per-connection basis.

The question of the security of the setup is quite opinion-based:

  • Using the http proxy, you can limit the URI paths that will be proxied, hence you will not expose to the public the administrative part of your website.
  • On the other hand, by adding additional computational strain on your system (against the alternative of accessing the upstream server directly), you are more exposed to DDoS attacks.
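The two setups compared in the answer above, written out as an added nginx configuration example (this is not code from the original answer; the upstream address 10.0.0.10:8080, the certificate paths and the /admin/ prefix are assumed). The stream block is given port 8443 only so that both variants can sit in one file for comparison; in practice you would run one or the other on 443:

```nginx
# Added example: nginx stream (TLS pass-through termination) vs http proxy.
# Assumed values: upstream 10.0.0.10:8080 speaks plain HTTP, certificate
# and key live under /etc/nginx/tls/, the admin area is under /admin/.

# --- Variant A: stream proxy. TLS is terminated here and the decrypted
# bytes are forwarded unchanged; nginx never parses HTTP, so it can add no
# headers and cannot filter by URI. ---
stream {
    upstream app_tcp {
        server 10.0.0.10:8080;
    }

    server {
        listen 8443 ssl;                      # 443 in a real deployment
        ssl_certificate     /etc/nginx/tls/fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # The upstream sees only this proxy's address as the client.
        # "proxy_bind $remote_addr transparent;" would preserve the real
        # client IP, but it needs routing/iptables rules so that the
        # upstream's replies come back through this host.
        proxy_pass app_tcp;
    }
}

# --- Variant B: http proxy. TLS is terminated and HTTP is parsed, so the
# proxy can pass client and scheme information on and refuse paths. ---
http {
    upstream app_http {
        server 10.0.0.10:8080;
    }

    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/tls/fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Never proxy the administrative part of the site; answer as if
        # it did not exist.
        location /admin/ {
            return 404;
        }

        location / {
            proxy_pass http://app_http;
            proxy_set_header Host              $host;
            # Appends $remote_addr to any X-Forwarded-For the client sent.
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            # $scheme is "https" on this listener, so the upstream can
            # treat the request as secure without a hard-coded connector.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP         $remote_addr;
        }
    }
}
```

Two caveats a practitioner would want with variant B: X-Forwarded-For is appended to, not replaced, so a client can prepend arbitrary addresses and the upstream must only trust the last hop (the proxy's address); and if nginx itself sits behind another proxy or load balancer, set_real_ip_from and real_ip_header are needed on nginx so that $remote_addr reflects the real client rather than the upstream-facing address of that balancer.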