nginx stream proxy vs http proxy for ssl termination
Solution 1:
With both methods the upstream IP address will remain hidden.
As for the rest:
- `stream` is certainly faster, since less code is executed. However both are well-written C code and when you compare it with network delays, the difference might not be noticeable.
- With `stream` the upstream logs will only contain one client IP address (the address of the proxy server). This can be changed with the `proxy_bind` directive, but requires additional networking setup. On the other hand adding an `X-Forwarded-For` header in the `http` setup is straightforward: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
- With `stream` the upstream server needs to be manually configured to consider the incoming connection secure: e.g. Tomcat requires the addition of `scheme="https"` and `secure="true"` on the `<Connector>` element. Using the `http` proxy and an `X-Forwarded-Proto` header the upstream server can decide whether `HTTP` or `HTTPS` was used on a per-connection basis.
The question of the security of the setup is quite opinion-based:
- Using the `http` proxy, you can limit the URI paths that will be proxied, hence you will not expose to the public the administrative part of your website,
- On the other hand, by adding additional computational strain on your system (against the alternative of accessing the upstream server directly), you are more exposed to DDoS attacks.
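The two layouts compared in the answer, as an added example (not part of the original answer): TLS is terminated by nginx in both cases and the backend at 10.0.0.10:8080, the hostname example.com and the certificate paths are placeholder assumptions.

```nginx
# Variant 1: stream proxy. TLS is terminated here and the decrypted TCP
# stream is handed to the backend unchanged, so nginx cannot add headers
# and the backend sees the proxy's address as the client.
stream {
    upstream app_stream {
        server 10.0.0.10:8080;          # placeholder backend (plain HTTP)
    }
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder
        proxy_pass app_stream;
        # To preserve the real client IP you would need IP transparency,
        # which also needs routing/iptables changes on the proxy host:
        # proxy_bind $remote_addr transparent;
    }
}

# Variant 2: http proxy. nginx parses requests, so it can restrict which
# paths reach the backend and tell it who the client was and that the
# original connection used HTTPS.
http {
    upstream app_http {
        server 10.0.0.10:8080;          # placeholder backend (plain HTTP)
    }
    server {
        listen 443 ssl;
        server_name example.com;        # placeholder
        ssl_certificate     /etc/nginx/certs/example.com.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder

        # Administrative paths are never proxied to the backend.
        location /admin/ {
            return 404;
        }

        location / {
            proxy_pass http://app_http;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;   # "https" here
        }
    }
}
```

With variant 1 the backend must be told the connection is secure by its own configuration (the Tomcat `scheme`/`secure` attributes mentioned above); with variant 2 it can trust `X-Forwarded-Proto` only if it is reachable solely through this proxy.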