Nginx proxy based on SNI without decryption

Solution 1:

No, you can't do this with Nginx. By default, Nginx always decrypts content so that it can apply request routing. Some solutions that can be tried:

  • There is a 3rd-party module called nginx_tcp_proxy_module. I haven't tried it yet. Because that module proxies at the network layer, it will pass requests through without decryption.

  • The preferred solution is to use HAProxy. This tutorial suggests that you can do TCP proxying with SNI capabilities.


Sidenote

By default, Nginx always acts as an SSL offloading/decryption process when proxying. Here are some of the advantages of doing SSL offloading (taken from here):

  • Improved performance
  • Better utilization of the backend servers
  • Intelligent routing
  • Certificate management
  • Security patches

Solution 2:

It looks like this is now supported using the ngx_stream_ssl_preread_module module.
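
A configuration sketch of SNI-based passthrough with that module, added here as an example and not taken from either answer. The hostnames, upstream names and backend addresses are constructed placeholders, and it assumes an nginx build that includes the stream and ssl_preread modules.

```nginx
# Added example: TLS passthrough routed on SNI, no decryption on the proxy.
# Place at the top level of nginx.conf (outside any http {} block).
# Assumes nginx was built with --with-stream and --with-stream_ssl_preread_module.
stream {
    # Pick an upstream from the server name in the ClientHello.
    # The name is sent in cleartext, is client-supplied and is not authenticated
    # here, so treat it as a routing hint only; the backend still has to present
    # and enforce the right certificate.
    map $ssl_preread_server_name $sni_backend {
        app1.example.com  app1_tls;       # constructed hostname
        app2.example.com  app2_tls;       # constructed hostname
        default           fallback_tls;   # no SNI sent, or unknown name
    }

    # Backends terminate TLS themselves (constructed documentation addresses).
    upstream app1_tls     { server 192.0.2.10:443; }
    upstream app2_tls     { server 192.0.2.11:443; }
    upstream fallback_tls { server 192.0.2.12:443; }

    server {
        listen 443;               # plain TCP listener: no "ssl", no certificate
        ssl_preread on;           # read the ClientHello without terminating TLS
        proxy_pass $sni_backend;  # forward the untouched TLS stream
    }
}
```

Because the proxy never holds a private key in this mode, it cannot inspect or rewrite requests, and the backends see the proxy's address as the client unless they are set up to receive the original one another way.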