I'm setting up a load balancer that has to communicate with the other nodes using TLS. This is important since the back-end nodes are not in a private network. The configuration is the one below.
The result is that Nginx returns 502 Bad Gateway, and Nginx seems unable to redirect to my domains. Furthermore, since I'm using the open source version, I cannot use the resolve keyword inside the upstream configuration. How can I change this configuration to have Nginx encrypt data between example.com -> backendX.example.com?
NOTICE: if I use IPs instead of URLs in the upstream block, the load balancing works, but I don't think it is encrypted.
ERROR:

```
*3 upstream SSL certificate verify error: (2:unable to get issuer certificate) while SSL handshaking to upstream, client: 0.0.0.0, server: lb.example.com
```
RESULT of `openssl s_client -connect backend1.example.com`:

```
Certificate chain
 0 s:CN = backend1.example.com
   i:C = US, O = Let
 1 s:C = US, O = Let
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
```
```nginx
upstream example.com {
    least_conn;
    server backend1.example.com;
    server backend2.example.com;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name lb.example.com;

    location / {
        proxy_pass https://example.com;
        proxy_ssl_trusted_certificate /etc/letsencrypt/.../chain.pem;
        proxy_ssl_session_reuse on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_set_header Host $host;
    }

    ssl_certificate /etc/letsencrypt/.../fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/.../privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```
```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    resolver 8.8.8.8 8.8.4.4 valid=30s;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
```
```nginx
server {
    if ($host = lb.example.com) {
        return 301 https://$host$request_uri;
    }
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name lb.example.com;
    return 404;
}
```
```nginx
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
```
`nginx -t`:

```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
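The verify error in the log, `2:unable to get issuer certificate`, is the OpenSSL error nginx reports when the file given to `proxy_ssl_trusted_certificate` contains no self-signed root it can end the chain at: certbot's `chain.pem` holds only the Let's Encrypt intermediate, so the chain the back end sends (leaf, intermediate, cross-signed ISRG Root X1) never reaches a trust anchor. A second issue only shows up once that is fixed: with `proxy_ssl_verify on`, nginx also checks the certificate's name against `proxy_ssl_name`, which defaults to the host part of `proxy_pass`, here the upstream name `example.com`, not the back-end names. The block below is an added example, not part of the original post; it assumes the Debian/Ubuntu root store at `/etc/ssl/certs/ca-certificates.crt` (the `ca-certificates` package) and a hypothetical name `backend.example.com` that both back-end certificates carry as a SAN, since one `proxy_ssl_name` applies to every server in the upstream.

```nginx
# Added example (not from the original post): the failing directive is
# kept as a comment beside its corrected form.

upstream backends {
    least_conn;
    server backend1.example.com:443;
    server backend2.example.com:443;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name lb.example.com;

    location / {
        proxy_pass https://backends;

        # Before (fails with "unable to get issuer certificate"):
        # chain.pem is the intermediate only, there is no trust anchor.
        # proxy_ssl_trusted_certificate /etc/letsencrypt/.../chain.pem;

        # After: the system root store, which includes ISRG Root X1.
        # Path assumed for Debian/Ubuntu; adjust for other distributions.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;    # leaf -> intermediate -> root

        # Send SNI and verify the certificate against this name; both
        # back-end certificates must contain it as a SAN (assumed name).
        proxy_ssl_server_name   on;
        proxy_ssl_name          backend.example.com;
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;

        proxy_set_header Host $host;
    }

    ssl_certificate     /etc/letsencrypt/.../fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/.../privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```

To check the trust store before reloading, run `openssl s_client -connect backend1.example.com:443 -servername backend1.example.com -CAfile /etc/ssl/certs/ca-certificates.crt` and confirm `Verify return code: 0 (ok)` in the output; then `nginx -t` and reload. If the back-end certificates cannot share a SAN, the alternatives are one `location`/`upstream` per back end (each with its own `proxy_ssl_name`) or a private CA whose root replaces the system bundle in `proxy_ssl_trusted_certificate`. Turning `proxy_ssl_verify` off would silence the error but leave the upstream connections open to interception, which is exactly what the public-network deployment needs to avoid.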