On Mon, Mar 14, 2022 at 03:15:43PM -0400, borys_85 wrote:

Hi there,

> Thanks I've already found this missed curly bracket, but

Good that you found the fix :-)

> I'm forcing in my environment setup on nginx for Elasticsearch:
> -what I have a problem with the correct configuration for connect NGINX over
> TLS to my nodes
>
> below You can find my configuration, maybe You can point me out what's wrong
> in this part, I'm using also crt and key per node so there I need to
> break it down into groups/location
> Do You have some examples config with TLS?

I'm not sure what exactly you want.

If the client should talk to nginx using https, then you need "listen _port_ ssl" in this server{}, along with ssl_certificate and ssl_certificate_key accessible in this server{}. The client will have to trust that certificate.

If nginx should talk to upstream using https for some requests, then you need proxy_pass https://_upstream_server_ in the location{} for those requests; if *that* upstream server wants nginx to authenticate using a client certificate, then you need proxy_ssl_certificate and proxy_ssl_certificate_key accessible in this location{}. (And if you want nginx to validate the certificate provided by that upstream server, you want proxy_ssl_trusted_certificate accessible in this location{}.)

In the example config included, your "listen 9200" means that nginx is listening for http not https, and the proxy_pass means that nginx is talking https to the upstream servers.

Your "listen 9201 ssl" means that nginx is listening for https not http, and the proxy_pass means that nginx is talking http to the upstream servers.

And the same for the 9238 and 9210 server{}s.

Once you decide how the client should talk to nginx (http or https), and how nginx should talk to upstream (http or https), you can set the "listen" and "proxy_pass" directives appropriately; and then you can make one test request from the client and see what the response is.

Good luck with it,

	f
-- 
Francis Daly        fran...@daoine.org
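
The directives named in the reply above, combined into one server{} that uses https on both sides. This is an added example and not a configuration from the thread: the upstream name, hostnames, upstream port and file paths are placeholders, and only "listen 9201 ssl" is taken from the message. It also sets proxy_ssl_verify and proxy_ssl_name, which the message does not mention, because nginx does not check the upstream certificate unless proxy_ssl_verify is on.

```nginx
# Added example. All names and paths below are placeholders.
upstream es_nodes {
    server es-node1.example.internal:9200;
    server es-node2.example.internal:9200;
}

server {
    # Client -> nginx: https. The client must trust proxy.crt's issuer.
    listen 9201 ssl;
    server_name es-proxy.example.internal;

    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    location / {
        # nginx -> upstream: https (note the scheme in proxy_pass).
        proxy_pass https://es_nodes;

        # Needed only if the upstream asks nginx for a client certificate.
        proxy_ssl_certificate     /etc/nginx/tls/nginx-client.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/nginx-client.key;

        # Validate the certificate presented by the upstream.
        # proxy_ssl_verify defaults to off; without it the trusted
        # certificate file is loaded but no verification takes place.
        proxy_ssl_trusted_certificate /etc/nginx/tls/es-ca.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;

        # Name checked against the upstream certificate. It defaults to
        # the host part of proxy_pass, which here would be the upstream
        # group name "es_nodes", so set it to a name the node
        # certificates actually carry (assumed to be a shared SAN).
        proxy_ssl_name es.example.internal;
    }
}
```

If each node presents a certificate with only its own hostname, a single proxy_ssl_name cannot match all of them; either issue the node certificates with a shared name or split the nodes across separate location{} blocks, each with its own proxy_pass and proxy_ssl_name.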