Using Nginx as the Load Balancer with mTLS

This topic describes how to configure Nginx as your load balancer when using mTLS authentication.

You'll need server and client certificates.

Configuring the Nginx configuration file

The following steps show how to build the nginx.config file; a complete example follows the steps.

  1. Download the latest stable version of Nginx.

  2. Define client validation:

    ssl_client_certificate *.cert.pem;  # CA chain used to validate client certificates

    ssl_verify_client on;               # require and verify a client certificate

    ssl_verify_depth 2;                 # sets the verification depth in the client certificate chain

Example of nginx.config file:

user nginx;
worker_processes auto;
pid /run/nginx.pid;
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
events {
    worker_connections 1024;
}

stream {
    error_log  /var/log/nginx/stream-error.log debug;
    log_format upstreamlog '[$time_local] $remote_addr to: $upstream_addr';
    access_log /var/log/nginx/access.log upstreamlog;
    # access_log /var/log/nginx/access.log main;

    # Upstream pool definition. The hash option establishes consistent
    # affinity to a particular app server from the pool, based on the agent's public IP.
    upstream appservers {
        hash $remote_addr consistent;
        server 10.1.100.100:4884 max_conns=600;
        server 10.1.100.10:4884 max_conns=600;
    }

    server {
        listen 443 ssl;

        # nginx is configured with the specified ciphers only
        ssl_protocols       TLSv1.2;
        ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
        ssl_certificate     /etc/nginx/secure/host.cert.pem;
        ssl_certificate_key /etc/nginx/secure/host.key.pem;
        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 1m;

        # Client certificate chain (intermediate and root) for TLS-based client authentication
        ssl_client_certificate /etc/nginx/secure/client-chain.cert.pem;
        ssl_verify_client on;
        ssl_verify_depth 2;
        # ssl_crl /etc/nginx/secure/client-chain.cert.pem;

        # Turn proxy SSL on for a secure upstream proxy connection,
        # e.g. TLS traffic between nginx and the app servers
        proxy_ssl off;
        proxy_ssl_verify off;
        # proxy_ssl_trusted_certificate adds the trusted upstream certificate;
        # proxy_ssl_verify on; is required for the above setting to work
        proxy_connect_timeout 5s;
        proxy_timeout 5s;
        proxy_pass appservers;
    }
}
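As an added check (not part of this topic or the product's own tooling), the following Python script parses a stream server block like the one above and reports the settings that weaken the mTLS setup: a missing or non-mandatory client certificate check, legacy protocols, the commented-out ssl_crl (no revocation checking) and proxy_ssl off (plaintext between nginx and the app servers). The embedded configuration is a constructed, trimmed copy of the example.

```python
"""Audit an nginx stream/server block for the mTLS settings this topic relies on."""
import re

# Constructed sample: a trimmed copy of the server block from the example above.
SAMPLE_CONF = """
stream {
    server {
        listen 443 ssl;
        ssl_protocols       TLSv1.2;
        ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA384:
DHE-RSA-AES256-GCM-SHA384;
        ssl_certificate     /etc/nginx/secure/host.cert.pem;
        ssl_certificate_key /etc/nginx/secure/host.key.pem;
        ssl_client_certificate /etc/nginx/secure/client-chain.cert.pem;
        ssl_verify_client on;
        ssl_verify_depth 2;
        # ssl_crl /etc/nginx/secure/client-chain.cert.pem;
        proxy_ssl off;
        proxy_pass appservers;
    }
}
"""


def parse_directives(conf):
    """Return {directive: [args]} for every simple directive, ignoring comments.
    nginx lets a directive span lines until ';', so statements are split on ';'
    rather than on newlines; block braces are treated as statement terminators.
    A directive that appears twice keeps its last value (enough for this audit)."""
    text = re.sub(r"#[^\n]*", "", conf)   # drop comments (so '# ssl_crl' is not counted)
    text = re.sub(r"[{}]", ";", text)     # 'server {' becomes its own statement
    directives = {}
    for stmt in text.split(";"):
        parts = stmt.split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def audit_mtls(conf):
    """Return a list of findings; an empty list means the checks all passed."""
    d = parse_directives(conf)
    findings = []
    if d.get("ssl_verify_client") != ["on"]:
        findings.append("ssl_verify_client is not 'on': client certificates are not required")
    if "ssl_client_certificate" not in d:
        findings.append("ssl_client_certificate missing: no CA chain to validate clients against")
    if int(d.get("ssl_verify_depth", ["1"])[0]) < 2:
        findings.append("ssl_verify_depth below 2: clients issued by an intermediate CA will be rejected")
    weak = {"SSLv3", "TLSv1", "TLSv1.1"} & set(d.get("ssl_protocols", []))
    if weak:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(weak)))
    if d.get("proxy_ssl", ["off"]) == ["off"]:   # nginx default is off
        findings.append("proxy_ssl off: traffic from nginx to the upstream app servers is plaintext")
    if "ssl_crl" not in d:
        findings.append("ssl_crl not set: revoked client certificates are still accepted")
    return findings
```

Run `audit_mtls(open("nginx.config").read())` against the deployed file; on the example above it reports the proxy_ssl and ssl_crl findings only.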

Loading Nginx

  1. Disable the Web Services Enhancements (WSE).

  2. To load, run: start nginx.exe

  3. To reload, run: .\nginx.exe -s reload

Related Topics:

ITM On-Prem (ObserveIT) Remote Architecture

mTLS Authentication Certification