Is it possible to setup nginx so that it proxies a HTTPS connection without decrypting it? I'm talking about something like this:
server {
listen 443 ssl;
server_name example.com;
location / {
proxy_pass https://localhost:8000;
proxy_set_header X-Real-IP $remote_addr;
}
}
I know, that nginx most likely will need a certificate to add the X-Real-IP header, but can I re-encrypt the proxy?
My motivation behind this is, that I want to pass the traffic through to my Node app, that has SPDY enabled. But for being able to use SPDY in Node, I need the decryption to reside inside the app.
You're asking about MTIM attack, which actually is what TLS trying to prevent.
No, it's not possible. Nginx will have to use the Host header to match the server_name of this server block. Without decrypting the request, nginx doesn't even know the request header information. So this server block won't even be matched.
Nginx 1.4+ also supports SPDY. http://nginx.org/en/docs/http/ngx_http_spdy_module.html. However, it doesn't support server push yet. If you don't need server push, why not just terminate SSL at nginx level?