I am trying to configure nginx to act as a load balancer for a group of servers, using TLS passthrough. I have corporate-issued certificates for the load balancer, as well as each of the three back-end servers. My current configuration is below.
stream {
    upstream backend {
        hash $remote_addr consistent;
        # In the stream module each upstream server needs an explicit port,
        # otherwise nginx refuses the configuration ("no port in upstream").
        server myserver1.example.com:443;
        server myserver2.example.com:443;
        server myserver3.example.com:443;
    }
    server {
        # No "ssl" parameter on listen: this is raw TCP passthrough, so the
        # ssl_certificate/ssl_certificate_key below are never presented to the
        # client; the browser sees whichever back-end certificate it is routed to.
        listen 443;
        ssl_certificate /path/to/loadbalancercert.pem;
        ssl_certificate_key /path/to/loadbalancerkey.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_timeout 24h;
        proxy_pass backend;
    }
}
My issue is that while it will redirect to the three servers, in round robin, the browser warns that the certificate is untrusted, because the host for the back-end servers doesn't match the load balancer CN. I have configured the load balancer's certificate to include the hostname for each of the three back-end servers as a SAN. Any ideas how to get this to work?
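The symptom above follows from passthrough: the load balancer never sends its own certificate, so SANs on it cannot help. As an added example (not the poster's configuration), this is the variant in which nginx terminates TLS with the load balancer certificate and then re-encrypts to the back ends while verifying their corporate certificates; the CA path and the shared back-end name `backend-pool.example.com` are assumptions.

```nginx
stream {
    upstream backend {
        hash $remote_addr consistent;
        # Stream upstreams require an explicit port on every server entry.
        server myserver1.example.com:443;
        server myserver2.example.com:443;
        server myserver3.example.com:443;
    }

    server {
        # "ssl" on listen is what makes nginx terminate TLS here and present
        # the load balancer's own (SAN-bearing) certificate to the browser.
        listen 443 ssl;
        ssl_certificate     /path/to/loadbalancercert.pem;
        ssl_certificate_key /path/to/loadbalancerkey.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_session_timeout 24h;

        # Re-encrypt to the back ends and verify their certificates against the
        # corporate CA, so the hop behind the load balancer is authenticated
        # rather than silently trusting whatever answers on port 443.
        proxy_ssl                     on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /path/to/corporate-ca.pem;  # assumed path
        proxy_ssl_server_name         on;
        # A single name is checked against every back end's certificate, so each
        # back-end certificate is assumed to carry this shared SAN (hypothetical).
        proxy_ssl_name                backend-pool.example.com;

        proxy_pass backend;
    }
}
```

If TLS must stay end-to-end to the back ends instead, the passthrough form can only work when each back-end certificate is itself valid for the load balancer's hostname, since that is the certificate the client will validate.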