Need clarification for upstream SSL on an nginx reverse proxy server
I've been reading the nginx docs regarding reverse proxy and securing ssl connections to upstream servers but I'm still confused about which ssl certificates go where. Many of the examples I find have nginx proxying localhost, but my situation has the endpoints on different servers, ports and physical locations.
I'd like to have several domains resolved at the nginx server. Each of those domains has an ssl certificate on its current server for its actual domain name.
Right now I have each server running at its own network location and physical location, but I'd like to have a single point to manage those endpoints.
My end result should look like:

             |                      |                      |
    https://example1.com   https://example2.com   https://example3.com
        a.b.c.d:1234           e.f.g.h:5678           i.j.k.l:9012
Right now https://example1.com resolves to a.b.c.d:1234, which has its own ssl certificate installed. Because I need to represent to clients that the nginx server is serving for the domain example1.com, I think I need the example1.com ssl moved to the frontrunning nginx server, right? If I do that, what ssl certificate do I use on a.b.c.d:1234 to maintain a secure upstream connection?
The nginx docs say client.crt and server.crt, but the CA uses a domain to register these. What is client and server in a reverse proxy situation? To me the client is the browser making the request.
Which ssl certificates go where on a reverse proxy?
I already know you can look like you have a secure connection by simply placing the URL-based certificates on the proxy server. What I'm hoping to know is what ssl certificates to put on the backend servers. Just reuse their respective certificates? Could example1.com.crt go on both the proxy server and the backend server?