ssl_preread

Enables SSL/TLS handshake parsing for TCP streams in NGINX. — NGINX Stream Core

ssl_preread

Syntax: ssl_preread on | off;
Default: off
Context: stream, stream server
Module: NGINX Stream Core
Arguments: flag

Description

The `ssl_preread` directive is used in the NGINX Stream module to handle TCP streams that are secured with SSL/TLS. It lets NGINX parse the beginning of the SSL/TLS handshake so that it can choose the target backend server from the Server Name Indication (SNI) extension the client sends during the handshake.

When `ssl_preread` is enabled, NGINX inspects the incoming handshake and extracts the SNI, which is particularly useful for routing traffic to several backends based on the hostname the client specified. With `ssl_preread on`, the handshake is parsed and the SNI becomes available to the rest of the configuration, for example to select the `proxy_pass` target or to influence load balancing. This is essential for deployments that host multiple SSL-enabled domains on the same IP address.

Note that `ssl_preread` does not perform SSL termination by itself; it only lets NGINX read the SNI from the handshake. It is typically combined with other directives or backend configuration to manage SSL traffic effectively.

Example configuration

stream {
    server {
        listen 443;
        proxy_pass backend;     # this example sends every connection to the same upstream
        ssl_preread on;         # parse the client's handshake for SNI; TLS is not terminated here
    }
    upstream backend {
        server backend1.example.com:443;
        server backend2.example.com:443;
    }
}

Ensure SSL/TLS support is compiled into your NGINX build as `ssl_preread` relies on it.

Do not use `ssl_preread` with non-SSL streams or the behavior will be undefined.

Routing based on SNI may not function as expected if SNI is not sent by the client.
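The SNI-based routing the description talks about, with a fallback for clients that send no SNI, as an added example that is not part of the original page. It assumes the standard `$ssl_preread_server_name` variable and the stream `map` module; the hostnames and backend addresses are placeholders.

```nginx
stream {
    # Pick the upstream from the SNI in the client's ClientHello.
    # $ssl_preread_server_name is empty when the client sends no SNI
    # (or the stream is not TLS at all), so the "default" entry decides
    # where those connections go instead of leaving the behaviour undefined.
    map $ssl_preread_server_name $backend {
        app.example.com   app_backend;
        api.example.com   api_backend;
        default           fallback_backend;
    }

    upstream app_backend {
        server 10.0.0.11:443;    # placeholder address
    }
    upstream api_backend {
        server 10.0.0.12:443;    # placeholder address
    }
    upstream fallback_backend {
        server 10.0.0.13:443;    # placeholder address
    }

    server {
        listen 443;
        ssl_preread on;          # read SNI from the handshake; no TLS termination
        proxy_pass $backend;     # encrypted stream is passed through to the chosen upstream
    }
}
```

Because the handshake is only read, not terminated, the certificates for each hostname live on the backends, not on this NGINX instance.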