Yes, we have to use client-side certificates issued by 3rd party/partner companies for upstream connections.
For now, I am creating a custom location and routing using ngx.exec("@xxx_com").

    location @xxx_com {
        internal;
        access_log logs/access.log perf_log;
        proxy_connect_timeout 10s;
        proxy_read_timeout 60s;
        proxy_ssl_verify on;
        proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_certificate xxx-clientid.pem;
        proxy_ssl_certificate_key xxx-clientid.key;
        proxy_ssl_server_name on;
        proxy_ssl_name $ssl_server_name;
        proxy_pass $upstream_http_scheme://$upstream_domain$upstream_uri;
    }

On Friday, 27 May 2016 20:23:13 UTC-4, agentzh wrote:
Hello!
On Fri, May 27, 2016 at 2:31 PM, RJoshi wrote:
> 1. Will the per request timeout PR be included in 1.9.15.1 release?
>
No, the merge window of 1.9.15.1 is already closed. Maybe 1.9.15.2.
> 2. I thought ssl_by_lua is for incoming/downstream requests. Our requirements are for outgoing/upstream 3rd party connections which require different SSL certs/keys etc.
>
You need *client-side* SSL certificates for upstream connections? If
they are still *server-side* certificates, then it makes no difference
here.
> 3. Have you done any performance comparison between balancer_by_lua vs Nginx upstream routing?
>
balancer_by_lua* is just the balancer, that is, picking up a peer for
nginx upstream to use. You still use the nginx upstream facility as
well as the ngx_proxy module to do the real work. It's usually nothing
in terms of resource usage as compared to everything else.
Regards,
-agentzh
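
The per-partner routing discussed in this thread, written out as a full configuration. This is an added example, not configuration posted by anyone in the thread. The partner ids, host names, certificate paths, listen port and resolver address are hypothetical placeholders. It assumes each partner's CA bundle is available for proxy_ssl_verify and that the upstream name is used for SNI and certificate name checking.

```nginx
# Added example: partner ids, hosts, file paths and resolver are hypothetical.
events {}
http {
    resolver 192.0.2.53 valid=30s;  # required: proxy_pass below uses variables
    server {
        listen 8080;
        location / {
            set $upstream_domain "";
            set $upstream_uri "";
            rewrite_by_lua_block {
                -- Fixed allow-list: request data only selects an entry; it never
                -- supplies the upstream host or the named location directly.
                local partners = {
                    a = { loc = "@partner_a", host = "api.partner-a.example" },
                    b = { loc = "@partner_b", host = "api.partner-b.example" },
                }
                local id, rest = ngx.var.uri:match("^/partner/(%w+)(/.*)$")
                local p = id and partners[id]
                if not p then return ngx.exit(ngx.HTTP_NOT_FOUND) end
                ngx.var.upstream_domain = p.host
                ngx.var.upstream_uri = rest
                return ngx.exec(p.loc)  -- nginx variables survive the internal jump
            }
        }
        location @partner_a {
            proxy_ssl_certificate         certs/partner-a-client.pem;  # client cert issued by partner A
            proxy_ssl_certificate_key     certs/partner-a-client.key;
            proxy_ssl_trusted_certificate certs/partner-a-ca.pem;      # CA bundle that proxy_ssl_verify checks against
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_protocols           TLSv1.2;
            proxy_ssl_server_name         on;                          # send SNI to the upstream
            proxy_ssl_name                $upstream_domain;            # name used for SNI and certificate check
            proxy_pass                    https://$upstream_domain$upstream_uri$is_args$args;
        }
        location @partner_b {
            proxy_ssl_certificate         certs/partner-b-client.pem;
            proxy_ssl_certificate_key     certs/partner-b-client.key;
            proxy_ssl_trusted_certificate certs/partner-b-ca.pem;
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_protocols           TLSv1.2;
            proxy_ssl_server_name         on;
            proxy_ssl_name                $upstream_domain;
            proxy_pass                    https://$upstream_domain$upstream_uri$is_args$args;
        }
    }
}
```

Keeping one named location per partner means a request can only ever present the client certificate belonging to the partner it was routed to.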