The nginx webserver as HTTPS/SSL proxy

As CentOS 7 is reaching the end of its life, it is time to start thinking about an upgrade.

On my old server I tried LEAPP a couple of times (on a clone, of course), but success was not really guaranteed. So, a complete reinstall is in order.

But, as I move from CentOS 7 to Rocky Linux 9, this automatically means some packages are no longer available. I was using sslh to accept both SSH and HTTPS connections on port 443.

I was left with a couple of options:

  • Compile sslh from source and use that.
    This is possible, but it involves a lot of extra maintenance to keep it up to date.

  • Rumour says this is also possible with nginx.
    As I was already planning the move from Apache to nginx, this was worth investigating.

As it turns out, this is rather simple. First install the nginx-mod-stream package, which enables the stream (TCP proxying) functionality.

Then configure a stream block in /etc/nginx/nginx.conf, in which the SSH and HTTPS streams are separated.

Stream setting in the /etc/nginx/nginx.conf file
# Split SSH and HTTPS streams
stream {
    resolver [::1] valid=30s;

    upstream ssh {
        server 127.0.0.1:22;        # sshd on localhost (assumed; adjust to your setup)
    }

    upstream web {
        server 127.0.0.1:443;       # the HTTPS vhost below, which listens on localhost only (assumed)
    }

    # Route by the SNI host name the client sends in its TLS ClientHello
    map $ssl_preread_server_name $name {
        <your hostname>        web;
        <another hostname>     web;
        default                web;
    }

    # Only a TLS ClientHello sets $ssl_preread_protocol; an SSH client sends its
    # "SSH-2.0-..." identification string instead, so it falls through to "default ssh"
    map $ssl_preread_protocol $upstream {
        default ssh;
        "TLSv1.3" $name;
        "TLSv1.2" $name;
        "TLSv1.1" $name;
        "TLSv1.0" $name;
    }

    # SSH and SSL on the same port
    server {
        listen <your IP address>:443;        (1)

        proxy_pass $upstream;
        ssl_preread on;
    }
}
  1. Do not use a loopback address (such as [::1]) here: bind the stream listener to the public address only, because the HTTPS vhost itself listens on localhost.
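To make clear what ssl_preread actually decides on, here is a small model of it in Python. This is an added example, not part of the original post and not nginx's code: it peeks at the first bytes a client sends, parses a TLS ClientHello for the protocol version (including the supported_versions extension that announces TLS 1.3) and the SNI host name, and reproduces the two map blocks above. Anything that is not a TLS handshake record, such as the "SSH-2.0-..." identification string an SSH client sends first, falls through to the ssh upstream. The ClientHello builder, the host names and the SSH banner are constructed for this example.

```python
"""Model of nginx ssl_preread routing for SSH and HTTPS on one port (added example)."""
import struct

TLS_VERSIONS = {
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}


def parse_client_hello(data: bytes):
    """Return (protocol, sni) from the first bytes of a connection,
    or None if the bytes are not a TLS ClientHello."""
    if len(data) < 5 or data[0] != 0x16:          # 0x16 = TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                           # legacy_version(2) random(32) session_id_len(1)
        return None
    version = (hello[0], hello[1])
    pos = 34
    sid_len = hello[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hello[pos]; pos += 1 + cm_len
    sni = None
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            ext = hello[pos:pos + elen]; pos += elen
            if ext_type == 0x002B and len(ext) >= 3:      # supported_versions (TLS 1.3)
                offered = ext[1:1 + ext[0]]
                for i in range(0, len(offered), 2):
                    if offered[i:i + 2] == b"\x03\x04":
                        version = (3, 4)
            elif ext_type == 0x0000 and len(ext) >= 5 and ext[2] == 0:   # server_name
                name_len = struct.unpack("!H", ext[3:5])[0]
                sni = ext[5:5 + name_len].decode("ascii", "replace")
    return TLS_VERSIONS.get(version, "unknown"), sni


def route(first_bytes: bytes, name_map: dict, default_name: str = "web") -> str:
    """Mirror the two map blocks: $ssl_preread_protocol -> $upstream, SNI -> $name."""
    hello = parse_client_hello(first_bytes)
    if hello is None:
        return "ssh"                              # map $ssl_preread_protocol: default ssh
    proto, sni = hello
    if proto not in TLS_VERSIONS.values():
        return "ssh"                              # unlisted version: also falls to default
    return name_map.get(sni, default_name)        # map $ssl_preread_server_name


def build_client_hello(sni: str, tls13: bool) -> bytes:
    """Construct a minimal ClientHello with an SNI extension (sample input, not a real client)."""
    name = sni.encode()
    sni_ext = (b"\x00\x00" + struct.pack("!H", len(name) + 5)
               + struct.pack("!H", len(name) + 3) + b"\x00"
               + struct.pack("!H", len(name)) + name)
    exts = sni_ext
    if tls13:
        exts += b"\x00\x2b\x00\x03\x02\x03\x04"   # supported_versions: [TLS 1.3]
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # legacy version, random, empty session id
             + b"\x00\x02\x13\x01"                    # one cipher suite
             + b"\x01\x00"                            # compression: null
             + struct.pack("!H", len(exts)) + exts)
    body = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    hosts = {"www.example.org": "web"}            # constructed stand-in for the map entries
    ssh_banner = b"SSH-2.0-OpenSSH_8.7\r\n"        # what an SSH client sends first (constructed)
    print("ssh client   ->", route(ssh_banner, hosts))
    print("tls 1.3 SNI  ->", route(build_client_hello("www.example.org", True), hosts))
    print("tls 1.2 parse->", parse_client_hello(build_client_hello("www.example.org", False)))
```

Two practical notes follow from this model. The SSH client sends its identification string as soon as the TCP connection is up, so nginx sees a non-TLS first byte immediately and hands the connection to sshd without waiting; a client that connects and sends nothing is held until ssl_preread_timeout (30 seconds by default) expires before it is routed. And because the routing happens before any TLS handshake, nginx never needs the certificate in the stream block; decryption only happens in the HTTPS vhost it proxies to.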

Virtual host configuration
server {
    listen                        80;
    server_name                   <your hostname>;

    return                        301 https://$host:443$request_uri;
}

server {
    listen                        127.0.0.1:443 ssl;       (1)
    server_name                   <your hostname>;

    ssl_certificate               /etc/letsencrypt/live/;
    ssl_certificate_key           /etc/letsencrypt/live/;

    ssl_session_timeout           5m;
    # TLSv1 and TLSv1.1 are deprecated; note that the stream map also routes TLSv1.3,
    # which this list does not enable
    ssl_protocols                 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                   HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers     on;

    root                          /home/data/vhosts/tonkersten/html;
    index                         index.html;
}
  1. The vhost listens only on localhost (127.0.0.1:443 is assumed here, matching the "web" upstream in the stream block); the public port 443 belongs to the stream listener.


See also