Can NGINX be used as an intermediate proxy to handle TLS cipher translation between two endpoints?

Hi all,

We’re exploring whether NGINX can be used as an intermediate proxy to handle TLS cipher translation between two endpoints. Specifically, we have an internal application server that initiates TLS communication using CBC-mode ciphers, and we need to forward this traffic to a cloud endpoint that only accepts GCM-mode ciphers.

The NGINX server sits between the two and can communicate with the cloud destination. Our goal is to have NGINX terminate the incoming CBC-based TLS session and re-initiate a new TLS session using GCM ciphers toward the cloud server.

Is this kind of TLS re-encryption and cipher translation supported natively in NGINX? If so, are there specific configuration directives or modules required to enforce cipher negotiation on both ends independently?

Any guidance or examples would be greatly appreciated.


You can do this at the TCP layer or the HTTP layer, depending on what level of control/inspection you need over the traffic.

In both cases, NGINX should be configured to terminate the TLS and use proxy_ssl_ciphers to define the GCM ciphers required by the cloud server.

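An added example configuration (not from the original thread) showing the split the reply describes: the client-facing side accepts the internal application's CBC suites, while `proxy_ssl_ciphers` restricts the upstream hop to GCM suites, at either the TCP (stream) or HTTP layer. Hostnames, ports, cipher lists and certificate paths are placeholders to adapt; the fragment is meant to be dropped into `nginx.conf`.

```nginx
# Added example (not from the original thread). Hostnames, ports and
# certificate paths are placeholders; adjust to your environment.

# Option 1: TCP layer (stream module). NGINX terminates the internal
# CBC TLS session and opens a fresh GCM-only TLS session upstream.
stream {
    server {
        listen 8443 ssl;

        # Client-facing side: accept the legacy application's CBC suites.
        ssl_certificate     /etc/nginx/certs/proxy.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/proxy.key;   # placeholder
        ssl_protocols       TLSv1.2;
        ssl_ciphers         ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;

        # Upstream side: only AEAD (GCM) suites are offered to the cloud endpoint.
        proxy_pass          cloud.example.com:443;        # placeholder
        proxy_ssl           on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers   ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
        proxy_ssl_server_name on;
        proxy_ssl_name      cloud.example.com;            # placeholder

        # Verify the cloud server's certificate so the re-encrypted hop
        # actually authenticates the intended endpoint.
        proxy_ssl_verify    on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder
    }
}

# Option 2: HTTP layer, same cipher split but with request-level visibility.
http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/certs/proxy.crt;   # placeholder
        ssl_certificate_key /etc/nginx/certs/proxy.key;   # placeholder
        ssl_protocols       TLSv1.2;
        ssl_ciphers         ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;

        location / {
            proxy_pass            https://cloud.example.com;  # placeholder
            proxy_ssl_protocols   TLSv1.2 TLSv1.3;
            proxy_ssl_ciphers     ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
            proxy_ssl_server_name on;
            proxy_ssl_verify      on;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder
            proxy_set_header      Host cloud.example.com;     # placeholder
        }
    }
}
```

Note that `ssl_ciphers`/`proxy_ssl_ciphers` take OpenSSL cipher strings and only govern TLS 1.2 and earlier; TLS 1.3 suites are all AEAD, so pinning the client-facing side to `TLSv1.2` is what keeps the CBC negotiation, and that listener should stay reachable only from the internal segment. Check the result with `nginx -t` and then confirm each side's negotiated suite with `openssl s_client` against the listener and against the cloud endpoint.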
