Mutual TLS between internal services with Nginx

10869 views

                  server {
  listen 443 ssl;
  server_name internal-api.example.com;

  ssl_certificate /etc/nginx/tls/server.crt;
  ssl_certificate_key /etc/nginx/tls/server.key;
  ssl_client_certificate /etc/nginx/tls/ca.crt;
  ssl_verify_client on;

  location / {
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_pass http://api_upstream;
  }
}

mTLS is one of the cleanest ways to tighten internal service trust when you control both sides of the connection. I use it for sensitive east-west traffic where bearer credentials alone are too weak. Certificate lifecycle and revocation planning matter just as much as the TLS flags themselves.

Kai Nakamura

More from Kai Nakamura

Mutual TLS between internal services with Nginx

0 Comments

More from Kai Nakamura