nginx 15 lines · 1 tab

Mutual TLS between internal services with Nginx

Kai Nakamura Apr 2026
1 tab
server {
  listen 443 ssl;
  server_name internal-api.example.com;

  ssl_certificate /etc/nginx/tls/server.crt;
  ssl_certificate_key /etc/nginx/tls/server.key;
  ssl_client_certificate /etc/nginx/tls/ca.crt;
  ssl_verify_client on;

  location / {
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_pass http://api_upstream;
  }
}
1 file · nginx Explain with highlit

mTLS is one of the cleanest ways to tighten internal service trust when you control both sides of the connection. I use it for sensitive east-west traffic where bearer credentials alone are too weak. Certificate lifecycle and revocation planning matter just as much as the TLS flags themselves.

Share this code

Here's the card — post it anywhere.

Mutual TLS between internal services with Nginx — share card
Link copied