Not sure how much it can work in your situation, but newer (1.9.3+) versions of Nginx can pass (encrypted) TLS packets directly to an upstream server, using the stream block:
stream {
    server {
        listen 443;
        # Forward the raw TCP/TLS stream as-is; nothing is decrypted here,
        # so the upstream server must terminate TLS itself.
        proxy_pass backend.example.com:443;
    }
}
If you want to target multiple upstream servers, distinguished by their hostnames, this is possible by using the nginx modules ngx_stream_ssl_preread and ngx_stream_map. The concept behind this is TLS Server Name Indication.
Dave T. outlines a solution nicely. See his answer on this network.
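As an added illustration (not part of the answer above), here is what the SNI-based variant looks like: ngx_stream_ssl_preread exposes the hostname from the client's unencrypted ClientHello as $ssl_preread_server_name, and ngx_stream_map turns it into an upstream address. The hostnames app1.example.com, app2.example.com and fallback.example.com are assumed placeholders.

```nginx
stream {
    # Map the SNI hostname sent in the ClientHello to a backend address.
    # $ssl_preread_server_name comes from ngx_stream_ssl_preread_module and is
    # only populated when ssl_preread is enabled in the server block below.
    map $ssl_preread_server_name $backend {
        app1.example.com   app1.example.com:443;   # assumed backend
        app2.example.com   app2.example.com:443;   # assumed backend
        default            fallback.example.com:443;  # clients without SNI or with an unknown name
    }

    server {
        listen 443;
        # Peek at the ClientHello without terminating TLS; the stream is then
        # forwarded unchanged, so the chosen backend still terminates TLS.
        ssl_preread on;
        proxy_pass $backend;
    }
}
```

Two things worth keeping in mind when using this: SNI is the only routing signal available, because nginx never decrypts the connection, so the backend's certificate must match the name the client asked for; and a client that sends no SNI (or an unexpected one) lands on the default entry, so that entry should point at a host that will not serve the other sites' content.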