- Story
- Resolution: Unresolved
- Major
Use the following guidelines to free your backend servers from CPU-intensive SSL/TLS processing:
- Install SSL/TLS certificates and security patches on NGINX and use it as a proxy server.
- Configure NGINX to proxy to "https" and automatically encrypt traffic. This minimizes the number of SSL/TLS handshakes and uses a limited number of keepalive connections to backend servers.
- Use HTTPS between NGINX and the backend servers, especially if the backend servers are not located in the same data center as NGINX, such as when the backend servers are in the cloud.
- Clients communicate with NGINX over HTTPS; NGINX decrypts the requests and re-encrypts them before passing them to the backend server.
- Restrict access to your system by configuring NGINX to validate the SSL/TLS client certificates.
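
A configuration that combines the guidelines above, added here as an example and not part of the original task text. Hostnames, file paths, the upstream name `backend_pool` and the keepalive size are placeholder assumptions. Backend certificate verification is enabled explicitly because `proxy_ssl_verify` is off by default, so `proxy_pass https://...` on its own encrypts the hop without authenticating the backend.

```nginx
# Added example: hostnames, paths and the upstream name are placeholders.
upstream backend_pool {
    server app1.internal.example:8443;
    server app2.internal.example:8443;
    keepalive 16;   # limited pool of idle connections reused across requests
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Certificate and key presented to clients; TLS from clients terminates here.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-certificate validation: the handshake must present a certificate
    # that chains to this CA, otherwise NGINX rejects the request.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Re-encrypt towards the backends.
        proxy_pass https://backend_pool;

        # Needed for upstream keepalive: HTTP/1.1 and no "Connection: close".
        proxy_http_version 1.1;
        proxy_set_header   Connection "";
        proxy_set_header   Host $host;

        # Authenticate the backend, not just encrypt to it.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.crt;

        # Name checked against the backend certificate and sent as SNI.
        # Without it NGINX would use the upstream group name from proxy_pass.
        proxy_ssl_name                app.internal.example;
        proxy_ssl_server_name         on;

        # Resume TLS sessions to cut the cost of any new backend handshakes.
        proxy_ssl_session_reuse       on;
    }
}
```

Run `nginx -t` after editing to confirm the certificate and CA files load before reloading the service.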
Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/openshift-pipelines/tasks/phase/deployment/37-T620/