# ---------------------------------------------------------------------------
# EXAMPLE: MySQL-over-TLS passthrough (or proxy-terminate) via Nginx stream
# Copy to stream.d/, change port / target / cert paths to suit your setup.
# ---------------------------------------------------------------------------

# Simple TCP proxy — Nginx *forwards TLS untouched* (preferred)
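server {
    # Listen on both IPv4 & IPv6; pick any external port you like.
    # `listen [::]:PORT` on its own is IPv6-only on current Nginx
    # (ipv6only=on is the default), so the IPv4 socket is declared explicitly.
    listen 7777;          # IPv4 :7777 → target:3306
    listen [::]:7777;     # IPv6 :7777 → target:3306

    # This publishes the database port to whatever can reach the listener.
    # Restrict the source addresses here and/or at the firewall.
    # The range below is a constructed sample; replace it with your own.
    # allow 203.0.113.0/24;
    # deny  all;

    # Upstream database host:port (container name, swarm service, or IP)
    proxy_pass db-primary:3306;

    # ssl_preread is deliberately not enabled. It makes Nginx wait for a TLS
    # ClientHello from the client before proxying, but MySQL is server-first:
    # the server sends its greeting and TLS is negotiated inside the protocol
    # afterwards. With preread on, the client and Nginx wait on each other
    # until the preread timeout expires. Plain TCP forwarding passes the
    # in-protocol TLS upgrade through untouched, so encryption stays end to
    # end between client and database. Enforce TLS on the MySQL server and
    # accounts, because this proxy cannot enforce it.
}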

# ---------------------------------------------------------------------------
# OPTIONAL: If you want Nginx to **terminate** TLS and talk plain TCP
# to the backend (rare for MySQL but possible), uncomment this variant.
# NOTE: in this mode the Nginx → backend hop is unencrypted, so keep it on a
# private/trusted network. Stock MySQL clients negotiate TLS inside the MySQL
# protocol after the server greeting rather than from the first byte, so
# confirm your client can connect to a TLS-wrapped port before relying on this.
#
# server {
#     listen [::]:7777 ssl;
#
#     ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
#
#     proxy_pass db-primary:3306;
#
#     # Since Nginx ends TLS, no ssl_preread here
# }
# ---------------------------------------------------------------------------