
Can nginx do TCP load balance with SSL termination


Nginx can act as an L3/4 balancer with the stream module: https://www.nginx.com/resources/admin-guide/tcp-load-balancing/

Because SSL is still TCP, nginx can proxy SSL traffic without termination.

The stream module can also terminate SSL traffic, but it's optional.

Example 1: TCP tunnel for IMAP over SSL without SSL termination

    stream {
        upstream stream_backend {
            server backend1.example.com:993;
            server backend2.example.com:993;
        }
        server {
            listen 993;
            proxy_pass stream_backend;
        }
    }

In this case, SSL termination is performed by backend1/2.

Example 2: TCP tunnel for IMAP with SSL termination.

    stream {
        upstream stream_backend {
            server backend1.example.com:443;
            server backend2.example.com:443;
        }
        server {
            listen 993 ssl;
            proxy_pass stream_backend;
            ssl_certificate        /etc/ssl/certs/server.crt;
            ssl_certificate_key    /etc/ssl/certs/server.key;
        }
    }

In this case, traffic between nginx and backend1/2 is unencrypted (IMAP 443 port used).

Example 3: Receive unencrypted and encrypt it

    stream {
        upstream stream_backend {
            server backend1.example.com:993;
            server backend2.example.com:993;
        }
        server {
            listen 443;
            proxy_pass stream_backend;
            proxy_ssl  on;
            proxy_ssl_certificate     /etc/ssl/certs/backend.crt;
            proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
        }
    }

So, clients connect to our nginx without SSL and this traffic is proxied to backend1/2 using SSL encryption.
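
An added example, not part of the original answer: Examples 2 and 3 combined, so nginx terminates the client's SSL and re-encrypts toward the backends, with the backend certificate verified. `proxy_ssl on` alone encrypts the upstream connection but does not check who is on the other end, because `proxy_ssl_verify` is off by default. The CA file, the key path under `/etc/ssl/private/` and the name `imap.example.com` are assumptions; the backends must present a certificate valid for that name.

```nginx
stream {
    upstream stream_backend {
        server backend1.example.com:993;
        server backend2.example.com:993;
    }

    server {
        # Client side: terminate SSL on nginx (as in Example 2).
        listen 993 ssl;
        ssl_certificate     /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/private/server.key;  # assumed path, readable by root only
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Backend side: re-encrypt (as in Example 3).
        proxy_pass stream_backend;
        proxy_ssl  on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the backend certificate chain against a CA we trust.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/backend-ca.crt;  # assumed CA bundle

        # With an upstream group, the default name checked is the group
        # name ("stream_backend"), so set the expected name explicitly
        # and send it as SNI.
        proxy_ssl_server_name on;
        proxy_ssl_name        imap.example.com;  # assumed certificate name
    }
}
```

Check the file with `nginx -t` before reloading; a backend whose certificate fails verification causes the proxied connection to be closed and an error to be written to the error log.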