# Proxy SSL Client Certificate through NGINX Load-Balancer

The frontend `stream` `proxy_pass` can be used for load-balancing without SSL off-loading.  All SSL connections will be terminated on the backend and client certificate information can be properly authenticated.

This should be used in cases:

* you have enough CPU to decrypt SSL on the backend servers
* you require direct client AUTHENTICATION on the backend servers

## Backend

In this example, the PHP-FPM engine will receive the following variables:

* `$_ENV['X-SSL-CERT']` - Signed client certificate
* `$_ENV['X-SSL-VERIFIED']` - Status of verification
* `$_ENV['X-SSL-CLIENT-DN']` - Full DN of Client
* `$_ENV['X-SSL-ISSUER-DN']` - Full DN of Issuer

## References

* https://nginx.org/en/docs/stream/ngx_stream_core_module.html