What are requirements to enable Nginx to re-encrypt to backend servers?

My goal is to have nginx act as an SSL-offloading reverse proxy that then re-encrypts and forwards to the backend web applications. I believe the term nginx uses is technically "upstream servers", but I tend to call them backend servers.

I've consulted the documentation on upstream servers here: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ but I'm a little confused.

In that example they appear to be using client/server certificates, which are quite different from the Let's Encrypt SSL certificates I have. I'm not sure whether Let's Encrypt-type certificates can be used when proxying to the backend.

Typically, to proxy to the "backend" in my virtual host file, I have a block like the following, which forwards unencrypted to the backend:

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;
    proxy_pass http://backend.domain.com:80;
}

To try to enable re-encryption I've done the following:

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    proxy_ssl_session_reuse on;
    proxy_ssl_verify off;
    proxy_ssl_server_name on;
    proxy_http_version 1.1;

    #proxy_pass http://backend.domain.com:80;
    proxy_pass https://backend.domain.com;
}

Backend sites are reachable with this setup, but I'm truly wondering whether it is actually re-encrypting to the backend. I'm not sure how to even check (Wireshark, tcpdump?).

I can verify I have an SSL certificate installed on the backend, and if I take the reverse proxy out of the loop I can connect directly to https://backend.domain.com. With wget I'm aware I must connect using the domain name, since if I request by IP address I get a warning that the IP address doesn't match the name on the certificate.

I'm aware that if I enable verification with the following options:

    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/letsencrypt//fullchain.pem;
    proxy_ssl_verify_depth 2;

things no longer work. I think these options tell nginx to check the validity of the backend's certificate, and I believe that check is made against the file named by proxy_ssl_trusted_certificate. What exactly should proxy_ssl_trusted_certificate point at?

**Addendum**

With some help, I found that the file I was looking for is called ca-certificates.crt. This is the name of the file on Ubuntu/Debian/Arch Linux; other distributions may call the file ca-bundle.crt or ca-bundle.trust.crt. On Arch Linux, to get this file make sure you have installed the ca-certificates-utils package.

The CA verification file is located at:
/etc/ssl/certs/ca-certificates.crt

I made the following modifications:

    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_verify_depth 2;

This solution applies if you are not using self-signed certificates. It may only be applicable to Let's Encrypt certificates, as those were the only type of certificate I tested against.
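Pulling the addendum together with the earlier question of how to check that re-encryption is really happening, here is an added example script (my own, not from the post or its commenters): it locates the distribution CA bundle under one of the names listed above, prints the location block with verification switched on, and reproduces by hand the check nginx performs with proxy_ssl_verify on, using openssl s_client. The upstream name backend.domain.com is the post's placeholder, the function names are mine, and the script assumes openssl is installed on the proxy host.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find the CA bundle that
# proxy_ssl_trusted_certificate should name, emit the re-encrypting location
# block, and verify the upstream the same way nginx will.
set -eu

# Candidate bundle names from the addendum. The search root is a parameter so
# the function can be exercised against a constructed directory tree.
pick_ca_bundle() {
    root="${1:-/etc/ssl/certs}"
    for name in ca-certificates.crt ca-bundle.crt ca-bundle.trust.crt; do
        if [ -r "$root/$name" ]; then
            printf '%s\n' "$root/$name"
            return 0
        fi
    done
    return 1
}

# Print the location block with verification on. $1 = upstream host name,
# $2 = CA bundle path. nginx checks the certificate against the host in
# proxy_pass (proxy_ssl_name defaults to it), so that must be the DNS name on
# the upstream's certificate, not an IP address.
render_location() {
    upstream="$1"; bundle="$2"
    cat <<EOF
location / {
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_http_version 1.1;

    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_server_name on;    # send SNI so the upstream serves the right cert
    proxy_ssl_verify on;         # refuse an upstream whose chain does not validate
    proxy_ssl_trusted_certificate $bundle;
    proxy_ssl_verify_depth 2;    # leaf -> intermediate -> root

    proxy_pass https://$upstream;
}
EOF
}

# Reproduce nginx's check by hand: TLS handshake with SNI, chain verified
# against the same bundle, hostname checked. Exit status 0 means nginx with
# proxy_ssl_verify on will accept this upstream. Needs network access to the
# upstream, so the test below does not call it.
probe_upstream() {
    upstream="$1"; bundle="$2"
    openssl s_client -connect "$upstream:443" -servername "$upstream" \
        -CAfile "$bundle" -verify_hostname "$upstream" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# To confirm on the wire that the proxy-to-upstream leg is encrypted, capture
# on the proxy host while requesting a page: with re-encryption working the
# count of plaintext request lines is 0.
#   tcpdump -i any -A 'host backend.domain.com and port 443' | grep -c 'GET /'
```

From the proxy host, `render_location backend.domain.com "$(pick_ca_bundle)"` prints the block to paste into the virtual host, and `probe_upstream backend.domain.com "$(pick_ca_bundle)"; echo $?` reports the same pass/fail nginx would log. The leaf's own fullchain.pem is the wrong file for proxy_ssl_trusted_certificate: the directive wants the CA certificates that issued the upstream's chain, up to a root, and for Let's Encrypt those are already in the system bundle.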

4 thoughts on “What are requirements to enable Nginx to re-encrypt to backend servers?”

  1. personal opinion:

    in your app server of choice, use a self-signed certificate and change your proxy_pass directive to https with the correct port number.

    that’s the easy way.

  2. What’s running on your upstream server? What certificates are installed on the upstream server? Are you using self-signed certificates? And lastly, shouldn’t it be proxy_pass https to the upstream location to indicate SSL? proxy_pass http over port 443 just means you’re doing regular HTTP traffic using port 443.

  3. Honestly I don’t know what openshift is... I’m using Let’s Encrypt certs on both the front and upstream end. I thought if you’re using PKI certs you need a CA authority cert placed on the nginx proxy doing the re-encrypting.