Intermittent "504 SSL_do_handshake() failed"

Igor Sysoev igor at sysoev.ru
Sun Oct 24 22:31:03 MSD 2010


On Sun, Oct 24, 2010 at 02:23:52PM -0400, terminal wrote:

> I seem to be having a problem with the secure reverse proxy. I have a
> "Synology Disk Station" that hosts Apache virtual servers with one being
> an administration web panel, and the other "https://192.168.2.2/photo"
> being a photo/blogging site.
> I have googled around and looked at the NGINX forum and have found no
> solution to this problem or as to what is causing it. When I first
> launch nginx everything seems to work fine as expected, but after X
> amount of time testing (clearing client cache and using other browsers)
> I start intermittently getting "502 Bad Gateway" errors from Nginx. Both
> Nginx and Synology use a self-signed certificate. I have done a
> wireshark packet dump from Nginx and decrypted the packets via the
> server's private key, and the only thing I noticed was 302 Not modified
> headers and the SSL Alerts with Key renegotiation.
> 
> My network setup can be described as below:
> 192.168.2.2 [Synology (Apache)] <-> 192.168.2.151 [Nginx] <-> External
> [Client]
> 
> My router is set up to serve only HTTPS 443 connections from my LAN to
> external.
> 
> Versions:
> nginx version: nginx/0.7.65 on Ubuntu 10.04.1 LTS (lucid)
> Server version: Apache/2.2.16 (Unix)
> 
> [Nginx Config]
> server {
>         listen   443;
>         ssl on;
>         server_name  home.fractalengine.com;
> 
>         ##LOG
>         access_log  /var/log/nginx/localhost.access.log;
> 
>         ##SSL Params
>         ssl_certificate         ssl/storage.in.crt;
>         ssl_certificate_key     ssl/storage.key;
>         keepalive_timeout       60;
>         ssl_verify_client       off;
>         ssl_session_cache       off;
> 
>         location / {
>                 proxy_pass              https://192.168.2.2;
>                 proxy_next_upstream error timeout invalid_header
> http_500 http_502 http_503;
>                 proxy_set_header Host $host;
>                 proxy_set_header X-Real-IP $remote_addr;
>                 proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
>                 proxy_set_header X-Forwarded-Proto https;
>                 proxy_redirect     off;
>                 proxy_cache_use_stale   error timeout invalid_header
> updating http_500 http_502 http_503 http_504;
>         }
> 
>         location /doc {
>                 root   /usr/share;
>                 autoindex on;
>                 allow 127.0.0.1;
>                 deny all;
>         }
> 
>         location /images {
>                 root   /usr/share;
>                 autoindex on;
>         }
> }
> 
> [NGINX ERROR Log]
> 2010/10/22 17:23:24 [error] 5206#0: *501 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/friend_link.js HTTP/1.1",
> upstream: "https://192.168.2.2:443/blog/modules/friend_link.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 2010/10/22 17:23:24 [error] 5206#0: *506 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/label_cloud.js HTTP/1.1",
> upstream: "https://192.168.2.2:443/blog/modules/label_cloud.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 2010/10/22 17:23:24 [error] 5206#0: *504 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/statistical_data.js
> HTTP/1.1", upstream:
> "https://192.168.2.2:443/blog/modules/statistical_data.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 2010/10/22 17:23:24 [error] 5206#0: *507 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/recent_article.js
> HTTP/1.1", upstream:
> "https://192.168.2.2:443/blog/modules/recent_article.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 
> 
> Again the weird thing is it stops working after X amount of time
> testing. I'm starting to think it has something to do with the
> connection timeout from Nginx to Apache?? Or maybe something with the
> Cache?

Try
  proxy_ssl_session_reuse off;


-- 
Igor Sysoev
http://sysoev.ru/en/
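
An added example, not part of the original thread and not nginx project code: a short Python triage script that parses error-log entries of the kind quoted above and groups SSL_do_handshake() failures by leg (upstream or client), upstream host and OpenSSL reason, which shows whether a proxy-side setting such as proxy_ssl_session_reuse is relevant at all. The sample lines are constructed from the log format in the message, and the function names are hypothetical.

```python
import re
from collections import Counter

# One nginx error-log entry per line (the e-mail above shows them hard-wrapped).
ENTRY = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) '
    r'SSL_do_handshake\(\) failed \(SSL: (?P<ssl>[^)]*)\) '
    r'while SSL handshaking(?P<leg> to upstream)?'
    r'(?:.*?upstream: "(?P<upstream>[^"]+)")?'
)
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
SSL_ERR = re.compile(
    r'error:(?P<code>[0-9A-Fa-f]+):[^:]*:(?P<func>[^:]*):(?P<reason>.*?)(?= error:|$)')

def parse_handshake_failures(lines):
    """Return one dict per SSL_do_handshake() failure found in `lines`."""
    out = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a handshake failure (e.g. connect() errors)
        e = SSL_ERR.search(m.group("ssl"))
        # Reduce the upstream URL to host:port; None on the client leg.
        host = (m.group("upstream") or "").split("://")[-1].split("/")[0] or None
        out.append({
            "time": m.group("ts"),
            "conn": int(m.group("conn")),
            "leg": "upstream" if m.group("leg") else "client",
            "upstream": host,
            "code": e.group("code") if e else None,
            "reason": e.group("reason") if e else m.group("ssl"),
        })
    return out

def summarize(failures):
    """Count failures per (leg, upstream host, OpenSSL reason)."""
    return Counter((f["leg"], f["upstream"], f["reason"]) for f in failures)

# Constructed sample input (addresses and host names are placeholders).
SAMPLE = [
    '2010/10/22 17:23:24 [error] 5206#0: *501 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 203.0.113.7, server: example.test, request: "GET /a.js HTTP/1.1", upstream: "https://192.168.2.2:443/a.js", host: "example.test"',
    '2010/10/22 17:23:24 [error] 5206#0: *506 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 203.0.113.7, server: example.test, request: "GET /b.js HTTP/1.1", upstream: "https://192.168.2.2:443/b.js", host: "example.test"',
    '2010/10/22 17:23:25 [info] 5206#0: *510 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443',
    '2010/10/22 17:23:26 [error] 5206#0: *511 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: example.test',
]

if __name__ == "__main__":
    for key, count in summarize(parse_handshake_failures(SAMPLE)).items():
        print(count, key)
```

Entries on the upstream leg are the ones that session reuse toward the proxied server can affect; client-leg failures point elsewhere.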


