Intermittent "504 SSL_do_handshake() failed"
Igor Sysoev
igor at sysoev.ru
Sun Oct 24 22:31:03 MSD 2010
On Sun, Oct 24, 2010 at 02:23:52PM -0400, terminal wrote:
> I seem to be having a problem with the secure reverse proxy. I have a
> "Synology Disk Station" that hosts Apache virtual servers with one being
> an administration web panel, and the other "https://192.168.2.2/photo"
> being a photo/blogging site.
> I have googled around and looked at the NGINX forum and have found no
> solution to this problem or as to what is causing it. When I first
> launch nginx everything seems to work fine as expected, but after X
> amount of time testing (clearing client cache and using other browsers)
> I start intermittently getting "502 Bad Gateway" errors from Nginx. Both
> Nginx and Synology use a self-signed certificate. I have done a
> wireshark packet dump from Nginx and decrypted the packets via the
> server's private key, and the only thing I noticed was 302 Not modified
> headers and the SSL Alerts with Key renegotiation.
>
> My network setup can be described as below:
> 192.168.2.2 [Synology (Apache)] <-> 192.168.2.151 [Nginx] <-> External
> [Client]
>
> My router is set up to serve only HTTPS 443 connections from my LAN to
> external.
>
> Versions:
> nginx version: nginx/0.7.65 on Ubuntu 10.04.1 LTS (lucid)
> Server version: Apache/2.2.16 (Unix)
>
> [Nginx Config]
> server {
>     listen 443;
>     ssl on;
>     server_name home.fractalengine.com;
>
>     ##LOG
>     access_log /var/log/nginx/localhost.access.log;
>
>     ##SSL Params
>     ssl_certificate ssl/storage.in.crt;
>     ssl_certificate_key ssl/storage.key;
>     keepalive_timeout 60;
>     ssl_verify_client off;
>     ssl_session_cache off;
>
>     location / {
>         proxy_pass https://192.168.2.2;
>         proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Forwarded-Proto https;
>         proxy_redirect off;
>         proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
>     }
>
>     location /doc {
>         root /usr/share;
>         autoindex on;
>         allow 127.0.0.1;
>         deny all;
>     }
>
>     location /images {
>         root /usr/share;
>         autoindex on;
>     }
> }
>
> [NGINX ERROR Log]
> 2010/10/22 17:23:24 [error] 5206#0: *501 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/friend_link.js HTTP/1.1",
> upstream: "https://192.168.2.2:443/blog/modules/friend_link.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 2010/10/22 17:23:24 [error] 5206#0: *506 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/label_cloud.js HTTP/1.1",
> upstream: "https://192.168.2.2:443/blog/modules/label_cloud.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 2010/10/22 17:23:24 [error] 5206#0: *504 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/statistical_data.js
> HTTP/1.1", upstream:
> "https://192.168.2.2:443/blog/modules/statistical_data.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
> 2010/10/22 17:23:24 [error] 5206#0: *507 SSL_do_handshake() failed (SSL:
> error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while
> SSL handshaking to upstream, client: 69.xx.xxx.x, server:
> home.myDomain.com, request: "GET /blog/modules/recent_article.js
> HTTP/1.1", upstream:
> "https://192.168.2.2:443/blog/modules/recent_article.js", host:
> "home.myDomain.com", referrer:
> "https://home.myDomain.com/blog/admin_index.php"
>
>
> Again the weird thing is it stops working after X amount of time
> testing. I'm starting to think it has something to do with the
> connection timeout from Nginx to Apache?? Or maybe something with the
> Cache?

Try

    proxy_ssl_session_reuse off;

--
Igor Sysoev
http://sysoev.ru/en/
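
As an added example (not part of the original thread and not nginx project code): a small Python script that counts upstream TLS handshake failures in an nginx error log, per upstream and OpenSSL error code, so the failure rate can be compared before and after a change such as the one suggested above. The sample log lines, client addresses and host names in it are constructed.

```python
import re
from collections import Counter

# Constructed sample: nginx error_log entries, one per line as nginx writes them.
SAMPLE_LOG = """\
2010/10/22 17:23:24 [error] 5206#0: *501 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 203.0.113.7, server: example.test, request: "GET /a.js HTTP/1.1", upstream: "https://192.168.2.2:443/a.js", host: "example.test"
2010/10/22 17:23:24 [error] 5206#0: *506 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 203.0.113.7, server: example.test, request: "GET /b.js HTTP/1.1", upstream: "https://192.168.2.2:443/b.js", host: "example.test"
2010/10/22 17:30:00 [info] 5206#0: *520 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client: 203.0.113.9, server: example.test
2010/10/22 17:31:10 [error] 5206#0: *523 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: example.test, request: "GET / HTTP/1.1", upstream: "https://192.168.2.2:443/", host: "example.test"
2010/10/22 17:40:02 [error] 5206#0: *610 SSL_do_handshake() failed (SSL: error:1408C095:SSL routines:SSL3_GET_FINISHED:digest check failed) while SSL handshaking to upstream, client: 203.0.113.7, server: example.test, request: "GET /c.js HTTP/1.1", upstream: "https://192.168.2.2:443/c.js", host: "example.test"
"""

# Matches only handshake failures towards the upstream, not client-side ones.
ENTRY = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: \*\d+ '
    r'SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]+):(?P<reason>[^)]*)\) '
    r'while SSL handshaking to upstream,.*?upstream: "(?P<upstream>https://[^/"]+)'
)


def summarize(log_text):
    """Return (failures per (upstream, code, reason), failures per timestamp)."""
    by_cause, by_second = Counter(), Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue  # other errors, or a handshake failure on the client side
        reason = m["reason"].rsplit(":", 1)[-1]  # last field is the readable text
        by_cause[(m["upstream"], m["code"], reason)] += 1
        by_second[m["ts"]] += 1
    return by_cause, by_second


if __name__ == "__main__":
    causes, seconds = summarize(SAMPLE_LOG)
    for (upstream, code, reason), n in causes.most_common():
        print(f"{n:4d}  {upstream}  {code}  {reason}")
    for ts, n in sorted(seconds.items()):
        print(f"{ts}  {n} failure(s)")
```

To use it on a real log, pass the file contents to `summarize()`; entries that were wrapped by a mail client, as in the quoted post, must first be rejoined into one line each.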