ssl/tls https with red cross

Francis Daly francis at daoine.org
Wed May 30 18:13:18 UTC 2012


On Wed, May 30, 2012 at 09:14:59PM +0530, tariq wali wrote:

Hi there,

> We are running nginx/0.7.62 and notice that https with red-cross (either
> the connection is not encrypted or the page has some non https content and
> in my case it is no encrypted connection) this is how the config looks

It's not clear from the above paragraph what the problem you are
seeing is.

Are you sure that for your client, "https with red-cross" means only
one of those two possibilities? Might it mean "this is ssl-encrypted,
but the client has not validated the certificate, so it can't say who it
is having an encrypted conversation with"?

>  server {
>         listen       443;
>         ssl on;
>         ssl_certificate login.jobsgulf.com.crt;
>         ssl_certificate_key login.jobsgulf.com.key;

For testing purposes, the above four lines are enough to get nginx
responding over https.

If you see the same problem when leaving out the rest, then you now have
a simpler case to test from.

If you don't see the same problem when leaving out the rest, then you can
try adding back the lines one at a time, to see what causes the problem
to come back.

> I want to know if we really have to explicitly specify ssl_protocols and
> ssl_ciphers in the config in order to be fully https for the said directive
> ??

No.

> Also does it make sense to enable ssl/tls support on apache also? In my
> case I have nginx in front of the apache.

Probably not.

If the problem you see is that when you do

  curl -i https://your-server/

or

  curl -k -i https://your-server/

you get back content with links (image, css, javascript) to http:// urls,
then you'll probably want to adjust what the back-end (apache) sends.

The first thing to do is probably to identify precisely why your browser
shows you the red cross. Hopefully it has some form of reporting which
will tell you.

After that, you will probably have a specific question which will
hopefully have a straightforward answer.

Good luck with it,

	f
-- 
Francis Daly        francis at daoine.org
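
The check suggested in the reply above (does the https page come back with image, css or javascript links to http:// urls?) can be automated. The following is an added example, not part of the original post or of nginx; the host names and the sample HTML are constructed for illustration.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Tag -> attribute whose URL the browser fetches as part of the page.
FETCH_ATTR = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src", "object": "data"}
# <link> fetches only for these rel values; <a href> is navigation, not a load.
LINK_RELS = {"stylesheet", "icon", "preload"}
# Constructed sample of a back-end response served through an https front end.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://login.example.test/site.css">
<script src="//cdn.example.test/lib.js"></script>
</head><body>
<img src="/logo.png">
<img src="http://login.example.test/banner.png">
<a href="http://login.example.test/help">help</a>
</body></html>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # relative URLs resolve against this
        self.findings = []     # (line, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])  # <base> rebases later URLs
            return
        if tag == "link":
            rels = set((a.get("rel") or "").lower().split())
            ref = a.get("href") if rels & LINK_RELS else None
        else:
            ref = a.get(FETCH_ATTR.get(tag, ""))
        url = urljoin(self.base, ref.strip()) if ref else ""
        if urlsplit(url).scheme == "http":
            self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    args = sys.argv[1:]  # with a page URL argument, HTML is read from stdin
    html, page = (sys.stdin.read(), args[0]) if args else (SAMPLE, "https://login.example.test/")
    for line, tag, url in find_mixed_content(html, page):
        print(f"line {line}: <{tag}> loads {url}")
```

Saved under a name of your choice (mixed_content.py here is hypothetical), it can be fed a live page with `curl -s https://your-server/ | python3 mixed_content.py https://your-server/`. Relative and protocol-relative references are resolved against the page URL first, so only loads that really go out over http are reported.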


