Problem with Upstream over SSL
Maxim Dounin
mdounin at mdounin.ru
Thu Dec 5 15:36:18 UTC 2013
Hello!
On Thu, Dec 05, 2013 at 09:44:55AM -0500, cschiewek wrote:
> I was proxying to an IIS server on 443 on nginx 1.1 on FreeBSD and it worked
> perfectly fine. We moved to nginx 1.4 running on ubuntu and now it won't
> work.
>
> The following works perfect:
>
> server {
>     location / {
>         proxy_pass http://server.domain.com;
>     }
> }
>
> But when I change it to
>
> server {
>     location / {
>         proxy_pass https://server.domain.com;
>     }
> }
>
> It times out. I can curl both http:// and https:// no problem. The strange
> thing is the log message with the timeout error is showing the IP instead of
> the hostname.
>
> 2013/12/05 09:30:33 [error] 20109#0: *1 upstream timed out (110: Connection
> timed out) while reading response header from upstream, client:
> 192.168.1.200, server: external.domain.com, request: "GET / HTTP/1.1",
> upstream: "https://192.168.1.10:443/", host: "external.domain.com"
>
> What I'm guessing is nginx is trying to proxy to the host via the IP and
> then timing out because of SSL issues, as the SSL cert is not valid for the
> IP, only for the domain name.
The problem indeed may be related to SSL - e.g. something
wrong with ciphers used. But it's certainly not a certificate
verification issue, as nginx currently doesn't check upstream
server certificates at all.

You may try using 1.5.x to play with proxy_ssl_protocols and
proxy_ssl_ciphers directives introduced specifically to help to
resolve various interoperability problems.
> Why is nginx proxying to the IP instead of the hostname? Can I force it to
> use the hostname?
The ip of a particular server nginx connects to is logged.
--
Maxim Dounin
http://nginx.org/en/donation.html
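
An added example, not part of the original message and not the nginx project's own configuration: a sketch of how the directives named in the reply sit in the proxy block from the question. The listen port, the protocol and cipher values, and the CA bundle path are assumptions to be replaced with what the upstream actually supports; the verification directives exist only in nginx 1.7.0 and later, not in the versions discussed in this thread.

```nginx
server {
    listen 80;                         # assumption: the listener is not shown in the thread
    server_name external.domain.com;

    location / {
        proxy_pass https://server.domain.com;

        # Handshake parameters offered to the upstream (directives from 1.5.x,
        # as named in the reply). Values here are constructed examples: narrow
        # them to a protocol and cipher set the IIS upstream is known to accept.
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers   HIGH:!aNULL:!MD5;

        # nginx 1.7.0 and later only: send SNI and verify the upstream
        # certificate against the expected name. Without proxy_ssl_verify
        # the upstream certificate is accepted unchecked, so the TLS hop
        # gives no protection against an impostor on the internal network.
        proxy_ssl_server_name         on;
        proxy_ssl_name                server.domain.com;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        # Placeholder path: CA bundle that issued the upstream certificate.
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
    }
}
```

With verification enabled, the certificate is checked against the name given in `proxy_ssl_name` (by default the host from `proxy_pass`), not against the IP address that appears in the error log.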