<p dir="ltr">Recently I tried setting up a basic nginx reverse proxy in production on Ubuntu 14.04 using their default supported version of nginx 1.4.6.</p>
<p dir="ltr">Basic config as follows:</p>
<p dir="ltr">server {</p>
<p dir="ltr"> listen <a href="http://127.0.0.1:443">127.0.0.1:443</a>;</p>
<p dir="ltr"> server_name <a href="http://myhost.ca">myhost.ca</a>;</p>
<p dir="ltr"> ssl on;</p>
<p dir="ltr"> ssl_certificate /etc/nginx/certs/cert.chained.with.intermediates.crt</p>
<p dir="ltr"> ssl_certificate_key /etc/nginx/certs/cert.key</p>
<p dir="ltr"> ssl_dhparam /etc/nginx/certs/dhparams.pem;</p>
<p dir="ltr"> ssl_session_timeout 5m;</p>
<p dir="ltr"> ssl_session_cache shared:test_cache:5m;</p>
<p dir="ltr"> ssl_protocols TLSv1 TLSv1.1 TLSv1.2;</p>
<p dir="ltr"> ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:</p>
<p dir="ltr"> ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:</p>
<p dir="ltr"> !EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';</p>
<p dir="ltr"> ssl_prefer_server_ciphers on;</p>
<p dir="ltr"> access_log /var/log/nginx/proxy.access.log;</p>
<p dir="ltr"> error_log /var/log/nginx/proxy.error.log;</p>
<p dir="ltr"> location / {</p>
<p dir="ltr"> proxy_buffering off;</p>
<p dir="ltr"> proxy_set_header Host $host;</p>
<p dir="ltr"> proxy_set_header X-Real-IP $remote_addr;</p>
<p dir="ltr"> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;</p>
<p dir="ltr"> proxy_set_header X-Forwarded-Proto $scheme;</p>
<p dir="ltr"> proxy_pass <a href="https://10.1.10.1">https://10.1.10.1</a>;</p>
<p dir="ltr"> }</p>
<p dir="ltr">}</p>
<p dir="ltr">Config worked pretty good in testing, but when we put it in production, we quickly started seeing intermittent handshake failures.</p>
<p dir="ltr">The handshakes were being rejected by the server with errors like this in the error log:</p>
<p dir="ltr">2016/02/16 13:30:18 [info] 6470#0: *6349 SSL_do_handshake() failed (SSL: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac) while SSL handshaking, client: x.x.x.x, server: x.x.x.x:443</p>
<p dir="ltr">And sometimes from the client like this:</p>
<p dir="ltr">2016/02/16 13:27:51 [info] 6468#0: *6226 peer closed connection in SSL handshake while SSL handshaking, client: x.x.x.x, server: x.x.x.x:443</p>
<p dir="ltr">Upon further investigation we discovered that the same clients were more or less "randomly" effected by this handshake error on an intermittent basis, so one request might work but then the next would fail.</p>
<p dir="ltr">Initially we didn't have any ssl_session_cache enabled, but adding that shared cache setting above had no effect on the random handshake errors.</p>
<p dir="ltr">Thought it might be an openssl issue, so we tried updating from ubuntu's default version of 1.0.1f to 1.0.2f from source, but that had no impact on the clients receiving the handshake error.</p>
<p dir="ltr">Subsequently, we switched the reverse proxy on the same system, with the same configuration (i.e. supported protocols and ciphers) from nginx to apache, and the intermittent handshake errors have gone away.</p>
<p dir="ltr">I'd still like to know what was wrong with our nginx setup to be causing this in the first place, anyone have any ideas?</p>