Проблема nginx и SSL

Behterev D. maillist at itcall.ru
Fri Apr 24 22:20:50 MSD 2009


Здравствуйте. 

Есть у кого соображения по теме?

Проблема - не могу настроить передачу https от nginxa к вышестоящему
веб-серверу Apache, nginx как фронт-енд, апаче - бэк-енд. 

ОС: FreeBSD 7

Nginx установлен из порта nginx-0.7.52.

Если запрос https приходит напрямую на бэк-енд - все работает, если через
nginx - проблемы. В браузере - пустая страница. Лог:

 

2009/04/24 03:35:00 [debug] 77007#0: malloc: 08159000:10240

2009/04/24 03:35:00 [debug] 77007#0: malloc: 0815C000:10240

2009/04/24 03:35:00 [debug] 77007#0: malloc: 08301000:942080

2009/04/24 03:35:00 [debug] 77007#0: malloc: 0815F000:614400

2009/04/24 03:35:00 [debug] 77007#0: malloc: 08401000:614400

2009/04/24 03:35:00 [debug] 77007#0: kevent set event: 5: ft:-1 fl:0005

2009/04/24 03:35:00 [debug] 77007#0: kevent set event: 6: ft:-1 fl:0005

2009/04/24 03:35:00 [debug] 77007#0: kevent set event: 8: ft:-1 fl:0005

2009/04/24 03:35:00 [debug] 77007#0: worker cycle

2009/04/24 03:35:00 [debug] 77007#0: kevent timer: -1, changes: 3

2009/04/24 03:35:24 [debug] 77007#0: kevent events: 1

2009/04/24 03:35:24 [debug] 77007#0: kevent: 6: ft:-1 fl:0000 ff:00000000
d:1 ud:0815F03C

2009/04/24 03:35:24 [debug] 77007#0: accept on xx.xx.xx.xx:443, ready: 1

2009/04/24 03:35:24 [debug] 77007#0: malloc: 08136400:256

2009/04/24 03:35:24 [debug] 77007#0: *175 accept: 85.140.11.227 fd:7

2009/04/24 03:35:24 [debug] 77007#0: *175 event timer add: 7:
60000:3579203720

2009/04/24 03:35:24 [debug] 77007#0: *175 kevent set event: 7: ft:-1 fl:0025

2009/04/24 03:35:24 [debug] 77007#0: timer delta: 24481

2009/04/24 03:35:24 [debug] 77007#0: posted events 00000000

2009/04/24 03:35:24 [debug] 77007#0: worker cycle

2009/04/24 03:35:24 [debug] 77007#0: kevent timer: 60000, changes: 1

2009/04/24 03:35:24 [debug] 77007#0: kevent events: 1

2009/04/24 03:35:24 [debug] 77007#0: kevent: 7: ft:-1 fl:0020 ff:00000000
d:116 ud:0815F0B4

2009/04/24 03:35:24 [debug] 77007#0: *175 malloc: 0811E400:656

2009/04/24 03:35:24 [debug] 77007#0: *175 malloc: 0811FC00:1024

2009/04/24 03:35:24 [debug] 77007#0: *175 malloc: 08118000:4096

2009/04/24 03:35:24 [debug] 77007#0: *175 http check ssl handshake

2009/04/24 03:35:24 [debug] 77007#0: *175 https ssl handshake: 0x16

2009/04/24 03:35:24 [debug] 77007#0: *175 SSL_do_handshake: -1

2009/04/24 03:35:24 [debug] 77007#0: *175 SSL_get_error: 2

2009/04/24 03:35:24 [debug] 77007#0: timer delta: 3

2009/04/24 03:35:24 [debug] 77007#0: posted events 00000000

2009/04/24 03:35:24 [debug] 77007#0: worker cycle

2009/04/24 03:35:24 [debug] 77007#0: kevent timer: 59997, changes: 0

2009/04/24 03:35:25 [debug] 77007#0: kevent events: 1

2009/04/24 03:35:25 [debug] 77007#0: kevent: 7: ft:-1 fl:0020 ff:00000000
d:214 ud:0815F0B4

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL handshake handler: 0

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_do_handshake: 1

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL: SSLv3, cipher:
"DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1"

2009/04/24 03:35:25 [debug] 77007#0: *175 http process request line

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_read: -1

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_get_error: 2

2009/04/24 03:35:25 [debug] 77007#0: timer delta: 82

2009/04/24 03:35:25 [debug] 77007#0: posted events 00000000

2009/04/24 03:35:25 [debug] 77007#0: worker cycle

2009/04/24 03:35:25 [debug] 77007#0: kevent timer: 59915, changes: 0

2009/04/24 03:35:25 [debug] 77007#0: kevent events: 1

2009/04/24 03:35:25 [debug] 77007#0: kevent: 7: ft:-1 fl:0020 ff:00000000
d:437 ud:0815F0B4

2009/04/24 03:35:25 [debug] 77007#0: *175 http process request line

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_read: 404

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_read: -1

2009/04/24 03:35:25 [debug] 77007#0: *175 SSL_get_error: 2

2009/04/24 03:35:25 [debug] 77007#0: *175 http request line: "GET /
HTTP/1.1"

2009/04/24 03:35:25 [debug] 77007#0: *175 http uri: "/"

2009/04/24 03:35:25 [debug] 77007#0: *175 http args: ""

2009/04/24 03:35:25 [debug] 77007#0: *175 http exten: ""

2009/04/24 03:35:25 [debug] 77007#0: *175 http process request header line

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Host: mail.domen.ru"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "User-Agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.8) Gecko/2009032609
Firefox/3.0.8"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept-Language:
ru,en-us;q=0.7,en;q=0.3"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept-Encoding:
gzip,deflate"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Accept-Charset:
windows-1251,utf-8;q=0.7,*;q=0.7"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Keep-Alive: 300"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Connection:
keep-alive"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header: "Cache-Control:
max-age=0"

2009/04/24 03:35:25 [debug] 77007#0: *175 http header done

2009/04/24 03:35:25 [debug] 77007#0: *175 event timer del: 7: 3579203720

2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 0

2009/04/24 03:35:25 [debug] 77007#0: *175 test location: "/"

2009/04/24 03:35:25 [debug] 77007#0: *175 using configuration "/"

2009/04/24 03:35:25 [debug] 77007#0: *175 http cl:-1 max:1048576

2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 2

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "mail.domen.ru"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script regex:
"(www\.mail.domen\.ru|mail\.domen\.ru)"

2009/04/24 03:35:25 [notice] 77007#0: *175
"(www\.mail.domen\.ru|mail\.domen\.ru)" matches "mail.domen.ru", client:
85.140.11.227, server: mail.domen.ru, request: "GET / HTTP/1.1", host:
"mail.domen.ru"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script if

2009/04/24 03:35:25 [debug] 77007#0: *175 http script complex value

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "192.168.0.20/"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "/"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script set $perehod

2009/04/24 03:35:25 [debug] 77007#0: *175 post rewrite phase: 3

2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 4

2009/04/24 03:35:25 [debug] 77007#0: *175 generic phase: 5

2009/04/24 03:35:25 [debug] 77007#0: *175 access phase: 6

2009/04/24 03:35:25 [debug] 77007#0: *175 access phase: 7

2009/04/24 03:35:25 [debug] 77007#0: *175 post access phase: 8

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "https://"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "192.168.0.20//"

2009/04/24 03:35:25 [debug] 77007#0: *175 http init upstream, client timer:
0

2009/04/24 03:35:25 [debug] 77007#0: *175 kevent set event: 7: ft:-2 fl:0025

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy:
"X-FORWARDED_PROTO: https

"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "Host: "

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "mail.domen.ru"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "

"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "X-Real-IP: "

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "85.140.11.227"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "

"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy:
"X-Forwarded-For: "

2009/04/24 03:35:25 [debug] 77007#0: *175 http script var: "85.140.11.227"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "

"

2009/04/24 03:35:25 [debug] 77007#0: *175 http script copy: "Connection:
close

"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "User-Agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.8) Gecko/2009032609
Firefox/3.0.8"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header:
"Accept-Language: ru,en-us;q=0.7,en;q=0.3"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header:
"Accept-Encoding: gzip,deflate"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header:
"Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header: "Cache-Control:
max-age=0"

2009/04/24 03:35:25 [debug] 77007#0: *175 http proxy header:

"GET // HTTP/1.0

X-FORWARDED_PROTO: https

Host: mail.domen.ru

X-Real-IP: 85.140.11.227

X-Forwarded-For: 85.140.11.227

Connection: close

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.8)
Gecko/2009032609 Firefox/3.0.8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: ru,en-us;q=0.7,en;q=0.3

Accept-Encoding: gzip,deflate

Accept-Charset: windows-1251,utf-8;q=0.7,*;q=0.7

Cache-Control: max-age=0

 

"

2009/04/24 03:35:25 [debug] 77007#0: *175 http cleanup add: 08118B5C

2009/04/24 03:35:25 [debug] 77007#0: resolve: "192.168.0.20"

2009/04/24 03:35:25 [debug] 77007#0: *175 name was resolved to 192.168.0.20

2009/04/24 03:35:25 [debug] 77007#0: resolve name done: 0

2009/04/24 03:35:25 [debug] 77007#0: *175 get rr peer, try: 1

2009/04/24 03:35:25 [debug] 77007#0: *175 socket 10

2009/04/24 03:35:25 [debug] 77007#0: *175 connect to 192.168.0.20:443, fd:10
#176

2009/04/24 03:35:25 [debug] 77007#0: *175 kevent set event: 10: ft:-1
fl:0025

2009/04/24 03:35:25 [debug] 77007#0: *175 kevent set event: 10: ft:-2
fl:0025

2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream connect: -2

2009/04/24 03:35:25 [debug] 77007#0: *175 event timer add: 10:
75000:3579218858

2009/04/24 03:35:25 [debug] 77007#0: timer delta: 53

2009/04/24 03:35:25 [debug] 77007#0: posted events 00000000

2009/04/24 03:35:25 [debug] 77007#0: worker cycle

2009/04/24 03:35:25 [debug] 77007#0: kevent timer: 75000, changes: 3

2009/04/24 03:35:25 [debug] 77007#0: kevent events: 2

2009/04/24 03:35:25 [debug] 77007#0: kevent: 7: ft:-2 fl:0020 ff:00000000
d:33396 ud:084010B4

2009/04/24 03:35:25 [debug] 77007#0: *175 http run request: "/?"

2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream check client, write
event:1, "/"

2009/04/24 03:35:25 [debug] 77007#0: kevent: 10: ft:-2 fl:0020 ff:00000000
d:43008 ud:084010F0

2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream request: "/?"

2009/04/24 03:35:25 [debug] 77007#0: *175 http upstream send request handler

2009/04/24 03:35:25 [notice] 69512#0: signal 20 (SIGCHLD) received

2009/04/24 03:35:25 [alert] 69512#0: worker process 77007 exited on signal
11

2009/04/24 03:35:25 [debug] 69512#0: wake up

2009/04/24 03:35:25 [debug] 69512#0: reap children

2009/04/24 03:35:25 [debug] 69512#0: child: 0 77007 e:0 t:1 d:0 r:1 j:0

2009/04/24 03:35:25 [debug] 69512#0: channel 7:8

2009/04/24 03:35:25 [notice] 69512#0: start worker process 77078

2009/04/24 03:35:25 [debug] 69512#0: sigsuspend

2009/04/24 03:35:25 [debug] 77078#0: malloc: 0812A000:10240

2009/04/24 03:35:25 [debug] 77078#0: malloc: 08159000:10240

2009/04/24 03:35:25 [debug] 77078#0: malloc: 0815C000:10240

2009/04/24 03:35:25 [debug] 77078#0: malloc: 08301000:942080

2009/04/24 03:35:25 [debug] 77078#0: malloc: 0815F000:614400

2009/04/24 03:35:25 [debug] 77078#0: malloc: 08401000:614400

2009/04/24 03:35:25 [debug] 77078#0: kevent set event: 5: ft:-1 fl:0005

2009/04/24 03:35:25 [debug] 77078#0: kevent set event: 6: ft:-1 fl:0005

2009/04/24 03:35:25 [debug] 77078#0: kevent set event: 8: ft:-1 fl:0005

2009/04/24 03:35:25 [debug] 77078#0: worker cycle

2009/04/24 03:35:25 [debug] 77078#0: kevent timer: -1, changes: 3 

 

Конфиг nginx'a:

worker_processes  1;

 

error_log /var/log/nginx/error.log debug;

 

pid        nginx.pid;

 

events {

    worker_connections  10240;

}

 

http {

        include       mime.types;

 

        default_type  application/octet-stream;

 

        log_format  main  '$remote_addr - $remote_user [$time_local]
$request '

                      '"$status" $body_bytes_sent "$http_referer" '

                      '"$http_user_agent" "$http_x_forwarded_for"';

 

        access_log  /var/log/nginx/access.log  main;

 

        sendfile        on;

 

        tcp_nopush     on;

 

        tcp_nodelay on;

 

        keepalive_timeout  65;

 

        server {

                listen       xx.xx.xx.xx:80;

 

                # Директива задаёт имена виртуального сервера,

                server_name  domen.ru www.domen.ru

 

                location / {

                        root   /var/www/nginx;

                        index  index.html index.htm;

                        if ($http_host ~* ^(www\.domen\.ru|domen\.ru)) {

                                set $perehod 192.168.0.20/$request_uri;

                                break;

                        }

 

                        proxy_pass http://$perehod;

 

                        client_max_body_size 100m;

                        client_body_buffer_size 128k;

 

                        include /usr/local/etc/nginx/proxy.conf;

                }

 

                error_page   500 502 503 504  /50x.html;

                location = /50x.html {

                        root   /var/www/nginx;

                }

        }

 

    # HTTPS server

    #

    server {

        listen       xx.xx.xx.xx:443;

        server_name  mail.domen.ru www.mail.domen.ru;

 

        ssl                  on;

        ssl_certificate      /usr/local/etc/nginx/cert/server_www.crt;

        ssl_certificate_key  /usr/local/etc/nginx/cert/server_www.key;

 

        ssl_session_timeout  5m;

 

        ssl_protocols  SSLv2 SSLv3 TLSv1;

        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2;

        # ssl_prefer_server_ciphers   on;

 

        location / {

 

                proxy_set_header X-FORWARDED_PROTO https;

                if ($http_host ~* (www\.mail.domen\.ru|mail\.domen\.ru)) {

                        set $perehod 192.168.0.20:443/$request_uri;

                        break;

                }

 

                proxy_pass https://$perehod <https://$perehod/> ;

 

                include /usr/local/etc/nginx/proxy.conf ;

 

        }

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

                root   /var/www/nginx;

        }

 

    }

}

 

Спасибо за ответ.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nginx.org/pipermail/nginx-ru/attachments/20090424/90d82099/attachment.html>


More information about the nginx-ru mailing list