SSL Handshake problems, nginx reverse web proxy.
Nathan
lagern at lafayette.edu
Tue Nov 12 17:07:08 UTC 2013
I am working on setting up an http reverse proxy in front of a
pre-packaged jetty server. The jetty server is a pre-configured
application, and not very flexible.
Here's the quick and dirty. I have nginx configured to listen on 443,
using its own SSL cert. Then behind nginx, I have another server
running this jetty application, with its own cert, on port 9192.
My nginx config looks like this:

    server {
        listen 139.147.165.99:443;
        server_name papercut.dev.lafayette.edu papercut.dev;
        access_log /var/log/nginx/papercut.dev.lafayette.edu_access;
        error_log /var/log/nginx/papercut.dev.lafayette.edu_error debug;
        ssl on;
        ssl_certificate /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
        ssl_certificate_key /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        location / {
            proxy_pass https://printman.dev.lafayette.edu:9192;
        }
    }
If I hit my vhost on https, I get a 502, bad gateway.
The error log reports:

    2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed (SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message) while SSL handshaking to upstream, client: 10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET / HTTP/1.1", upstream: "https://139.147.165.80:9192/", host: "papercut.dev.lafayette.edu"
From what I can tell, this is saying that the SSL connection from my
proxy to my jetty host is failing negotiation.
If I browse directly to the target, on https and port 9192, it works
perfectly.
openssl s_connect from the proxy to the target seems to work ONLY if I
force SSLv3. If I use TLSv1 or SSLv2, it fails. If I use TLSv2 and
use -no_ticket, it works.
I'm wondering if one of these would solve the proxy problem? But how
can I force nginx to use SSLv3, or no ticket, when connecting to its
target?
Thanks!
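For reference, an added example (not the original poster's config and not an official nginx sample) of the same vhost with the client-facing TLS settings tightened and the upstream handshake made explicit through the proxy_ssl_* directives; it assumes an nginx build that provides those directives, and the TLSv1.2 choice for the backend is an assumption to be matched against what the Jetty server actually completes.

```nginx
# Added example, not the original poster's configuration.
# Assumes an nginx build that provides the proxy_ssl_* directives.
server {
    listen 139.147.165.99:443 ssl;          # "listen ... ssl" replaces "ssl on;"
    server_name papercut.dev.lafayette.edu papercut.dev;
    access_log /var/log/nginx/papercut.dev.lafayette.edu_access;
    error_log  /var/log/nginx/papercut.dev.lafayette.edu_error;

    ssl_certificate     /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    # Client side: TLS only (no SSLv3) and no LOW or EXPORT cipher grades,
    # which the original "+LOW:+EXP" string would have permitted.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host            $http_host;

    location / {
        proxy_pass https://printman.dev.lafayette.edu:9192;

        # Upstream side: these directives control the handshake nginx itself
        # starts towards the backend; this is where the protocol version and
        # cipher list offered to Jetty are pinned (assumed value: TLSv1.2).
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_ciphers   HIGH:!aNULL:!MD5;

        # Every proxied connection performs a full handshake instead of
        # resuming a cached upstream session.
        proxy_ssl_session_reuse off;
    }
}
```

If the backend really completes only an SSLv3 handshake, the durable fix belongs on the Jetty side; keeping proxy_ssl_protocols at TLS versions keeps that downgrade out of the proxy.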