NGINX proxy, 502 error while SSL handshaking to upstream

Maxim Dounin mdounin at mdounin.ru
Tue Feb 25 17:03:22 UTC 2014


Hello!

On Tue, Feb 25, 2014 at 04:34:34PM +0100, Juan Matías wrote:

> Hello everyone, I'm new here and this is my first post in this mailing list,
> 
> Maybe this is a frequently answered question but I couldn't find a solution.
> Maybe it is a "layer 8" issue.
> 
> Right now, I have an Nginx (1.0.8) proxy running on Ubuntu 10.04 32-bit,
> OpenSSL 0.9.8, doing an https upstream on port 33195. Here is a piece of the
> nginx.conf file:
> 
> ......
>   location /external_services {
>       proxy_pass  https://x.x.x.x:33195/external_service;
>       allow x.x.x.x;
>       deny all;
>   }
> ......
> 
> 
> It is working, but I need to migrate this proxy to a new server. This new
> server runs Ubuntu 12.04, OpenSSL 1.0.1 and Nginx 1.5.10.
> 
> This server receives an http://myproxy/external_services request and proxies
> it to https://x.x.x.x:33195/external_service; (http to https)
> 
> When I try to access http://myproxy/external_services on the new server, I
> get a 502 error and I see this message in error.log:
> 
>     "peer closed connection in SSL handshake while SSL handshaking to
> upstream"
> 
> I found that I can connect (from the proxy server) to
> https://x.x.x.x:33195/external_service using openssl, doing this:
> 
>     $ openssl s_client -connect https://x.x.x.x:33195/external_service -no_tls1_1
> 
> I tried to disable TLSv1.1 in Nginx using the directive: ssl_protocols
> SSLv3 TLSv1; but nothing changed.

You have to use proxy_ssl_protocols, not ssl_protocols.  See 
http://nginx.org/r/proxy_ssl_protocols.

The proxy_ssl_ciphers directive may help, too, depending on what 
exactly triggers the problem on your backend.

-- 
Maxim Dounin
http://nginx.org/
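
The distinction made in the reply, shown as a configuration sketch. This is an added example, not configuration from either poster; the `listen` line, the `TLSv1` value and the cipher string are assumptions, and `x.x.x.x` is the placeholder used in the original post.

```nginx
# Added example. x.x.x.x and myproxy are the placeholders from the post;
# listen 80 is an assumption based on the http://myproxy/... request URL.
server {
    listen      80;
    server_name myproxy;

    # ssl_protocols controls the TLS versions nginx accepts from clients
    # on an "ssl" listener. It has no influence on the handshake nginx
    # starts towards an upstream, so this line does not fix the 502:
    # ssl_protocols SSLv3 TLSv1;

    location /external_services {
        allow x.x.x.x;
        deny  all;

        proxy_pass https://x.x.x.x:33195/external_service;

        # proxy_ssl_protocols controls the versions nginx offers when it
        # is the TLS client of the upstream (directive available since
        # nginx 1.5.6). Assumption: the backend completes a TLSv1
        # handshake; use the value your own s_client test confirms.
        proxy_ssl_protocols TLSv1;

        # If the backend still closes the connection, restrict the
        # offered cipher list as well. The string below is illustrative.
        # proxy_ssl_ciphers HIGH:!aNULL:!MD5;
    }
}
```

Pinning the upstream connection to an old protocol version is a compatibility workaround for the backend; widen the list again once the backend handles current TLS versions.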


