SSL renegotiation probelm using nginx as reverse proxy to apache

sean_at_stitcher nginx-forum at nginx.us
Fri Apr 4 00:57:24 UTC 2014 

My goal is end-to-end encryption of multiple domains using nginx as a
reverse proxy to load balance to multiple backends.  Both nginx and apache
use the same wildcard cert, eg *.domain.com.

The first request to https://abc.domain.com/ works as expected, but a call
to https://xyz.domain.com produces the following debug output in the apache
logs:

[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for
child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client
10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection
re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client
10.0.0.115] Performing full renegotiation: complete handshake protocol
(client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting
re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation
handshake failed: Not accepted by client!?

with the following in the nginx log:

2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110:
Connection timed out) while reading response header from upstream, client:
10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1",
upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive
connection

My nginx config looks like this:

http {

    # Header settings - Keep as much original as possible
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  Host       $host;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-HTTPS on;

    upstream svhostcluster {
       server web1.domain.com:443 max_fails=5 fail_timeout=10s;
       server web2.domain.com:443 max_fails=5 fail_timeout=10s;
       least_conn;
    }
    include /etc/nginx/conf.d/*.conf;
}

and /etc/nginx/conf.d/servers.conf

ssl_certificate_key  /etc/pki/tls/private/wildcard.priv.domain.pem;

ssl_session_timeout  5m;

ssl_protocols  SSLv3 TLSv1;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers   on;

server {
    listen *:443;
    server_name abc.domain.com;
    access_log   /var/log/nginx/abc.domain.access.log;
    access_log   /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
    error_log   /var/log/nginx/sabc.domain.errors.log debug;

    ssl                  on;

    location / {
    	proxy_pass  https://svhostcluster;
    }
}

server {
    listen *:443;
    server_name xyz.domain.com;
    access_log   /var/log/nginx/xyz.domain.access.log;
    access_log   /var/log/nginx/xyz.domain.access.log upstreamlog;
    error_log   /var/log/nginx/xyz.domain.errors.log debug;

    ssl                  on;

    location / {
    	proxy_pass  https://svhostcluster;
    }
}

on the apache side, here is the ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
	ServerName abc.domain.com
	DocumentRoot "/var/www/abc/html"

	LogLevel debug
	ErrorLog logs/abc_ssl_error_log
	CustomLog logs/abc_ssl_access_log \
			  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	SSLEngine on
	SSLProtocol all -SSLv2
	SSLHonorCipherOrder On
	SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
	SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
	SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
	SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
	SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

	<Directory "/var/www/abc/html">
		Options FollowSymLinks
		AllowOverride All
		RewriteEngine On
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost> 

<VirtualHost *:443>
	ServerName xyz.domain.com
	DocumentRoot "/var/www/xyz/html"

	LogLevel debug
	ErrorLog logs/xyz_ssl_error_log
	CustomLog logs/xyz_ssl_access_log \
			  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	SSLEngine on
	SSLProtocol all -SSLv2
	SSLHonorCipherOrder On
	SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
	SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
	SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
	SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
	SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

	<Directory "/var/www/xyz/html">
		Options FollowSymLinks
		AllowOverride All
		RewriteEngine On
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost> 

I'm not sure I understand why apache wants to renegotiate with nginx, nor
why nginx doesn't seem to want to do it (despite apache thinking it can.) 
Can anyone help?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,248982,248982#msg-248982

More information about the nginx mailing list