SSL renegotiation problem using nginx as reverse proxy to apache
sean_at_stitcher
nginx-forum at nginx.us
Fri Apr 4 00:57:24 UTC 2014
My goal is end-to-end encryption of multiple domains using nginx as a
reverse proxy to load balance to multiple backends. Both nginx and apache
use the same wildcard cert, e.g. *.domain.com.
The first request to https://abc.domain.com/ works as expected, but a call
to https://xyz.domain.com produces the following debug output in the apache
logs:
[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for
child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client
10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection
re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client
10.0.0.115] Performing full renegotiation: complete handshake protocol
(client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting
re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation
handshake failed: Not accepted by client!?
with the following in the nginx log:
2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110:
Connection timed out) while reading response header from upstream, client:
10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1",
upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive
connection
My nginx config looks like this:
http {
    # Header settings - Keep as much original as possible
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-HTTPS on;
    upstream svhostcluster {
        server web1.domain.com:443 max_fails=5 fail_timeout=10s;
        server web2.domain.com:443 max_fails=5 fail_timeout=10s;
        least_conn;
    }
    include /etc/nginx/conf.d/*.conf;
}
and /etc/nginx/conf.d/servers.conf
ssl_certificate_key /etc/pki/tls/private/wildcard.priv.domain.pem;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;
server {
    listen *:443;
    server_name abc.domain.com;
    access_log /var/log/nginx/abc.domain.access.log;
    access_log /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
    error_log /var/log/nginx/sabc.domain.errors.log debug;
    ssl on;
    location / {
        proxy_pass https://svhostcluster;
    }
}
server {
    listen *:443;
    server_name xyz.domain.com;
    access_log /var/log/nginx/xyz.domain.access.log;
    access_log /var/log/nginx/xyz.domain.access.log upstreamlog;
    error_log /var/log/nginx/xyz.domain.errors.log debug;
    ssl on;
    location / {
        proxy_pass https://svhostcluster;
    }
}
On the apache side, here is the ssl.conf:
LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443
SSLStrictSNIVHostCheck off
<VirtualHost *:443>
    ServerName abc.domain.com
    DocumentRoot "/var/www/abc/html"
    LogLevel debug
    ErrorLog logs/abc_ssl_error_log
    CustomLog logs/abc_ssl_access_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
    SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt
    <Directory "/var/www/abc/html">
        Options FollowSymLinks
        AllowOverride All
        RewriteEngine On
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    ServerName xyz.domain.com
    DocumentRoot "/var/www/xyz/html"
    LogLevel debug
    ErrorLog logs/xyz_ssl_error_log
    CustomLog logs/xyz_ssl_access_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
    SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt
    <Directory "/var/www/xyz/html">
        Options FollowSymLinks
        AllowOverride All
        RewriteEngine On
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
I'm not sure I understand why apache wants to renegotiate with nginx, nor
why nginx doesn't seem to want to do it (despite apache thinking it can.)
Can anyone help?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,248982,248982#msg-248982
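
An added example, not part of the original post: a small log correlator that pairs each mod_ssl "will force renegotiation" line with the later failure for the same client and matches it to nginx upstream timeouts logged in the same second. The log text is the post's own, unwrapped to one event per line; the function names and regular expressions are assumptions made for this sketch.

```python
import re
from datetime import datetime

# Log lines from the post above, unwrapped to one event per line.
APACHE_LOG = """\
[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?
"""
NGINX_LOG = """\
2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
"""
A_LINE = re.compile(r"^\[([^\]]+)\] \[\w+\] .*?\[client ([\d.]+)\] (.*)$")
N_LINE = re.compile(r"^(\S+ \S+) \[error\] .*upstream timed out.*server: ([^,]+),")

def failed_renegotiations(apache_log):
    """Pair each 'will force renegotiation' line with the later failure for that client."""
    pending, failed = {}, []
    for line in apache_log.splitlines():
        m = A_LINE.match(line)
        if not m:
            continue  # line carries no [client ...] field
        ts = datetime.strptime(m[1], "%a %b %d %H:%M:%S %Y")
        client, msg = m[2], m[3]
        if msg.endswith("will force renegotiation"):
            pending[client] = (ts, msg.rsplit(" will force", 1)[0])
        elif msg.startswith("Re-negotiation handshake failed") and client in pending:
            start, reason = pending.pop(client)
            failed.append({"client": client, "reason": reason, "failed_at": ts,
                           "stalled_s": int((ts - start).total_seconds())})
    return failed

def correlate(apache_log, nginx_log):
    """Attach nginx upstream timeouts logged in the same second as each failure."""
    timeouts = {}
    for line in nginx_log.splitlines():
        m = N_LINE.match(line)
        if m:
            ts = datetime.strptime(m[1], "%Y/%m/%d %H:%M:%S")
            timeouts.setdefault(ts, []).append(m[2])
    events = failed_renegotiations(apache_log)
    for ev in events:
        ev["nginx_timeouts"] = timeouts.get(ev["failed_at"], [])
    return events
```

On the post's logs, `correlate(APACHE_LOG, NGINX_LOG)` reports one failed renegotiation for client 10.0.0.115 that stalled for 60 seconds and coincides with the nginx upstream timeout for xyz.domain.com.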