how to allow apache to control SSL traffic ?
Joydeep Bakshi
joydeep.bakshi at netzrezepte.de
Mon Apr 21 09:30:22 UTC 2014
Hello Jonathan,
Thanks for your response. Here are the details of what I have done so far.
SSL configuration for nginx is as below
server {
    listen 443 ssl;
    server_name example.com;
    gzip on; # Turn on gZip
    gzip_disable msie6;
    gzip_static on;
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_types text/plain text/css application/x-javascript text/xml
               application/xml application/xml+rss text/javascript;
    ssl_certificate /etc/apache2/myca/server.crt;
    ssl_certificate_key /etc/apache2/myca/ssl.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off; # Do not redirect this proxy - It needs to be pass-through
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Server-Address $server_addr;
        proxy_pass_header Set-Cookie;
        proxy_pass https://127.0.0.1:4443;
    }
}
accordingly apache has
Listen 4443
<VirtualHost example.com:4443>
    # General setup for the virtual host
    DocumentRoot /srv/www/htdocs/xxx
    SSLEngine on
    #Here, I am allowing only "high" and "medium" security key lengths.
    SSLCipherSuite HIGH:MEDIUM
    #Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
    SSLProtocol all -SSLv2
    #Server Certificate:
    SSLCertificateFile /etc/apache2/myca/server.crt
    #Server Private Key:
    SSLCertificateKeyFile /etc/apache2/myca/ssl.key
    # Server Certificate Chain
    SSLCertificateChainFile /etc/apache2/myca/ssl.crt
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    DirectoryIndex index.php
    <Directory "/srv/www/htdocs/xxxi/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride ALL
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
but when I try to access SSL, nginx error.log shows
*453 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream
Hope the info helps
Thanks
On Mon, Apr 21, 2014 at 2:18 PM, Jonathan Matthews <contact at jpluscplusm.com> wrote:
> On 21 Apr 2014 07:01, "Joydeep Bakshi" <joydeep.bakshi at netzrezepte.de>
> wrote:
> >
> > Hello list,
> >
> > My apache vhosts are configured to take care of SSL connections. I have
> > installed nginx as http accelerator. How can I instruct nginx to pass all
> > SSL requests to apache SSL vhost?
>
> Most simply, try stopping nginx listening on port 443 and make apache
> listen on 443.
>
> If you want more advanced suggestions than that, you'll probably have to
> explain what you're trying to do in more detail.
>
> J
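
Added example, not part of the original post: OpenSSL reports "unknown protocol" in SSL23_GET_SERVER_HELLO when the first bytes of the upstream's reply do not parse as an SSL/TLS record, so a quick check is to send a ClientHello to the proxy_pass target and look at what comes back. The function names and sample replies below are constructed for illustration; only the address 127.0.0.1:4443 comes from the configuration above.

```python
import os
import socket
import struct

# Constructed sample replies, not captured from the poster's servers.
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])
SAMPLE_HTTP_09 = b"<!DOCTYPE HTML PUBLIC ...><title>400 Bad Request</title>"


def build_client_hello() -> bytes:
    """Minimal TLS 1.0 ClientHello, enough to make a TLS listener answer."""
    suites = struct.pack("!3H", 0x002F, 0x0035, 0x000A)  # AES128, AES256, 3DES
    body = (b"\x03\x01" + os.urandom(32)             # client_version, random
            + b"\x00"                                # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                           # one compression: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back after a ClientHello."""
    if not data:
        return "no-reply"
    # TLS record: content type alert (0x15) or handshake (0x16), major 3.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    # A plain-HTTP vhost answers garbage with a 400, sometimes as bare HTML.
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a ClientHello to host:port and report what kind of reply arrives."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            return classify_reply(sock.recv(64))
        except (socket.timeout, ConnectionResetError):
            return "no-reply"


if __name__ == "__main__":
    # 127.0.0.1:4443 is the proxy_pass target from the nginx config above.
    print(probe("127.0.0.1", 4443))
```

A result of "plaintext-http" means the listener that accepted the connection on that address is not speaking TLS, so the SSL-enabled virtual host is not the one answering.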