how to allow apache to control SSL traffic ?

Joydeep Bakshi joydeep.bakshi at netzrezepte.de
Mon Apr 21 09:30:22 UTC 2014


Hello Jonathan,

thanks for your response. Here is the details what I have done so far.

SSL configuration for nginx is as below

server {

 listen 443 ssl;
 server_name   example.com <http://example2.com>;
 gzip on; # Turn on gZip
 gzip_disable msie6;
 gzip_static on;
 gzip_comp_level 9;
 gzip_proxied any;
 gzip_types text/plain text/css application/x-javascript text/xml
application/xml application/xml+rss text/javascript;

ssl_certificate  /etc/apache2/myca/server.crt;
ssl_certificate_key /etc/apache2/myca/ssl.key;

ssl_protocols  SSLv2 SSLv3 TLSv1;
ssl_ciphers  HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers   on;


 location / {
  proxy_redirect off; # Do not redirect this proxy - It needs to be
pass-through
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Server-Address $server_addr;
  proxy_pass_header Set-Cookie;
 proxy_pass https://127.0.0.1:4443;

  }
}

accordingly apache has

Listen 4443
<VirtualHost example.com:4443>
#  General setup for the virtual host

DocumentRoot /srv/www/htdocs/xxx

SSLEngine on
#Here, I am allowing only "high" and "medium" security key lengths.
SSLCipherSuite HIGH:MEDIUM
#Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
#Server Certificate:
SSLCertificateFile /etc/apache2/myca/server.crt
#Server Private Key:
SSLCertificateKeyFile /etc/apache2/myca/ssl.key
# Server Certificate Chain
SSLCertificateChainFile /etc/apache2/myca/ssl.crt

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

DirectoryIndex index.php

<Directory "/srv/www/htdocs/xxxi/">
Options Indexes FollowSymLinks MultiViews
AllowOverride ALL
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>


but when try to access SSL , nginx error.log shows

*453 SSL_do_handshake() failed (SSL: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to
upstream

Hope the info help

Thanks


On Mon, Apr 21, 2014 at 2:18 PM, Jonathan Matthews
<contact at jpluscplusm.com>wrote:

> On 21 Apr 2014 07:01, "Joydeep Bakshi" <joydeep.bakshi at netzrezepte.de>
> wrote:
> >
> > Hello list,
> >
> > My apache vhosts are configured to take care of SSL connections. I have
> installed  nginix as http accelerator. How can I instruct nginx to pass all
> SSL request to apache SSL vhost ?
>
> Most simply, try stopping nginx listening on port 443 and make apache
> listen on 443.
>
> If you want more advanced suggestions than that, you'll probably have to
> explain what you're trying to do in more detail.
>
> J
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20140421/ac861856/attachment-0001.html>


More information about the nginx mailing list