Proxying to older apache fails

Maxim Dounin mdounin at mdounin.ru
Fri Apr 24 11:45:21 UTC 2015


Hello!

On Fri, Apr 24, 2015 at 01:27:43AM -0400, sporkman wrote:

> I'm trying to keep an old apache install limping along for a few more months
> by letting nginx handle the SSL connection between site visitors and
> apache.
> 
> I have a pretty simple config on the nginx side for the proxy_pass config:
> 
> location / {
>     proxy_pass https://foo.i.example.com;
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_send_timeout 360;
>     proxy_read_timeout 360;
> }
> 
> I see the request hit the apache side, and with some debugging enabled, I'm
> able to get some detail:
> 
> [Fri Apr 24 01:21:48 2015] [info] Initial (No.1) HTTPS request received for child 6 (server signup.biglist.com:443)
> [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): [client 10.99.88.59] Reconfigured cipher suite will force renegotiation
> [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting connection re-negotiation
> [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(750): [client 10.99.88.59] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
> [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Awaiting re-negotiation handshake
> [Fri Apr 24 01:22:18 2015] [error] [client 10.99.88.59] Re-negotiation handshake failed: Not accepted by client!?
> 
> This is nginx 1.6.2, OpenSSL 1.0.1m and Apache 2.2.25, OpenSSL 0.9.8y
> 
> Relevant apache config:
> 
> SSLEngine On
> SSLVerifyClient none (tried with and without this)
> SSLInsecureRenegotiation off  (tried with and without this)
> SSLStrictSNIVHostCheck off  (tried with and without this)
> SSLProtocol ALL -SSLv2
> SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
> 
> I've also tried forcing a TLSv1 and a single cipher on the nginx side,
> thinking that might somehow simplify things, but no difference.
> 
> Any ideas?

You have to configure Apache in a way which won't force 
renegotiation.  In particular, avoid configuring ciphers in 
virtual hosts - note "Reconfigured cipher suite will force 
renegotiation" in Apache logs.

-- 
Maxim Dounin
http://nginx.org/
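The Apache-side change Maxim describes, written out as an added example (it is not configuration from either poster). The hostname, certificate and key paths are assumptions for illustration. The first fragment reproduces the failing shape: the cipher policy lives inside the virtual host that the request is routed to, so when the TLS session was set up under a different (default) vhost, mod_ssl sees a "reconfigured cipher suite" for the request and demands a renegotiation, which the nginx upstream client does not perform. The second fragment moves the protocol and cipher policy to server scope, where every SSL vhost inherits the same values and there is nothing left to reconfigure.

```apache
# Before (forces renegotiation): SSLCipherSuite is set per virtual host.
# A proxy that does not send SNI (nginx 1.6.2 has no proxy_ssl_server_name;
# that directive appeared in 1.7.0) negotiates TLS against the default vhost,
# then the Host header selects this vhost, whose cipher policy differs.
<VirtualHost *:443>
    ServerName foo.i.example.com                    # assumed name
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/foo.crt   # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl/foo.key   # assumed path
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    DocumentRoot /var/www/foo                       # assumed path
</VirtualHost>

# After (no renegotiation): protocol and cipher policy stated once at server
# (global) scope. No SSLCipherSuite, SSLVerifyClient or SSLProtocol inside any
# <VirtualHost>, <Location> or <Directory>, so the policy negotiated on the
# connection is already the policy of the vhost that serves the request.
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLInsecureRenegotiation off
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName foo.i.example.com                    # assumed name
    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/foo.crt   # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl/foo.key   # assumed path
    DocumentRoot /var/www/foo                       # assumed path
</VirtualHost>
```

The same check applies to any second SSL vhost on the box and to per-location overrides: if two scopes that can serve the same connection carry different SSLCipherSuite or SSLVerifyClient settings, mod_ssl 2.2 will ask for a renegotiation to switch between them. After reloading, the "Reconfigured cipher suite will force renegotiation" line should no longer appear in the Apache error log for requests arriving from the nginx IP.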
