Proxying to older apache fails
sporkman
nginx-forum at nginx.us
Fri Apr 24 17:09:00 UTC 2015
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Fri, Apr 24, 2015 at 01:27:43AM -0400, sporkman wrote:
>
> > I'm trying to keep an old apache install limping along for a few
> more months
> > by letting nginx handle the SSL connection between site visitors and
> > apache.
> >
> > I have a pretty simple config on the nginx side for the proxy_pass
> config;
> >
> > location / {
> > proxy_pass https://foo.i.example.com;
> > proxy_set_header Host $host;
> > proxy_set_header X-Real-IP
> $remote_addr;
> > proxy_send_timeout 360;
> > proxy_read_timeout 360;
> > }
> >
> > I see the request hit the apache side, and with some debugging
> enabled, I'm
> > able to get some detail:
> >
> > [Fri Apr 24 01:21:48 2015] [info] Initial (No.1) HTTPS request
> received for
> > child 6 (server signup.biglist.com:443)
> > [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): [client
> > 10.99.88.59] Reconfigured cipher suite will force renegotiation
> > [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting
> connection
> > re-negotiation
> > [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(750): [client
> > 10.99.88.59] Performing full renegotiation: complete handshake
> protocol
> > (client does support secure renegotiation)
> > [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Awaiting
> > re-negotiation handshake
> > [Fri Apr 24 01:22:18 2015] [error] [client 10.99.88.59]
> Re-negotiation
> > handshake failed: Not accepted by client!?
> >
> > This is nginx 1.6.2, OpenSSL 1.0.1m and Apache 2.2.25, OpenSSL
> 0.9.8y
> >
> > Relevant apache config:
> >
> > SSLEngine On
> > SSLVerifyClient none (tried with and without this)
> > SSLInsecureRenegotiation off (tried with and without this)
> > SSLStrictSNIVHostCheck off (tried with and without this)
> > SSLProtocol ALL -SSLv2
> > SSLCipherSuite
> ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
> >
> > I've also tried forcing a TLSv1 and a single cipher on the nginx
> side,
> > thinking that might somehow simplify things, but no difference.
> >
> > Any ideas?
>
> You have to configure Apache in a way which won't force
> renegotiation. In particular, avoid configuring ciphers in
> virtual hosts - note "Reconfigured cipher suite will force
> renegotiation" in Apache logs.
That was too simple. :) Thanks so much.
I kept finding this thread and thinking a much more complicated issue was
going on:
http://forum.nginx.org/read.php?2,248982,248982
I removed all overrides and nginx and apache are happily talking ssl to each
other.
Thanks again,
Charles
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,258341,258365#msg-258365
More information about the nginx
mailing list