Proxying to older apache fails

sporkman nginx-forum at nginx.us
Fri Apr 24 17:09:00 UTC 2015


Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Fri, Apr 24, 2015 at 01:27:43AM -0400, sporkman wrote:
> 
> > I'm trying to keep an old apache install limping along for a few more months
> > by letting nginx handle the SSL connection between site visitors and
> > apache.
> > 
> > I have a pretty simple config on the nginx side for the proxy_pass config;
> > 
> > location / {
> >     proxy_pass https://foo.i.example.com;
> >     proxy_set_header        Host    $host;
> >     proxy_set_header        X-Real-IP  $remote_addr;
> >     proxy_send_timeout      360;
> >     proxy_read_timeout      360;
> > }
> > 
> > I see the request hit the apache side, and with some debugging enabled, I'm
> > able to get some detail:
> > 
> > [Fri Apr 24 01:21:48 2015] [info] Initial (No.1) HTTPS request received for child 6 (server signup.biglist.com:443)
> > [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): [client 10.99.88.59] Reconfigured cipher suite will force renegotiation
> > [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting connection re-negotiation
> > [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(750): [client 10.99.88.59] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
> > [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Awaiting re-negotiation handshake
> > [Fri Apr 24 01:22:18 2015] [error] [client 10.99.88.59] Re-negotiation handshake failed: Not accepted by client!?
> > 
> > This is nginx 1.6.2, OpenSSL 1.0.1m and Apache 2.2.25, OpenSSL 0.9.8y
> > 
> > Relevant apache config:
> > 
> > SSLEngine On
> > SSLVerifyClient none (tried with and without this)
> > SSLInsecureRenegotiation off  (tried with and without this)
> > SSLStrictSNIVHostCheck off  (tried with and without this)
> > SSLProtocol ALL -SSLv2
> > SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
> > 
> > I've also tried forcing a TLSv1 and a single cipher on the nginx side,
> > thinking that might somehow simplify things, but no difference.
> > 
> > Any ideas?
> 
> You have to configure Apache in a way which won't force 
> renegotiation.  In particular, avoid configuring ciphers in 
> virtual hosts - note "Reconfigured cipher suite will force 
> renegotiation" in Apache logs.

That was too simple. :)  Thanks so much.

I kept finding this thread and thinking a much more complicated issue was
going on:

http://forum.nginx.org/read.php?2,248982,248982

I removed all overrides and nginx and apache are happily talking ssl to each
other.

Thanks again,

Charles

>
> -- 
> Maxim Dounin
> http://nginx.org/
> 

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,258341,258365#msg-258365
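
Added example, not part of the original thread and not code from nginx or Apache: a small audit that lists SSLCipherSuite directives set inside <VirtualHost> or nested sections of an Apache config (the override the reply above says to avoid) and pulls the affected client IPs from mod_ssl debug logs. The sample config, the /var/www/private path and both function names are constructed for illustration; the log line is the one quoted in the thread, re-joined.

```python
import re

SECTION_OPEN = re.compile(r"<\s*([A-Za-z]+)\b([^>]*)>")
SECTION_CLOSE = re.compile(r"</\s*[A-Za-z]+\s*>")
# mod_ssl debug message shown in the thread's Apache log.
LOG_MARKER = "Reconfigured cipher suite will force renegotiation"

# Constructed sample config (hostname and cipher string reused from the thread).
SAMPLE_CONF = """\
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:MEDIUM
<VirtualHost *:443>
    ServerName foo.i.example.com
    SSLEngine On
    # per-vhost override
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    <Directory /var/www/private>
        SSLCipherSuite HIGH
    </Directory>
</VirtualHost>
"""

SAMPLE_LOG = (
    "[Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): "
    "[client 10.99.88.59] Reconfigured cipher suite will force renegotiation\n"
)

def find_scoped_cipher_overrides(conf_text):
    """Return (line_no, enclosing_sections, directive) for each SSLCipherSuite
    found inside a <...> section; server-level directives are not reported."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        if stack and line.lower().split()[:1] == ["sslciphersuite"]:
            findings.append((no, " > ".join(stack), line))
    return findings

def clients_forced_to_renegotiate(log_text):
    """Return sorted client IPs from log lines carrying LOG_MARKER."""
    pattern = r"\[client ([\d.]+)\] " + re.escape(LOG_MARKER)
    return sorted(set(re.findall(pattern, log_text)))
```

The audit reads one file as text and does not follow Include directives or backslash line continuations, so run it over each included file separately.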


