Help with ssl_write() failed issue on nginx

adhprash nginx-forum at
Fri Mar 18 17:00:50 UTC 2022

Please find below output from nginx -t
nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log info; # CIS 3.3 Ensure error logging is
enabled and set to the info logging level (Scored)
pid /run/;
include /usr/share/nginx/modules/*.conf;

worker_rlimit_nofile 8192;
events {
worker_connections 4096;

http {

sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_max_size 2048;
server_tokens off; # CIS 2.5.1 Ensure server_tokens directive is set to
'off' (Scored)
keepalive_timeout 0; # CIS 2.4.3 Ensure keepalive_timeout is 10 seconds or
less, but not 0 (Scored)
send_timeout 60; # CIS 2.4.4 Ensure send_timeout is set to 10 seconds or
less, but not 0 (Scored)

# 3.1 Ensure detailed logging is enabled (Not Scored)
log_format main 'time_local="$time_local" server="$server_name" host="$host"
dest_port="$server_port" http_status="$status" '
'src="$remote_addr" ip="$realip_remote_addr" user="$remote_user" '
'http_referer="$http_referer" http_user_agent="$http_user_agent" '
'http_x_forwarded_for="$http_x_forwarded_for" '
'http_x_header="$http_x_header" uri_query="$query_string" uri_path="$uri" '
client_Issuer_DN="$ssl_client_i_dn" '
'client_DN="$ssl_client_s_dn" end_date_client_cert="$ssl_client_v_end" '
thumbrint_sha1="$ssl_client_fingerprint" '
'client_verification_status="$ssl_client_verify" '
'request=$request http_method="$request_method"';

include /etc/nginx/mime.types;
default_type application/octet-stream;

ssl_protocols TLSv1.2; # CIS 4.1.4 Ensure only modern TLS protocols are used
ssl_prefer_server_ciphers on;

access_log /var/log/nginx/access.log main; # 3.2 Ensure access logging is
enabled (Scored)
error_log /var/log/nginx/error.log info;

gzip off; # CIS 2.1.3 Ensure modules with gzip functionality are disabled

map $ssl_client_s_dn $partner_id {
default $ssl_client_s_dn;


include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

# configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml mml;
text/plain txt;
text/ jad;
text/vnd.wap.wml wml;
text/x-component htc;

image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;

font/woff woff;
font/woff2 woff2;

application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/ m3u8;
application/ kml;
application/ kmz;
application/ xls;
application/ eot;
application/ ppt;
application/ odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;

application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;

audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;

video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;

# configuration file /etc/nginx/sites-enabled/default:

server {
listen 443 ssl http2 default_server; # CIS 4.1.14 Ensure HTTP/2.0 is used
(Not Scored)
server_name _;

client_max_body_size 1000m;
client_body_timeout 120;
client_header_timeout 120;

large_client_header_buffers 4 8k;

ssl_dhparam /etc/nginx/ssl/dhparam.pem; # CIS 4.1.6 Ensure custom
Diffie-Hellman parameters are used (Scored)
ssl_certificate "/path/to/certificate/";
ssl_certificate_key "/path/to/key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
ssl_client_certificate "/path/to/mtls_cert";
ssl_verify_client on;
ssl_verify_depth 10;
ssl_crl "/path/to/crl";
ssl_session_tickets off;

underscores_in_headers on;

add_header Strict-Transport-Security "max-age=15768000;"; # 4.1.8 Ensure
HTTP Strict Transport Security (HSTS) is enabled (Scored)

location / {
rewrite "^.*$" break;

if ($ssl_client_verify != SUCCESS) {
return 403;
proxy_ignore_client_abort on;
proxy_ssl_protocols TLSv1.2;
proxy_ssl_ciphers ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4;

proxy_hide_header X-Powered-By;
proxy_hide_header Server;

proxy_set_header Host $host;
proxy_set_header partner-id $partner_id;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;

proxy_pass https://alb-name/path;
proxy_read_timeout 120;

proxy_pass_request_headers on;

Posted at Nginx Forum:,293852,293854#msg-293854

More information about the nginx mailing list