Issues Adding SSL Certificate & Couple of Questions

Posted by bzowk 
Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 04:06PM
Hey Guys -

I've been wanting to set up a Reverse Proxy for my hosted apps for a while now and, after reading an article about Nginx yesterday, decided to give it a shot. The only part I have questions about & am getting errors with is adding my own purchased SSL cert.

I purchased my SSL from GoDaddy based on a key I generated on the host computer and it has the same domain name as what I'd use with Nginx. I have even added a record in my router to forward local requests for my domain name to the server's local IP. I know the SSL crt / key combination works as I'm currently using it for many hosted services on the system.

I added the SSL cert by copying the two files (crt & key) to the nginx folder, then adding 3 lines below the "listen" line in the conf file. Below are the added lines plus the lines that come before & after them:
-----------------------------------------------------------------
listen 443;

ssl on;
ssl_certificate C:\nginx-1.6.2\kelnet.crt;
ssl_certificate_key C:\nginx-1.6.2\myserver.key;

server_name mydomain.com, 192.168.0.25;
-----------------------------------------------------------------

After saving the conf file, I started Nginx, but it didn't work. I checked the logs and the error.log lists these 3 lines:
-----------------------------------------------------------------
2014/12/29 14:57:00 [emerg] 53236#50624: BIO_new_file("C:
ginx-1.6.2\kelnet.crt") failed (SSL: error:0200107B:system library:fopen:Unknown error:fopen('C:
ginx-1.6.2\kelnet.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)
-----------------------------------------------------------------

After getting the error, I installed OpenSSL (Win32 OpenSSL v1.0.1j Light specifically) but still got the same error. I'm running everything on Windows 8.1 x64 (Fully Patched.)

Questions
1. What am I doing incorrectly / what's causing the error?

2. Since the sites I'm redirecting to use SSL and require a logon, does that change the way I configure their redirection in the conf file? I'm currently using the below code:
-----------------------------------------------------------------
location /myapp {
    proxy_pass https://mynetwork.com:9898;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
-----------------------------------------------------------------

3. If I wanted to use a port other than 443 when using SSL, would it be as easy as changing it on the listening line or is further config required?

Any help would be greatly appreciated - Thanks!!
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 04:21PM
Get prove04.zip from http://nginx-win.ecsds.eu/
and have a look at the *.conf files and the ssl localhost test files.
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 04:29PM
Thanks for the fast reply...

I'm downloading and taking a look now. Post update soon - Thanks again!
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 04:41PM
OK, so I downloaded, extracted, and took a look at the conf file. I copied every line which had "ssl" in it, pasted it into my conf file, then made the following changes:
- Removed "spdy" from listening line
- Changed path+file name for .crt & .key

I saved and tried again, but am still getting the exact same error!

After my initial post, I tried a few more things. Using the installed OpenSSL x32, I verified that the crt and key were good. I also used OpenSSL to convert my crt to a pem file and tried using it in the conf file. However, I get the same error no matter what...

When I copy / paste the conf file, the spacing is a bit different. Does that matter? Below is a paste of my current conf file (at least the part I'm working with) and attached is a screenshot. Any more ideas? Thanks!!

#keepalive_timeout 0;
keepalive_timeout 65;
ssl_session_cache shared:SSL:10m;
#gzip on;

server {
listen 443 ssl;
server_name mydomain.com;
ssl_certificate C:\nginx-1.6.2\kelnet.crt;
ssl_certificate_key C:\nginx-1.6.2\myserver.key;
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS;


#charset koi8-r;

#access_log logs/host.access.log main;


Thanks again!
Attachments: SSL.png (23.3 KB)
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 05:02PM
Try the example localhost files, do they give the same error?

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 05:21PM
OK - I tried copying over & using the conf file, but had to rename it to nginx.conf first (to match what I was using.) When running it, I kept getting errors that files / modules couldn't be found. I ended up copying the entire "tconf" folder over, renaming it to "conf", then performing a find/replace from "tconf" to "conf" in the config file. Still can't get it to work without showing an error related to versions.

Are we talking about / am I using the same version of Nginx that you are referring to? I'm using 1.6.2 which I got from a link on another site but found there's also one for Windows (Gryphon) which I haven't tried yet. Even with it, there isn't a tconf folder.

Sorry for all the questions - just trying to see what I'm doing wrong.

Thanks!

UPDATE

I downloaded nginx-1.7.9.1-Gryphon and made the following changes:
- Edited its conf file with my SSL info
- Saved conf file as nginx.conf
- Ran "nginx.exe"

It didn't write anything to a log file, but echoed the same error in the command prompt. Below's where I ran the exe followed by its echo...

C:\nginx-1.7.9.1-Gryphon>nginx
nginx: [emerg] BIO_new_file("C:
ginx-1.7.9.1-Gryphon\kelnet.crt") failed (SSL: error:0200107B:system library:fopen:Unknown error:fopen('C:
ginx-1.7.9.1-Gryphon\kelnet.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)



Edited 1 time(s). Last edit at 12/29/2014 05:28PM by bzowk.
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 06:01PM
The error tells you it can't find the files; you are using a backslash while it should be a slash, e.g.:
ssl_certificate ./tconf/localhost-prove.cert;
ssl_certificate_key ./tconf/localhost-prove.key;

ssl_certificate C:/nginx......../kelnet.crt;
ssl_certificate_key C:/nginx......../myserver.key;

Windows (Gryphon) comes with a /conf folder, the /tconf folder is part of a test suite.

---
nginx for Windows http://nginx-win.ecsds.eu/
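
The error text quoted earlier in the thread shows `C:` followed by a line break and then `ginx-1.6.2\kelnet.crt`: the `\n` in `C:\nginx` was read by the config parser as a newline escape, which is why forward slashes fix it. The following is an added example, not code from the thread or from the nginx project; it models that escape handling (the escape table is an assumption based on the behaviour visible in the log) and flags certificate paths that would be altered, using a sample config constructed from the lines posted above.

```python
import re

# Escape sequences rewritten inside a config parameter (assumption: modelled
# on the behaviour visible in the thread's error log, where "C:\nginx" was
# opened as "C:<newline>ginx" while "\k" was left untouched).
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "'": "'"}

PATH_DIRECTIVES = ("ssl_certificate", "ssl_certificate_key")


def nginx_unescape(token: str) -> str:
    """Return the string the server would actually use for a config token."""
    out, i = [], 0
    while i < len(token):
        ch = token[i]
        if ch == "\\" and i + 1 < len(token) and token[i + 1] in _ESCAPES:
            out.append(_ESCAPES[token[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_mangled_paths(conf_text: str):
    """Return (line_no, directive, written, effective) for paths that change."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*(\w+)\s+(.+?);\s*$", line)
        if not m or m.group(1) not in PATH_DIRECTIVES:
            continue
        written = m.group(2).strip("\"'")
        effective = nginx_unescape(written)
        if effective != written:
            findings.append((no, m.group(1), written, effective))
    return findings


# Constructed sample: the backslash and forward-slash styles from the thread.
SAMPLE = r"""
listen 443 ssl;
ssl_certificate C:\nginx-1.6.2\kelnet.crt;
ssl_certificate_key C:\nginx-1.6.2\myserver.key;
ssl_certificate C:/nginx-1.6.2/kelnet.crt;
"""

if __name__ == "__main__":
    for no, name, written, effective in find_mangled_paths(SAMPLE):
        print(f"line {no}: {name} {written!r} is read as {effective!r}")
```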
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 06:46PM
Thanks!

That actually makes sense. I changed the slashes to forward ones and tried to start Nginx again. The good news is that I didn't get the errors again. The bad news is that I got a different error:

C:\nginx-1.6.2>nginx
nginx: [emerg] PEM_read_bio_X509_AUX("C:/nginx-1.6.2/kelnet.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:
no start line:Expecting: TRUSTED CERTIFICATE)

ARGH!

I tried adding the below 3 lines from the other conf file, but still had the same issue.
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!eNULL:!MD5:!DSS;

It must be something simple like the previous issue. Any idea what this one is? Thanks again!

UPDATE

I tried using the PEM file instead of the CRT one and the error didn't appear. However, it still didn't work. There wasn't a command line echo so I looked in the log file and found this:
2014/12/29 17:49:37 [emerg] 3468#53652: shared zone "SSL" has no equal addresses: 02E70000 vs 02C30000
2014/12/29 17:49:37 [alert] 52896#41692: worker process 3468 exited with code 1

Researching now - Thoughts?



Edited 1 time(s). Last edit at 12/29/2014 06:50PM by bzowk.
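
The "no start line" error above means OpenSSL found no `-----BEGIN` line in the file, and the post reports that the PEM conversion loaded without it. The following is an added example, not code from the thread; it assumes the original `.crt` was DER-encoded (the thread does not say), classifies certificate bytes as PEM or DER, and converts DER to PEM with the standard library. The sample bytes are constructed and stand in for a real certificate.

```python
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def der_sequence_length(data: bytes):
    """Return the total encoded length if data starts with a DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_cert(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    # The BEGIN marker must start a line; trailing whitespace is tolerated.
    if any(line.rstrip() == PEM_BEGIN for line in data.splitlines()):
        return "pem"
    if der_sequence_length(data) == len(data):
        return "der"
    return "unknown"


def ensure_pem(data: bytes) -> bytes:
    """Return PEM bytes, converting from DER when necessary."""
    kind = classify_cert(data)
    if kind == "pem":
        return data
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data).encode("ascii")
    raise ValueError("not a PEM or DER certificate")


# Constructed sample: a 4-byte DER SEQUENCE standing in for a certificate.
SAMPLE_DER = bytes([0x30, 0x02, 0x05, 0x00])

if __name__ == "__main__":
    print(classify_cert(SAMPLE_DER))
    print(ensure_pem(SAMPLE_DER).decode("ascii"))
```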
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 06:53PM
WAIT - Figured it out - It finally works!

I found out that the proxy cache line was still in there. I commented it out, saved, and tried and it worked. Hopefully, it's not something I'll need :)

Thanks Guys!
Re: Issues Adding SSL Certificate & Couple of Questions
December 29, 2014 06:56PM
> shared zone "SSL" has no equal addresses:

That's one of the many limitations of the default Windows nginx version; use the one from http://nginx-win.ecsds.eu/ and you can use everything and at full speed.

---
nginx for Windows http://nginx-win.ecsds.eu/