I'm fairly new to NGINX but absolutely love this functionality. I set this up inside a FreeNAS Jail and its been working for months without an issue. I decided to upgrade my router for various reasons from a Cisco Small Business Router RV220W (a 5 year old router) to the new Netgear Nighthawk X10 AD7200 Smart WiFi Router. After the new router was installed, I saw two things happen. First, my Internet speeds doubled for my clients, and my IP address from Comcast changed for the first time in almost 3 years.
I manually recreated all the port forward settings from the Cisco to the Nighthawk and these are working fine. I was able to test the Nginx certificate by using the "SSL Server Test" at the URL below and it can connect and can verify the SSL certificate is working properly and remains secure. The SSL test reflect the new IP address and verifies the site with an "A" overall rating.
https://www.ssllabs.com/ssltest/index.html
What is not happening is the reverse proxy to the 3 insecure internal websites which was previously secured by Ngnix with the Cisco router. I've made no changes to the Ngnix server config files since they worked fine with the Cisco router. All of my servers, FreeNAS Jails, VM's and clients have all retained the same IP addresses or DHCP to the same IP subnet on my internal network. All my internal port addresses are also the same. The only thing I can think of is that my external DNS "A" record was updated to reflect my new IP address and maybe this invalidated my SSL certificate installed into the Ngnix reverse proxy configuration.
Before I make any changes, I wanted to see if anyone running the Ngnix remote proxy configurations who may have experienced similar issues and what they did to correct the problem. Any suggestions and feedback would be greatly appreciated. If you need me to post any logs, please let me know and I'll post them here to debug. Here are a few logs snips covering todays quick test.
My router is setup that all incoming HTTPS traffic on port 443 is forwarded to the NGNIX server.
Here are the log entries for my most recent test connecting to https://kv.heronet.net/nzbhydra
/var/log/nginx/nginx_err.log
2017/09/10 12:01:21 [crit] 53238#105268: *569 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
2017/09/10 12:01:21 [crit] 53238#105268: *570 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:ssl3_read_bytes:ccs received early) while SSL handshaking, client: 64.41.200.108, server: 0.0.0.0:443
Here are the access logs covering the same timeframe, which looks like only the SSL test server event.
/var/log/nginx/access.log
64.41.200.108 - - [10/Sep/2017:12:00:49 -0700] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
64.41.200.108 - - [10/Sep/2017:12:00:51 -0700] "GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0" 400 0 "-" "SSL Labs (https://www.ssllabs.com/about/assessment.html)"
Edited 1 time(s). Last edit at 09/10/2017 03:43PM by trdemoss.
