SSL Handshake problems, nginx reverse web proxy.

Nathan
November 12, 2013 12:08PM
I am working on setting up an http reverse proxy in front of a
pre-packaged jetty server. The jetty server is a pre-configured
application, and not very flexible.

Here's the quick and dirty. I have nginx configured to listen on 443,
using its own SSL cert. Then behind nginx, I have another server
running this jetty application, with its own cert, on port 9192.

My nginx config looks like this:

server {
    listen 139.147.165.99:443;
    server_name papercut.dev.lafayette.edu papercut.dev;

    access_log /var/log/nginx/papercut.dev.lafayette.edu_access;
    error_log /var/log/nginx/papercut.dev.lafayette.edu_error debug;

    ssl on;
    ssl_certificate /etc/nginx/ssl.crt/papercut.dev.lafayette.edu.crt;
    ssl_certificate_key /etc/nginx/ssl.key/papercut.dev.lafayette.edu.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP;

    ssl_prefer_server_ciphers on;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;

    location / {
        proxy_pass https://printman.dev.lafayette.edu:9192;
    }
}

If I hit my vhost on https, I get a 502, bad gateway.

The error log reports:
2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed
(SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert
unexpected message) while SSL handshaking to upstream, client:
10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET /
HTTP/1.1", upstream: "https://139.147.165.80:9192/", host:
"papercut.dev.lafayette.edu"

From what I can tell, this is saying that the SSL connection from my
proxy to my jetty host is failing negotiation.

If I browse directly to the target, on https and port 9192, it works
perfectly.

openssl s_connect from the proxy to the target seems to work ONLY if I
force sslv3. If I use TLSv1 or sslv2, it fails. If I use TLSv2 and
use -no_ticket, it works.

I'm wondering if one of these would solve the proxy problem? But how
can I force nginx to use sslv3, or no ticket, when connecting to its
target?

Thanks!

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
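
Added example, not part of the original post or of nginx: a small Python decoder for the error_log entry quoted above. It unpacks the OpenSSL error code 140773F2 to show that the failure is a TLS alert sent back by the upstream during the proxy-to-jetty handshake. The function name and the alert table are assumptions of this example, and the 8/12/12-bit layout is the one used by OpenSSL 1.0.x and 1.1.x.

```python
import re

# Constructed input: the error_log entry quoted in the post, unwrapped to one line.
SAMPLE = (
    '2013/11/12 12:02:10 [error] 28416#0: *230 SSL_do_handshake() failed '
    '(SSL: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert '
    'unexpected message) while SSL handshaking to upstream, client: '
    '10.100.0.12, server: papercut.dev.lafayette.edu, request: "GET / '
    'HTTP/1.1", upstream: "https://139.147.165.80:9192/", host: '
    '"papercut.dev.lafayette.edu"'
)

ERR_LIB_SSL = 20             # library number of libssl in OpenSSL error codes
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts received from the peer

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def decode_handshake_error(line):
    """Decode the packed OpenSSL error in an nginx error_log line (hypothetical helper)."""
    err = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if err is None:
        return None  # no OpenSSL error code in this line
    code = int(err.group(1), 16)
    # OpenSSL 1.0.x/1.1.x layout: 8 bits library, 12 bits function, 12 bits reason.
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    phase = re.search(r"\) while ([^,]+),", line)
    upstream = re.search(r'upstream: "([^"]+)"', line)
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "peer_alert": alert,  # None when the error is local, not an alert
        "alert_name": ALERTS.get(alert, "unknown") if alert is not None else None,
        "phase": phase.group(1) if phase else None,
        "upstream": upstream.group(1) if upstream else None,
    }


if __name__ == "__main__":
    for key, value in decode_handshake_error(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty peer_alert together with the phase "SSL handshaking to upstream" means the jetty side rejected the hello nginx sent, so the client-facing ssl_protocols and ssl_ciphers settings in the server block are not what failed.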