Welcome! Log In Create A New Profile

Advanced

SSL renegotiation probelm using nginx as reverse proxy to apache

April 03, 2014 08:57PM
My goal is end-to-end encryption of multiple domains using nginx as a reverse proxy to load balance to multiple backends. Both nginx and apache use the same wildcard cert, eg *.domain.com.

The first request to https://abc.domain.com/ works as expected, but a call to https://xyz.domain.com produces the following debug output in the apache logs:

[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client 10.0.0.115] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?

with the following in the nginx log:

2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive connection

My nginx config looks like this:

http {

# Header settings - Keep as much original as possible
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-HTTPS on;

upstream svhostcluster {
server web1.domain.com:443 max_fails=5 fail_timeout=10s;
server web2.domain.com:443 max_fails=5 fail_timeout=10s;
least_conn;
}
include /etc/nginx/conf.d/*.conf;
}

and /etc/nginx/conf.d/servers.conf

ssl_certificate_key /etc/pki/tls/private/wildcard.priv.domain.pem;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;

server {
listen *:443;
server_name abc.domain.com;
access_log /var/log/nginx/abc.domain.access.log;
access_log /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
error_log /var/log/nginx/sabc.domain.errors.log debug;

ssl on;

location / {
proxy_pass https://svhostcluster;
}
}

server {
listen *:443;
server_name xyz.domain.com;
access_log /var/log/nginx/xyz.domain.access.log;
access_log /var/log/nginx/xyz.domain.access.log upstreamlog;
error_log /var/log/nginx/xyz.domain.errors.log debug;

ssl on;

location / {
proxy_pass https://svhostcluster;
}
}

on the apache side, here is the ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
ServerName abc.domain.com
DocumentRoot "/var/www/abc/html"

LogLevel debug
ErrorLog logs/abc_ssl_error_log
CustomLog logs/abc_ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

<Directory "/var/www/abc/html">
Options FollowSymLinks
AllowOverride All
RewriteEngine On
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerName xyz.domain.com
DocumentRoot "/var/www/xyz/html"

LogLevel debug
ErrorLog logs/xyz_ssl_error_log
CustomLog logs/xyz_ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

<Directory "/var/www/xyz/html">
Options FollowSymLinks
AllowOverride All
RewriteEngine On
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

I'm not sure I understand why apache wants to renegotiate with nginx, nor why nginx doesn't seem to want to do it (despite apache thinking it can.) Can anyone help?
Subject Author Posted

SSL renegotiation probelm using nginx as reverse proxy to apache

sean_at_stitcher April 03, 2014 08:57PM

Re: SSL renegotiation probelm using nginx as reverse proxy to apache

Jonathan Matthews April 04, 2014 04:34AM

Re: SSL renegotiation probelm using nginx as reverse proxy to apache

sean_at_stitcher April 04, 2014 05:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 120
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready