Welcome! Log In Create A New Profile

Advanced

Re: Proxying to older apache fails

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
April 24, 2015 07:46AM
Hello!

On Fri, Apr 24, 2015 at 01:27:43AM -0400, sporkman wrote:

> I'm trying to keep an old apache install limping along for a few more months
> by letting nginx handle the SSL connection between site visitors and
> apache.
>
> I have a pretty simple config on the nginx side for the proxy_pass config;
>
> location / {
> proxy_pass https://foo.i.example.com;
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_send_timeout 360;
> proxy_read_timeout 360;
> }
>
> I see the request hit the apache side, and with some debugging enabled, I'm
> able to get some detail:
>
> [Fri Apr 24 01:21:48 2015] [info] Initial (No.1) HTTPS request received for
> child 6 (server signup.biglist.com:443)
> [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): [client
> 10.99.88.59] Reconfigured cipher suite will force renegotiation
> [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting connection
> re-negotiation
> [Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(750): [client
> 10.99.88.59] Performing full renegotiation: complete handshake protocol
> (client does support secure renegotiation)
> [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Awaiting
> re-negotiation handshake
> [Fri Apr 24 01:22:18 2015] [error] [client 10.99.88.59] Re-negotiation
> handshake failed: Not accepted by client!?
>
> This is nginx 1.6.2, OpenSSL 1.0.1m and Apache 2.2.25, OpenSSL 0.9.8y
>
> Relevant apache config:
>
> SSLEngine On
> SSLVerifyClient none (tried with and without this)
> SSLInsecureRenegotiation off (tried with and without this)
> SSLStrictSNIVHostCheck off (tried with and without this)
> SSLProtocol ALL -SSLv2
> SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
>
> I've also tried forcing a TLSv1 and a single cipher on the nginx side,
> thinking that might somehow simplify things, but no difference.
>
> Any ideas?

You have to configure Apache in a way which won't force
renegotiation. In particular, avoid configuring ciphers in
virtual hosts - note "Reconfigured cipher suite will force
renegotiation" in Apache logs.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

Proxying to older apache fails

sporkman April 24, 2015 01:27AM

Re: Proxying to older apache fails

Maxim Dounin April 24, 2015 07:46AM

Re: Proxying to older apache fails

sporkman April 24, 2015 01:09PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 183
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready