Welcome! Log In Create A New Profile

Nginx + Android + ssl = 400

Forum List Message List New Topic Print View

ingtar

February 28, 2015 04:10AM

Registered: 10 years ago
Posts: 33

Доброго дня! Столкнулся с непонятной проблемой, не могу даже локализовать.
Настраиваем на фронте доступ к сайту по ssl сертификатам (Публикуем Exchange и как фронтенд - nginx)
Соответственно доступ с мобильных устройств идет на локейшен Microsoft-Server-ActiveSync. Сгенерировали CA, клиенский сертификат и установили его на Андроид и на iPad. На втором работает, на первом дает ошибку 400 - обращение без сертификата.
Как смог повторил состав ПО на тестовом фронте - работает и на Андройде.
Причем что необычно - запросы от андройда на проблемном фронте падают не в лог для этого локейшена , а в основной лог для этого сайта (падают в exchange.example.com_main_access.log, а не в exchange.example.com_sync_access.log, листинг конфига ниже)
Доступ через web - локейшен owa работает без замечаний и корректно на всех устройствах
Все указывает на проблему софта, но я теряюсь в догадках, кто может мне помочь. Решил попытать счастья тут:)
Если вдруг вы сталкивались с чем-то подобным - помогите, пожалуйста.

Версия nginx:
nginx version: nginx/1.6.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-file-aio --add-module=ngx_devel_kit --add-module=set-misc-nginx-module --add-module=echo-nginx-module --with-http_spdy_module --with-cc-opt='-O2 -g'

CentOS release 6.3
openssl-1.0.1e-30.el6_6.5.x86_64

Конфиг nginx для данного сайта:
server
{
listen :80;
server_name exchange.example.com;
return 301 https://$server_name$request_uri;
}

server
{
server_name exchange.example.com;
listen *:443 ssl;

ssl on;
ssl_certificate /etc/pki/tls/certs/example.com_full.crt;
ssl_certificate_key /etc/pki/tls/example.com.key;

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL;
ssl_client_certificate /etc/nginx/exchange_ssl/ssl/ca.crt;
ssl_verify_client on;

keepalive_timeout 70;
fastcgi_param SSL_VERIFIED $ssl_client_verify;
fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;
fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;
fastcgi_param SSL_DN $ssl_client_s_dn;

# Set global proxy settings
proxy_read_timeout 360;
proxy_connect_timeout 360;
proxy_pass_header Date;
proxy_pass_header Server;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";

proxy_buffers 8 32k;
proxy_buffer_size 64k;
large_client_header_buffers 8 32k;

location / {
return 301 https://$server_name/owa;
proxy_buffer_size 32k;
}

location ~* ^/owa {
proxy_buffer_size 32k;
error_log /var/log/nginx/exchange.example.com_owa_error.log ;
access_log /var/log/nginx/exchange.example.com_owa_access.log exchange;
proxy_pass https://exchange;
}

location ~* ^/Microsoft-Server-ActiveSync(.*) {
proxy_buffer_size 32k;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X_FORWARDED_PROTO https;
proxy_set_header X-Url-Scheme $scheme;
proxy_set_header X-Real-IP $remote_addr;

error_log /var/log/nginx/exchange.example.com_sync_error.log ;
access_log /var/log/nginx/exchange.example.com_sync_access.log exchange;
proxy_pass https://exchange;
}

error_log /var/log/nginx/exchange.example.com_main_error.log ;
access_log /var/log/nginx/exchange.example.com_main_access.log exchange;

}

Reply Quote

RSS

Subject	Author	Posted
Nginx + Android + ssl = 400	ingtar	February 28, 2015 04:10AM
Re: Nginx + Android + ssl = 400	Andrey Kopeyko	February 28, 2015 06:42AM
Re: Nginx + Android + ssl = 400	ingtar	February 28, 2015 09:41AM
Re: Nginx + Android + ssl = 400	Andrey Kopeyko	February 28, 2015 12:20PM
Re: Nginx + Android + ssl = 400	ingtar	February 28, 2015 01:27PM
Re: Nginx + Android + ssl = 400	Andrey Kopeyko	February 28, 2015 05:02PM
Re: Nginx + Android + ssl = 400	ingtar	February 28, 2015 05:19PM
Re: Nginx + Android + ssl = 400	Anton Gorlov	February 28, 2015 05:32PM
Re: Nginx + Android + ssl = 400	ingtar	February 28, 2015 05:53PM
Re: Nginx + Android + ssl = 400	Anton Gorlov	February 28, 2015 06:10PM
Re: Nginx + Android + ssl = 400	Andrey Kopeyko	February 28, 2015 05:42PM
Re: Nginx + Android + ssl = 400	ingtar	February 28, 2015 05:52PM
Re: Nginx + Android + ssl = 400	ingtar	March 01, 2015 02:43AM
Re: Nginx + Android + ssl = 400	Maxim Dounin	March 02, 2015 08:44AM
Re: Nginx + Android + ssl = 400	ingtar	March 02, 2015 11:23AM
Re: Nginx + Android + ssl = 400	Илья Шипицин	March 02, 2015 03:00PM
Re: Nginx + Android + ssl = 400	ingtar	March 03, 2015 12:30PM
Re: Nginx + Android + ssl = 400	Aleksandr Sytar	March 03, 2015 01:52PM
Re: Nginx + Android + ssl = 400	ingtar	March 03, 2015 01:59PM
Re: Nginx + Android + ssl = 400	Gena Makhomed	March 03, 2015 02:56PM
Re: Nginx + Android + ssl = 400	ingtar	March 04, 2015 10:38AM
Re: Nginx + Android + ssl = 400	Maxim Dounin	March 04, 2015 11:00AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 275

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018