Problem proxying to nginx with ssl_reject_handshake on

December 22, 2020 03:48AM
Server 1 (accepts requests and proxies them to Server 2):

server {
    listen a.b.c.d:443 ssl;
    server_name abcd.example;
    access_log off;
    ssl_certificate path_to.crt;
    ssl_certificate_key path_to.key;
    location / {
        proxy_pass https://b.c.d.e:443;
        proxy_ssl_server_name on;
        proxy_set_header Host $host;
    }
}

Server 2:

server {
    listen b.c.d.e:443 ssl default_server;
    server_name _;

    access_log off;
    ssl_certificate /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/key.pem;
    ssl_reject_handshake on;

    location / {
        return 444;
    }
}

server {
    listen b.c.d.e:443 ssl http2;
    server_name abcd.example;
    access_log access.log combined;
    root /home2/xyz/abcd.example/WWW;
    ssl_certificate path_to.crt;
    ssl_certificate_key path_to.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate path_to.trusted;
    location / {
        proxy_pass http://127.0.0.1:80;
    }
}

If Server 2 has ssl_reject_handshake on;, requests to Server 1 end with a 502 error. The error log shows this:
2020/12/22 11:05:13 [crit] 57654#0: *13192673 SSL_do_handshake() failed (SSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: 192.168.10.250, server: abcd.example, request: "GET / HTTP/2.0", upstream: "https://b.c.d.e:443/", host: "xn--b1aghahdtcfeb2aifj5e.xn--p1ai"

The presence of the lines
    proxy_ssl_server_name on;
    proxy_set_header Host $host;
in the server block on Server 1 has no effect on the problem.

What could be the cause?
Subject Author Posted

Problem proxying to nginx with ssl_reject_handshake on

Alexey Koscheev December 22, 2020 03:48AM

Re: Problem proxying to nginx with ssl_reject_handshake on

Alexey Koscheev December 22, 2020 04:57AM
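
An added example, not part of the original post and not nginx code: a small Python model of which SNI name nginx sends on an upstream TLS handshake, applied to a log line like the one in the post. It assumes nginx's documented behaviour that proxy_ssl_name defaults to $proxy_host and that no SNI is sent when that name is an IP literal; the address 192.0.2.10 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the post's log line with a documentation IP in place of b.c.d.e
SAMPLE = ('2020/12/22 11:05:13 [crit] 57654#0: *13192673 SSL_do_handshake() failed '
          '(SSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:'
          'SSL alert number 112) while SSL handshaking to upstream, '
          'client: 192.168.10.250, server: abcd.example, request: "GET / HTTP/2.0", '
          'upstream: "https://192.0.2.10:443/", host: "abcd.example"')

ALERT_112 = re.compile(
    r'SSL alert number 112\).*while SSL handshaking to upstream.*'
    r'upstream: "(?P<upstream>[^"]+)", host: "(?P<host>[^"]+)"')


def upstream_sni(proxy_pass, server_name_on, proxy_ssl_name=None, host=None):
    """Model of the SNI name sent to the upstream; None means no SNI at all."""
    if not server_name_on:                      # proxy_ssl_server_name off
        return None
    # proxy_ssl_name defaults to $proxy_host: the host[:port] part of proxy_pass
    name = proxy_ssl_name or proxy_pass.split("://", 1)[1].split("/", 1)[0]
    name = name.replace("$host", host or "")    # only $host is modelled here
    if not name or name.startswith("["):        # empty or bracketed IPv6 literal
        return None
    name = name.rsplit(":", 1)[0]               # strip an optional :port
    try:
        ipaddress.ip_address(name)              # IP literal: SNI is omitted
        return None
    except ValueError:
        return name


def diagnose(log_line, proxy_pass, server_name_on, proxy_ssl_name=None):
    """Explain an upstream 'unrecognized name' alert for a given proxy config."""
    m = ALERT_112.search(log_line)
    if not m:
        return "not an upstream unrecognized_name alert"
    sni = upstream_sni(proxy_pass, server_name_on, proxy_ssl_name, m["host"])
    if sni is None:
        return "no SNI sent: upstream falls into its default server"
    return f"SNI {sni!r} sent: check it matches an upstream server_name"


if __name__ == "__main__":
    print(diagnose(SAMPLE, "https://192.0.2.10:443", True))
    print(diagnose(SAMPLE, "https://192.0.2.10:443", True, "$host"))
```

In this model, proxying to an IP address with only proxy_ssl_server_name on produces no SNI, so a default server with ssl_reject_handshake on refuses the handshake; setting proxy_ssl_name to a name the upstream serves changes the result.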


