How to allow apache to control SSL traffic?

Detlef_R · April 21, 2014, 8:01am

Hello list,

My apache vhosts are configured to take care of SSL connections. I have
installed nginix as http accelerator. How can I instruct nginx to pass
all
SSL request to apache SSL vhost ?

Thanks

Joydeep_Bakshi · April 21, 2014, 10:18am

Hello,

I like to mention the following error from nginx log

*453 SSL_do_handshake() failed (SSL: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking
to
upstream

though the ssl is working fine with apache along (after proper
modification
in apache vhost ) when nginx is down.

Any clue please ?

Thanks

On Mon, Apr 21, 2014 at 11:31 AM, Joydeep Bakshi <

Joydeep_Bakshi · April 21, 2014, 10:49am

On 21 Apr 2014 07:01, “Joydeep Bakshi” [email protected]
wrote:

Hello list,

My apache vhosts are configured to take care of SSL connections. I have
installed nginix as http accelerator. How can I instruct nginx to pass
all
SSL request to apache SSL vhost ?

Most simply, try stopping nginx listening on port 443 and make apache
listen on 443.

If you want more advanced suggestions than that, you’ll probably have to
explain what you’re trying to do in more detail.

J

Joydeep_Bakshi · April 21, 2014, 11:36am

Hello Jonathan,

thanks for your response. Here is the details what I have done so far.

SSL configuration for nginx is as below

server {

listen 443 ssl;
server_name example.com http://example2.com;
gzip on; # Turn on gZip
gzip_disable msie6;
gzip_static on;
gzip_comp_level 9;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml
application/xml application/xml+rss text/javascript;

ssl_certificate /etc/apache2/myca/server.crt;
ssl_certificate_key /etc/apache2/myca/ssl.key;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {
proxy_redirect off; # Do not redirect this proxy - It needs to be
pass-through
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Server-Address $server_addr;
proxy_pass_header Set-Cookie;
proxy_pass https://127.0.0.1:4443;

}
}

accordingly apache has

Listen 4443
VirtualHostexample.com:4443

General setup for the virtual host

DocumentRoot /srv/www/htdocs/xxx

SSLEngine on
#Here, I am allowing only “high” and “medium” security key lengths.
SSLCipherSuite HIGH:MEDIUM
#Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
#Server Certificate:
SSLCertificateFile /etc/apache2/myca/server.crt
#Server Private Key:
SSLCertificateKeyFile /etc/apache2/myca/ssl.key

Server Certificate Chain

SSLCertificateChainFile /etc/apache2/myca/ssl.crt

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

DirectoryIndex index.php

<Directory “/srv/www/htdocs/xxxi/”>
Options Indexes FollowSymLinks MultiViews
AllowOverride ALL
Options None
Order allow,deny
Allow from all

but when try to access SSL , nginx error.log shows

*453 SSL_do_handshake() failed (SSL: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking
to
upstream

Hope the info help

Thanks

On Mon, Apr 21, 2014 at 2:18 PM, Jonathan M.

Joydeep_Bakshi · April 21, 2014, 11:31am

Hello Jonathan,

thanks for your response. Here is the details what I have done so far.

SSL configuration for nginx is as below

server {

listen 443 ssl;
server_name example.com http://example2.com;
gzip on; # Turn on gZip
gzip_disable msie6;
gzip_static on;
gzip_comp_level 9;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml
application/xml application/xml+rss text/javascript;

ssl_certificate /etc/apache2/myca/server.crt;
ssl_certificate_key /etc/apache2/myca/ssl.key;

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

location / {
proxy_redirect off; # Do not redirect this proxy - It needs to be
pass-through
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Server-Address $server_addr;
proxy_pass_header Set-Cookie;
proxy_pass https://127.0.0.1:4443;

}
}

accordingly apache has

Listen 4443

General setup for the virtual host

DocumentRoot /srv/www/htdocs/xxx

SSLEngine on
#Here, I am allowing only “high” and “medium” security key lengths.
SSLCipherSuite HIGH:MEDIUM
#Here I am allowing SSLv3 and TLSv1, I am NOT allowing the old SSLv2.
SSLProtocol all -SSLv2
#Server Certificate:
SSLCertificateFile /etc/apache2/myca/server.crt
#Server Private Key:
SSLCertificateKeyFile /etc/apache2/myca/ssl.key

Server Certificate Chain

SSLCertificateChainFile /etc/apache2/myca/ssl.crt

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

DirectoryIndex index.php

<Directory “/srv/www/htdocs/xxxi/”>
Options Indexes FollowSymLinks MultiViews
AllowOverride ALL
Options None
Order allow,deny
Allow from all

but when try to access SSL , nginx error.log shows

*453 SSL_do_handshake() failed (SSL: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking
to
upstream

Hope the info help

Thanks

On Mon, Apr 21, 2014 at 2:18 PM, Jonathan M.