Https proxy to apache server

I got a name-based vhost apache server running on 192.168.24.66 for
calendar.powercraft.nl on both port 80 and 443.

I need nginx to make a proxy pass for port 443 to the apache server. I
don’t mind if it uses the port 80 or 443 with ssl to proxy the data.

I tried the below and some variations based on some docs and wiki
pages I found, but I can’t get it to work for port 443

    server {
        listen 443;
        server_name calendar.powercraft.nl;
        ssl on;
        ssl_certificate /etc/ssl/certs/yessica-certificate.pem;
        ssl_certificate_key /etc/ssl/certs/yessica-privatekey.pem;
        access_log /var/log/nginx/calendar.secure.log;
        error_log /var/log/nginx/calendar.error-secure.log;
        location / {
            #proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            proxy_pass http://192.168.24.66/;
        }
    }

https://calendar.powercraft.nl/ is giving me SSL received a record that
exceeded the maximum permissible length. (Error code:
ssl_error_rx_record_too_long)

Does somebody know what I am doing wrong and may provide a working
example to make a https proxy with nginx to an apache server?

I tried searching the mailing-list archive for the last year but didn’t
find a similar question. (my apologies if I missed something)

Thanks in advance,

Kind regards,

Jelle de Jong

AFAIK, you can’t proxy directly to https. Why are you trying to do
this? Generally you terminate SSL on nginx then proxy to something else
in cases like this.

If you really (for some reason) needed to proxy over https, you could
put something like stunnel (or stud) and have nginx talk to it.

On 10/01/12 12:56, Brian A. wrote:

AFAIK, you can’t proxy directly to https. Why are you trying to do
this? Generally you terminate SSL on nginx then proxy to something
else in cases like this. If you really (for some reason) needed to
proxy over https, you could put something like stunnel (or stud) and
have nginx talk to it.

I don’t mind proxying with nginx port 443 to apache port 80, as long as
the connection between nginx and the client is using https.

I want this because I got only one IPv4 address and multiple local
servers with services running on port 80 or 443. Proxying from nginx port
80 to apache port 80 works perfectly. I now want to have an https
connection also.

Thanks in advance,

Kind regards,

Jelle de Jong

Hello!

On Tue, Jan 10, 2012 at 12:21:15PM +0100, Jelle de Jong wrote:

    listen              443;
    proxy_redirect      off;
    proxy_pass          http://192.168.24.66/;

Just use “https” instead of “http” here, i.e.

      proxy_pass          https://192.168.24.66/;

I tried searching the mailing-list archive for the last year but didn’t
find a similar question. (my apologies if I missed something)

Maxim D.

On 10/01/12 15:38, Maxim D. wrote:

Just use “https” instead of “http” here, i.e.
    proxy_pass https://192.168.24.66/;

I tried that, (did it again to be sure). I think the issues may be
somewhere else…

I removed the port 80 part of the config and only have the 443 now.

checking: nginx is listening

    lsof -i :443

    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    nginx 30136 root 20u IPv4 482955 0t0 TCP *:https (LISTEN)
    nginx 30137 www-data 20u IPv4 482955 0t0 TCP *:https (LISTEN)
    nginx 30138 www-data 20u IPv4 482955 0t0 TCP *:https (LISTEN)
    nginx 30139 www-data 20u IPv4 482955 0t0 TCP *:https (LISTEN)
    nginx 30140 www-data 20u IPv4 482955 0t0 TCP *:https (LISTEN)

checking: weird response from ssl check, what is wrong?

    openssl s_client -connect localhost:443

    CONNECTED(00000003)
    31082:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607:

nginx should be able to read the certs?

output shortened for mail purpose

    su -c 'ls -hal /etc/ssl/certs/yessica-*' www-data

    -rw-r--r-- 1 root root 1.4K Jan 7 16:42 /etc/ssl/certs/cert-request.pem
    -rw-r--r-- 1 root root 2.9K Jan 7 16:42 /etc/ssl/certs/cert.pem
    -r-------- 1 root root 1.7K Jan 7 16:42 /etc/ssl/certs/privatekey.pem

the config…

    server {
        listen 443;
        server_name calendar.powercraft.nl;
        ssl on;
        ssl_certificate /etc/ssl/certs/yessica-certificate.pem;
        ssl_certificate_key /etc/ssl/certs/yessica--privatekey.pem;
        access_log /var/log/nginx/calendar.secure.log;
        error_log /var/log/nginx/calendar.error-secure.log;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;
            proxy_pass https://192.168.24.66/;
        }
    }

Thanks in advance,

Kind regards,

Jelle de Jong

On Tue, Jan 10, 2012 at 9:38 AM, Maxim D. wrote:

Just use “https” instead of “http” here, i.e.

     proxy_pass          https://192.168.24.66/;

I learn something new everyday. I didn’t know this was possible.

--Brian

On 10/01/12 16:17, Jelle de Jong wrote:

On 10/01/12 15:38, Maxim D. wrote:

Just use “https” instead of “http” here, i.e.
    proxy_pass https://192.168.24.66/;

I tried that, (did it again to be sure). I think the issues may be
somewhere else…

I had another server section with:

    server {
        listen 80;
        listen 443;
        server_name guadec.powercraft.nl;

I removed the listen 443; line and everything started working…

I have no idea why this was interfering with the other server section
but it did?

I am OK for now :smiley:

Thanks in advance,

Kind regards,

Jelle de Jong
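
An added example, not part of the thread: a small Python check for the condition the last message resolved, a port on which one server block enables TLS (`ssl on;` or `listen ... ssl`) while another declares a plain `listen`. The sample configs are constructed from the blocks quoted above, the function names are this example's own, and the parser is deliberately simple: it ignores `include` files and quoted strings.

```python
import re
from collections import defaultdict

# Constructed sample: the two server blocks described in the thread, trimmed.
BROKEN = """
server {
    listen 80;
    listen 443;
    server_name guadec.powercraft.nl;
}
server {
    listen 443;
    server_name calendar.powercraft.nl;
    ssl on;
}
"""
# Constructed sample after the fix (certificate and proxy lines omitted).
FIXED = """
server { listen 80; server_name guadec.powercraft.nl; }
server { listen 443 ssl; server_name calendar.powercraft.nl; }
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)          # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def listen_port(addr):
    """Port of a listen address such as 443, *:443 or [::]:443 (default 80)."""
    m = re.fullmatch(r"(?:.*:)?(\d+)", addr)
    return m.group(1) if m else "80"

def mixed_tls_ports(conf):
    """Ports shared by TLS and non-TLS server blocks -> names of the non-TLS ones."""
    seen = defaultdict(list)                      # port -> [(server_name, tls)]
    for body in server_blocks(conf):
        m = re.search(r"\bserver_name\s+([^;\s]+)", body)
        name = m.group(1) if m else "(unnamed)"
        ssl_on = bool(re.search(r"\bssl\s+on\s*;", body))
        for args in re.findall(r"\blisten\s+([^;]+);", body):
            addr, *params = args.split()
            seen[listen_port(addr)].append((name, ssl_on or "ssl" in params))
    return {p: [n for n, tls in e if not tls] for p, e in seen.items()
            if len({tls for _, tls in e}) == 2}
```

`mixed_tls_ports(BROKEN)` reports port 443 with `guadec.powercraft.nl` as the block lacking TLS, and `mixed_tls_ports(FIXED)` reports nothing. With the `ssl on;` directive nginx takes the TLS setting from the default server for the listening socket, so a block that declares a plain `listen 443;` first can leave the port answering in cleartext, which matches the `unknown protocol` error above.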