NGINX proxy, 502 error while SSL handshaking to upstream

Hello everyone, I’m new here and this my first post in this mailing
list,

Maybe this is a frequently answered question but I could’t find a
solution.
Maybe is a “layer 8” issue.

Right now, I have a Nginx(1.0.8) proxy running on Ubuntu 10.04 32bits,
OpenSSL 0.9.8 doing a https upstream on port 33195. Here is a piece of
the
nginx.conf file:


location /external_services {
proxy_pass https://x.x.x.x:33195/external_service;
allow x.x.x.x;
deny all;
}

It is working, but I need to migrate this proxy to a new server. This
new
server runs Ubuntu 12.04, OpenSSL 1.0.1 and Nginx 1.5.10.

This server receive an http://myproxy/external_services request and
proxy
it to https://x.x.x.x:33195/external_service; (http to https)

When I try to access http://myproxy/external_services on the new server,
I
got a 502 error and I see this message in error.log :

"peer closed connection in SSL handshake while SSL handshaking to

upstream"

I found that I can connect(from the proxy server) to
https://x.x.x.x:33195/external_service using openssl, doing this:

$ openssl s_client -connect 

https://x.x.x.x:33195/external_service-no_tls1_1

I tried to disable TLSv1.1 in Nginx using the directive: ssl_protocols
SSLv3 TLSv1; but nothing change.

I don’t want to downgrade to Nginx(1.0.8) and OpenSSL 0.9.8 (I think is
a
possible solution).

Any help? I’m doing something wrong, I can’t find a solution.

Thanks,
Matias.

Hello!

On Tue, Feb 25, 2014 at 04:34:34PM +0100, Juan Matías wrote:

location /external_services {
This server receive an http://myproxy/external_services request and proxy

$ openssl s_client -connect https://x.x.x.x:33195/external_service-no_tls1_1

I tried to disable TLSv1.1 in Nginx using the directive: ssl_protocols
SSLv3 TLSv1; but nothing change.

You have to use proxy_ssl_protocols, not ssl_protocols. See
http://nginx.org/r/proxy_ssl_protocols.

The proxy_ssl_ciphers directive may help, too, depending on what
exactly triggers the problem on your backend.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs