Problem with Upstream over SSL

I was proxying to an IIS server on 443 on nginx 1.1 on FreeBSD and it worked perfectly fine. We moved to nginx 1.4 running on Ubuntu and now it won’t work.

The following works perfect:

server {
    location / {
        proxy_pass http://server.domain.com;
    }
}

But when I change it to

server {
    location / {
        proxy_pass https://server.domain.com;
    }
}

It times out. I can curl both http:// and https:// no problem. The strange thing is the log message with the timeout error is showing the IP instead of the hostname.

2013/12/05 09:30:33 [error] 20109#0: *1 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.168.1.200, server: external.domain.com, request: “GET / HTTP/1.1”, upstream: “https://192.168.1.10:443/”, host: “external.domain.com

What I’m guessing is nginx is trying to proxy to the host via the IP and then timing out because of SSL issues, as the SSL cert is not valid for the IP, only for the domain name.

Why is nginx proxying to the IP instead of the hostname? Can I force it to use the hostname?

Posted at Nginx Forum:

Hello!

On Thu, Dec 05, 2013 at 09:44:55AM -0500, cschiewek wrote:

> }
> thing is the log message with the timeout error is showing the IP instead of
> the hostname.
>
> 2013/12/05 09:30:33 [error] 20109#0: *1 upstream timed out (110: Connection
> timed out) while reading response header from upstream, client:
> 192.168.1.200, server: external.domain.com, request: “GET / HTTP/1.1”,
> upstream: “https://192.168.1.10:443/”, host: “external.domain.com
>
> What I’m guessing is nginx is trying to proxy to the host via the IP and
> then timing out because of SSL issues, as the SSL cert is not valid for the
> IP, only for the domain name.

The problem indeed may be related to SSL - e.g. something
wrong with ciphers used. But it’s certainly not a certificate
verification issue, as nginx currently doesn’t check upstream
server certificates at all.

You may try using 1.5.x to play with proxy_ssl_protocols and
proxy_ssl_ciphers directives introduced specifically to help to
resolve various interoperability problems.

> Why is nginx proxying to the IP instead of the hostname? Can I force it to
> use the hostname?

The ip of a particular server nginx connects to is logged.


Maxim D.
http://nginx.org/en/donation.html
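
An added example, not part of the thread and not the poster's configuration: the two directives suggested in the reply, placed in the location block from the question, together with upstream certificate checking. The `proxy_ssl_verify` group exists only from nginx 1.7.0 on, which is later than the versions discussed here; the CA bundle path is a placeholder, and the protocol, cipher and timeout values are assumptions to adjust.

```nginx
# Added example (assumptions labelled inline); hostnames are the thread's own.
server {
    server_name external.domain.com;

    location / {
        proxy_pass https://server.domain.com;

        # nginx >= 1.5.6: control what nginx offers in the handshake to the
        # upstream. While diagnosing, narrow to one protocol at a time to find
        # the versions the IIS side completes, then set the final list.
        proxy_ssl_protocols TLSv1.2;          # assumed value
        proxy_ssl_ciphers   HIGH:!aNULL:!MD5; # assumed value

        # nginx >= 1.7.0: send the hostname in SNI and verify the upstream
        # certificate against it. Without proxy_ssl_verify the certificate
        # is accepted unchecked, as the reply above states for 2013 releases.
        proxy_ssl_server_name on;
        proxy_ssl_name        server.domain.com;
        proxy_ssl_verify      on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem; # placeholder path

        # Shorter timeouts make a stalled handshake show up in error.log
        # quickly instead of after the 60s defaults.
        proxy_connect_timeout 5s;
        proxy_read_timeout    15s;
    }
}
```

With verification on, a name mismatch is reported in the error log as a certificate verify error rather than as a timeout, which separates the two failure modes guessed at in the question.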