SSL renegotiation problem using nginx as reverse proxy to apache

My goal is end-to-end encryption of multiple domains using nginx as a reverse proxy to load balance to multiple backends. Both nginx and apache use the same wildcard cert, eg *.domain.com.

The first request to https://abc.domain.com/ works as expected, but a call to https://xyz.domain.com produces the following debug output in the apache logs:

[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client 10.0.0.115] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?

with the following in the nginx log:

2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive connection

My nginx config looks like this:

http {

    # Header settings - Keep as much original as possible
    proxy_set_header  X-Real-IP         $remote_addr;
    proxy_set_header  Host              $host;
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-HTTPS on;

    upstream svhostcluster {
        server web1.domain.com:443 max_fails=5 fail_timeout=10s;
        server web2.domain.com:443 max_fails=5 fail_timeout=10s;
        least_conn;
    }

    include /etc/nginx/conf.d/*.conf;

}

and /etc/nginx/conf.d/servers.conf:

ssl_certificate_key /etc/pki/tls/private/wildcard.priv.domain.pem;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;

server {
    listen *:443;
    server_name abc.domain.com;
    access_log /var/log/nginx/abc.domain.access.log;
    access_log /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
    error_log /var/log/nginx/sabc.domain.errors.log debug;

    ssl on;

    location / {
        proxy_pass https://svhostcluster;
    }

}

server {
    listen *:443;
    server_name xyz.domain.com;
    access_log /var/log/nginx/xyz.domain.access.log;
    access_log /var/log/nginx/xyz.domain.access.log upstreamlog;
    error_log /var/log/nginx/xyz.domain.errors.log debug;

    ssl on;

    location / {
        proxy_pass https://svhostcluster;
    }

}

On the apache side, here is the ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName abc.domain.com
    DocumentRoot "/var/www/abc/html"

    LogLevel debug
    ErrorLog logs/abc_ssl_error_log
    CustomLog logs/abc_ssl_access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
    SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

    <Directory "/var/www/abc/html">
        Options FollowSymLinks
        AllowOverride All
        RewriteEngine On
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName xyz.domain.com
    DocumentRoot "/var/www/xyz/html"

    LogLevel debug
    ErrorLog logs/xyz_ssl_error_log
    CustomLog logs/xyz_ssl_access_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
    SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
    SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

    <Directory "/var/www/xyz/html">
        Options FollowSymLinks
        AllowOverride All
        RewriteEngine On
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

I’m not sure I understand why apache wants to renegotiate with nginx, nor why nginx doesn’t seem to want to do it (despite apache thinking it can.) Can anyone help?

Posted at Nginx Forum:

On 4 Apr 2014 01:57, “sean_at_stitcher” [email protected] wrote:

I’m not sure I understand why apache wants to renegotiate with nginx, nor
why nginx doesn’t seem to want to do it (despite apache thinking it can.)

I vaguely recall seeing (on this list) the suggestion that Apache does this (at least) when a request’s post-SSL-negotiation, HTTP/layer-7 details change Apache’s idea of where/how the request should be handled. If that’s happening here, perhaps Apache is seeing your SSL* settings in different vhosts as being different - even though they aren’t really.

What happens if you move the SSL* directives up a level? Maybe not the
on/off flag - just the cipher/cert/key/info ones.

HTH,
J
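As an added example (not code from the thread or from either project), here is a small Python check that turns J's suggestion into a lint: it parses an Apache config, collects the SSL* directives found inside each <VirtualHost>, and reports which ones are identical in every vhost (so they can be moved up to server scope) and which differ (so they need a decision first). The sample config is constructed here, modelled on the one in the question; the HOISTABLE directive list and the function names are my own assumptions.

```python
import re
# Constructed sample modelled on the ssl.conf in the question, not the poster's file.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName abc.domain.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName xyz.domain.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
</VirtualHost>
"""

# Assumed list of connection-level settings (J's "cipher/cert/key/info"); SSLEngine stays per vhost.
HOISTABLE = {"SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder",
             "SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCertificateChainFile", "SSLCACertificateFile"}

def parse_vhosts(text):
    """Return {ServerName: {directive: value}} for every <VirtualHost> block."""
    vhosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            current = {}
        elif re.match(r"</VirtualHost>", line, re.I):
            vhosts[current.get("ServerName", "vhost%d" % len(vhosts))] = current
            current = None
        elif current is not None:          # a directive inside a vhost
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return vhosts

def hoist_plan(vhosts):
    """Split per-vhost SSL* directives into identical-everywhere (hoist) and differing (conflict)."""
    hoist, conflict = {}, {}
    for name in sorted(HOISTABLE):
        values = {h[name] for h in vhosts.values() if name in h}
        if len(values) == 1:
            hoist[name] = values.pop()
        elif values:
            conflict[name] = sorted(values)
    return hoist, conflict
```

Anything in the conflict map is a real per-vhost difference that must be resolved before the directives are moved; the rest can go straight to server scope, leaving only SSLEngine in the vhosts.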

Brilliant! Thanks so much, I was pulling my hair out on this one. Just
goes to show you… never rely on the apache documentation!