Two Problems with proxy_pass to upstream


#1

I am trying to proxy traffic to a pair of apache web servers using nginx
with proxy_pass and upstream. All works well for port 80, even given
that the apache server is using NameVirtualHost and has a half-dozen
sites on it. All fine.

The problems I have are for traffic going to port 443 (SSL) and 9090
(this is a java app).

SSL traffic results in the following error:
Secure Connection Failed
An error occurred during a connection to www.gcnpublishing.com.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
The page you are trying to view can not be shown because the
authenticity of the received data could not be verified.

  • Please contact the web site owners to inform them of this problem.

Traffic to: http://www.gcnpublishing.com:9090/ results in:
The requested URL /login.jsp was not found on this server.
Apache/2.0.52 (CentOS) Server at www.gcnpublishing.com Port 80
And the URL is rewritten as:
http://www.gcnpublishing.com/login.jsp?url=%2Findex.jsp
Which is getting mangled. However if I enter:
http://www.gcnpublishing.com:9090/login.jsp?url=%2Findex.jsp
It seems to work. Somehow it’s getting rewritten incorrectly.

Here are my configs:

upstream gcn-chat {
    server 74.201.38.2:9090 ;
    server 74.201.39.2:9090 backup ;
}

server {
    listen 74.201.40.2:9090 ;
    server_name gcn-chat.gcnpublishing.com ;

    location / {
        proxy_pass http://gcn-chat ;
        proxy_redirect off;
        proxy_set_header Host $host ;
        proxy_set_header X-Real-IP $remote_addr ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
    }
    # Load a bunch of stuff for proxying
    #        include /etc/nginx/proxy.conf ;
}

upstream gcn-ssl {
    server 74.201.38.2:443 ;
    server 74.201.39.2:443 backup ;
}

server {
    listen 74.201.40.2:443 ;
    server_name www.gcnpublishing.com ;
    ssl on ;

    location / {
        proxy_set_header X-FORWARDED_PROTO https;
        proxy_pass https://gcn-ssl ;
        include /etc/nginx/proxy.conf ;
    }
}    # server

upstream 74.201.40.2 {
    server 74.201.38.2 ;
    server 74.201.39.2 backup ;
}

server {
    listen 74.201.40.2:80;
    server_name www.gcnpublishing.com ;
    access_log logs/74.201.40.2-access_log ;

    location / {
        proxy_pass http://74.201.40.2$request_uri ;
        # proxy_pass http://$proxy_host:$proxy_port/ ;
    }

    # Load a bunch of stuff for proxying
    include /etc/nginx/proxy.conf ;
}

And /etc/nginx/proxy.conf:

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;

Any suggestions or advice would be greatly appreciated.

sean


Sean F.
GCN Publishing, Inc.
Internet Design, Development and Consulting For Today’s Media Companies


(203) 665-6211, x203


#2

Hi Sean,

Firstly, let me commend you on giving a full config, without
obfuscation.
This makes things a lot easier.

It looks like SSL isn’t correctly set up on port 443:

lucky:~ dcheney$ openssl s_client -connect www.gcnpublishing.com:443
CONNECTED(00000003)
23096:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:585:

lucky:~ dcheney$ telnet www.gcnpublishing.com 443
Trying 74.201.40.2...
Connected to www.gcnpublishing.com.
Escape character is '^]'.
hello

400 Bad Request

400 Bad Request

nginx/0.6.32
Connection closed by foreign host.

Cheers

Dave

On Mon, 27 Oct 2008 18:50:38 -0400, Sean F. removed_email_address@domain.invalid


#3

Yes, that is the problem. The NGINX server you are hitting is supposed
to pass the request to an upstream apache server but it isn’t.

sean


#4

The two remote servers may be expanded to a third, off-site. So what I
am trying to do is simply proxy the whole ssl transaction over to the
apache servers, not have nginx handle it at all, just pass it over.

sean


#5

I don’t think that is possible. SSL is used to secure end-to-end
encryption, so what you are trying to do probably won’t work.

My suggestion is to use nginx to handle ssl, then pass the requests on
to your backends over http.

Cheers

Dave


#6

On Tue, 2008-10-28 at 10:19 -0400, Sean F. wrote:

> The two remote servers may be expanded to a third, off-site. So what I
> am trying to do is simply proxy the whole ssl transaction over to the
> apache servers, not have nginx handle it at all, just pass it over.

This is impossible with SSL (not an Nginx limitation). The SSL
negotiation must be done by the proxy. This means you must configure
Nginx with the proper SSL certs.

Cliff


#7

Two things.

  1. You probably don’t need to pass

upstream gcn-ssl {
    server 74.201.38.2:443 ;
    server 74.201.39.2:443 backup ;
}

if nginx is handling the ssl negotiation. Backending to the http port
is a more accepted pattern.

  2. The following

server_name www.gcnpublishing.com ;
ssl on ;

is probably not sufficient; you’ll need to configure your private key
and signed cert as well.

Cheers

Dave
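
One way to put Dave’s and Cliff’s advice into a config, as an added example that is not part of the thread: nginx holds the certificate and private key (the paths under /etc/nginx/ssl/ are assumed) and proxies plain HTTP to the Apache servers on port 80 instead of re-proxying port 443.

```nginx
# Added example, not from the original thread. nginx terminates SSL on
# 443 and backends to the Apache servers over http, so Apache's own
# SSL setup is not involved at all.
upstream gcn-web {
    server 74.201.38.2:80;
    server 74.201.39.2:80 backup;
}

server {
    listen 74.201.40.2:443;
    server_name www.gcnpublishing.com;

    ssl on;
    # Assumed paths: the signed cert (plus any intermediate chain) and
    # the matching private key must both be present, or nginx will keep
    # answering 443 with plain-HTTP "400 Bad Request" as seen above.
    ssl_certificate     /etc/nginx/ssl/www.gcnpublishing.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.gcnpublishing.com.key;

    location / {
        proxy_pass http://gcn-web;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Standard header name, so Apache can tell the client used https
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading, the same openssl s_client check Dave ran should print the server certificate chain instead of the "unknown protocol" error.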