User with ssl-proxy, nginx problem

hi,

i’m facing a strange problem here, maybe someone had
experience with this before…

i have an nginx server, which serves some files using HTTPS,
and http-basic-auth.

because nginx had ssl-problems in the past, in the past we had this
config:

  • we had an apache server, listening on port 443, that got the requests,
    did the ssl-handling, and then proxied the request to nginx. so nginx
    did not do any SSL-stuff.
  • and everything worked fine.

but now we switched to an nginx-only solution, and starting to have
problems with one user, who uses a https proxy.

in the past, for him the file-download worked this way:

  • the java app requested the file, got a HTTP 401 (Unauthorized)
    response
  • so the java app requested the file again, but now it sent the
    necessary username/password, and got the file (and a HTTP 200)
  • and all was ok

after we switched to the nginx-only solution, this is what happens:

  • the java app requests the file, gets a http 400 (not 401)
  • so the java app retries, and gets the http 400 again
  • this happens 5 times, and then the java app gives up

in the nginx access log, i see 5 http 401 (Unauthorized) accesses, and i
see that the client did not send the username/password.

also, an additional detail:

using a web-browser, the user is able to download from the server fine,
even when using the https proxy.

with this info, i would usually blame the java-app, but the strange
thing is, that in the past with the apache+nginx config, it worked fine.

i tried to migrate every setting from the apache-server to the
nginx-server,
even the ssl_cipher settings, but it did not help.

any ideas?

thanks,
gabor

On Thu, Feb 21, 2008 at 08:30:01AM +0100, Gábor Farkas wrote:

did not do any SSL-stuff.

  • and all was ok

also, an additional detail:

using a web-browser, the user is able to download from the server fine,
even when using the https proxy.

with this info, i would usually blame the java-app, but the strange
thing is, that in the past with the apache+nginx config, it worked fine.

i tried to migrate every setting from the apache-server to the nginx-server,
even the ssl_cipher settings, but it did not help.

I need a debug log. You may send it privately.
Note, that username/password in log is in plain text encoded by base64,
so choose some dummy values.

Igor S. wrote:

in the nginx access log, i see 5 http 401 (Unauthorized) accesses, and i
see that the client did not send the username/password.

I need a debug log. You may send it privately.
Note, that username/password in log is in plain text encoded by base64,
so choose some dummy values.

is there a way to tell nginx to only “debug log” connections from
certain IPs?

thanks,
gabor

Hello!

On Thu, Feb 21, 2008 at 02:50:48PM +0100, Gábor Farkas wrote:

in the nginx access log, i see 5 http 401 (Unauthorized) accesses, and i
see that the client did not send the username/password.

I need a debug log. You may send it privately.
Note, that username/password in log is in plain text encoded by base64,
so choose some dummy values.

is there a way to tell nginx to only “debug log” connections from certain
IPs?

events {
    debug_connection 1.2.3.4;
}

Instead of IP you may use CIDR here, e.g. 192.168.0.0/16.

Maxim D.

On Thu, Feb 21, 2008 at 02:50:48PM +0100, Gábor Farkas wrote:

in the nginx access log, i see 5 http 401 (Unauthorized) accesses, and i
see that the client did not send the username/password.

I need a debug log. You may send it privately.
Note, that username/password in log is in plain text encoded by base64,
so choose some dummy values.

is there a way to tell nginx to only “debug log” connections from
certain IPs?

./configure --with-debug

events {
    debug_connection 192.168.1.0/32;
    debug_connection 10.1.1.0/16;
}
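
The note earlier in the thread, that the debug log carries the Basic auth username/password as plain base64, suggests scrubbing the log before sending it to anyone. The following is an added example, not code from the thread or from nginx: it masks the credential token but keeps the facts useful for this problem (whether the header was sent and whether it decodes to user:password). The sample lines are constructed, and the exact debug-log line layout is an assumption; the match works on the header text wherever it appears in a line.

```python
import base64
import binascii
import re

# Credential token of a Basic Authorization / Proxy-Authorization header.
BASIC_RE = re.compile(
    r'((?:Proxy-)?Authorization:\s*Basic\s+)([^\s"]+)', re.IGNORECASE
)

def _mask(match):
    """Replace the token with a summary that cannot be decoded."""
    token = match.group(2)
    try:
        decoded = base64.b64decode(token, validate=True)
        shape = "user:pass" if b":" in decoded else "no-colon"
        note = f"{len(decoded)} bytes, {shape}"
    except (binascii.Error, ValueError):
        note = "invalid base64"
    return f"{match.group(1)}<redacted: {note}>"

def redact_line(line):
    """Return (scrubbed_line, number_of_credentials_masked)."""
    return BASIC_RE.subn(_mask, line)

def redact_log(lines):
    """Scrub every line; return (scrubbed_lines, total_masked)."""
    scrubbed, total = [], 0
    for line in lines:
        new_line, count = redact_line(line)
        scrubbed.append(new_line)
        total += count
    return scrubbed, total

# Constructed sample input (layout assumed, values are dummies).
SAMPLE = [
    '2008/02/21 14:50:48 [debug] 4242#0: *7 http header: "Host: files.example.test"',
    '2008/02/21 14:50:48 [debug] 4242#0: *7 http header: '
    '"Authorization: Basic ZHVtbXk6c2VjcmV0"',
    '2008/02/21 14:50:49 [debug] 4242#0: *8 http header: '
    '"Proxy-Authorization: Basic !!!"',
]

if __name__ == "__main__":
    cleaned, masked = redact_log(SAMPLE)
    print("\n".join(cleaned))
    print(f"{masked} credential(s) masked")
```
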