Forum: NGINX SSL renegotiation problem using nginx as reverse proxy to apache

sean_at_stitcher (Guest)
on 2014-04-04 02:57
(Received via mailing list)
My goal is end-to-end encryption of multiple domains using nginx as a reverse proxy to load balance to multiple backends. Both nginx and apache use the same wildcard cert, e.g. *.domain.com.

The first request to https://abc.domain.com/ works as expected, but a call to https://xyz.domain.com produces the following debug output in the apache logs:

[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client 10.0.0.115] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?

with the following in the nginx log:

2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive connection

My nginx config looks like this:

http {

    # Header settings - Keep as much original as possible
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  Host       $host;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-HTTPS on;

    upstream svhostcluster {
       server web1.domain.com:443 max_fails=5 fail_timeout=10s;
       server web2.domain.com:443 max_fails=5 fail_timeout=10s;
       least_conn;
    }
    include /etc/nginx/conf.d/*.conf;
}

and /etc/nginx/conf.d/servers.conf

ssl_certificate_key  /etc/pki/tls/private/wildcard.priv.domain.pem;

ssl_session_timeout  5m;

ssl_protocols  SSLv3 TLSv1;
ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers   on;

server {
    listen *:443;
    server_name abc.domain.com;
    access_log   /var/log/nginx/abc.domain.access.log;
    access_log   /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
    error_log   /var/log/nginx/sabc.domain.errors.log debug;

    ssl                  on;

    location / {
      proxy_pass  https://svhostcluster;
    }
}

server {
    listen *:443;
    server_name xyz.domain.com;
    access_log   /var/log/nginx/xyz.domain.access.log;
    access_log   /var/log/nginx/xyz.domain.access.log upstreamlog;
    error_log   /var/log/nginx/xyz.domain.errors.log debug;

    ssl                  on;

    location / {
      proxy_pass  https://svhostcluster;
    }
}

on the apache side, here is the ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
  ServerName abc.domain.com
  DocumentRoot "/var/www/abc/html"

  LogLevel debug
  ErrorLog logs/abc_ssl_error_log
  CustomLog logs/abc_ssl_access_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder On
  SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
  SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
  SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
  SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

  <Directory "/var/www/abc/html">
    Options FollowSymLinks
    AllowOverride All
    RewriteEngine On
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

<VirtualHost *:443>
  ServerName xyz.domain.com
  DocumentRoot "/var/www/xyz/html"

  LogLevel debug
  ErrorLog logs/xyz_ssl_error_log
  CustomLog logs/xyz_ssl_access_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  SSLEngine on
  SSLProtocol all -SSLv2
  SSLHonorCipherOrder On
  SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
  SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
  SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
  SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
  SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

  <Directory "/var/www/xyz/html">
    Options FollowSymLinks
    AllowOverride All
    RewriteEngine On
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

I'm not sure I understand why apache wants to renegotiate with nginx, nor why nginx doesn't seem to want to do it (despite apache thinking it can).
Can anyone help?

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248982,248982#msg-248982
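One way to read the two logs together, as an added example that is not part of the original post: the constructed sample lines below are modelled on the Apache and nginx excerpts above, and the check pairs Apache's failed renegotiation with the nginx upstream timeout logged at the same second and compares the wait with nginx's default proxy_read_timeout of 60 seconds. The function name, the samples and the assumption that both hosts' clocks agree are mine.

```python
import re
from datetime import datetime

# Constructed sample lines, modelled on the Apache and nginx excerpts above.
APACHE_LOG = """\
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?
"""
NGINX_LOG = """\
2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
"""

# Apache 2.2 error-log prefix and the nginx upstream-timeout message.
APACHE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
NGINX_RE = re.compile(r'^(?P<ts>\S+ \S+) \[error\] .*upstream timed out'
                      r'.*server: (?P<server>[^,]+).*upstream: "(?P<upstream>[^"]+)"')

def renegotiation_timeouts(apache_log, nginx_log, proxy_read_timeout=60):
    """Pair each failed mod_ssl renegotiation with the nginx upstream timeouts
    logged at the same second (assumes both hosts keep synchronised clocks).
    A wait equal to proxy_read_timeout means the proxy never answered the
    renegotiation request and simply gave up waiting for response headers."""
    requested = {}  # proxy ip -> time Apache asked for renegotiation
    failures = []   # (ip, requested_at, failed_at)
    for line in apache_log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if m["msg"].startswith("Requesting connection re-negotiation"):
            requested[m["ip"]] = ts
        elif m["msg"].startswith("Re-negotiation handshake failed") and m["ip"] in requested:
            failures.append((m["ip"], requested.pop(m["ip"]), ts))
    timeouts = {}  # nginx timestamp -> [(server, upstream), ...]
    for line in nginx_log.splitlines():
        m = NGINX_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            timeouts.setdefault(ts, []).append((m["server"], m["upstream"]))
    return [{
        "proxy_ip": ip,
        "waited_s": int((failed_at - req_at).total_seconds()),
        "matches_proxy_timeout": (failed_at - req_at).total_seconds() == proxy_read_timeout,
        "nginx_timeouts": timeouts.get(failed_at, []),
    } for ip, req_at, failed_at in failures]
```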
Jonathan Matthews (Guest)
on 2014-04-04 10:33
(Received via mailing list)
On 4 Apr 2014 01:57, "sean_at_stitcher" <nginx-forum@nginx.us> wrote:
> I'm not sure I understand why apache wants to renegotiate with nginx, nor
> why nginx doesn't seem to want to do it (despite apache thinking it can.)

I vaguely recall seeing (on this list) the suggestion that Apache does this (at least) when a request's post-SSL-negotiation, HTTP/layer-7 details change Apache's idea of where/how the request should be handled. If that's happening here, perhaps Apache is seeing your SSL* settings in different vhosts as being different - even though they aren't really.

What happens if you move the SSL* directives up a level? Maybe not the
on/off flag - just the cipher/cert/key/info ones.

HTH,
J
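The change suggested above, as an added example that is not from the thread: a small Python helper that finds SSL* directives carrying identical values in every <VirtualHost> and hoists them to server scope, leaving SSLEngine inside each vhost as the reply recommends. The function names and the trimmed sample config are assumptions of this example, not the poster's files.

```python
import re

# mod_ssl directives that can make the vhost picked by the Host header look
# different from the one used for the handshake; SSLEngine stays per vhost.
HOISTABLE = {"SSLProtocol", "SSLHonorCipherOrder", "SSLCipherSuite",
             "SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCertificateChainFile", "SSLCACertificateFile"}
VHOST_RE = re.compile(r"<VirtualHost[^>]*>.*?</VirtualHost>", re.S)

# Constructed sample, trimmed from the ssl.conf posted in the question.
SAMPLE_SSL_CONF = """\
NameVirtualHost *:443
<VirtualHost *:443>
  ServerName abc.domain.com
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
</VirtualHost>

<VirtualHost *:443>
  ServerName xyz.domain.com
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
</VirtualHost>
"""

def directive_name(line):
    """First word of a config line, or '' for a blank line."""
    return (line.split() or [""])[0]

def ssl_directives(block):
    """{directive: value} for the hoistable SSL* lines inside one vhost."""
    return {directive_name(l): (l.split(None, 1) + [""])[1].strip()
            for l in block.splitlines() if directive_name(l) in HOISTABLE}

def hoist_shared_ssl(conf):
    """Move SSL* directives whose value is identical in every vhost up to server
    scope. Returns (rewritten_conf, hoisted {directive: value}); directives that
    differ between vhosts are left where they are."""
    per_vhost = [ssl_directives(b) for b in VHOST_RE.findall(conf)]
    shared = {k: v for k, v in (per_vhost or [{}])[0].items()
              if all(d.get(k) == v for d in per_vhost[1:])}
    if not shared:
        return conf, {}
    def drop_shared(m):  # remove the hoisted lines from one vhost block
        return "\n".join(l for l in m.group(0).splitlines()
                         if directive_name(l) not in shared)
    new_conf = VHOST_RE.sub(drop_shared, conf)
    first = new_conf.index("<VirtualHost")
    hoisted = "".join(f"{k} {v}\n" for k, v in shared.items())
    return new_conf[:first] + hoisted + "\n" + new_conf[first:], shared
```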
sean_at_stitcher (Guest)
on 2014-04-04 23:02
(Received via mailing list)
Brilliant!  Thanks so much, I was pulling my hair out on this one.  Just
goes to show you... never rely on the apache documentation!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,248982,249012#msg-249012