Proxying to older apache fails

I’m trying to keep an old apache install limping along for a few more
months by letting nginx handle the SSL connection between site visitors
and apache.

I have a pretty simple config on the nginx side for the proxy_pass
config:

    location / {
        proxy_pass https://foo.i.example.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_send_timeout 360;
        proxy_read_timeout 360;
    }

I see the request hit the apache side, and with some debugging enabled,
I’m able to get some detail:

[Fri Apr 24 01:21:48 2015] [info] Initial (No.1) HTTPS request received for child 6 (server signup.biglist.com:443)
[Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): [client 10.99.88.59] Reconfigured cipher suite will force renegotiation
[Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting connection re-negotiation
[Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(750): [client 10.99.88.59] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Awaiting re-negotiation handshake
[Fri Apr 24 01:22:18 2015] [error] [client 10.99.88.59] Re-negotiation handshake failed: Not accepted by client!?

This is nginx 1.6.2 with OpenSSL 1.0.1m, and Apache 2.2.25 with OpenSSL 0.9.8y.

Relevant apache config:

SSLEngine On
SSLVerifyClient none (tried with and without this)
SSLInsecureRenegotiation off (tried with and without this)
SSLStrictSNIVHostCheck off (tried with and without this)
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM

I’ve also tried forcing TLSv1 and a single cipher on the nginx side,
thinking that might somehow simplify things, but no difference.

Any ideas?

Posted at Nginx Forum:

Hello!

On Fri, Apr 24, 2015 at 01:27:43AM -0400, sporkman wrote:

> proxy_send_timeout 360;
> [Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting connection
> thinking that might somehow simplify things, but no difference.
> Any ideas?

You have to configure Apache in a way which won’t force
renegotiation. In particular, avoid configuring ciphers in
virtual hosts; note “Reconfigured cipher suite will force
renegotiation” in the Apache logs.


Maxim D.
http://nginx.org/
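To make the advice above checkable, here is an added example (my code, not part of the thread and not nginx or Apache project code): a small linter that parses an httpd configuration and flags every `<VirtualHost>` that sets its own `SSLCipherSuite`. When the suite mod_ssl would apply to a request differs from the one the connection was negotiated with, Apache 2.2 logs "Reconfigured cipher suite will force renegotiation" and starts the renegotiation that the nginx proxy client refuses, which is the failure in the log above. The two configurations embedded in the script are constructed for the demo (the hostnames and the server-level suite are assumptions, not the poster's real files); the "before" puts the thread's cipher string inside one vhost while the server level carries a different one, and the "after" keeps a single server-level suite with nothing overridden per vhost, which is what the thread ended up with.

```python
"""Linter for per-vhost SSLCipherSuite overrides in Apache mod_ssl configs.

Added example, not code from the nginx thread or from Apache/nginx.  Only
<VirtualHost> containers are modelled; per-<Directory>/<Location> SSL
settings (which can also force a renegotiation) are out of scope here.
"""
import re
from typing import Dict, List, Optional, Tuple

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
# Only SSL* directives and ServerName matter for this check.
DIRECTIVE = re.compile(r"^\s*(SSL\w+|ServerName)\s+(.+?)\s*$", re.IGNORECASE)


def parse_ssl_directives(config: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Split the config into (server-level directives, [(vhost args, directives)]).

    Directive names are lower-cased because Apache matches them case-insensitively.
    Comments and blank lines are dropped.
    """
    server: Dict[str, str] = {}
    vhosts: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Dict[str, str]] = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {}
            vhosts.append((opened.group(1).strip(), current))
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        directive = DIRECTIVE.match(line)
        if directive:
            target = server if current is None else current
            target[directive.group(1).lower()] = directive.group(2)
    return server, vhosts


def find_cipher_overrides(config: str) -> List[Tuple[str, str, str, bool]]:
    """Return (vhost name, vhost suite, server suite, differs) per vhost that sets SSLCipherSuite.

    `differs` is True when the vhost value is not the server-level value: that is
    the combination that can make mod_ssl renegotiate mid-request.  An identical
    repeat is merely redundant and is reported with differs=False.
    """
    server, vhosts = parse_ssl_directives(config)
    server_suite = server.get("sslciphersuite", "")
    findings: List[Tuple[str, str, str, bool]] = []
    for args, directives in vhosts:
        suite = directives.get("sslciphersuite")
        if suite is not None:
            name = directives.get("servername", args)
            findings.append((name, suite, server_suite, suite != server_suite))
    return findings


# Constructed "before": the thread's cipher string lives in one vhost while the
# first vhost (the one a client that sends no SNI is handshaked into) inherits a
# different server-level suite.  Hostnames are assumptions for the demo.
BROKEN_CONFIG = """
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!aNULL

<VirtualHost *:443>
    ServerName foo.i.example.com
    SSLEngine On
</VirtualHost>

<VirtualHost *:443>
    ServerName signup.example.com
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
</VirtualHost>
"""

# Constructed "after": one server-level suite, no per-vhost override.
FIXED_CONFIG = """
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM

<VirtualHost *:443>
    ServerName foo.i.example.com
    SSLEngine On
</VirtualHost>

<VirtualHost *:443>
    ServerName signup.example.com
    SSLEngine On
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN_CONFIG), ("after", FIXED_CONFIG)):
        findings = find_cipher_overrides(cfg)
        print(f"{label}: {len(findings)} vhost cipher override(s)")
        for name, suite, server_suite, differs in findings:
            verdict = "renegotiation risk" if differs else "redundant"
            print(f"  {name}: {suite!r} vs server-level {server_suite!r} -> {verdict}")
```

Run it against a copy of the real httpd.conf (with any Include files concatenated) and aim for zero findings. One related caveat: nginx 1.6.2 does not send SNI to the upstream (the `proxy_ssl_server_name` directive only arrived in nginx 1.7.0), so Apache will negotiate the connection against its first `*:443` vhost regardless of the `Host:` header that is forwarded, which is exactly why a differing per-vhost suite bites here.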

Maxim D. Wrote:

> You have to configure Apache in a way which won’t force
> renegotiation. In particular, avoid configuring ciphers in
> virtual hosts - note “Reconfigured cipher suite will force
> renegotiation” in Apache logs.

That was too simple. :) Thanks so much.

I kept finding this thread and thinking a much more complicated issue
was going on:

I removed all overrides and nginx and apache are happily talking SSL to
each other.

Thanks again,

Charles