I’m trying to keep an old apache install limping along for a few more
months
by letting nginx handle the SSL connection between site visitors and
apache.
I have a pretty simple config on the nginx side for the proxy_pass
config;
location / {
proxy_pass https://foo.i.example.com;
proxy_set_header Host $host;
proxy_set_header X-Real-IP
$remote_addr;
proxy_send_timeout 360;
proxy_read_timeout 360;
}
I see the request hit the apache side, and with some debugging enabled,
I’m
able to get some detail:
[Fri Apr 24 01:21:48 2015] [info] Initial (No.1) HTTPS request received
for
child 6 (server signup.biglist.com:443)
[Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(400): [client
10.99.88.59] Reconfigured cipher suite will force renegotiation
[Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Requesting
connection
re-negotiation
[Fri Apr 24 01:21:48 2015] [debug] ssl_engine_kernel.c(750): [client
10.99.88.59] Performing full renegotiation: complete handshake protocol
(client does support secure renegotiation)
[Fri Apr 24 01:21:48 2015] [info] [client 10.99.88.59] Awaiting
re-negotiation handshake
[Fri Apr 24 01:22:18 2015] [error] [client 10.99.88.59] Re-negotiation
handshake failed: Not accepted by client!?
This is nginx 1.6.2, OpenSSL 1.0.1m and Apache 2.2.25, OpenSSL 0.9.8y
Relevant apache config:
SSLEngine On
SSLVerifyClient none (tried with and without this)
SSLInsecureRenegotiation off (tried with and without this)
SSLStrictSNIVHostCheck off (tried with and without this)
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
I’ve also tried forcing a TLSv1 and a single cipher on the nginx side,
thinking that might somehow simplify things, but no difference.
Any ideas?
Posted at Nginx Forum: