SSL & Nginx

Hello,

First let me wish everybody a very good and healthy 2011!

We are using nginx for load balancing multiple websites. Almost every
website has SSL enabled.

We have one upstream for a couple of websites:

#start webservers:
upstream webservers-fair {
    fair;
    server 213.154.235.247 max_fails=5 fail_timeout=20s weight=1;
    server 213.154.235.248 max_fails=5 fail_timeout=20s weight=1;
} #end upstream

The upstream needed is provided in the config, here is the problem. We
use the config IP multiple times with different certificates and different
server_name variables. Last Friday we've noticed that the certificate
wasn't working well in IE7/8/9. Is this a known problem or am I doing
something wrong?

server {
    listen xxx.xxx.xxx.249:80;
    server_name domain.nl;
    server_name domain.nl;
    #logs
    access_log /var/log/nginx/lb1-webservers.access.log;
    error_log /var/log/nginx/lb1-webservers.error.log;

    location / {
        proxy_pass http://webservers-fair;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        client_max_body_size 30M;
    }

    location /status {
        stub_status on;
        access_log off;
    }

} #end server

server {
    listen xxx.xxx.xxx.249:443;
    server_name domain.nl;
    server_name domain.nl;
    #logs
    access_log /var/log/nginx/lb1-webservers.access.log;
    error_log /var/log/nginx/lb1-webservers.error.log;

    ssl                 on;
    ssl_certificate     /certificates/ssl/domain-nl.crt;
    ssl_certificate_key  /certificates/ssl/domain-nl.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://webservers-fair;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_max_temp_file_size 0;
        client_max_body_size 30M;
    }

    location /status-ssl {
        stub_status on;
        access_log off;
    }

} #end server

########################### WEBSERVER ###############################################

Help is much appreciated!!

Grt
Jaap van Arragon

Hi,

The upstream needed is provided in the config, here is the problem. We use
the config IP multiple times with different certificates and different
server_name variables. Last Friday we’ve noticed that the certificate wasn’t
working well in IE7/8/9. Is this a known problem or am I doing something
wrong?

TL;DR: Your setup doesn’t work for clients that use Windows XP, but it
works for clients that use Windows Vista or 7. If you want SSL to work for
everybody, then you need to use a separate IP address for each
certificate.

Best regards,
Piotr S. < [email protected] >
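
A check for the situation described in the reply above: several certificates configured behind one listen address, which only works for clients that send the requested hostname in the TLS handshake (SNI), something IE on Windows XP does not do. This is an added example, not code from the thread; the sample config, its documentation-range IPs, hostnames and certificate paths are constructed.

```python
import re
from collections import defaultdict
# Constructed sample: documentation-range IPs, hypothetical names and paths.
SAMPLE_CONF = """
server {
    listen 192.0.2.10:443;
    server_name shop.example;
    ssl_certificate /etc/nginx/ssl/shop.crt;
    location / { proxy_pass http://backend; }
}
server {
    listen 192.0.2.10:443;
    server_name blog.example;
    ssl_certificate /etc/nginx/ssl/blog.crt;
}
server {
    listen 192.0.2.11:443;
    server_name wiki.example;
    ssl_certificate /etc/nginx/ssl/wiki.crt;
}
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, honouring nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def shared_listen_certs(conf):
    """Map each listen address with >1 distinct certificate to its (server_name, cert) pairs."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching
    by_addr = defaultdict(set)
    for body in server_blocks(conf):
        cert = re.search(r"\bssl_certificate\s+([^;\s]+)", body)
        if not cert:
            continue  # plain-HTTP server block
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        name = names.group(1).strip() if names else ""
        for addr in re.findall(r"\blisten\s+([^;\s]+)", body):
            by_addr[addr].add((name, cert.group(1)))
    return {a: sorted(v) for a, v in by_addr.items()
            if len({c for _, c in v}) > 1}

if __name__ == "__main__":
    for addr, pairs in shared_listen_certs(SAMPLE_CONF).items():
        print(addr, "serves", len(pairs), "certificates:", pairs)
```

Each address it reports needs its own IP per certificate if clients without SNI support must be served.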

Ahh, OK, that explains a lot.

We will change the config to separate IP addresses.

Thank you.

Regards,

Jaap

On 1/3/11 11:29 AM, “Piotr S.” [email protected] wrote:

Hi,

The upstream needed is provided in the config, here is the problem. We use
the config IP multiple times with different certificates and different
server_name variables. Last Friday we've noticed that the certificate
wasn't working well in IE7/8/9. Is this a known problem or am I doing
something wrong?

TL;DR: Your setup doesn’t work for clients that use Windows XP, but it
works for clients that use Windows Vista or 7. If you want SSL to work for
everybody, then you need to use separate IP address for each certificate.

Best regards,
Piotr S. < [email protected] >

