Channel: Nginx Forum - Nginx Mailing List - English

SSL renegotiation problem using nginx as reverse proxy to apache (2 replies)

My goal is end-to-end encryption of multiple domains using nginx as a reverse proxy to load balance to multiple backends. Both nginx and apache use the same wildcard cert, eg *.domain.com.

The first request to https://abc.domain.com/ works as expected, but a call to https://xyz.domain.com produces the following debug output in the apache logs:

[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Requesting connection re-negotiation
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(766): [client 10.0.0.115] Performing full renegotiation: complete handshake protocol (client does support secure renegotiation)
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?

with the following in the nginx log:

2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive connection

My nginx config looks like this:

http {

# Header settings - Keep as much original as possible
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-HTTPS on;

upstream svhostcluster {
server web1.domain.com:443 max_fails=5 fail_timeout=10s;
server web2.domain.com:443 max_fails=5 fail_timeout=10s;
least_conn;
}
include /etc/nginx/conf.d/*.conf;
}

and /etc/nginx/conf.d/servers.conf

ssl_certificate_key /etc/pki/tls/private/wildcard.priv.domain.pem;

ssl_session_timeout 5m;

ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;

server {
listen *:443;
server_name abc.domain.com;
access_log /var/log/nginx/abc.domain.access.log;
access_log /var/log/nginx/abc.domain.upstream.access.log upstreamlog;
error_log /var/log/nginx/sabc.domain.errors.log debug;

ssl on;

location / {
proxy_pass https://svhostcluster;
}
}

server {
listen *:443;
server_name xyz.domain.com;
access_log /var/log/nginx/xyz.domain.access.log;
access_log /var/log/nginx/xyz.domain.access.log upstreamlog;
error_log /var/log/nginx/xyz.domain.errors.log debug;

ssl on;

location / {
proxy_pass https://svhostcluster;
}
}

On the apache side, here is the ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
Listen *:443
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
ServerName abc.domain.com
DocumentRoot "/var/www/abc/html"

LogLevel debug
ErrorLog logs/abc_ssl_error_log
CustomLog logs/abc_ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

<Directory "/var/www/abc/html">
Options FollowSymLinks
AllowOverride All
RewriteEngine On
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:443>
ServerName xyz.domain.com
DocumentRoot "/var/www/xyz/html"

LogLevel debug
ErrorLog logs/xyz_ssl_error_log
CustomLog logs/xyz_ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM
SSLCertificateFile /etc/pki/tls/certs/star_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/wildcard.priv.domain.pem
SSLCertificateChainFile /etc/pki/tls/certs/star_domain_com.crt
SSLCACertificateFile /etc/pki/tls/certs/DigiCertCA.crt

<Directory "/var/www/xyz/html">
Options FollowSymLinks
AllowOverride All
RewriteEngine On
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

I'm not sure I understand why apache wants to renegotiate with nginx, nor why nginx doesn't seem to want to do it (despite apache thinking it can). Can anyone help?
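As an added example (not code from the post, nor from the nginx or Apache projects), a small Python checker that parses Apache and nginx error-log lines of the shape quoted above and pairs each Apache "Re-negotiation handshake failed" event with the nginx upstream timeout logged around the same second, reporting how long Apache sat waiting for the re-handshake. The sample log text is constructed from the lines in the post, and the 5-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample lines in the shape of the Apache and nginx entries quoted in the post.
APACHE_LOG = """\
[Thu Apr 03 17:17:07 2014] [info] Initial (No.1) HTTPS request received for child 0 (server xyz.domain.com:443)
[Thu Apr 03 17:17:07 2014] [debug] ssl_engine_kernel.c(423): [client 10.0.0.115] Reconfigured cipher suite will force renegotiation
[Thu Apr 03 17:17:07 2014] [info] [client 10.0.0.115] Awaiting re-negotiation handshake
[Thu Apr 03 17:18:07 2014] [error] [client 10.0.0.115] Re-negotiation handshake failed: Not accepted by client!?
"""
NGINX_LOG = """\
2014/04/03 17:18:07 [error] 29052#0: *355 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 10.0.0.171, server: xyz.domain.com, request: "GET /index.php HTTP/1.1", upstream: "https://10.0.15.101:443/index.php", host: "xyz.domain.com"
2014/04/03 17:18:07 [info] 29052#0: *355 client 10.0.0.171 closed keepalive connection
"""

# Apache 2.2 error-log shape: [timestamp] [level] [optional source:] [client IP] message
APACHE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\S+: )?\[client (?P<client>[\d.]+)\] (?P<msg>.*)$')
# nginx upstream timeout: keep the timestamp, the matched server block and the upstream URL
NGINX_RE = re.compile(r'^(?P<ts>\S+ \S+) \[error\] .*upstream timed out.*server: (?P<server>[^,]+), .*upstream: "(?P<upstream>[^"]+)"')

def parse_apache(text):
    out = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if m:  # lines without a [client ...] field (e.g. the "Initial request" line) are skipped
            out.append((datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y'), m['client'], m['msg']))
    return out

def parse_nginx(text):
    out = []
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if m:
            out.append((datetime.strptime(m['ts'], '%Y/%m/%d %H:%M:%S'), m['server'], m['upstream']))
    return out

def correlate(apache_text, nginx_text, window_s=5):
    """For each Apache 'Re-negotiation handshake failed' event, report how long Apache
    waited since it decided to force renegotiation, and which nginx upstream timeout
    was logged within window_s seconds of that failure (window_s is an assumption)."""
    apache, timeouts, results = parse_apache(apache_text), parse_nginx(nginx_text), []
    for ts, client, msg in apache:
        if not msg.startswith('Re-negotiation handshake failed'):
            continue
        starts = [t for t, c, m in apache if c == client and t <= ts and 'force renegotiation' in m]
        waited = (ts - max(starts)).total_seconds() if starts else None
        for nts, server, upstream in timeouts:
            if abs((nts - ts).total_seconds()) <= window_s:
                results.append({'backend_client': client, 'waited_s': waited,
                                'vhost': server, 'upstream': upstream})
    return results

if __name__ == '__main__':
    for r in correlate(APACHE_LOG, NGINX_LOG):
        print(r)
```

The 60 s reported as waited_s is simply the gap between the two Apache timestamps in the post; nginx's default proxy_read_timeout is also 60 s, which is why the upstream timeout lands on the same second as the failed re-handshake.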
