Question about forwarding ssl payload to upstream tcp server - nginx

These days I am working on forwarding an SSL payload to an upstream TCP server using nginx, and this is the final nginx configuration after a lot of experiments:
stream {
    map $ssl_server_name $stream_map {
        aby3_task_1 upstream_task_1;
        aby3_task_2 upstream_task_2;
    }
    upstream upstream_task_1 {
        server 127.0.0.1:1313;
    }
    upstream upstream_task_2 {
        server 127.0.0.1:1314;
    }
    server {
        listen 8185 ssl;
        ssl_certificate /home/ttt/nginx-cfg/cert/server1.crt;
        ssl_certificate_key /home/ttt/nginx-cfg/cert/server1.key;
        proxy_pass $stream_map;
        ssl_preread off;
    }
    error_log /etc/nginx/logs/error.log debug;
}
The hardest problem during the experiments was that nginx did not forward the SSL payload to the upstream TCP server according to the server name. I worked on this problem for many days but got nothing. Then yesterday my workmate removed ssl_preread on by accident and that solved the problem. The default value of ssl_preread is off, so we realized that setting ssl_preread to off would solve the problem; this is why ssl_preread off appears in the final nginx configuration.
Why does ssl_preread on have such a big impact on nginx's forwarding process? We collected some debug logs from when nginx forwards correctly and when it does not; see below:
# This is the log when nginx can forward ssl payload to upstream tcp server.
2023/01/28 14:25:17 [info] 2952111#2952111: *1204 client 192.168.16.184:33868 connected to 0.0.0.0:8185
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 posix_memalign: 000055B8CEC6B700:256 #16
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 generic phase: 0
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 generic phase: 1
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 generic phase: 2
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 tcp_nodelay
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL_do_handshake: -1
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL_get_error: 2
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 epoll add event: fd:4 op:1 ev:80002001
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 event timer add: 4: 60000:8285386327
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL handshake handler: 0
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL_do_handshake: 1
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 event timer del: 4: 8285386327
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 generic phase: 2
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 ssl preread handler
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 proxy connection handler
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 malloc: 000055B8CEC92630:448
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 posix_memalign: 000055B8CEC8D1C0:256 #16
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 malloc: 000055B8CEC87C60:16384
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 post event 000055B8CECC87A0
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 stream map started
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 stream script var: "aby3_task_3"
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 stream map: "aby3_task_3" "upstream_task_3"
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 stream script var: "upstream_task_3"
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 get rr peer, try: 1
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 stream socket 18
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 epoll add connection: fd:18 ev:80002005
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 connect to 127.0.0.1:1315, fd:18 #1205
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 proxy connect: -2
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 event timer add: 18: 60000:8285386327
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 delete posted event 000055B8CECC87A0
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL_read: -1
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 SSL_get_error: 2
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 event timer del: 18: 8285386327
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 stream proxy connect upstream
2023/01/28 14:25:17 [debug] 2952111#2952111: *1204 tcp_nodelay
# This is the log when nginx can't forward ssl payload to upstream tcp server.
2023/01/28 14:23:21 [info] 2950336#2950336: *1192 client 192.168.16.184:60998 connected to 0.0.0.0:8185
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 posix_memalign: 000055B8CEC6A530:256 #16
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 generic phase: 0
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 generic phase: 1
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 generic phase: 2
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 tcp_nodelay
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL_do_handshake: -1
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL_get_error: 2
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 epoll add event: fd:11 op:1 ev:80002001
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 event timer add: 11: 60000:8285270365
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL handshake handler: 0
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL_do_handshake: 1
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL: TLSv1.2, cipher: "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL reused session
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 event timer del: 11: 8285270365
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 generic phase: 2
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 ssl preread handler
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 malloc: 000055B8CEC877F0:16384
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL_read: -1
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 SSL_get_error: 2
2023/01/28 14:23:21 [debug] 2950336#2950336: *1192 event timer add: 11: 30000:8285240369
Comparing the two logs, we find that proxy connection handler occurs only in the case where nginx can forward the SSL payload to the upstream TCP server, so we assume that ssl_preread on disables the forwarding. But why? Can you tell me the reason?

Today I noticed a sentence in the introduction of ngx_stream_ssl_preread_module: "The ngx_stream_ssl_preread_module module (1.11.5) allows extracting information from the ClientHello message without terminating SSL/TLS." I found a very small detail hidden at the end of the sentence, "without terminating SSL/TLS", and then I knew the answer to this problem.
SSL termination refers to the process of decrypting encrypted traffic before passing it along to a web server. In our case, we want to decrypt encrypted traffic and pass it along to a TCP server, so what we want nginx to do can also be called SSL termination. According to the introduction of ngx_stream_ssl_preread_module, we know that this module doesn't support our case, so we must set ssl_preread to off. Many days before, I tried to use $ssl_preread_server_name in the map block and found after many experiments that the forwarding did not take effect; today I know that the reason is the same as in this question.
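An added example, not part of the question or the answer above, showing the two ways the stream module can route on a TLS server name side by side. In pattern A nginx does not terminate TLS: there is no ssl on the listen, ssl_preread on parses the ClientHello straight off the socket, $ssl_preread_server_name is the routing key, and the backends must terminate TLS themselves (nginx never holds the private key). In pattern B, which is what the configuration above does, listen ... ssl terminates TLS, $ssl_server_name comes from the completed handshake, ssl_preread stays at its default of off, and the backends receive plaintext unless proxy_ssl re-encrypts towards them. Combining the two on one server (listen ... ssl together with ssl_preread on) makes the preread phase read from the already decrypted stream looking for a ClientHello, so no proxy connection is set up until the client sends something or the preread_timeout expires; that is the 30000 ms timer that follows the SSL_read: -1 in the failing log above. Because the SNI is chosen by the client and is not authenticated by the handshake, both maps get an explicit default so an unknown name is routed deliberately rather than left to an empty proxy_pass value. Hostnames, ports 1313/1314/8185, and certificate paths are from the post; port 8186, the reject upstream and the commented proxy_ssl lines are assumptions.

```nginx
# Added example, not the original poster's configuration.
stream {
    # ---- Pattern A: TLS passthrough, routed on the SNI in the ClientHello ----
    map $ssl_preread_server_name $passthrough_upstream {
        aby3_task_1 upstream_task_1;
        aby3_task_2 upstream_task_2;
        default     reject;          # unknown or missing SNI: do not guess
    }

    # ---- Pattern B: TLS termination, routed on the SNI from the handshake ----
    map $ssl_server_name $terminated_upstream {
        aby3_task_1 upstream_task_1;
        aby3_task_2 upstream_task_2;
        default     reject;
    }

    upstream upstream_task_1 { server 127.0.0.1:1313; }
    upstream upstream_task_2 { server 127.0.0.1:1314; }
    # Assumption: nothing listens on 127.0.0.1:1, so an unmatched name
    # fails with a refused connection instead of reaching a task by accident.
    upstream reject          { server 127.0.0.1:1; }

    server {
        listen 8186;                 # plain TCP listener: no "ssl" here (assumed port)
        ssl_preread on;              # read the ClientHello without decrypting anything
        proxy_pass $passthrough_upstream;
        # The upstreams on 1313/1314 must present the certificate themselves.
    }

    server {
        listen 8185 ssl;
        ssl_certificate     /home/ttt/nginx-cfg/cert/server1.crt;
        ssl_certificate_key /home/ttt/nginx-cfg/cert/server1.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        # ssl_preread is left at its default (off): after termination there is
        # no ClientHello left on the stream for the preread handler to find.
        proxy_pass $terminated_upstream;

        # The upstreams receive plaintext. If they are not on the same host,
        # re-encrypt towards them (assumed CA path):
        # proxy_ssl on;
        # proxy_ssl_verify on;
        # proxy_ssl_trusted_certificate /home/ttt/nginx-cfg/cert/upstream-ca.crt;
        # proxy_ssl_server_name on;
    }
}
```

Test pattern A with a client that sets SNI, for example openssl s_client -connect host:8186 -servername aby3_task_1, and confirm the certificate shown is the backend's, not server1.crt; test pattern B the same way against 8185 and confirm the backend sees plaintext on 1313.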

Related

large_client_header_buffers not working error 400 Bad request

I've set up nginx/1.18.0 (Ubuntu) with the following parameters at the http level:
http {
    fastcgi_buffers 8 16k;
    fastcgi_buffer_size 32k;
    client_max_body_size 24M;
    client_body_buffer_size 128k;
    client_header_buffer_size 5120k;
    large_client_header_buffers 16 5120k;
}
If I remove the parameters then I get Error 414 (Request-URI Too Large).
I've tried to put the parameters at the server level, I've removed all parameters from every server and left them at the http level, and I've also checked that there is no default server, but nothing works. Always the same error: 400. Debug logs:
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http process request line
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http alloc large header buffer
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 malloc: 0000557BF591C880:65536
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http large header alloc: 0000557BF591C880 65536
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http large header copy: 1024
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 SSL_read: 15360
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 SSL_read: -1
...
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 chain writer buf fl:1 s:18856
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 chain writer in: 0000557BF5910DF0
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 writev: 18856 of 18856
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 chain writer out: 0000000000000000
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 event timer del: 27: 1394198951
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 event timer add: 27: 1800000:1395997951
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http upstream request: "/api/reports/get-data?data=U2FsdGVkX184fkBl4wAhRkbfDL...
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http upstream process header
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 malloc: 0000557BF5911310:4096
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 recv: eof:1, avail:-1
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 recv: fd:27 28 of 4096
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http proxy status 400 "400 Bad Request"
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 http proxy header done
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 xslt filter header
2022/09/22 14:06:38 [debug] 1083638#1083638: *2 HTTP/1.1 400 Bad Request
Server: nginx/1.18.0 (Ubuntu)
I've reviewed the proxy, which is a node.js application; it does not receive the request.
I've even tried with
client_header_buffer_size 800M;
large_client_header_buffers 16 800M;
And the result is the same. The same configuration with the same node.js app, exactly the same data, etc. was working properly on nginx/1.10.3 (Ubuntu).
Please, any help would be really appreciated.

nginx reverse proxy to wordpress docker container hangs with HTTP 301 error

I’m trying to use nginx as a reverse proxy for multiple docker containers running WordPress. The nginx instance and docker are running on an Ubuntu 16.04.3 server. I have been testing this out in my local dev environment with Vagrant, using a separate Ubuntu box for nginx and another for docker. The Vagrant configuration works as expected, but when I try to make a similar configuration on a single physical Ubuntu server, the route to the WordPress docker container hangs and eventually returns an HTTP 301 error.
Note: using a similar nginx reverse proxy configuration for other docker containers listening on different ports works. For example, running Jenkins in docker and using a reverse proxy to that container works successfully.
Here are the configurations I am using with Vagrant and then on my physical Ubuntu server:
Working solution with Vagrant and two separate Ubuntu boxes
Vagrant Configuration
Nginx running in a separate Ubuntu Box
Setting local host file
/etc/hosts: 10.10.45.10 wp.dev
nginx configuration
server {
    listen 80;
    listen [::]:80;
    server_name wp.dev;
    error_log /var/log/nginx/wp_dev_error.log debug;
    location / {
        proxy_pass http://10.10.45.11:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Wordpress docker configuration
Docker-compose.yml file:
version: "2"
services:
  my-wpdb:
    image: mariadb
    ports:
      - "8081:3306"
    environment:
      MYSQL_ROOT_PASSWORD: <some_password>
  my-wp:
    image: wordpress
    volumes:
      - ./:/var/www/html
    ports:
      - "8080:80"
    links:
      - my-wpdb:mysql
    environment:
      WORDPRESS_DB_PASSWORD: <some_password>
Run docker container
docker-compose up -d
Route
wp.dev (10.10.45.10) → docker_wp (10.10.45.11 port 8080)
Curl test: curl wp.dev -- SUCCESS
10.10.45.1 - - [18/Aug/2017:21:38:37 +0000] "GET / HTTP/1.1" 200 51638 "-" "curl/7.54.0"
Broken Configuration
/etc/nginx/sites-available/sub1.mydomain.com.conf
server {
    listen 80;
    listen [::]:80;
    server_name sub1.mydomain.com;
    error_log /var/log/nginx/mydomain_nonssl_error.log debug;
    location / {
        proxy_pass http://localhost:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The docker-compose file for the WordPress docker container is the same as in the Vagrant configuration above.
Testing configuration and results
Curl test: curl ..com
159.203.127.57 - - [18/Aug/2017:15:37:52 -0600] "GET / HTTP/1.1" 301 0 "-" "curl/7.47.0"
The page hangs and I see an HTTP 301 error in the header.
curl -v http://
* Rebuilt URL to: http://<my_testdomain>/
* Trying xx.xx.xx.91...
* Connected to sub1.mydomain.com (xx.xx.xx.91) port 80 (#0)
> GET / HTTP/1.1
> Host: sub1.mydomain.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.10.3 (Ubuntu)
< Date: Sat, 19 Aug 2017 15:05:38 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 0
< Connection: keep-alive
< X-Powered-By: PHP/5.6.31
< Location: http://<my_test_domain>:8080/
<
* Connection #0 to host <my_test_domain> left intact
Note that the route continues to use the destination port in the URL. I don’t see this in my Vagrant configuration. This may be the problem.
I’ve tried different nginx configurations to hide the destination port but nothing seems to work.
Here are some specific questions that may help troubleshoot this problem:
How can I enable more debug information with nginx? I’m using the following error_log setting but would like to enable "verbose" logging to determine how routing is working.
error_log /var/log/nginx/mydomain_nonssl_error.log debug;
Why is the destination port still showing in the URL when I run the nginx reverse proxy on the same machine, but a similar configuration in Vagrant running separate boxes hides the port and uses the original URL in the request?
Could the problem be in the docker WordPress/Apache container that is causing the HTTP 301 error?
I’ve been working on this problem for several days and have not been able to resolve the issue. Thanks in advance for your help.
Nginx log file of reverse proxy:
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: "X-Real-IP: "
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script var: "168.179.61.161"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: "
"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: "X-Forwarded-For: "
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script var: "168.179.61.161"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: "
"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: "Connection: close
"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: ""
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: ""
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: ""
2017/08/28 09:53:14 [debug] 11853#11853: *1 http script copy: ""
2017/08/28 09:53:14 [debug] 11853#11853: *1 http proxy header: "user-agent: curl/7.53.0"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http proxy header: "accept: */*"
2017/08/28 09:53:14 [debug] 11853#11853: *1 http proxy header:
"GET / HTTP/1.0
Host: <mydevsite>
X-Real-IP: 168.179.61.161
X-Forwarded-For: 168.179.61.161
Connection: close
user-agent: curl/7.53.0
accept: */*
… snip ….
2017/08/28 09:53:15 [debug] 11853#11853: *1 http upstream request: "/?"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http upstream process header
2017/08/28 09:53:15 [debug] 11853#11853: *1 malloc: 000055D755D248F0:4096
2017/08/28 09:53:15 [debug] 11853#11853: *1 recv: fd:29 246 of 4096
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy status 301 "301 Moved Permanently"
2017/08/28 09:53:15 [debug] 11853#11853: *1 posix_memalign: 000055D755D168A0:4096 #16
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "Date: Mon, 28 Aug 2017 15:53:14 GMT"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "Server: Apache/2.4.10 (Debian)"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "X-Powered-By: PHP/5.6.31"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "Location: http://<mydevsite>:8080/"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "Content-Length: 0"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "Connection: close"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header: "Content-Type: text/html; charset=UTF-8"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy header done
2017/08/28 09:53:15 [debug] 11853#11853: *1 xslt filter header
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 header filter
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: ":status: 301"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "server: nginx/1.10.3 (Ubuntu)"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "date: Mon, 28 Aug 2017 15:53:15 GMT"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "content-type: text/html; charset=UTF-8"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "content-length: 0"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "location: http://<mydevsite>:8080/"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "x-powered-by: PHP/5.6.31"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "strict-transport-security: max-age=63072000; includeSubdomains"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "x-frame-options: DENY"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 output header: "x-content-type-options: nosniff"
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2:1 create HEADERS frame 000055D755D16B78: len:200
2017/08/28 09:53:15 [debug] 11853#11853: *1 http cleanup add: 000055D755D16C60
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 frame out: 000055D755D16B78 sid:1 bl:1 len:200
2017/08/28 09:53:15 [debug] 11853#11853: *1 SSL buf copy: 9
2017/08/28 09:53:15 [debug] 11853#11853: *1 SSL buf copy: 200
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2:1 HEADERS frame 000055D755D16B78 was sent
2017/08/28 09:53:15 [debug] 11853#11853: *1 http2 frame sent: 000055D755D16B78 sid:1 bl:1 len:200
2017/08/28 09:53:15 [debug] 11853#11853: *1 http cacheable: 0
2017/08/28 09:53:15 [debug] 11853#11853: *1 http proxy filter init s:301 h:0 c:0 l:0
2017/08/28 09:53:15 [debug] 11853#11853: *1 http upstream process upstream
2017/08/28 09:53:15 [debug] 11853#11853: *1 pipe read upstream: 1
2017/08/28 09:53:15 [debug] 11853#11853: *1 pipe preread: 0
2017/08/28 09:53:15 [debug] 11853#11853: *1 readv: 1, last:3850
2017/08/28 09:53:15 [debug] 11853#11853: *1 pipe recv chain: 0
2017/08/28 09:53:15 [debug] 11853#11853: *1 pipe buf free s:0 t:1 f:0 000055D755D248F0, pos 000055D755D249E6, size: 0 file: 0, size: 0
Before trying to debug on the nginx side, I would suggest you check how the upstreams are active for nginx. Could you post the output for http://localhost:8080 from nginx?
--
Mohammed Azfar
Change
proxy_redirect off
to
proxy_redirect http://localhost:8080/ http://$host/
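An added example, not part of the question or either answer above. Two things the debug log fixes: the Location the container returns is http://<mydevsite>:8080/, i.e. the public host with the published port rather than localhost, and the posted config has proxy_redirect off, which makes nginx pass that header through untouched. A proxy_redirect rule therefore has to match the host:8080 form; the default rule (proxy_redirect default) only rewrites Locations that begin with the proxy_pass address http://localhost:8080/. The regex form below, available since nginx 1.1.11, strips port 8080 from whatever host the backend puts in the Location. The hostname is the placeholder from the post. This only masks the port in redirects: if the application itself stores its URL with the port, it will also embed it in page links, which proxy_redirect does not rewrite, and that has to be fixed in the application.

```nginx
# Added example, not the original poster's configuration.
server {
    listen 80;
    listen [::]:80;
    server_name sub1.mydomain.com;
    error_log /var/log/nginx/mydomain_nonssl_error.log debug;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite redirects that use the proxy_pass address itself
        # (Location: http://localhost:8080/...).
        proxy_redirect default;
        # Rewrite "Location: http://<any-host>:8080/..." to the public host
        # without the port. Regex form needs nginx >= 1.1.11.
        proxy_redirect ~^http://[^/:]+:8080/(.*)$ http://$host/$1;
    }
}
```

Check with curl -sI http://sub1.mydomain.com/ | grep -i location: the :8080 should be gone from the Location line, and the nginx debug log will show the rewritten header under http proxy rewrite redirect.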

nginx proxy return 11: resource temporarily unavailable

This is what I got as debug-level info from the error log:
"GET /api/account/logout HTTP/1.0
Host: http://SERVER_IP/
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.6,en;q=0.4,zh-TW;q=0.2
"
2017/08/22 19:38:42 [debug] 22939#0: *62 http cleanup add: 00007F557D385FD0
2017/08/22 19:38:42 [debug] 22939#0: *62 get rr peer, try: 1
2017/08/22 19:38:42 [debug] 22939#0: *62 stream socket 8
2017/08/22 19:38:42 [debug] 22939#0: *62 epoll add connection: fd:8 ev:80002005
2017/08/22 19:38:42 [debug] 22939#0: *62 connect to 10.14.6.4:80, fd:8 #63
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream connect: -2
2017/08/22 19:38:42 [debug] 22939#0: *62 posix_memalign: 00007F557D2E7DE0:128 #16
2017/08/22 19:38:42 [debug] 22939#0: *62 event timer add: 8: 60000:1503401982521
2017/08/22 19:38:42 [debug] 22939#0: *62 http finalize request: -4, "/admin_api/account/logout?" a:1, c:2
2017/08/22 19:38:42 [debug] 22939#0: *62 http request count:2 blk:0
2017/08/22 19:38:42 [debug] 22939#0: *62 post event 00007F557D41A6E0
2017/08/22 19:38:42 [debug] 22939#0: *62 delete posted event 00007F557D41A6E0
2017/08/22 19:38:42 [debug] 22939#0: *62 http run request: "/admin_api/account/logout?"
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream check client, write event:1, "/admin_api/account/logout"
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream recv(): -1 (11: Resource temporarily unavailable)
2017/08/22 19:38:42 [debug] 22939#0: *62 post event 00007F557D41A740
2017/08/22 19:38:42 [debug] 22939#0: *62 delete posted event 00007F557D41A740
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream request: "/admin_api/account/logout?"
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream send request handler
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream send request
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream send request body
2017/08/22 19:38:42 [debug] 22939#0: *62 chain writer buf fl:1 s:467
2017/08/22 19:38:42 [debug] 22939#0: *62 chain writer in: 00007F557D386008
2017/08/22 19:38:42 [debug] 22939#0: *62 writev: 467 of 467
2017/08/22 19:38:42 [debug] 22939#0: *62 chain writer out: 0000000000000000
2017/08/22 19:38:42 [debug] 22939#0: *62 event timer del: 8: 1503401982521
2017/08/22 19:38:42 [debug] 22939#0: *62 event timer add: 8: 60000:1503401982522
2017/08/22 19:38:42 [debug] 22939#0: *62 post event 00007F557D402730
2017/08/22 19:38:42 [debug] 22939#0: *62 post event 00007F557D41A740
2017/08/22 19:38:42 [debug] 22939#0: *62 delete posted event 00007F557D402730
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream request: "/admin_api/account/logout?"
2017/08/22 19:38:42 [debug] 22939#0: *62 http upstream process header
2017/08/22 19:38:42 [debug] 22939#0: *62 malloc: 00007F557D35A4D0:4096
2017/08/22 19:38:42 [debug] 22939#0: *62 recv: fd:8 325 of 4096
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy status 400 "400 Bad Request"
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy header: "Server: nginx/1.10.2"
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy header: "Date: Tue, 22 Aug 2017 11:38:42 GMT"
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy header: "Content-Type: text/html"
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy header: "Content-Length: 173"
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy header: "Connection: close"
2017/08/22 19:38:42 [debug] 22939#0: *62 http proxy header done
2017/08/22 19:38:42 [debug] 22939#0: *62 xslt filter header
2017/08/22 19:38:42 [debug] 22939#0: *62 HTTP/1.1 400 Bad Request
I'm forwarding requests to an internal server. The request I get has the admin_api prefix and it should be forwarded to an internal server with the api prefix. Here is my nginx config.
server {
    listen 8006;
    server_name THIS_SERVER_IP;
    root /usr/share/nginx;
    error_log /var/log/nginx/xxx-error.log debug;
    location /admin_api {
        proxy_pass http://INTERNAL_SERVER_IP/api;
        proxy_set_header Host http://INTERNAL_SERVER_IP/;
        proxy_pass_request_headers On;
    }
    location / {
        try_files $uri /index.html;
    }
}
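An added example, not part of the question above. Two observations from the posted debug log drive it. First, the request that reaches the internal server carries "Host: http://SERVER_IP/", the literal value from proxy_set_header; a Host header is a bare host with an optional port, never a URL, and the upstream nginx/1.10.2 rejects a Host containing "/" with the 400 Bad Request seen in the log. Second, "recv(): -1 (11: Resource temporarily unavailable)" under "http upstream check client" is nginx's non-blocking peek at the client socket to detect a client abort; EAGAIN there is normal and is not the error. The /admin_api to /api prefix rewrite already works, as the upstream request line shows. Placeholders are kept from the post.

```nginx
# Added example, not the original poster's configuration.
server {
    listen 8006;
    server_name THIS_SERVER_IP;
    root /usr/share/nginx;
    error_log /var/log/nginx/xxx-error.log debug;

    # Trailing slash on both sides keeps the mapping exact:
    # /admin_api/account/logout -> /api/account/logout
    # and stops /admin_apifoo from matching this location.
    location /admin_api/ {
        proxy_pass http://INTERNAL_SERVER_IP/api/;

        # Host must be host[:port] only. Use the upstream's own name when it
        # virtual-hosts on it (as here), or $host to forward the client's.
        proxy_set_header Host INTERNAL_SERVER_IP;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_pass_request_headers defaults to on; no need to set it.
    }

    location / {
        try_files $uri /index.html;
    }
}
```

After reloading, the debug log's "http proxy header:" block should show "Host: INTERNAL_SERVER_IP" and the upstream status should no longer be 400.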

Nginx ssl error for safari

I am getting a "Safari can't verify the identity of the website" pop-up while connecting to my web server. However, all other browsers (Chrome, IE, Firefox) do not have any problem connecting. I turned on debug in the conf file and got this:
ssl error logs: http check ssl handshake
2013/11/01 23:27:59 [debug] 16494#0: *240 http recv(): 1
2013/11/01 23:27:59 [debug] 16494#0: *240 https ssl handshake: 0x16
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL server name: "www.unitedwifi.com"
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_do_handshake: -1
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_get_error: 2
2013/11/01 23:27:59 [debug] 16494#0: *240 reusable connection: 0
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL handshake handler: 0
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_do_handshake: 1
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL: TLSv1, cipher: "ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2013/11/01 23:27:59 [debug] 16494#0: *240 reusable connection: 1
2013/11/01 23:27:59 [debug] 16494#0: *240 http wait request handler
2013/11/01 23:27:59 [debug] 16494#0: *240 malloc: 09307C40:1024
2013/11/01 23:27:59 [debug] 16494#0: *240 posix_memalign: 09451B10:256 #16
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_read: -1
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_get_error: 2
2013/11/01 23:27:59 [debug] 16494#0: *240 free: 09307C40
2013/11/01 23:27:59 [debug] 16494#0: *240 http wait request handler
2013/11/01 23:27:59 [debug] 16494#0: *240 malloc: 09307C40:1024
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_read: 242
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_read: -1
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_get_error: 2
2013/11/01 23:27:59 [debug] 16494#0: *240 reusable connection: 0
2013/11/01 23:27:59 [debug] 16494#0: *240 posix_memalign: 0944C940:4096 #16
I thought maybe it's a renegotiation issue with Safari, but I couldn't see anything in the logs regarding that.
Any ideas?
Regardless of the browser that I use to connect to "www.unitedwifi.com" I get a certificate error; this is because the certificate presented by the server is only valid for CN=www.mileageplus.com.
I may be completely wrong there, but I believe this is why Safari is giving you a cipher suite but won't actually trust the connection unless you accept it within your keystore/keychain.

How to disable TLS renegotiation in nginx

I am having a very weird problem with Safari on nginx, which is hosting my server. The SSL handshake fails and gives a server certificate warning pop-up, and I get this in the nginx debug logs:
nginx logs
2013/11/01 23:27:59 [debug] 16494#0: *240 http recv(): 1
2013/11/01 23:27:59 [debug] 16494#0: *240 https ssl handshake: 0x16
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL server name: "www.unitedwifi.com"
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_do_handshake: -1
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_get_error: 2
2013/11/01 23:27:59 [debug] 16494#0: *240 reusable connection: 0
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL handshake handler: 0
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL_do_handshake: 1
2013/11/01 23:27:59 [debug] 16494#0: *240 SSL: TLSv1, cipher: "ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1"
2013/11/01 23:27:59 [debug] 16494#0: *240 reusable connection: 1
After searching online, the only reason that I can think of is SSL renegotiation, which according to some posts is still not supported by Safari. With other browsers I don't see any problem. Also, unitedwifi.com is a portal that I host on my VPN.
Is there a way in nginx to disable renegotiation from the conf file? Any suggestions to fix this?
Nginx hasn't allowed renegotiation since 0.7.64 or 0.8.23. And I don't see any renegotiation in the debug log that you have provided.
http://nginx.org/en/CHANGES
Changes with nginx 0.8.23 11 Nov 2009
*) Security: now SSL/TLS renegotiation is disabled.
Thanks to Maxim Dounin.
Most likely, that certificate warning pop-up has nothing to do with nginx, but is related to certificate itself.